Streisand: Let's Encrypt cert issuance fails due to old protocol (ACMEv1)

Created on 18 Oct 2019  ·  9 Comments  ·  Source: StreisandEffect/streisand

Expected behavior:

Let's Encrypt cert is issued and installed during general install

Actual Behavior:

cert issuance fails due to using outdated ACME protocol version (ACMEv1)

Ansible task error

TASK [lets-encrypt : Perform initial configuration of acmetool] ***************************
fatal: [162.209.11.147]: FAILED! => {"changed": true, "cmd": ["acmetool", "quickstart"], "delta": "0:00:01.010463", "end": "2019-10-18 02:20:29.377881", "msg": "non-zero return code", "rc": 1, "start": "2019-10-18 02:20:28.367418", "stderr": "20191018022029 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden\nmap[Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0102GOuWlT6DOzzt5ByE5HcUsIScmrRPoCqAnEwLMpXhZ3Q] Server:[nginx] Date:[Fri, 18 Oct 2019 02:20:29 GMT]]\n{\n \"type\": \"urn:acme:error:unauthorized\",\n \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",\n \"status\": 403\n}", "stderr_lines": ["20191018022029 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden", "map[Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0102GOuWlT6DOzzt5ByE5HcUsIScmrRPoCqAnEwLMpXhZ3Q] Server:[nginx] Date:[Fri, 18 Oct 2019 02:20:29 GMT]]", "{", " \"type\": \"urn:acme:error:unauthorized\",", " \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",", " \"status\": 403", "}"], "stdout": "\r 0 / 100 0.00%\r 0.00% \r 0.00% \r 0.00% \r 0.00% ", "stdout_lines": ["", " 0 / 100 0.00%", " 0.00% ", " 0.00% ", " 0.00% ", " 0.00% "]}

Let's Encrypt announcement

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

New account creation for new cert issuance under ACMEv1 stops October 1 2019, which is where we error out. Even if you already had a Let's Encrypt "account" (registered email address), the window is closing for issuance via ACMEv1.

I think this also interfered with the rest of the install, as the listening https port returns a broken cert.

Steps to Reproduce:

  1. run install on rackspace

Ansible Information

  • Ansible version: 2.8.4
  • Ansible system: Linux
  • Host OS: Ubuntu
  • Host OS version: 19.04
  • Python interpreter: python
  • Python version: 2.7.16

Streisand Information

  • Streisand Git revision: be8e7a1d3523cc4d4b0caa74e13b346afc2650c7
  • Streisand Git clone has untracked changes: no
  • Genesis role: genesis-rackspace
  • Custom SSH key: False

Enabled Roles

  • Shadowsocks enabled: True
  • Wireguard enabled: True
  • OpenVPN enabled: True
  • stunnel enabled: True
  • Tor enabled: True
  • Openconnect enabled: True
  • TinyProxy enabled: True
  • SSH forward user enabled: True
  • Configured number of VPN clients: 20

All 9 comments

:wave: Leaving this note for any maintainers that might be interested in fixing this problem before it breaks new deployments of Streisand with the Let's Encrypt feature on Oct 31st. The ACME client (acmetool) used by Streisand needs to be updated to a version that supports RFC 8555 / ACME v2. There's a beta release available as of 5 days ago. One note of warning:

You will need to build this yourself as release automation is being renovated.

There's a choice here between:

  1. staying on acmetool and building the beta package manually.
  2. staying on acmetool and hoping the PPA gets a binary release before Oct 31st.
  3. switching to an alternative RFC 8555 compat. client (acme.sh, certbot, lego, whatever).

Edit: There's also a first-party ACME plugin for Ansible: https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html
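The registration failure at the top of this issue and the client choice discussed in this comment both come down to one question: is the client talking to an RFC 8555 (ACMEv2) endpoint or to the retired v1 API? The following is an added example, not code from Streisand, acmetool or the Ansible module; it assumes only the public Let's Encrypt directory URLs and the resource names the two protocol generations publish in their directory documents (the older API used `new-reg`, `new-authz`, `new-cert`; RFC 8555 uses `newNonce`, `newAccount`, `newOrder`). It classifies a directory document, and recognises the `urn:acme:error:unauthorized` problem document acmetool printed so an Ansible run can report the real cause instead of a bare non-zero return code. All sample data in the block is constructed.

```python
"""Added example (not Streisand's code): tell an ACMEv1 directory from an
RFC 8555 (ACMEv2) one, and recognise the ACMEv1 end-of-life refusal that
acmetool reported in this issue."""
import json
import re

# Public Let's Encrypt production directories (real endpoints).
LE_V1_DIRECTORY = "https://acme-v01.api.letsencrypt.org/directory"
LE_V2_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"

# Directory resource names that distinguish the two protocol generations.
V1_RESOURCES = {"new-reg", "new-authz", "new-cert"}
V2_RESOURCES = {"newNonce", "newAccount", "newOrder"}

# Constructed directory documents shaped like the v1 and v2 responses
# (resource names are the real ones, URLs are placeholders).
SAMPLE_V1_DIRECTORY = {
    "new-reg": "https://acme.example/acme/new-reg",
    "new-authz": "https://acme.example/acme/new-authz",
    "new-cert": "https://acme.example/acme/new-cert",
    "revoke-cert": "https://acme.example/acme/revoke-cert",
}
SAMPLE_V2_DIRECTORY = {
    "newNonce": "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
    "newOrder": "https://acme.example/acme/new-order",
    "revokeCert": "https://acme.example/acme/revoke-cert",
    "meta": {"termsOfService": "https://acme.example/terms"},
}

# Constructed stderr, shaped like the acmetool output quoted in this issue.
SAMPLE_STDERR = (
    "20191018022029 [CRITICAL] acmetool: fatal: couldn't complete registration: "
    "HTTP error: 403 Forbidden\n"
    "map[Content-Type:[application/problem+json] Server:[nginx]]\n"
    "{\n"
    '  "type": "urn:acme:error:unauthorized",\n'
    '  "detail": "Account creation on ACMEv1 is disabled. Please upgrade your '
    'ACME client to a version that supports ACMEv2 / RFC 8555.",\n'
    '  "status": 403\n'
    "}"
)
# Constructed Ansible task result carrying that stderr.
SAMPLE_RESULT = {"cmd": ["acmetool", "quickstart"], "rc": 1, "stderr": SAMPLE_STDERR}


def acme_version_from_directory(directory):
    """Return 2 for an RFC 8555 directory, 1 for the old API, None if unknown."""
    keys = set(directory)
    if V2_RESOURCES <= keys:
        return 2
    if V1_RESOURCES <= keys:
        return 1
    return None


def problem_from_stderr(stderr):
    """Extract the application/problem+json body acmetool echoes after the headers."""
    match = re.search(r"\{.*\}", stderr, re.DOTALL)
    if not match:
        return None
    try:
        return json.loads(match.group(0))
    except ValueError:
        return None


def is_acmev1_eol_problem(problem):
    """True when the problem document is the ACMEv1 account-creation refusal."""
    return (problem.get("status") == 403
            and problem.get("type") == "urn:acme:error:unauthorized"
            and "ACMEv1" in problem.get("detail", ""))


def diagnose_ansible_failure(result):
    """Turn a failed acmetool task result into an actionable message, or None."""
    problem = problem_from_stderr(result.get("stderr", ""))
    if problem and is_acmev1_eol_problem(problem):
        return ("acmetool registered against an ACMEv1 endpoint; switch to an "
                "RFC 8555 client configured for " + LE_V2_DIRECTORY)
    return None


if __name__ == "__main__":
    print("v1 sample ->", acme_version_from_directory(SAMPLE_V1_DIRECTORY))
    print("v2 sample ->", acme_version_from_directory(SAMPLE_V2_DIRECTORY))
    print(diagnose_ansible_failure(SAMPLE_RESULT))
```

In a real run the directory document would be fetched from whatever `acme_directory` the client is configured with (for the Ansible module mentioned above, that is the `acme_directory` parameter together with `acme_version: 2`); the classification is deliberately done on the parsed JSON so it can be checked against a captured response without network access.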

Uh, so it's November now...

Looks like this is fixed in #1668, it just needs to be merged.

Is there a way around this? As a user, it appears this has kept Streisand from working at all in getting a server up and running since Oct, and it's unclear when the PR will be merged, so just wondering if there's any workaround.

+1 this is causing a hard fail for me today. It crashes out of Ansible without having generated docs or leaving a progress report.

TASK [lets-encrypt : Perform initial configuration of acmetool] **********************************************
fatal: [***.***.***.***]: FAILED! => {"changed": true, "cmd": ["acmetool", "quickstart"], "delta": "0:00:00.386317", "end": "2019-12-01 02:29:36.462673", "msg": "non-zero return code", "rc": 1, "start": "2019-12-01 02:29:36.076356", "stderr": "20191201022936 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden\nmap[Server:[nginx] Date:[Sun, 01 Dec 2019 02:29:36 GMT] Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0101CYoodg8966r1Zz12KiN4jZ89Q-HYqu60MFKXA01GwYU]]\n{\n  \"type\": \"urn:acme:error:unauthorized\",\n  \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",\n  \"status\": 403\n}", "stderr_lines": ["20191201022936 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden", "map[Server:[nginx] Date:[Sun, 01 Dec 2019 02:29:36 GMT] Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0101CYoodg8966r1Zz12KiN4jZ89Q-HYqu60MFKXA01GwYU]]", "{", "  \"type\": \"urn:acme:error:unauthorized\",", "  \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",", "  \"status\": 403", "}"], "stdout": "\r 0 / 100    0.00%\r   0.00%  ", "stdout_lines": ["", " 0 / 100    0.00%", "   0.00%  "]}

This is a blocking hard error. Should be patched ASAP. Please merge it if it's appropriate. @jlund

I have the same issue for fresh installation of streisand:

streisand Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2

Since #1668 got merged for initial ACME v2 support for initial setup, this has mostly been solved. Though please note users might want to wait for additional cleanup work still to be done to finish Let's Encrypt renewals correctly/completely (see #1688 awaiting merge, and there may be additional tinkering in #1668 ).

Many thanks to @nickgnazzo for getting us out of this pinch, and @nopdotcom for approving the merge.

Is there a canonical way to upgrade acmetool or (better) move to letsencrypt on an existing streisand machine? I got my cert originally with acmetool, but just got an email from letsencrypt that includes

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail.

Or is it preferable to spin up a new streisand instance that includes #1668?
