Koozali.org: home of the SME Server

Letsencrypt and dehydrated problem switching from API1 to API2

Offline waldviertler

Hello

I used dehydrated for the last years without problems - and now I got the message that I have to switch to API2.

So I changed the config:
Code:
#!/bin/bash
#CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=mail@adress.com
API="2"

PARAM_ACCEPT_TERMS="yes"


But I still get the path to API1 with
Code:
[root@www ~]# dehydrated -e
# dehydrated configuration
# INFO: Using main config file /etc/dehydrated/config
declare -- CA="https://acme-v01.api.letsencrypt.org/directory"
declare -- LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
declare -- CERTDIR="/etc/dehydrated/certs"
declare -- CHALLENGETYPE="http-01"
declare -- DOMAINS_D=""
declare -- DOMAINS_TXT="/etc/dehydrated/domains.txt"
declare -- HOOK="/usr/bin/hook-script.sh"
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/etc/dehydrated/accounts/long path/account_key.pem"
declare -- ACCOUNT_KEY_JSON="/etc/dehydrated/accounts/long path/registration_info.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/etc/pki/tls/openssl.cnf"
declare -- CONTACT_EMAIL="mail@address.com"
declare -- LOCKFILE="/etc/dehydrated/lock"

as you see at "declare -- CA="https://acme-v01.api.letsencrypt.org/directory""

When I uncomment in config
CA="https://acme-v02.api.letsencrypt.org/directory"

I get:

Code:
[root@www ~]# /usr/bin/dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Fetching missing account information from CA...
  + ERROR: An error occurred while sending post-request to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct (Status 400)

Details:
HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 03 Jun 2021 09:11:34 GMT
Content-Type: application/problem+json
Content-Length: 134
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004dgd0feS87q0sxTbrernNonJAt58Qc0qnGJOHdrymvqU

{
  "type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key",
  "status": 400
}


In sum:
When I add only
API="2"
to the config it will still point to https://acme-v01.api.letsencrypt.org/directory
When I add
CA="https://acme-v02.api.letsencrypt.org/directory" to the config I get an error.
("type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key")

My versions of letsencrypt and dehydrated are up-to-date:
letsencrypt-0.5-15
dehydrated-0.6.5-1


Till now I have tried this:
Code:
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile

signal-event console-save
reboot

config setprop letsencrypt status test
signal-event console-save

dehydrated -c

and this:
https://forums.contribs.org/index.php/topic,54460.msg285207.html#msg285207


But it does not work.

Can somebody point me in the right direction?
Thank you for your help

Martin



« Last Edit: June 03, 2021, 03:45:49 PM by waldviertler »

Offline mmccarn

« Reply #1 on: June 03, 2021, 11:52:15 AM »
I found this post on the TurnKey Linux site saying you need to update the 'LICENSE' declaration in your configuration:
https://www.turnkeylinux.org/forum/support/fri-20171124-1958/dehydrated-out-date

[caveat]
I have no idea if this is relevant or useful...

Offline mmccarn

« Reply #2 on: June 03, 2021, 12:10:42 PM »
I found the other post from last October in the Internet Archive Wayback Machine:
https://web.archive.org/web/20201019153926/https://forums.contribs.org/index.php/topic,54276.0.html

(again... I have no idea if this is useful...)

Quote from: Stefano
you just need to delete some props:

Code:
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile


then a signal-event post upgrade, a reboot and you're done

Online Jean-Philippe Pialasse

« Reply #3 on: June 03, 2021, 02:44:08 PM »
I see you play manually with the configuration file.
You had really better use the contrib and the key property to change that.

Normally the key registered for v1 will be automatically converted to v2, but you need to update to the last dehydrated version available for CentOS 6 / SME 9,

and ... you have to update to SME 10 ASAP.

Offline waldviertler

« Reply #4 on: June 03, 2021, 03:59:17 PM »
Thank you for your time.

I hope I have found the reason.
It looks like I have two versions of dehydrated on the server.
One in /usr/local/bin
and
one in
/usr/bin

and each time I called
Code:
dehydrated -c
the version from /usr/local/bin is used.
Also the cron.daily for dehydrated uses this path.

But I read here somewhere to call dehydrated only from the root folder with
Code:
cd
/usr/bin/dehydrated

And I think it is working now.



« Last Edit: June 03, 2021, 08:07:30 PM by waldviertler »
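
The situation described in Reply #4, two copies of dehydrated with the one in /usr/local/bin taking precedence, can be checked with a short script. This is an added example, not part of the original thread or of the SME Server contrib; the function names are hypothetical, and the `acme-v0N` text match is a heuristic that assumes dehydrated is a plain shell script.

```shell
#!/bin/sh
# Added example: constructed helper, not part of the SME Server contrib.

# Print every executable named $1 found on the PATH-style list $2
# (default: $PATH), in lookup order. The first line is what the shell runs.
find_copies() {
    name=$1; search=${2:-$PATH}; seen=""
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.                            # empty entry = cwd
        case ":$seen:" in *":$dir:"*) continue ;; esac    # directory listed twice
        seen="$seen:$dir"
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Succeed when more than one copy exists, i.e. one copy shadows another.
is_shadowed() {
    count=$(find_copies "$1" "${2:-$PATH}" | wc -l)
    [ "$((count))" -gt 1 ]
}

# Heuristic (assumption): dehydrated is a shell script, so the ACME directory
# host it defaults to appears as plain text inside the file.
ca_hint() {
    grep -o 'acme-v0[0-9]' "$1" | sort -u | paste -sd, -
}

# One line per copy: ACTIVE for the one that runs, shadowed for the rest.
report() {
    find_copies "$1" "${2:-$PATH}" | {
        n=0
        while IFS= read -r f; do
            n=$((n + 1))
            if [ "$n" -eq 1 ]; then tag=ACTIVE; else tag=shadowed; fi
            printf '%-8s %s  [%s]\n' "$tag" "$f" "$(ca_hint "$f")"
        done
    }
}

report "${1:-dehydrated}"
```

Cron jobs and interactive shells can have different PATH values, so run the check with the PATH each of them actually uses.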

Offline ReetP

« Reply #5 on: June 03, 2021, 10:31:06 PM »
Clean up your server.... !!
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Online Jean-Philippe Pialasse

« Reply #6 on: June 04, 2021, 05:58:59 AM »
Clean up your server.... !!
then migrate :)