Dan Frantz

I went through each solution to make my LAMP server work. I got all the errors listed and no cert for the domain. This is a new install of 15.1 LAMP, just downloaded.

My last error was after I updated to dehydrated_0.6.5. It appeared to install correctly.

 + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-acct (Status 400)

Details:
HTTP/2 400 
server: nginx
date: Mon, 28 Oct 2019 18:29:45 GMT
content-type: application/problem+json
content-length: 134
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001Fk1cV3kBRsb47W6qjKNm4swQvN0Yj7meXGlIGUerRmo

{
  "type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key",
  "status": 400
}

[2019-10-28 18:29:45] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 18:29:45] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 18:29:45] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.

Not much going right today. I need it to work here first before I go to my servers with about 20 websites. The errors below were my other attempts.


  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:14:09] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:14:09] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:14:09] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:16:43] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:16:43] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:16:44] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:45:18] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:45:18] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:45:18] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow registrations.
[2019-10-28 15:53:06] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:53:06] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:53:06] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 15:57:10] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:57:10] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:57:10] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 16:22:57] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 16:22:57] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 16:22:57] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 16:35:49] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 16:35:49] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 16:35:49] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 17:17:30] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 17:17:30] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 17:17:30] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 17:17:39] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 17:17:39] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 17:17:39] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.

Jeremy Davis

I'm guessing that the spam filter ate the body of your post. I've just manually updated your account so that it can bypass the bulk of the spam filters now.

I'm guessing you were posting to say that you are struggling to get Let's Encrypt certificates via our Confconsole Let's Encrypt integration. As you are possibly aware, some recent Let's Encrypt changes have broken things.

Most of the issues should be resolved if you follow the instructions in the top post of this issue on GitHub. Although unfortunately, even with those steps in place, if you are using a number of domains, there is still a chance that you're hitting this issue.

FWIW, I did start having a hack on it over the weekend and have the basis of a workaround. Unfortunately, I haven't yet completed it and it still requires integration with the hook script and a write up to make it easy for users to apply.

If anyone (including you) is willing and able to have a look at my code and give it a test drive, that would be awesome! I'll comment on the other thread to encourage the guys who have posted there to have a look at this thread.

To give a bit more context, I have developed a new script (add-water-ctl) to control add-water (the mini-server that we use to serve the challenges). I have tested that independently and it seems to be much more reliable.

I have also done a bit of adjustment to our dehydrated-wrapper to accommodate the new add-water-ctl script (which I haven't tested so well). What still remains is tweaking the dehydrated hook script to leverage the changes that have been made. And then obviously the whole thing needs testing...

I hope to have something completed and tested as soon as possible, but unfortunately, I can't give you a hard timeframe. If anyone has the skills and the patience and is able to have a look (and update the hook script and do some testing), then I would be eternally grateful! FWIW, to test it out, I suggest testing against the staging server (so you don't get blocked by the "proper" server if it still isn't working quite right).

Dan Frantz

So I built a LAMP server to test the Let's Encrypt / dehydrated solutions you presented. For me, they all failed. I have been doing IT for 40 years and I thought I followed your instructions fairly closely. But I do have bad days.

I have a couple of WordPress servers with 10 websites on each, so I need to see a solution that works here. Just for info, these are blogs and info sites for the most part and are not critical. All my customer websites are elsewhere.

Here is my whole confconsole log since install

[2019-10-28 15:14:04] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.config not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.config
[2019-10-28 15:14:05] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.hook.sh not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.hook.sh
[2019-10-28 15:14:05] dehydrated-wrapper: WARNING: /etc/cron.daily/confconsole-dehydrated not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.cron
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:14:09] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:14:09] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:14:09] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:16:43] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:16:43] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:16:44] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:45:18] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:45:18] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:45:18] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow registrations.
[2019-10-28 15:53:06] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:53:06] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:53:06] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 15:57:10] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:57:10] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 15:57:10] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 16:22:57] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 16:22:57] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 16:22:57] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 16:35:49] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 16:35:49] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 16:35:49] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 17:17:30] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 17:17:30] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 17:17:30] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 17:17:39] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 17:17:39] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 17:17:39] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-acct (Status 400)

Details:
HTTP/2 400 
server: nginx
date: Mon, 28 Oct 2019 18:29:45 GMT
content-type: application/problem+json
content-length: 134
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001Fk1cV3kBRsb47W6qjKNm4swQvN0Yj7meXGlIGUerRmo

{
  "type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key",
  "status": 400
}

[2019-10-28 18:29:45] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 18:29:45] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
[2019-10-28 18:29:45] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.

I am moving to set up another server for testing purposes using WordPress, since LAMP appears to use Nginx.

As I said no worries and I will watch your efforts.

Daniel Frantz
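As an added example (not code from the thread, from Confconsole or from dehydrated), here is a small POSIX shell/awk summary of a dehydrated-wrapper log like the one pasted above. Across many retries and many sites the raw log is mostly repetition; this collapses it into one line per failure reason with a count and the timestamp of the last wrapper FATAL exit that followed it, which is what you want to know before deciding whether you are looking at a client bug, a stale account, or a rate limit. The sample log inside it is constructed from the patterns in the post above, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the thread or of Confconsole/dehydrated.
# Summarises a dehydrated-wrapper log: one line per failure reason with a count
# and the timestamp of the last "dehydrated-wrapper: FATAL:" exit after it.
# For HTTP failures the ACME problem document's "type" URN is the reason (the
# generic "+ ERROR: ... post-request" line is deliberately skipped); plain
# "ERROR: ..." lines from the client are used verbatim.

summarize_acme_errors() {
    awk '
        # ACME problem document: take the URN from the "type" field.
        /"type": *"/ {
            t = $0; sub(/.*"type": *"/, "", t); sub(/".*/, "", t)
            n[t]++; pending[t] = 1
        }
        # Single-line failures reported by the client itself.
        /^ *ERROR: / {
            t = $0; sub(/^ *ERROR: /, "", t)
            n[t]++; pending[t] = 1
        }
        # A wrapper FATAL line closes one attempt: stamp every reason seen since the last one.
        /dehydrated-wrapper: FATAL:/ {
            ts = $0; sub(/^\[/, "", ts); sub(/\].*/, "", ts)
            fatal++
            for (k in pending) last[k] = ts
            split("", pending)   # portable way to clear an awk array
        }
        END {
            for (k in n) printf "%s\t%d\t%s\n", k, n[k], (k in last) ? last[k] : "-"
            printf "FATAL\t%d\t%s\n", fatal + 0, fatal ? ts : "-"
        }
    ' | LC_ALL=C sort
}

# Constructed sample modelled on the log in the post above (not a real capture).
sample_log() {
    cat <<'EOF'
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

[2019-10-28 15:14:09] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2019-10-28 15:14:09] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert & key.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 15:57:10] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
ERROR: Certificate authority doesn't allow certificate signing
[2019-10-28 16:22:57] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-acct (Status 400)

Details:
{
  "type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key",
  "status": 400
}

[2019-10-28 18:29:45] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
EOF
}

# Usage: sh acme-log-summary.sh /path/to/dehydrated-wrapper.log
# With no argument the constructed sample above is summarised instead.
if [ $# -eq 1 ]; then
    summarize_acme_errors < "$1"
else
    sample_log | summarize_acme_errors
fi
```

Each output line is reason, count and last FATAL timestamp separated by tabs, so the result can be fed straight into sort or cut; reading from a file rather than a pipe is the only change needed to run it over the real Confconsole log.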

Jeremy Davis

I've just done a quick bit of googling and from a response to an issue noted on Dehydrated's issue tracker (see the second paragraph) and a thread on the Let's Encrypt support forums I suspect that the 400 error is because you've hit the Let's Encrypt rate limit.

Although, actually, having a closer look at your logs, I note the "detail":

No account exists with the provided key

That might suggest that at some point along the line, Dehydrated thinks that it successfully registered a Let's Encrypt account (as part of the process), but for some reason that account isn't actually valid.

If that's the case, unfortunately, I'm not completely sure. But perhaps you could try moving the Dehydrated data directory out? And starting again. E.g. try this:

mv /var/lib/dehydrated /var/lib/dehydrated.bak

Then try again.

Also, while you are testing, it's probably worth noting that to avoid the risk of getting rate limited (or at least to confirm that it's all working otherwise and isn't a rate limit issue), it's worth trying the Let's Encrypt staging environment. That won't give you a legitimate certificate, but it will allow you to test your config. You'll find notes about using the staging env with Dehydrated here.

As something of an aside, since the update to a newer version of Dehydrated, another new issue has been occurring for some users (only those with multiple domains, so this may well apply to you). There has been a possible workaround reported but it's untested by us so I can't confirm it. I did start working on a possible fix, but it's a bit dirty and I suspect may well just kick the can down the road a bit. I had some extensive discussions with one of our developers yesterday (who contributed some code to our initial integration, although wasn't responsible for the whole setup; much of that was me). He did start having a look at it and was able to reliably reproduce the issue (which is always a good start to ensuring that a fix is working). He is looking into a much better approach than what I was intending, but I haven't heard anything back yet, so I'm not sure where that's up to. Regardless, I suspect that there likely won't be anything solid on that until next week at the absolute earliest.

A couple more things to note:

Firstly, re your comment:

I am moving to setup another server for testing purpose using wordpress since Lamp appears to use Nginx.

Not sure what led you to that conclusion, but our LAMP appliance (as well as WordPress and about 70% of the library) uses Apache to provide the webserving (and shouldn't even have Nginx installed). A few appliances that include software which is essentially self hosting use Nginx as a front end reverse proxy. And a few other appliances that don't primarily use HTTP have super simple static html pages (i.e. not PHP apps) served by Nginx (or LigHTTPd). I'm almost certain that currently, the only appliance that uses Nginx to serve PHP is our specific Nginx appliance.

So either the appliance has been mislabelled (unlikely I'd hope - but possible I guess), something else has occurred that I'm unaware of, or you are possibly confused?!

Either way, I'd be really interested to understand what led you to thinking that LAMP includes Nginx.

Final thing is that if you need Let's Encrypt up and running ASAP and continue to have issues, then it might be worth considering an alternate approach. As you've likely gathered by now, we leverage Dehydrated, so you could use that independently of our setup (i.e. without our wrapper script and with your own config file and hook script). Or alternatively, go with a completely alternate client (e.g. the "official" Let's Encrypt client; "certbot" - it's in the Debian repos and there is an Apache integration also packaged - although I haven't tested it).

FWIW our setup uses a separate mini-server to serve the challenges so the same client and config will work with any of our appliances (or at least that's the intention and how it was working up until a few weeks ago).

I haven't had any experience with anything other than our default setup, but please feel free to ask if you have any questions or issues as I do have intimate knowledge of TurnKey, plus pretty good general knowledge of Debian and Linux more broadly.

Jeremy Davis

I've just published Confconsole v1.1.1. It's not yet available from our repos (although will be soon) and still requires some specific steps to install and set up on a v15.x server (although better than instructions published previously).

Please note that users who have already updated via various other means are still recommended to install this update as it includes reliability fixes for add-water; our custom challenge mini-server. Please see the release notes for full step by step setup and further info - instructions cover both new and existing users.

Any issues, please ask. Any feedback (e.g. anything that isn't clear, etc.)? Please ask.

Jeremy Davis

It's been brought to my attention that after installing the v1.1.1 Confconsole update, the add-water service is being inadvertently enabled. That means that on reboot, it will start up and will likely block Apache (or other webserver) from starting!

The fix is easy:

systemctl disable add-water

Please note that on any server where you have already run the v1.1.1 update, you need to apply the above line and there is no value in updating to the newer package. For any new servers you launch though (or for anyone else who hasn't applied any fixes and stumbles across this thread), the newer v1.1.2 release resolves this issue (it's exactly the same as v1.1.1, but doesn't auto enable the add-water service on install).
