
[Bug] Bug in the v-add-letsencrypt-domain command when updating a Let's Encrypt certificate #2301

Open
pdapnz opened this issue Apr 18, 2024 · 0 comments

pdapnz commented Apr 18, 2024

Operating System (OS/VERSION):

CentOS 7.7.1908 (x86_64)

VestaCP Version:

Vesta core package version: 1.0.0 (x86_64) Release: 6

Bug description

During the attempt to reissue a Let's Encrypt certificate, a problem was detected at step 5 for one specific domain, with the error "Let's Encrypt validation status" and an empty status code in /var/log/vesta/letsencrypt.log. It is noteworthy that all other domains received and renewed the certificate without any problems.

[Wed Apr 17 15:39:27 MSK 2024] : --- Requesting authorization token / STEP 3 ---
[Wed Apr 17 15:39:27 MSK 2024] : for auth=https://acme-v02.api.letsencrypt.org/acme/authz-v3/337375828147
[Wed Apr 17 15:39:27 MSK 2024] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/authz-v3/337375828147" "" "V_63_Dn51CMbbU7GPsLk4pSrz99MjMv7fG03UgeFC_BnFfN_kKI"
[Wed Apr 17 15:39:28 MSK 2024] : answer={
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "pending",
  "expires": "2024-04-18T23:15:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA",
      "token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/todILA",
      "token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/B0HRHQ",
      "token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
    }
  ]
}HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Apr 2024 12:39:28 GMT
Content-Type: application/json
Content-Length: 804
Connection: keep-alive
Boulder-Requester: 74685147
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: fYM0lmBiMw3WyEtWZJ5EcuaOSB6R_3JwjC_p0fd0wTPgdZz1ZJg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

[Wed Apr 17 15:39:28 MSK 2024] : url=https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA
fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg
[Wed Apr 17 15:39:28 MSK 2024] : token=fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg
[Wed Apr 17 15:39:28 MSK 2024] : nonce=fYM0lmBiMw3WyEtWZJ5EcuaOSB6R_3JwjC_p0fd0wTPgdZz1ZJg
[Wed Apr 17 15:39:28 MSK 2024] : status=200
[Wed Apr 17 15:39:28 MSK 2024] : --- Configuring challenge / STEP 4 ---
[Wed Apr 17 15:39:28 MSK 2024] : wildcard=
[Wed Apr 17 15:39:28 MSK 2024] : in /home/admin/conf/web/nginx.sub.domain.com.conf_letsencrypt we put: PU4DHGjQlkitKnqD52wspfaa2Dum_TBokajulcXzsx8
[Wed Apr 17 15:39:28 MSK 2024] : v-restart-proxy
[Wed Apr 17 15:39:28 MSK 2024] : --- Requesting ACME validation / STEP 5 ---
[Wed Apr 17 15:39:28 MSK 2024] : validation_check=
[Wed Apr 17 15:39:28 MSK 2024] : - Doing pol check on status
[Wed Apr 17 15:39:28 MSK 2024] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA
fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg" "{}" "fYM0lmBiMw3WyEtWZJ5EcuaOSB6R_3JwjC_p0fd0wTPgdZz1ZJg"
[Wed Apr 17 15:39:28 MSK 2024] : answer=
[Wed Apr 17 15:39:28 MSK 2024] : validation=
[Wed Apr 17 15:39:28 MSK 2024] : nonce=
[Wed Apr 17 15:39:28 MSK 2024] : status=
[Wed Apr 17 15:39:28 MSK 2024] : EXIT=Let's Encrypt validation status 

As you can see, after parsing the URL from the JSON response in step 4, an incorrect URL containing a line break and a piece of the token from the "token" field is passed to step 5:

    "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA
    fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"

but it should be like this:

    "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA"


After researching and running the commands from the v-add-letsencrypt-domain file line by line, it turned out that the problem lies in this line:

    url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")

The grep url reacts to the combination of the characters "url" inside the token and does not correctly extract the URL value from the JSON.

To fix this problem, you need to add quotes on line 172 so that the line looks like this:

    url=$(echo "$answer" |grep -A3 $proto |grep '"url"' |cut -f 4 -d \")
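To make the mismatch concrete, here is an added shell example (not code from the vesta project) that runs the original extraction line and the quoted-key fix side by side over a sample authorization response. The sample JSON is built from the response quoted in this report; the function names extract_url_fragile, extract_url_fixed and count_lines are chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the vesta project: reproduces the "grep url"
# mismatch reported above and shows the quoted-key fix next to it.

# Sample ACME authorization response, built from the one quoted in the report.
# The challenge token deliberately contains the substring "url" ("...SurlQB8...").
answer='{
  "identifier": { "type": "dns", "value": "sub.domain.com" },
  "status": "pending",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA",
      "token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/todILA",
      "token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
    }
  ]
}'

# Original extraction from v-add-letsencrypt-domain: "grep url" matches every
# line containing the substring url, so the token line is picked up as well.
# $1 = JSON answer, $2 = challenge type (e.g. http-01)
extract_url_fragile() {
    printf '%s\n' "$1" | grep -A3 "$2" | grep url | cut -f 4 -d \"
}

# Fixed extraction: match the quoted JSON key "url", so only the url field
# line qualifies and the token line is ignored.
extract_url_fixed() {
    printf '%s\n' "$1" | grep -A3 "$2" | grep '"url"' | cut -f 4 -d \"
}

# Number of lines an extraction produced; a correct URL is exactly one line.
count_lines() {
    printf '%s\n' "$1" | grep -c ''
}

main() {
    fragile=$(extract_url_fragile "$answer" http-01)
    fixed=$(extract_url_fixed "$answer" http-01)
    echo "fragile extraction ($(count_lines "$fragile") line(s)):"
    echo "$fragile"
    echo "fixed extraction ($(count_lines "$fixed") line(s)):"
    echo "$fixed"
}
main
```

Running the script prints two lines for the original extraction (the URL followed by the token, exactly the broken value seen in the step 5 log above) and a single URL for the fixed one. Anchoring the grep to the quoted key works because the field name is always emitted as "url" by the ACME server, whereas a bare substring can appear anywhere in a random token; a JSON-aware parser would be more robust still, but the quoted key is the minimal change to the existing pipeline.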
pdapnz added a commit to pdapnz/vesta that referenced this issue Apr 18, 2024