Let's encrypt new cert issue no longer working

Like described here:

can somebody confirm?
Renew existing certs works fine…

Maybe related to the fact that letsencrypt disabled one of the methods to register a certificate because it could be abused in some hosting scenarios:
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996


You are absolutely correct.

You have to call acme.sh with --standalone instead of --tls and open port 80 instead of 443. Then it works perfectly. May somebody fix this howto:

Changes:

Add file add80.gw

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '<TURRIS_IP>'
        option dest_port '80'
        option name 'Turris Lets encrypt'

Modify file get_acme.sh

#!/bin/bash
VER=1.1.0

# Backup firewall config
cp /etc/config/firewall /etc/config/firewall~
# Update firewall rules to remove any forward of port 80 on WAN (temporary port is 64436)
sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(80)'(.*)$/\1\2\3\4\5'64436'\7/" /etc/config/firewall~ > /etc/config/firewall
# Update firewall rules to allow access via port 80 from internet to acme.sh
# (add80.gw is expected in the current directory, next to acme.sh)
cat add80.gw >> /etc/config/firewall
/etc/init.d/firewall reload

# Stop lighttpd as acme.sh is starting its own daemon on port 80
/etc/init.d/lighttpd stop

# Trigger request to Let's Encrypt (and ensure to have the directory)
mkdir -p /etc/lighttpd/certs
./acme.sh --issue --standalone -d <DOMAIN> --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs

# Prepare the certificates for lighttpd
./acme.sh --install-cert -d <DOMAIN> --certhome /etc/lighttpd/certs --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key --fullchain-file /etc/lighttpd/fullchain.crt --reloadcmd "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem"

# Start lighttpd again
/etc/init.d/lighttpd start

# Restore firewall to original state
mv /etc/config/firewall~ /etc/config/firewall
/etc/init.d/firewall reload
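The firewall rewrite above is the step most worth checking before it touches a live router: the sed must move only rules that are exactly on WAN port 80, and the temporary port 64436 must not already be in use, or the restore step cannot tell the two rules apart. This added example (not part of the original post) runs the same substitution against a constructed UCI config and performs both checks; it assumes GNU sed/grep (`-r`, `\s`), as the how-to's own sed does.

```shell
#!/bin/sh
# Added example: exercise the port-80 remap that get_acme.sh applies to
# /etc/config/firewall on a constructed sample, plus two safety checks.
TMP_PORT=64436

# Same substitution as the how-to: only a src_dport that is exactly '80'
# is moved to the temporary port; '8080', '443' and dest_port lines stay.
remap_port80() {
    sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(80)'(.*)$/\1\2\3\4\5'${TMP_PORT}'\7/" "$1"
}

# Number of rules still on WAN port 80 after the remap; must be 0 before
# add80.gw is appended, otherwise two DNAT rules compete for the port.
count_wan80() {
    grep -cE "^\s*option\s+src_dport\s+'80'" "$1" || true
}

# Succeeds only if no rule already uses the temporary port.
tmp_port_free() {
    ! grep -qE "^\s*option\s+src_dport\s+'${TMP_PORT}'" "$1"
}

# Constructed sample config (not a real router's file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '80'
	option dest_port '80'
	option dest_ip '192.0.2.10'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '8080'
	option dest_port '80'
	option dest_ip '192.0.2.11'
EOF

if tmp_port_free "$SAMPLE"; then
    remap_port80 "$SAMPLE" > "$SAMPLE.new"
    echo "rules still on WAN port 80 after remap: $(count_wan80 "$SAMPLE.new")"
else
    echo "port $TMP_PORT already in use, choose another temporary port" >&2
fi
rm -f "$SAMPLE" "$SAMPLE.new"
```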

That is not completely correct. It was only disabled for issuance of new certificates. Renewal is - for now - still possible (please refer to https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811: "Renewals will continue to work with TLS-SNI, so if you only need to renew certificates, you don't need to take any immediate action, but you should continue to keep your ACME client software up-to-date.")
But update of how-to should for sure be done.

Noted. Give me some time to investigate and update.

Edit: It will take some time. It requires small changes in the whole guide because the standalone vs. TLS methods use different ports.

OK, the guide is updated.

It is based on information provided by Let's Encrypt and tests against the staging server. I did not change my certificates for real.

Notes:

  • download the newest acme.sh; with the old one, issuance did not work for me for an unknown reason
  • DO NOT change your renewal procedure unless you generate a completely new certificate with the new method; right now renewal works with TLS-SNI