New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/crypto/acme/autocert: seems broken #44894
Comments
Please replace me with someone else in the owners. I have long moved on to other projects. Sorry. |
I rolled back to a previous codebase that I had used without issue previously and pulled/used the old packages in the module since those servers were and are running just fine. golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443 Now I get this error, so it obviously is something that has changed on the letsencrypt side and the library does not correctly support v2 and provides no challenges or something like that. 2021/03/10 04:00:45 http: TLS handshake error from x.x.x.x:55718: 403 urn:acme:error:unauthorized: Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430) |
From LetsEncrypt: ACME v1 (Deprecated) https://letsencrypt.org/docs/acme-protocol-updates/ Perhaps this helps the authors and maintainers. So if you have an old cert, it will still work and renew as long as do you not need a new label OR you have a wildcard cert. If you need a new cart for a new domain, then this is broken. The only simple work around is using certbot, or similar, which of course means you have to let it bind to port 80, so if you are using 80, then you have to take your server down if your program redirects 80 or mirrors 80, which is of course what I do. Or you have to do a dns challenge, which I can't easily do. This library was marvelous, reverting back to certbot feels so clunky. |
resolved: |
Sorry if this is OT, but leaving breadcrumb for others: HTTP should be unnecessary. In my case I got |
Does this issue reproduce with the latest release?
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
opened port 80/443 and even turned the firewall off for good measure as well
tried this same build using go 15, 15.8, and 16 and on CentOS7, 8, 8 Stream, Arch, Ubunto images
GOOS=linux go build https-test.go
then scp https-test file to remote server, log in and:
ENV={some fqdn here} ./https
What did you expect to see?
I expect to be able to connect the the server via HTTPS and not get errors.
What did you see instead?
Note: obviously I do not own example.com, stick in whatever you own, I replaced the results with that and replaced my ip with x.x.x.x.
I have used six different domains and tried to get certs for new one.
Port 80/443 are both open on the server.
curl -X GET https://example.com/x/endpoint
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
2021/03/09 20:40:22 http: TLS handshake error from x.x.x.x:57856: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11437819518" for domain "example.com": no viable challenge type found
This ACME show update 18 days ago, was/is that the source problem?
The text was updated successfully, but these errors were encountered: