Univention Bugzilla – Bug 50976
Traceback "ValueError: Error getting challenges:" generating letsencrypt certificate if "test" option is enabled
Last modified: 2021-04-20 13:13:09 CEST
Fresh UCS-Installation:
version/version: 4.4
version/patchlevel: 3
version/erratalevel: 499

root@ms:~# /usr/share/univention-letsencrypt/refresh-cert-cron
Mi 18. Mär 22:42:38 CET 2020
Refreshing certificate for following domains:
mvp.ucs-schule.de
Parsing account key...
Parsing CSR...
Found domains: mvp.ucs-schule.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 125, in get_crt
    authorization, _, _ = _do_request(auth_url, err_msg="Error getting challenges")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting challenges:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44414335
Data: None
Response Code: 405
Response: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
Setting letsencrypt/status

Mar 18 22:40:59 ms systemd[1]: Starting The Apache HTTP Server...
Mar 18 22:40:59 ms apachectl[55619]: AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/univention-letsencrypt.conf:
Mar 18 22:40:59 ms apachectl[55619]: SSLCertificateFile: file '/etc/univention/letsencrypt/signed_chain.crt' does not exist or is empty
Mar 18 22:40:59 ms apachectl[55619]: Action 'start' failed.
Mar 18 22:40:59 ms apachectl[55619]: The Apache error log may have more information.
Workaround:
a2dissite univention-letsencrypt.conf
service apache2 restart
Related to Bug #50614
After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
A fix would still have saved me a lot of nerves and time.
(In reply to Michel Smidt from comment #1)
> Related to Bug #50614
> After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
> A fix would still have saved me a lot of nerves and time.

The checkbox is deactivated by default, why was it activated?
*** Bug 50614 has been marked as a duplicate of this bug. ***
See also:
https://community.letsencrypt.org/t/method-not-allowed-error-in-staging-environment/108194
https://community.letsencrypt.org/t/acme-breaking-change-most-gets-become-posts/71025
(In reply to Ingo Steuwer from comment #2)
> (In reply to Michel Smidt from comment #1)
> > Related to Bug #50614
> > After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
> > A fix would still have saved me a lot of nerves and time.
>
> The checkbox is deactivated by default, why was it activated?

Because I wanted to test it first.
(In reply to Ingo Steuwer from comment #2)
> (In reply to Michel Smidt from comment #1)
> > Related to Bug #50614
> > After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
> > A fix would still have saved me a lot of nerves and time.
>
> The checkbox is deactivated by default, why was it activated?

The letsencrypt API has a very strict rate limit for requesting certificates:
https://letsencrypt.org/de/docs/rate-limits/

These limits are sometimes quickly reached during testing if, for example, reverse proxies do not allow access during the ACME challenge. Depending on the limit, the blocking period may even be a week, so you definitely want to test your setup with the checkbox activated before the final certificate is issued.

We should also look into finding a usability friendly way to have the checkbox enabled by default to spare the limit, but also give inexperienced users the ability to immediately see that the setup is set up correctly and they now need to uncheck the checkbox for everything to work. Write a setup wizard?
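
The failure in the report (a request sent with `Data: None` and answered with 405 by the staging server) and the rate-limit case raised in the last comment can be told apart mechanically from the error text `acme_tiny.py` prints. The following is an added example, not part of this bug thread or of univention-letsencrypt: the function names and result labels are assumptions, and the `rateLimited` error type is taken from RFC 8555, not from this page.

```python
import json
import re

# The error text from the report above, line breaks restored.
SAMPLE = """ValueError: Error getting challenges:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44414335
Data: None
Response Code: 405
Response: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
Setting letsencrypt/status"""

# Mirrors the message format visible in the traceback:
#   "{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}"
# \s+ is used instead of \n so single-line (flattened) log captures parse too.
_FIELDS = re.compile(
    r"ValueError: (?P<msg>[^\n]*?):\s*Url: (?P<url>\S+)\s+Data: (?P<data>.*?)"
    r"\s+Response Code: (?P<code>\d+)\s+Response:\s*",
    re.DOTALL,
)


def parse_acme_tiny_error(text):
    """Return the fields of the ValueError message as a dict, or None."""
    m = _FIELDS.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"])
    try:
        # raw_decode stops at the end of the JSON body, ignoring trailing log text.
        fields["problem"], _ = json.JSONDecoder().raw_decode(text, m.end())
    except ValueError:
        fields["problem"] = None  # body was not JSON
    return fields


def diagnose(fields):
    """Label the failure (labels are hypothetical, chosen for this example)."""
    problem = fields["problem"] if isinstance(fields["problem"], dict) else {}
    if fields["data"] == "None" and fields["code"] == 405:
        # No request body was sent and the server refused the method.
        return "bodyless-request-rejected"
    if str(problem.get("type", "")).endswith(":rateLimited"):
        return "rate-limited"
    return "other"
```

Feeding it the captured output of `refresh-cert-cron` separates a client that needs updating for the changed request method from a setup that has exhausted its issuance quota.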