Bug 50976 - Traceback "ValueError: Error getting challenges:" generating letsencrypt certificate if "test" option is enabled
Status: NEW
Product: UCS
Classification: Unclassified
Component: Let's Encrypt
UCS 4.4
Hardware/OS: Other / Mac OS X 10.1
Priority/Severity: P5 normal
Assigned To: UCS maintainers
Duplicates: 50614
Reported: 2020-03-18 22:52 CET by Michel Smidt
Modified: 2021-04-20 13:13 CEST (History)

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Description Michel Smidt 2020-03-18 22:52:08 CET
Fresh UCS installation:
version/version: 4.4
version/patchlevel: 3
version/erratalevel: 499


root@ms:~# /usr/share/univention-letsencrypt/refresh-cert-cron
Mi 18. Mär 22:42:38 CET 2020
Refreshing certificate for following domains:
mvp.ucs-schule.de
Parsing account key...
Parsing CSR...
Found domains: mvp.ucs-schule.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 125, in get_crt
    authorization, _, _ = _do_request(auth_url, err_msg="Error getting challenges")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting challenges:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44414335
Data: None
Response Code: 405
Response: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
Setting letsencrypt/status



Mar 18 22:40:59 ms systemd[1]: Starting The Apache HTTP Server...
Mar 18 22:40:59 ms apachectl[55619]: AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/univention-letsencrypt.conf:
Mar 18 22:40:59 ms apachectl[55619]: SSLCertificateFile: file '/etc/univention/letsencrypt/signed_chain.crt' does not exist or is empty
Mar 18 22:40:59 ms apachectl[55619]: Action 'start' failed.
Mar 18 22:40:59 ms apachectl[55619]: The Apache error log may have more information.


Workaround:
a2dissite univention-letsencrypt.conf
service apache2 restart
Comment 1 Michel Smidt 2020-03-18 23:16:27 CET
Related to Bug #50614
After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
A fix would still have saved me a lot of nerves and time.
Comment 2 Ingo Steuwer univentionstaff 2020-03-19 08:53:33 CET
(In reply to Michel Smidt from comment #1)
> Related to Bug #50614
> After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
> A fix would still have saved me a lot of nerves and time.

The checkbox is deactivated by default, why was it activated?
Comment 3 Erik Damrose univentionstaff 2020-03-19 09:13:39 CET
*** Bug 50614 has been marked as a duplicate of this bug. ***
Comment 5 Michel Smidt 2020-03-19 10:00:31 CET
(In reply to Ingo Steuwer from comment #2)
> (In reply to Michel Smidt from comment #1)
> > Related to Bug #50614
> > After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
> > A fix would still have saved me a lot of nerves and time.
> 
> The checkbox is deactivated by default, why was it activated?

Because I wanted to test it first.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2021-04-20 13:13:09 CEST
(In reply to Ingo Steuwer from comment #2)
> (In reply to Michel Smidt from comment #1)
> > Related to Bug #50614
> > After deactivating checkbox "dry-run/with test-CA" it worked like a charm.
> > A fix would still have saved me a lot of nerves and time.
> 
> The checkbox is deactivated by default, why was it activated?

The letsencrypt API has a very strict rate limit for requesting certificates:
https://letsencrypt.org/de/docs/rate-limits/

These limits are sometimes quickly reached during testing if, for example, reverse proxies do not allow access during the ACME challenge. Depending on the limit, the blocking period may even be a week, so you definitely want to test your setup with the checkbox activated before the final certificate is issued.

We should also look into finding a usability friendly way to have the checkbox enabled by default to spare the limit, but also give inexperienced users the ability to immediately see that the setup is set up correctly and they now need to uncheck the checkbox for everything to work.
Write a setup wizard?
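A small triage helper, added here as an example and not code from univention-letsencrypt or acme_tiny: it parses the ACME problem document (RFC 8555 section 6.7) that the traceback in the description shows and decides whether a retry makes sense. The 405 "malformed" response from the staging authz URL is refused deterministically for an identical request, so re-running the cron job cannot help; a rateLimited response, the case Sönke's comment warns about, is the one worth waiting out. The function names, the rate-limit sample body and its Retry-After value are constructed assumptions; only the first sample is reconstructed from the traceback above.

```python
"""Triage an ACME error response before retrying.

Added example for this bug thread, not code from univention-letsencrypt or
acme_tiny. The functions and the sample responses below are mine; the first
sample is reconstructed from the traceback in the description, the second is
a constructed rate-limit response of the kind the last comment warns about.
"""
import json

# RFC 8555 section 6.7 error types that a client may sensibly retry later.
# Everything else (malformed, unauthorized, ...) reflects a client-side
# problem that will recur on an identical request.
RETRYABLE_TYPES = {
    "urn:ietf:params:acme:error:rateLimited",
    "urn:ietf:params:acme:error:serverInternal",
}


def parse_retry_after(headers):
    """Return the Retry-After delay in seconds, or None if absent/unparseable.
    Only the delta-seconds form is handled; HTTP-date values yield None."""
    if not headers:
        return None
    for name, value in headers.items():
        if name.lower() == "retry-after":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def triage_acme_response(status, body, headers=None):
    """Classify an ACME HTTP response.

    Returns a dict with:
      action      'ok' (2xx), 'retry' (rate limit or server error) or
                  'stop' (do not repeat the request; fix the client first)
      type        the ACME problem type URN, if the body is a problem document
      detail      the human-readable detail from the problem document
      retry_after seconds to wait before retrying, if the server said so
    """
    result = {"action": "stop", "type": None, "detail": None, "retry_after": None}
    if 200 <= status < 300:
        result["action"] = "ok"
        return result

    try:
        problem = json.loads(body) if body else {}
    except ValueError:
        # Not a problem document (e.g. an HTML error page from a proxy).
        result["detail"] = "non-JSON error body"
        return result

    result["type"] = problem.get("type")
    result["detail"] = problem.get("detail")

    if result["type"] in RETRYABLE_TYPES:
        result["action"] = "retry"
        result["retry_after"] = parse_retry_after(headers)
    elif status == 405:
        # The server refuses the HTTP method used for this URL. Repeating the
        # same request cannot succeed, so stop and fix the client instead.
        result["detail"] = "{} (HTTP 405: server refuses this method)".format(result["detail"])
    return result


# Reconstructed from the traceback in the bug description.
STAGING_405_BODY = json.dumps({
    "type": "urn:ietf:params:acme:error:malformed",
    "detail": "Method not allowed",
    "status": 405,
})

# Constructed example of a rate-limit response (not taken from the page).
RATE_LIMIT_BODY = json.dumps({
    "type": "urn:ietf:params:acme:error:rateLimited",
    "detail": "too many certificates already issued for exact set of domains",
    "status": 429,
})
RATE_LIMIT_HEADERS = {"Retry-After": "604800"}  # one week, a constructed value


if __name__ == "__main__":
    print(triage_acme_response(405, STAGING_405_BODY))
    print(triage_acme_response(429, RATE_LIMIT_BODY, RATE_LIMIT_HEADERS))
```

Feeding the 405 body from the traceback yields action "stop"; the constructed rate-limit response yields "retry" with the Retry-After delay, which is the signal a cron wrapper should honour instead of hammering the API until the weekly limit blocks the real issuance.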