porunov / acme_client
Java ACME Client application
License: MIT License
Hi,
I am running pjac against a non-LE server implementation. The account registration fails as our acme server requires contact information inside the body of the registration request, and even if specified, pjac does not send it.
Below the command used for registration:
java -jar acme_client.jar --server-url http://acme-srv.bar.local --command register -a /root/pjac/account.key --email [email protected] --with-agreement-update --log-level DEBUG
The attached logs show that no contact information is added to the request.
acme.log
Am I doing something wrong or did I get hit by a bug?
Thank you for your help and have a nice day.
/G.
When running:
java -jar acme_client.jar --log-dir "C:/letsencrypt/" --log-level TRACE --server-url https://acme-staging.api.letsencrypt.org/directory --command add-email --account-key "C:/letsencrypt/gen/account.key" --with-agreement-update --email [email protected]
The first time, I get this error:
2017-07-06 15:26:43 DEBUG org.shredzone.acme4j.connector.DefaultConnection:294 - Location: https://acme-staging.api.letsencrypt.org/acme/reg/2793666
2017-07-06 15:26:43 DEBUG org.shredzone.acme4j.connector.DefaultConnection:325 - Link: terms-of-service -> https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
2017-07-06 15:26:43 INFO com.jblur.acme_client.CommandExecutor:62 - Trying to update agreement
2017-07-06 15:26:43 ERROR com.jblur.acme_client.command.registration.UpdateAgreementCommand:42 - Agreement haven't been updated because your provider haven't returned an agreement URL.
java.lang.NullPointerException: null
at com.jblur.acme_client.command.registration.UpdateAgreementCommand.commandExecution(UpdateAgreementCommand.java:29)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:64)
at com.jblur.acme_client.CommandExecutor.automaticallyUpdateAgreement(CommandExecutor.java:68)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:106)
at com.jblur.acme_client.Application.main(Application.java:117)
If I run the same command again, it works and I can continue the process.
In the "Get a certificate for multiple domains" part, everything works fine until step 8, but the certificates are not downloaded.
I created the SSL certificate step by step following the doc, but an exception occurred:
2017-05-19 11:05:03 ERROR com.jblur.acme_client.command.registration.RegistrationCommand:29 - Problem with registration/authorization
org.shredzone.acme4j.exception.AcmeNetworkException: Network error
at org.shredzone.acme4j.connector.DefaultConnection.accept(DefaultConnection.java:201)
at org.shredzone.acme4j.provider.AbstractAcmeProvider.directory(AbstractAcmeProvider.java:56)
at org.shredzone.acme4j.Session.readDirectory(Session.java:211)
at org.shredzone.acme4j.Session.resourceUri(Session.java:186)
at org.shredzone.acme4j.RegistrationBuilder.create(RegistrationBuilder.java:86)
at com.jblur.acme_client.manager.RegistrationManager.<init>(RegistrationManager.java:44)
at com.jblur.acme_client.command.registration.RegistrationCommand.commandExecution(RegistrationCommand.java:27)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:64)
at com.jblur.acme_client.CommandExecutor.executeACMECommand(CommandExecutor.java:57)
at com.jblur.acme_client.CommandExecutor.getRegistrationManager(CommandExecutor.java:45)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:94)
at com.jblur.acme_client.Application.main(Application.java:117)
Caused by: java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:150)
at java.net.SocketInputStream.read(SocketInputStream.java:121)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:911)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:701)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1534)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at org.shredzone.acme4j.connector.DefaultConnection.accept(DefaultConnection.java:183)
... 11 common frames omitted
2017-05-19 11:05:03 ERROR com.jblur.acme_client.CommandExecutor:48 - Cannot get account information.
2017-05-19 11:05:04 ERROR com.jblur.acme_client.CommandExecutor:97 - Cannot get registration.
I downloaded acme_client on a system that did not have software such as bouncycastle installed, and jdeps crashed with an error about a provider not being found. I tried an initial test, just getting the agreement URL from lets encrypt, and that worked just fine.
I've been considering using acme_client.jar in a Docker container, using jlink to reduce the size of the JRE, and wanted to use jdeps to find what modules to pass to jlink.
Documentation with just a list of the appropriate Java modules would be very helpful, at least until jlink is fixed. I was testing using Java 17. With version 17.0.9 of jdeps, the command
jdeps acme_client.jar
produced the following stack trace:
Exception in thread "main" java.lang.module.FindException: Module org.bouncycastle.provider not found, required by org.bouncycastle.pkix
at java.base/java.lang.module.Resolver.findFail(Resolver.java:893)
at java.base/java.lang.module.Resolver.resolve(Resolver.java:192)
at java.base/java.lang.module.Resolver.resolve(Resolver.java:141)
at java.base/java.lang.module.Configuration.resolve(Configuration.java:421)
at java.base/java.lang.module.Configuration.resolve(Configuration.java:255)
at jdk.jdeps/com.sun.tools.jdeps.JdepsConfiguration$Builder.build(JdepsConfiguration.java:564)
at jdk.jdeps/com.sun.tools.jdeps.JdepsTask.buildConfig(JdepsTask.java:603)
at jdk.jdeps/com.sun.tools.jdeps.JdepsTask.run(JdepsTask.java:557)
at jdk.jdeps/com.sun.tools.jdeps.JdepsTask.run(JdepsTask.java:533)
at jdk.jdeps/com.sun.tools.jdeps.Main.main(Main.java:49)
jdeps options to suppress warnings or errors did not help.
generate-certificate after successfully validating a DNS01 challenge comes back with a status of ok, yet no certificate URI list and nothing in the cert directory. Nothing stands out in the debug logs either.
So, I tried to renew my certificates and ran:
(1652) toy:/root/acme# java -jar acme_client.jar --command verify-domains -a /etc/pjac/account.key -w /etc/pjac/workdir/ -c /etc/pjac/eenfach.de.csr --challenge-type DNS01
Exception in thread "main" org.shredzone.acme4j.exception.AcmeLazyLoadingException: Order https://acme-v02.api.letsencrypt.org/acme/order/67299589/1157210309
at org.shredzone.acme4j.AcmeJsonResource.getJSON(AcmeJsonResource.java:68)
at org.shredzone.acme4j.Order.getAuthorizations(Order.java:107)
at com.jblur.acme_client.command.certificate.VerifyDomainsCommand.commandExecution(VerifyDomainsCommand.java:51)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:47)
at com.jblur.acme_client.CommandExecutor.executeACMECommand(CommandExecutor.java:123)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:74)
at com.jblur.acme_client.Application.main(Application.java:65)
Caused by: org.shredzone.acme4j.exception.AcmeServerException: No order for ID 1157210309
at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:490)
at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:417)
at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:346)
at org.shredzone.acme4j.connector.DefaultConnection.sendSignedPostAsGetRequest(DefaultConnection.java:147)
at org.shredzone.acme4j.AcmeJsonResource.update(AcmeJsonResource.java:119)
at org.shredzone.acme4j.AcmeJsonResource.getJSON(AcmeJsonResource.java:63)
... 6 more
(1653) toy:/root/acme#
I verified that my TXT records are updated correctly by queries to Google's NS.
My pjac version is 3.0.1 and I run JDK 1.8.0_131:
(1656) toy:/root/acme# java -jar acme_client.jar --version
Porunov Java ACME Client (PJAC) v3.0.1
(1657) toy:/root/acme#
(1657) toy:/root/acme# java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
I followed the steps for the DNS challenge.
https://github.com/porunov/acme_client/wiki/Get-a-wildcard-certificate
In Step 7, we need to create two TXT records in the DNS with the same name. Is it possible? Or is it a typo?
Quoted text:
First record. Name: _acme-challenge value: ;
Second record. Name: _acme-challenge value: .
Wait till your DNS records are updated and check that your two digests are available to be checked for the domain: _acme-challenge.example.com.
I have an OpenFire (XMPP/Jabber) server on Windows, and I need to add a Let's Encrypt cert.
There are instructions on web ( https://community.letsencrypt.org/t/using-cert-in-openfire-xmpp-server/10676/14 ) and ( http://download.igniterealtime.org/openfire/docs/latest/documentation/ssl-guide.html ).
But it will be much simpler to just add option to add cert to Java keystore.
When following the wiki tutorial, acme_client does not download the challenge files when renewing a certificate. I am running the following commands:
ACMECLIENT="java -jar acme_client.jar -w . --log-dir . --log-level TRACE"
$ACMECLIENT -a ./cert/account.key -c ./cert/$DOMAIN.csr --command order-certificate --well-known-dir ./challenge --one-dir-for-well-known
After the command acme_client returns {"status":"ok"}
but the specified challenge directory is empty. The trace logfile (acme.log) is attached, but I cannot see any error listed.
Suggestion: It would be nice if you could add a command (or integrate it into the "register" command) to create an account key, or at least describe how to create one (with keytool or openssl). Thanks.
Now Let's Encrypt has started to support wildcard certificates.
Z:\home\pete\le_java>java -jar acme_client.jar --version
Porunov Java ACME Client (PJAC) v3.0.0
Z:\home\pete\le_java>java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
I created a wildcard cert for a new domain back in August with no problems at all. I was also able to renew an existing certificate on a non-wildcard cert (petesworkshop.com) Today I decided to create a new wildcard for petesworkshop.com and created a csr in exactly the same way I did for my successful wildcard domain.
The decoded CSR has this:
Common Name: petesworkshop.com
Subject Alternative Names: *.petesworkshop.com
Organization: Value Added Software
Locality: San Antonio
State: Texas
Country: US
When I order the certificate I get this error:
{"failed_domains":["*.petesworkshop.com"],"status":"error"}
The log shows:
2018-11-08 11:18:03 ERROR com.jblur.acme_client.command.certificate.OrderCertificateCommand:56 - Cannot process authorization https://acme-v02.api.letsencrypt.org/acme/authz/xpmEGKjVOv-U1yMMLfVNwWQ7rCpYRU5DPJbs0kWgEMA with domain *.petesworkshop.com
java.lang.NullPointerException: null
at com.jblur.acme_client.command.certificate.CertificateCommand.writeChallengeByAuthorization(CertificateCommand.java:119)
at com.jblur.acme_client.command.certificate.OrderCertificateCommand.commandExecution(OrderCertificateCommand.java:54)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:47)
at com.jblur.acme_client.CommandExecutor.executeACMECommand(CommandExecutor.java:123)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:65)
at com.jblur.acme_client.Application.main(Application.java:65)
So, did I miss a step somewhere? Your wildcard example uses DNS01 and in my case I am using HTTP01. Is that the issue? Command looks like this:
java -jar acme_client.jar --command order-certificate -a Z:/home/pete/certs/le_pub_key/le_account.key -w z:/etc/pjac/certdir -c z:/home/pete/certs/csr/petesworkshop.csr --well-known-dir Z:/www/petes/htdocs/letsencrypt-challenges/.well-known/acme-challenge --one-dir-for-well-known
Thanks
I am unable to verify my domain. It keeps returning
ERROR com.jblur.acme_client.command.certificate.VerifyDomainsCommand:100 - Domain SG-awsRedisTSL-17.devservers.scalegrid.io is not verified. Please, check warnings.
I have verified that the TXT record exists in _acme-challenge.SG-awsRedisTSL-17.devservers.scalegrid.io and the digest value matches.
I am running java 1.8
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
Any idea what went wrong?
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER X-Frame-Options: DENY
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER null: HTTP/1.1 200 OK
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Strict-Transport-Security: max-age=604800
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Cache-Control: public, max-age=0, no-cache
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Server: nginx
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Replay-Nonce: 0002hIwoauBlrxymy7QodWzFKLwZnrbu6eI2cgQbLWkCRjo
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Connection: keep-alive
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Boulder-Requester: 28541468
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Content-Length: 840
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Date: Fri, 01 Oct 2021 19:11:30 GMT
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:524 - HEADER Content-Type: application/json
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:238 - Replay Nonce: 0002hIwoauBlrxymy7QodWzFKLwZnrbu6eI2cgQbLWkCRjo
2021-10-01 19:11:30 DEBUG org.shredzone.acme4j.connector.DefaultConnection:184 - Result JSON: {"identifier":{"type":"dns","value":"sg-awsredistsl-17.devservers.scalegrid.io"},"status":"pending","expires":"2021-10-08T18:23:00Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/611157838/vw8IWQ","token":""},{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/611157838/QOpPMw","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/611157838/MTyxKw","token":"*******************************************"}]}
2021-10-01 19:11:30 ERROR com.jblur.acme_client.command.certificate.VerifyDomainsCommand:100 - Domain SG-awsRedisTSL-17.devservers.scalegrid.io is not verified. Please, check warnings.
root@xxxxxxxxxxx [acme_client]# gradle build
Task :compileJava FAILED
FAILURE: Build failed with an exception.
Could not find tools.jar. Please check that /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.275.b01-0.el6_10.x86_64/jre contains a valid JDK installation.
Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
Get more help at https://help.gradle.org
This is caused by most Java 8+ versions other than the devel version: tools.jar is decommissioned.
The library you are using sets the "NO_PROXY" proxy by default, causing any default settings, including the http(s).proxyHost and proxyPort system properties, to be ignored. I was able to fix by adding the following statement to the ACMECommand constructor:
session.setProxy(ProxySelector.getDefault().select(URI.create(this.parameters.getAcmeServerUrl())).get(0));
This should also work for environments that do not need proxies, if I understand the Java documentation correctly (the select returns always at least one entry). But I haven't tested it.
I am trying to generate a certificate and I do not have any account key. How do I register/create an account key for Let's Encrypt? I tried reading different articles, but could not find anywhere a solid way to register an account. As I am new to this certificate area, I am struggling at this. Please help.
Not exactly sure what the issue is here. I went to renew an expired certificate and cannot. I updated to the latest jar. I cleared the workdir and digests folder. Order certificates runs fine. I copied the values for each challenge to the TXT records ( I use GoDaddy).
I used LetsDebug.net to validate the challenge (at least I think that is what it does). It says that all is OK. So, what am I missing? This has been working fine, although it has been a while since I renewed the certificate. Still looking for a solution. Ideas?
2019-12-29 15:45:05 WARN com.jblur.acme_client.command.certificate.VerifyDomainsCommand:74 - Cannot validate one of challenges for domain: *.ossgarden.org
org.shredzone.acme4j.exception.AcmeException: Challenge invalid: https://acme-v02.api.letsencrypt.org/acme/chall-v3/1999273187/rBdjGA
at com.jblur.acme_client.manager.ChallengeManager$1.failIfInvalid(ChallengeManager.java:81)
at com.jblur.acme_client.manager.ValidationService.validate(ValidationService.java:59)
at com.jblur.acme_client.manager.ValidationService.validate(ValidationService.java:21)
at com.jblur.acme_client.manager.ChallengeManager.validateChallenge(ChallengeManager.java:57)
at com.jblur.acme_client.command.certificate.VerifyDomainsCommand.commandExecution(VerifyDomainsCommand.java:72)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:47)
at com.jblur.acme_client.CommandExecutor.executeACMECommand(CommandExecutor.java:123)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:74)
at com.jblur.acme_client.Application.main(Application.java:65)
2019-12-29 15:45:10 WARN com.jblur.acme_client.command.certificate.VerifyDomainsCommand:74 - Cannot validate one of challenges for domain: ossgarden.org
org.shredzone.acme4j.exception.AcmeException: Challenge invalid: https://acme-v02.api.letsencrypt.org/acme/chall-v3/1999273188/4hndhw
at com.jblur.acme_client.manager.ChallengeManager$1.failIfInvalid(ChallengeManager.java:81)
at com.jblur.acme_client.manager.ValidationService.validate(ValidationService.java:59)
at com.jblur.acme_client.manager.ValidationService.validate(ValidationService.java:21)
at com.jblur.acme_client.manager.ChallengeManager.validateChallenge(ChallengeManager.java:57)
at com.jblur.acme_client.command.certificate.VerifyDomainsCommand.commandExecution(VerifyDomainsCommand.java:72)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:47)
at com.jblur.acme_client.CommandExecutor.executeACMECommand(CommandExecutor.java:123)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:74)
at com.jblur.acme_client.Application.main(Application.java:65)
2019-12-29 15:45:10 ERROR com.jblur.acme_client.command.certificate.VerifyDomainsCommand:100 - Domain *.ossgarden.org is not verified. Please, check warnings.
2019-12-29 15:45:10 ERROR com.jblur.acme_client.command.certificate.VerifyDomainsCommand:100 - Domain ossgarden.org is not verified. Please, check warnings.
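The DNS01 posts above (the two TXT records that share one name in the wildcard walkthrough, and the TXT values that "match" yet fail validation) can be checked offline before running verify-domains. The following is an added example, not PJAC's own code: it computes what the PJAC wiki calls the digest the way RFC 8555 defines it (key authorization = token '.' JWK thumbprint of the account key; TXT value = base64url(SHA-256(key authorization))), groups the values by _acme-challenge name, and reports which are missing from a DNS answer. The account key is the example RSA JWK from RFC 7638 section 3.1, and the tokens are constructed; real values come from your own account key and the order's authorizations.

```python
"""dns-01 TXT values per RFC 8555 section 8.4, with a missing-record check.
Added example; sample key is the RFC 7638 example JWK, tokens are constructed."""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members only, keys in
    lexicographic order, no whitespace. 'alg'/'kid' must not be included."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """RFC 8555 section 8.1: token || '.' || thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token, jwk):
    """RFC 8555 section 8.4: TXT holds base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier):
    """A wildcard and its base name are validated at the same TXT name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + host


def expected_txt_records(authorizations, jwk):
    """authorizations: iterable of (identifier, dns-01 token).
    Returns {txt_name: set(values)}; a wildcard order yields two values
    under one name, both of which must be published at the same time."""
    records = {}
    for identifier, token in authorizations:
        name = challenge_record_name(identifier)
        records.setdefault(name, set()).add(dns01_txt_value(token, jwk))
    return records


def missing_txt_values(expected, published):
    """Both args: {name: set(TXT strings)}. Returns only what is absent."""
    missing = {}
    for name, values in expected.items():
        absent = values - published.get(name, set())
        if absent:
            missing[name] = absent
    return missing


# Public part of the RFC 7638 section 3.1 example RSA key.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT"
         "86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W"
         "-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368"
         "QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNL"
         "yrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1j"
         "F44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# Constructed tokens for a wildcard order: example.com and *.example.com
# map to the single name _acme-challenge.example.com.
SAMPLE_AUTHORIZATIONS = [
    ("example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"),
    ("*.example.com", "DGyRejmCefe7v4NfDGDKfA"),
]

if __name__ == "__main__":
    for name, values in expected_txt_records(SAMPLE_AUTHORIZATIONS, RFC7638_JWK).items():
        for value in sorted(values):
            print(f'{name}. IN TXT "{value}"')
```

Compare the printed records with `dig +short TXT _acme-challenge.example.com @<authoritative-ns>`: every expected value must be present at once, so a zone that keeps only one record per name (or where one value was replaced by the other) fails the second authorization even though "the digest matches".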
I have an account key that I use with other ACME clients. I can't use it with PJAC.
java -jar acme_client.jar --command order-certificate -a "my_old_account_key.pem" -w . -c csr.pem --well-known-dir "D:\Internet\WEB\mydomain.com.well-known\acme-challenge" --one-dir-for-well-known --server-url https://acme-staging-v02.api.letsencrypt.org/directory
but I get
Exception in thread "main" java.lang.ClassCastException: org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair
Does PJAC requires a new account?
java -jar acme_client.jar --version
Porunov Java ACME Client (PJAC) v2.1.1 rev51
java -version
java version "1.8.0_144"
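The exception above names two BouncyCastle types: PEMParser returns a PEMKeyPair for a PKCS#1 block (`-----BEGIN RSA PRIVATE KEY-----`) and a PrivateKeyInfo for an unencrypted PKCS#8 block (`-----BEGIN PRIVATE KEY-----`), so a cast from PrivateKeyInfo to PEMKeyPair is what a PKCS#8 account key produces in code that only expects PKCS#1. The following is an added example, not PJAC's code, that also answers the earlier requests for how an account key file is put together: it classifies a PEM key by its label and unwraps an unencrypted PKCS#8 RSA key into PKCS#1 by walking the DER structure. The sample keys are constructed stand-ins whose RSAPrivateKey body is a placeholder, not usable key material. With OpenSSL the same conversion is `openssl rsa -in old.pem -out pkcs1.pem` (add `-traditional` on OpenSSL 3.x).

```python
"""Classify a PEM private key and unwrap unencrypted PKCS#8 RSA to PKCS#1.
Added example, not PJAC's code; sample keys below are constructed stand-ins."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def pem_block(pem_text):
    """Return (label, DER bytes) of the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def to_pem(label, der):
    """Wrap DER in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def classify(pem_text):
    """Map the PEM label to the key encoding it announces."""
    label = pem_block(pem_text)[0]
    return {
        "RSA PRIVATE KEY": "pkcs1-rsa",         # what PEMParser returns as PEMKeyPair
        "EC PRIVATE KEY": "sec1-ec",
        "PRIVATE KEY": "pkcs8",                 # returned as PrivateKeyInfo
        "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    }.get(label, "unknown")


def _tlv(der, off):
    """Decode one DER tag and length at off; return (tag, value_start, value_end)."""
    tag, length, off = der[off], der[off + 1], off + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length, off = int.from_bytes(der[off:off + n], "big"), off + n
    if off + length > len(der):
        raise ValueError("truncated DER")
    return tag, off, off + length


def pkcs8_to_pkcs1(der):
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier,
    privateKey OCTET STRING }. For rsaEncryption the OCTET STRING content
    is exactly the PKCS#1 RSAPrivateKey, so unwrapping is a re-label."""
    tag, pos, end = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, _, pos = _tlv(der, pos)  # version
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, alg_start, pos = _tlv(der, pos)  # AlgorithmIdentifier
    if tag != 0x30 or not der[alg_start:pos].startswith(RSA_OID):
        raise ValueError("not an rsaEncryption PrivateKeyInfo")
    tag, key_start, key_end = _tlv(der, pos)  # privateKey
    if tag != 0x04 or key_end > end:
        raise ValueError("expected privateKey OCTET STRING")
    return der[key_start:key_end]


def as_pkcs1(pem_text):
    """Return the key as a PKCS#1 'RSA PRIVATE KEY' PEM, converting if needed."""
    label, der = pem_block(pem_text)
    if label == "RSA PRIVATE KEY":
        return pem_text
    if label == "PRIVATE KEY":
        return to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
    raise ValueError(f"cannot convert a '{label}' block to PKCS#1 RSA")


def wrap_pkcs8(rsa_private_key_der):
    """Build an unencrypted PKCS#8 PrivateKeyInfo around a PKCS#1 body.
    Used only to construct the sample; short-form lengths (< 128) suffice here."""
    alg = b"\x30\x0d" + RSA_OID + b"\x05\x00"  # SEQUENCE { OID, NULL }
    body = (b"\x02\x01\x00" + alg
            + b"\x04" + bytes([len(rsa_private_key_der)]) + rsa_private_key_der)
    return b"\x30" + bytes([len(body)]) + body


# Constructed placeholder: SEQUENCE { INTEGER 0 } stands in for a real RSAPrivateKey.
PLACEHOLDER_RSA_KEY = bytes.fromhex("3003020100")
SAMPLE_PKCS1_PEM = to_pem("RSA PRIVATE KEY", PLACEHOLDER_RSA_KEY)
SAMPLE_PKCS8_PEM = to_pem("PRIVATE KEY", wrap_pkcs8(PLACEHOLDER_RSA_KEY))

if __name__ == "__main__":
    for pem in (SAMPLE_PKCS1_PEM, SAMPLE_PKCS8_PEM):
        print(classify(pem), "->", pem_block(as_pkcs1(pem))[0])
```

The check is worth running on any key shared between ACME clients: other clients and current OpenSSL releases write PKCS#8 by default, and the label alone tells you whether a PKCS#1-only loader will accept it.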
java -jar acme_client.jar --log-dir log --command verify-domains -a Account_LetsEncrypt.key -w workdir -d [domain].de -d www.[domain].de -d mail.[domain].de
Exception in thread "main" org.shredzone.acme4j.exception.AcmeProtocolException: Could not load lazily
at org.shredzone.acme4j.Authorization.load(Authorization.java:214)
at org.shredzone.acme4j.Authorization.getDomain(Authorization.java:75)
at com.jblur.acme_client.command.authorization.VerifyDomainsCommand.commandExecution(VerifyDomainsCommand.java:37)
at com.jblur.acme_client.command.ACMECommand.execute(ACMECommand.java:64)
at com.jblur.acme_client.CommandExecutor.executeACMECommand(CommandExecutor.java:57)
at com.jblur.acme_client.CommandExecutor.execute(CommandExecutor.java:135)
at com.jblur.acme_client.Application.main(Application.java:117)
Caused by: org.shredzone.acme4j.exception.AcmeServerException: Expired authorization
at org.shredzone.acme4j.connector.DefaultConnection.createAcmeException(DefaultConnection.java:397)
at org.shredzone.acme4j.connector.DefaultConnection.accept(DefaultConnection.java:199)
at org.shredzone.acme4j.Authorization.update(Authorization.java:180)
at org.shredzone.acme4j.Authorization.load(Authorization.java:209)
... 6 more
Has someone an idea why that fails?
Thanks in Advance