Weblog

11 September 2019, 14:03

Due to some changes in the Let's Encrypt API, I've released version 2.1 of the Let's Encrypt script for Hiawatha.

Stumpy
13 September 2019, 19:21
Thanks for the new script. Weirdly, v2.1 of the script doesn't seem to correctly parse my config. If I run the script as-is, it only ever errors out with:

"Read the lefh manual page and follow its instructions before using this tool."

If I comment out the line with the configuration check, it doesn't error but it also doesn't do anything according to the debug log. `letsencrypt expire` does list my domains correctly.

Is this script compatible with PHP 7.3.8? Is it capable of re-using the existing account.key?

Thank you!
Vladas Palubinskas
15 September 2019, 08:46
According to INSTALL, the new version does not use an old access.key of previous versions: "When running the tool for the first time, it will create a Let's Encrypt account key."
Hugo Leisink
16 September 2019, 12:48
@Stumpy: the location for the account.key file is ~/.letsencrypt/. Is that where your account key is stored?
Günther
18 September 2019, 15:21
This Update generates an error on renewing certificates:

"- Error getting challange for mydomain.example.org"

debuglog says:
"type": "urn:ietf:params:acme:error:malformed",
"detail": "No such authorization",
"status": 404
Günther
19 September 2019, 10:09
Finding the error, the path has changed to /usr/lib/... what a mess!
Corrected the above, now it can't find hiawatha.conf in /het/hiawatha (it still exists there):
- Can't find config file HIAWATHA_CONFIG_DIR/hiawatha.conf
Hugo Leisink
25 September 2019, 11:41
I have no idea what you're doing. My guess is that you manually copied files from different versions. Try reinstalling Hiawatha and use the script that comes with it.
Joe Schmoe
2 March 2020, 17:41
I'm having a problem with renewing certificates. Below is the tail end of the log file. It looks like it sends the authorization strings with "authz-v3" as part of the URL.

But then when it subsequently requests that URL it only uses "authz" as part of the request and not "authz-v3" which is why I think it returns a 404 error.

If I use either of the URLs in the authorizations config it works just fine. I tried to figure out where in the code it is replacing the "authz-v3" but cannot find it.

Any ideas?

Thanks!

======

"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx1234",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx1235"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/xxxxx/xxxxxxxxxx"
}"
}
GET /acme/authz/xxxxxx1234
Server response: array(3) {
["status"] => int(404)
["headers"] => array(6) {
["server"] => string(5) "nginx"
["date"] => string(29) "Mon, 04 Mar 2020 16:25:58 GMT"
["content-type"] => string(25) "text/plain; charset=utf-8"
["content-length"] => string(2) "19"
["connection"] => string(5) "close"
["x-content-type-options"] => string(7) "nosniff"
}
["body"] => string(19) "404 page not found
"
}
Joe Schmoe
2 March 2020, 18:38
NEVERMIND!

I just figured out that it was still using old libraries in the /usr/lib/hiawatha/letsencrypt directory. Once I replaced that with the new library files the problem was solved.

Vladas
14 February 2021, 11:28
Renewing certificates does not complete after upgrading from PHP 7.0 to PHP 8.0:

Renewing certificate for a-z.on.lt.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
Getting authorization challenge for a-z.on.lt.
- Creating reponse for authorization challenge.
- Requesting authorization for host.
- Polling authorization status.
Finalizing order.
Removing challenge responses.
Downloading certificates.
PHP Fatal error: Uncaught Error: Undefined constant "DEBUG" in /usr/lib/hiawatha/letsencrypt/logfile.php:59
Stack trace:
#0 /usr/lib/hiawatha/letsencrypt/acmev2.php(357): logfile->clean()
#1 /usr/lib/hiawatha/letsencrypt/letsencrypt.php(300): ACMEv2->get_certificate()
#2 /usr/sbin/lefh(152): LetsEncrypt->request_certificate()
#3 {main}
thrown in /usr/lib/hiawatha/letsencrypt/logfile.php on line 59
PHP Fatal error: Uncaught Error: Undefined constant "DEBUG" in /usr/lib/hiawatha/letsencrypt/logfile.php:59
Stack trace:
#0 /usr/lib/hiawatha/letsencrypt/logfile.php(53): logfile->clean()
#1 /usr/lib/hiawatha/letsencrypt/logfile.php(30): logfile->flush()
#2 [internal function]: logfile->__destruct()
#3 {main}
thrown in /usr/lib/hiawatha/letsencrypt/logfile.php on line 59
Hugo Leisink
14 February 2021, 14:37
Remove lines 59 and 61 from logfile.php.
Vladas
15 February 2021, 07:58
Yes, lefh renewed now, thank you very much!
elomraydino
15 April 2022, 21:01
Hi all! Please, I have an issue with lefh on Ubuntu 20.04.

GET /acme/authz-v3/2195848543
Server response: array(3) {
["status"] => int(405)
["headers"] => array(7) {
["server"] => string(5) "nginx"
["date"] => string(29) "Fri, 15 Apr 2022 18:27:58 GMT"
["content-type"] => string(24) "application/problem+json"
["content-length"] => string(3) "103"
["connection"] => string(5) "close"
["cache-control"] => string(27) "public, max-age=0, no-cache"
["link"] => string(68) "<https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index""
}
["body"] => string(103) "{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}"
}
Hugo Leisink
16 April 2022, 08:31
Is there a proxy in between? The script works, so I think the cause is somewhere in your network or system.
elomraydino
17 April 2022, 19:09
No proxy in front of Hiawatha, but I'm using it as a reverse proxy to a Node.js app. In acmev2.php, if I change GET into POST in the get_chalange function, the script is able to retrieve the challenge but the probing fails. I tried that because of this forum post: https://community.letsencrypt.org/t/invalid-status-value-error-msg-post-as-get-action/140556
elomraydino
17 April 2022, 19:19
Sorry, I also needed to change line 149 of acmev2.php as follows to make the POST function work for the GET cases:

$payload = is_array($payload) ? $this->b64u_encode(str_replace('\\/', '/', json_encode($payload))) : '';
elomraydino
17 April 2022, 20:14
Maybe the deprecation stated here ? https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
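For readers following this thread: the 405 above is what an ACME v2 server returns once it stops serving unauthenticated GETs on resources such as authorizations, and the replacement is the "POST-as-GET" request of RFC 8555 section 6.3, a JWS whose payload member is the empty string rather than an encoded "{}" or "[]". The block below is an added example written for this page, not code from the Hiawatha script or from any poster; it builds and locally verifies such a request. The account URL, nonce and authorization URL are hypothetical placeholders, and a freshly generated RSA key stands in for the account key.

```php
<?php
// Added example (not the Hiawatha script's code): build an ACME "POST-as-GET"
// JWS as RFC 8555 section 6.3 describes it, and verify it the way a server would.
// Assumptions: hypothetical account URL (kid), nonce and authorization URL;
// a freshly generated RSA key stands in for the account key.

function b64u_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64u_decode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/'));
}

// Build the JWS for a request to $url. A null $payload means POST-as-GET:
// the "payload" member is the empty string, not the encoding of "{}" or "[]".
// JSON_UNESCAPED_SLASHES avoids the "\/" escapes that json_encode emits by default.
function acme_jws($key, string $kid, string $nonce, string $url, ?array $payload): array {
    $protected = b64u_encode(json_encode([
        'alg'   => 'RS256',
        'kid'   => $kid,
        'nonce' => $nonce,
        'url'   => $url,
    ], JSON_UNESCAPED_SLASHES));

    $encoded_payload = ($payload === null)
        ? ''
        : b64u_encode(json_encode($payload, JSON_UNESCAPED_SLASHES));

    $signature = '';
    openssl_sign($protected . '.' . $encoded_payload, $signature, $key, OPENSSL_ALGO_SHA256);

    return [
        'protected' => $protected,
        'payload'   => $encoded_payload,
        'signature' => b64u_encode($signature),
    ];
}

// Verify a JWS as a server would: signature over protected.payload, and the
// "url" header bound to the resource actually being requested.
function acme_jws_verify($public_key, array $jws, string $expected_url): bool {
    $header = json_decode(b64u_decode($jws['protected']), true);
    if (!is_array($header) || ($header['url'] ?? null) !== $expected_url) {
        return false;
    }
    $ok = openssl_verify(
        $jws['protected'] . '.' . $jws['payload'],
        b64u_decode($jws['signature']),
        $public_key,
        OPENSSL_ALGO_SHA256
    );
    return $ok === 1;
}

// Constructed sample values (not from any real account).
$key    = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$public = openssl_pkey_get_public(openssl_pkey_get_details($key)['key']);
$kid    = 'https://acme-v02.api.letsencrypt.org/acme/acct/0000000';        // hypothetical
$nonce  = 'constructed-nonce-value';                                        // hypothetical
$authz  = 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/0000000000'; // hypothetical

// POST-as-GET: fetch the authorization resource with an authenticated POST.
$jws = acme_jws($key, $kid, $nonce, $authz, null);
printf("payload member is %s\n", $jws['payload'] === '' ? 'empty (correct)' : 'not empty (wrong)');
printf("signature verifies: %s\n", acme_jws_verify($public, $jws, $authz) ? 'yes' : 'no');

// This body is what goes on the wire:
//   POST /acme/authz-v3/...  Content-Type: application/jose+json
echo json_encode($jws, JSON_UNESCAPED_SLASHES), "\n";

// Contrast: passing an empty array is NOT a POST-as-GET; it encodes to "[]",
// which the server treats as a real (and malformed) payload.
$wrong = acme_jws($key, $kid, $nonce, $authz, []);
printf("payload for [] decodes to %s, not the empty string\n", b64u_decode($wrong['payload']));
```

Run it with `php` on the command line; it needs only the openssl and json extensions. The distinction in the last lines is the same one the line-149 change above is about: a POST-as-GET must send `''` as the payload member, so a helper that base64url-encodes whatever it is given has to special-case the "no payload" request.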
Hugo Leisink
18 April 2022, 16:20
Well, changing the GET into POST explains the 'Method not allowed'. Don't change the script unless you know what you are doing.
elomraydino
18 April 2022, 18:24
Sorry, I think I'm not explaining myself well. Changing the GET into POST was my attempt to fix the 'Method not allowed' issue.