acme.sh
SSH deploy hook doesn't account for _ecc directory names
Steps to reproduce
Issue a certificate (using the new default ecc, #2350), which issues the certificates into a directory with _ecc-suffix.
Run SSH deploy hook like this:
~/.acme.sh/acme.sh --deploy -d "*.example.com" --deploy-hook ssh --debug 2
For newly issued certificates, the deploy hook fails, because it uses the directory without the _ecc-suffix. See DOMAIN_PATH below.
If you already had a certificate issued before ecc became the default, the deploy hook doesn't fail but keeps deploying the old certificates that aren't valid anymore.
Debug log
https://github.com/acmesh-official/acme.sh
v3.0.6
[Mon Mar 13 17:46:58 CET 2023] Running cmd: deploy
[Mon Mar 13 17:46:58 CET 2023] Using config home:/root/.acme.sh
[Mon Mar 13 17:46:58 CET 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 13 17:46:58 CET 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 13 17:46:58 CET 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Mar 13 17:46:58 CET 2023] _ACME_SERVER_PATH='directory'
[Mon Mar 13 17:46:58 CET 2023] DOMAIN_PATH='/root/.acme.sh/*.example.com'
[Mon Mar 13 17:46:58 CET 2023] _deployApi='/root/.acme.sh/deploy/ssh.sh'
[Mon Mar 13 17:46:58 CET 2023] _cdomain='*.example.com'
[Mon Mar 13 17:46:58 CET 2023] _ckey='/root/.acme.sh/*.example.com/*.example.com.key'
[Mon Mar 13 17:46:58 CET 2023] _ccert='/root/.acme.sh/*.example.com/*.example.com.cer'
[Mon Mar 13 17:46:58 CET 2023] _cca='/root/.acme.sh/*.example.com/ca.cer'
[Mon Mar 13 17:46:58 CET 2023] _cfullchain='/root/.acme.sh/*.example.com/fullchain.cer'
As a workaround, adding --keylength 2048 when issuing the certificate helps.
See #4480 and #4416
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
Same here with latest docker image: https://github.com/acmesh-official/acme.sh/issues/4621
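A pre-deploy check for the two outcomes reported in this issue (a missing plain directory, or a plain directory holding an older certificate than its _ecc sibling), as an added example that is not part of the thread or of acme.sh. The function names, the sample domains and the use of file mtime as the freshness signal are assumptions; the directory and file names come from the debug log above.

```shell
#!/bin/sh
# Added example, not acme.sh code. Assumes the layout seen in the debug log:
# <home>/<domain>/fullchain.cer and <home>/<domain>_ecc/fullchain.cer.
# Assumption: a newer mtime means the more recently issued certificate.

# cert_dir_state HOME DOMAIN -> prints one of:
#   ecc-only     only <domain>_ecc exists; a hook using DOMAIN_PATH without the suffix fails
#   stale-plain  both exist and the _ecc copy is newer; that hook ships the old certificate
#   both         both exist and the plain copy is not older
#   plain-only   only <domain> exists
#   none         no fullchain.cer in either directory
cert_dir_state() {
  plain="$1/$2/fullchain.cer"
  ecc="$1/${2}_ecc/fullchain.cer"
  if [ -f "$plain" ] && [ -f "$ecc" ]; then
    if [ "$ecc" -nt "$plain" ]; then echo stale-plain; else echo both; fi
  elif [ -f "$ecc" ]; then echo ecc-only
  elif [ -f "$plain" ]; then echo plain-only
  else echo none
  fi
}

# newest_cert_dir HOME DOMAIN -> prints the directory holding the current chain,
# or returns 1 when there is nothing to deploy.
newest_cert_dir() {
  case $(cert_dir_state "$1" "$2") in
    ecc-only|stale-plain) printf '%s\n' "$1/${2}_ecc" ;;
    plain-only|both)      printf '%s\n' "$1/$2" ;;
    *)                    return 1 ;;
  esac
}

# make_sample_home -> builds a constructed acme.sh home in a temp dir and prints its path.
# Domain names and timestamps are made up; quoting keeps the literal "*" from globbing.
make_sample_home() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/*.example.com" "$d/*.example.com_ecc" \
           "$d/new.example.com_ecc" "$d/old.example.com"
  touch -t 202301010000 "$d/*.example.com/fullchain.cer" "$d/old.example.com/fullchain.cer"
  touch -t 202303130000 "$d/*.example.com_ecc/fullchain.cer" "$d/new.example.com_ecc/fullchain.cer"
  printf '%s\n' "$d"
}

# With two arguments (acme.sh home, domain) report on a real directory.
if [ "$#" -eq 2 ]; then cert_dir_state "$1" "$2"; fi
```

A result of stale-plain is the silent case from the report: the deploy succeeds but the remote host keeps receiving the old certificate. acme.sh also has an `--ecc` option that selects the ECC certificate for `--deploy`.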