ght-acme.sh
Account creation broken
Account creation is broken on the newest version. I also tried on a random older version (9d7813619d228383bd4f61a836a6a6f2d51183cb), and it works fine there.
Here's what happens on the newest version:
$ openssl genrsa -out account.key 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................................++
...................................................................++
e is 65537 (0x10001)
$ ./letsencrypt.sh register -a account.key -e [email protected]
pwnedkeys.com claims: account key is not compromised
register account
unhandled response while registering account
HTTP/1.1 100 Continue
HTTP/1.1 400 Bad Request
Server: nginx
Date: Wed, 24 Jun 2020 20:17:53 GMT
Content-Type: application/problem+json
Content-Length: 114
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001a3IX76GwuWP45fsUjQ0ziDPOLqPyZrBhQ2214DAsUm0
{
"type": "urn:ietf:params:acme:error:badPublicKey",
"detail": "key exponent must be 65537",
"status": 400
}
OS: Debian 8.1. Bash 4.3.30.
Actually, I just realized that it works fine on an Ubuntu 20.04, so I guess it's just time to upgrade my old Debian 8.1 server.
Actually, it is good that you reported this. I am trying to maintain the code for old versions of UNIX systems; it is running on Solaris and Tru64 UNIX as well. If you still have the Debian 8.1 machine, may I ask you to give me the output of the
openssl rsa -in account.key -text -noout
command, but only the part which relates to the publicExponent, please? (Not the rest, to avoid disclosing the private part.) Probably filtering the output like
openssl rsa -in account.key -text -noout | grep -i publicExponent | cat -te
would be OK, but I am not sure; there may be additional lines related to this value.
Same issue here:
pwnedkeys.com claims: account key is not compromised
register account
unhandled response while registering account
HTTP/1.1 100 Continue
HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 11 Aug 2020 18:22:04 GMT
Content-Type: application/problem+json
Content-Length: 114
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00028HA6DCyqXYiBQnQ12bFQVeX5UrHoVqEqTmG1hVSq-jk
{
"type": "urn:ietf:params:acme:error:badPublicKey",
"detail": "key exponent must be 65537",
"status": 400
}
Ubuntu 16.04.4 LTS
openssl rsa -in account.key -text -noout | grep -i publicExponent | cat -te
publicExponent: 65537 (0x10001)$
Thanks for reporting. Is the problem reproducible (same error on retry)?
What is the output of the echo -e 'x\040x' | od -cb and echo -e 'x\0040x' | od -cb commands?
The /bin/sh shell on Ubuntu 16.04 does not correctly handle the \0000 octal escape sequence. I updated the code, reverting to the use of the xxd utility. The program should work properly now.
Account generation fails for me with:
./letsencrypt.sh: 157: ./letsencrypt.sh: xxd: not found
./letsencrypt.sh: 157: ./letsencrypt.sh: xxd: not found
pwnedkeys.com claims: account key is not compromised
register account
unhandled response while registering account
HTTP/2 400
server: nginx
date: Sun, 14 Mar 2021 21:50:48 GMT
content-type: application/problem+json
content-length: 108
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0103dCPunUitDQi8ECJJNLBg_cjI27T0gcKaFJbXf9B_...
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Parse error reading JWS",
"status": 400
}
(installing xxd fixes that, but should be noted in the documentation that it's required)
Thanks for this note. I created a doc/requirements.md file listing the utilities needed to run the program.
I upgraded the code so that it first checks for the required commands. If some command is not found, it prints an error message and exits immediately, leaving no room for confusion from unrelated follow-on error messages.
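Two things in this thread are worth seeing in working code: the "key exponent must be 65537" rejection was produced by a key whose exponent really was 65537, so the fault was in how the shell turned the exponent bytes into the JWK "e" member (the echo -e octal-escape difference between shells), and the later "xxd: not found" failures are what the up-front required-command check now prevents. The script below is an added example written for this page, not ght-acme.sh's own code. It assumes POSIX sh with the sed, tr and coreutils base64 utilities; the sample publicExponent line is constructed to match what openssl prints for e=65537, and no real key is read.

```shell
#!/bin/sh
# Added example for this thread; not ght-acme.sh's own code.
# Assumes POSIX sh plus sed, tr and the coreutils base64 utility.

# Pre-flight check: report every missing utility at once and fail before any
# of them is invoked, so the user never sees "xxd: not found" mid-run.
require_commands() {
    missing=""
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
    done
    if [ -n "$missing" ]; then
        printf 'missing required command(s):%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Read `openssl rsa -text -noout` output on stdin and print only the decimal
# public exponent from the "publicExponent: 65537 (0x10001)" line, so the
# modulus and private components are never echoed.
exponent_from_openssl_text() {
    sed -n 's/^publicExponent: *\([0-9][0-9]*\).*/\1/p'
}

# Encode a non-negative integer as the base64url of its minimal big-endian
# byte string (the JWK "e"/"n" encoding). Bytes are emitted with printf's own
# \NNN octal escapes, which every POSIX printf interprets the same way; this
# avoids the echo -e '\0NNN' behaviour that differs between /bin/sh variants.
int_to_base64url() {
    n=$1
    escapes=""
    while [ "$n" -gt 0 ]; do
        escapes="\\$(printf '%03o' $((n % 256)))$escapes"
        n=$((n / 256))
    done
    [ -n "$escapes" ] || escapes='\000'
    printf "$escapes" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Constructed sample: the line openssl prints for a key with e=65537.
SAMPLE_TEXT='publicExponent: 65537 (0x10001)'

main() {
    require_commands sed tr base64 || exit 1
    e=$(printf '%s\n' "$SAMPLE_TEXT" | exponent_from_openssl_text)
    # A correct JWK for e=65537 always carries "e": "AQAB"; anything else means
    # the byte conversion, not the key, is at fault.
    printf 'publicExponent %s -> JWK "e": "%s"\n' "$e" "$(int_to_base64url "$e")"
}

main "$@"
```

The server-side check in the thread compares the decoded "e" against 65537, so a mangled encoding yields exactly the badPublicKey error reported above even though the key itself is fine; printing the encoded value and confirming it reads AQAB is a quick local test before retrying registration.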