
Does not work on macOS

Open aral opened this issue 3 years ago • 2 comments

With the same configuration file, Pebble behaves differently on Linux and on macOS.

Specifically, on macOS, Pebble:

  • Does not set the OCSP responder URL
  • Has different root issuer output
  • Has different intermediate issuer output
  • Doesn't generate an issuance chain
  • Does not report that it is using the system DNS resolver for ACME challenges
  • Does not report that it is configured for authz reuse
  • Does not report that it is configured for N orders per page
  • Does not create the management interface server or listen on port 15000
  • Reports that the root certificate is available from the server on port 14000

Is Pebble simply not supported on macOS?

Config file

{
  "pebble": {
    "listenAddress": "0.0.0.0:14000",
    "managementListenAddress": "0.0.0.0:15000",
    "certificate": "test/certs/localhost/cert.pem",
    "privateKey": "test/certs/localhost/key.pem",
    "httpPort": 80,
    "tlsPort": 443,
    "ocspResponderURL": "http://localhost:8888",
    "externalAccountBindingRequired": false
  }
}

Launch output on Linux

Pebble 2021/03/23 12:19:15 Starting Pebble ACME server
Pebble 2021/03/23 12:19:15 Setting OCSP responder URL for issued certificates to "http://localhost:8888"
Pebble 2021/03/23 12:19:16 Generated new root issuer CN=Pebble Root CA 21804d with serial 3444a012a4e04a31 and SKI 4f89a2c5cab21fefccce67d38ddfb29b1ac3f116
Pebble 2021/03/23 12:19:16 Generated new intermediate issuer CN=Pebble Intermediate CA 4b49c9 with serial 1965cc6e8446292c and SKI 5af45fd9e39388c6b81710042a42528d69b1d52a
Pebble 2021/03/23 12:19:16 Generated issuance chain: Pebble Root CA 21804d -> Pebble Intermediate CA 4b49c9
Pebble 2021/03/23 12:19:16 Using system DNS resolver for ACME challenges
Pebble 2021/03/23 12:19:16 Configured to reject 5% of good nonces
Pebble 2021/03/23 12:19:16 Configured to attempt authz reuse for each identifier 50% of the time
Pebble 2021/03/23 12:19:16 Configured to show 3 orders per page
Pebble 2021/03/23 12:19:16 Management interface listening on: 0.0.0.0:15000
Pebble 2021/03/23 12:19:16 Root CA certificate available at: https://0.0.0.0:15000/roots/0
Pebble 2021/03/23 12:19:16 Listening on: 0.0.0.0:14000
Pebble 2021/03/23 12:19:16 ACME directory available at: https://0.0.0.0:14000/dir

Launch output on macOS

Pebble 2021/03/23 14:31:14 Starting Pebble ACME server
Pebble 2021/03/23 14:31:14 Generated new root issuer with serial 24458feeaecfdb5b
Pebble 2021/03/23 14:31:14 Generated new intermediate issuer with serial 52ffe067ab99757e
Pebble 2021/03/23 14:31:14 Configured to reject 5% of good nonces
Pebble 2021/03/23 14:31:14 Listening on: 0.0.0.0:14000
Pebble 2021/03/23 14:31:14 ACME directory available at: https://0.0.0.0:14000/dir
Pebble 2021/03/23 14:31:14 Root CA certificate available at: https://0.0.0.0:14000/root

aral · Mar 23 '21 14:03

Thanks for the report, @aral! As far as I know, we've never tested pebble on macOS. Have you tried running it inside a docker container with the provided docker-compose.yml?

jsha · Mar 24 '21 00:03

The macOS output appears to be from a much earlier version (at least 6014f24b0a426ae81301dddd4572250213d6cd50, July 2019). My best guess is you're running through docker-compose which is configured for letsencrypt/pebble:latest, and you have/had an old "latest" tag.

Is this still an issue, and if so, can you try re-pulling latest?

squizzling · Jun 15 '21 16:06
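To check squizzling's hypothesis (a stale `letsencrypt/pebble:latest` image) before debugging anything else, here is an added shell example, not code from this thread or from the Pebble project. It reads a Pebble startup log and reports which of the markers present in the Linux output are missing, then classifies the log as current or stale. The marker strings are copied from the two logs quoted in the issue; treating a bare `/root` on the ACME listener as the old layout is an inference from those same two logs, not a documented Pebble version check, and the OCSP marker assumes `ocspResponderURL` is set in the config, as it is here.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the Pebble project.
# Classifies a Pebble startup log by the markers a current build prints, so a
# "different behaviour on macOS" report can be checked for a stale image first.
# Assumes only the log line formats quoted in the issue and that the config sets
# ocspResponderURL (otherwise the OCSP marker is legitimately absent).

# Constructed sample input: the two startup logs quoted in the issue, trimmed.
LINUX_LOG='Pebble 2021/03/23 12:19:15 Starting Pebble ACME server
Pebble 2021/03/23 12:19:15 Setting OCSP responder URL for issued certificates to "http://localhost:8888"
Pebble 2021/03/23 12:19:16 Generated issuance chain: Pebble Root CA 21804d -> Pebble Intermediate CA 4b49c9
Pebble 2021/03/23 12:19:16 Using system DNS resolver for ACME challenges
Pebble 2021/03/23 12:19:16 Management interface listening on: 0.0.0.0:15000
Pebble 2021/03/23 12:19:16 Root CA certificate available at: https://0.0.0.0:15000/roots/0
Pebble 2021/03/23 12:19:16 Listening on: 0.0.0.0:14000'

MACOS_LOG='Pebble 2021/03/23 14:31:14 Starting Pebble ACME server
Pebble 2021/03/23 14:31:14 Generated new root issuer with serial 24458feeaecfdb5b
Pebble 2021/03/23 14:31:14 Listening on: 0.0.0.0:14000
Pebble 2021/03/23 14:31:14 Root CA certificate available at: https://0.0.0.0:14000/root'

# Markers the Linux (current) output shows and the macOS output lacks.
# One fixed string per line; each is matched literally with grep -F.
CURRENT_MARKERS='Setting OCSP responder URL
Generated issuance chain:
Using system DNS resolver for ACME challenges
Management interface listening on:'

# pebble_missing_markers: read a startup log on stdin and print, one per line,
# every marker from CURRENT_MARKERS that does not appear in it.
pebble_missing_markers() {
  log=$(cat)
  printf '%s\n' "$CURRENT_MARKERS" | while IFS= read -r marker; do
    printf '%s\n' "$log" | grep -qF -- "$marker" || printf '%s\n' "$marker"
  done
}

# pebble_log_version: print "current" when every marker is present, "stale"
# when markers are missing and the root certificate is served from the ACME
# listener as a bare /root (the layout the old build used in the issue's
# macOS output), and "unknown" otherwise.
pebble_log_version() {
  log=$(cat)
  missing=$(printf '%s\n' "$log" | pebble_missing_markers)
  if [ -z "$missing" ]; then
    echo current
  elif printf '%s\n' "$log" | grep -qE 'Root CA certificate available at: https://[^/]+/root$'; then
    echo stale
  else
    echo unknown
  fi
}

# Stand-alone usage: classify both sample logs and list what the stale one lacks.
printf '%s\n' "$LINUX_LOG" | pebble_log_version
printf '%s\n' "$MACOS_LOG" | pebble_log_version
printf '%s\n' "$MACOS_LOG" | pebble_missing_markers
```

In practice you would pipe the container's startup output into `pebble_log_version` instead of the embedded samples. If it prints stale, re-pull and restart (`docker-compose pull` followed by `docker-compose up`) and rerun the check against the new startup log; `docker image inspect letsencrypt/pebble:latest` shows the image's creation date if you want to confirm the cached tag was old.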