
Can not find issuer for staging server

Open Tvde1 opened this issue 4 years ago • 15 comments

Describe the bug

When setting "UseStagingServer": true, the following output is given when my server runs:

fail: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      Failed to automatically create a certificate for [url removed]
      Certes.AcmeException: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.
         at Certes.Pkcs.CertificateStore.GetIssuers(Byte[] der)
         at Certes.Pkcs.PfxBuilder.FindIssuers()
         at Certes.Pkcs.PfxBuilder.Build(String friendlyName, String password)
         at LettuceEncrypt.Internal.CertificateFactory.CompleteCertificateRequestAsync(IOrderContext order, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.CertificateFactory.CreateCertificateAsync(CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateLoader.CreateCertificateAsync(String[] domainNames, CancellationToken cancellationToken)
fail: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      Failed to create certificate
      Certes.AcmeException: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.
         at Certes.Pkcs.CertificateStore.GetIssuers(Byte[] der)
         at Certes.Pkcs.PfxBuilder.FindIssuers()
         at Certes.Pkcs.PfxBuilder.Build(String friendlyName, String password)
         at LettuceEncrypt.Internal.CertificateFactory.CompleteCertificateRequestAsync(IOrderContext order, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.CertificateFactory.CreateCertificateAsync(CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateLoader.CreateCertificateAsync(String[] domainNames, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateLoader.LoadCerts(CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateLoader.<>c__DisplayClass15_0.<<ExecuteAsync>b__0>d.MoveNext()
Failed to automatically create a certificate for [url removed]
      Certes.AcmeException: Can not find issuer 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Pretend Pear X1' for certificate 'C=US,O=(STAGING) Internet Security Research Group,CN=(STAGING) Bogus Broccoli X2'.

To Reproduce

  1. Using this version of the library 'v1.0.1'
  2. Run this code '....'
  3. With these arguments '....'
  4. See error

Expected behavior

A staging cert will be generated


Tvde1 avatar May 19 '21 08:05 Tvde1

Apparently this is due to the fact that Let's Encrypt is changing their staging keys, and my server does not have their CA trusted (see https://letsencrypt.org/docs/staging-environment/#root-certificates).

I don't think this is something for this library to solve so feel free to close it if I am correct with this assumption.

Tvde1 avatar May 20 '21 17:05 Tvde1

If I remember right, I think @huesie ran into this issue as well, and solved it by forking this project and adding automatic fetching of the staging server CA certs. If this is a general problem for others, I'd be interested in taking a contribution to make it easier to solve.

natemcmaster avatar Jun 13 '21 03:06 natemcmaster

The root cause for this problem lies in the fact that Certes does not include the new staging keys in their set of embedded certificates.

I've tried to install the staging certificates to the current user's certificate store for testing, but that did not work. So I would be thankful for some pointers on how to mitigate this issue.

MxFr avatar Jul 14 '21 14:07 MxFr

This issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.

github-actions[bot] avatar Jul 15 '22 02:07 github-actions[bot]

Closing due to inactivity. If you are looking at this issue in the future and think it should be reopened, please make a comment here and mention natemcmaster so he sees the notification.

github-actions[bot] avatar Jul 30 '22 02:07 github-actions[bot]

I've just merged https://github.com/natemcmaster/LettuceEncrypt/pull/279. Can you take a look at this and see if it solves your problem?

natemcmaster avatar Jan 01 '23 20:01 natemcmaster

I've just merged #279. Can you take a look at this and see if it solves your problem?

It doesn't solve the issue. With the latest version (1.2.0), I get the same problem on my own end here.

Codeh4ck avatar Jan 02 '23 23:01 Codeh4ck

You have to test against main, the NuGet does not have the fix.

FreeApophis avatar Jan 03 '23 09:01 FreeApophis

You can also test with https://www.nuget.org/packages/LettuceEncrypt/1.3.0-beta.246

natemcmaster avatar Jan 07 '23 13:01 natemcmaster

I'm seeing the same issue with the current beta version: 1.3.0-beta.249

netclectic avatar Jan 26 '23 14:01 netclectic

@netclectic can you share the steps you are using so I can reproduce the problem?

natemcmaster avatar Feb 04 '23 16:02 natemcmaster

@netclectic can you share the steps you are using so I can reproduce the problem?

I made a repo - https://github.com/netclectic/Blazor_LettuceEncrypt

It's using ngrok, so you will need to follow the integration test instructions and change the values in the appsettings.

https://github.com/natemcmaster/LettuceEncrypt/tree/main/test/Integration

netclectic avatar Feb 08 '23 13:02 netclectic

I'm also seeing this same issue with 1.3.0-beta.249

orkylish avatar Feb 15 '23 18:02 orkylish

Have you tried using the AdditionalIssuers option?

https://github.com/natemcmaster/LettuceEncrypt/blob/4dfcf037ba0ebde9109c7ba503be39c094bc5e0d/src/LettuceEncrypt/LettuceEncryptOptions.cs#L51-L65

natemcmaster avatar Jun 25 '23 09:06 natemcmaster

@orkylish @netclectic alternatively you can use ICertificateAuthorityConfiguration's new property IssuerCertificates. Internally, it is passed into certes the same way the AdditionalIssuers are, as shown by nate. You will have to manually pass the staging root certificate (which certificate exactly can be learned here: https://letsencrypt.org/docs/staging-environment/). For example, just read the text and add it to the options (or the property). LettuceEncrypt does not automatically register a staging certificate when you set UseStagingServer to true - it has to be done manually (unlike Certbot, when you pass --test-cert).

Everything else should be clear if you read the xml documentation of AdditionalIssuers that nate included in his comment! I can also help if needed, you can just reply to me, here.

Mafii avatar Jul 24 '23 09:07 Mafii
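A worked configuration for the approach natemcmaster and Mafii describe above, written here as an added example; it is not the project's own code and not a snippet from the thread. It assumes the operator has saved the current staging root PEM (copied from the Let's Encrypt staging-environment page) to a local file named `staging-root.pem`, that `LettuceEncryptOptions.AdditionalIssuers` accepts the PEM text of the issuer as the thread says, and that `DomainNames`, `EmailAddress` and `AcceptTermsOfService` are the package's usual options (only `UseStagingServer` and `AdditionalIssuers` appear in the thread). The domain and e-mail values are constructed placeholders.

```csharp
using System;
using System.IO;
using LettuceEncrypt;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical local path: the operator downloads the staging root from
// https://letsencrypt.org/docs/staging-environment/ and stores its PEM text here.
const string StagingRootPemPath = "staging-root.pem";

builder.Services.AddLettuceEncrypt(options =>
{
    options.DomainNames = new[] { "example.test" };   // constructed placeholder
    options.EmailAddress = "admin@example.test";      // constructed placeholder
    options.AcceptTermsOfService = true;

    // Only talk to the staging endpoint outside production.
    options.UseStagingServer = builder.Environment.IsDevelopment();

    if (options.UseStagingServer)
    {
        // The staging roots ("Pretend Pear", "Bogus Broccoli") are deliberately
        // absent from every public trust store, so Certes cannot find the issuer
        // when it builds the PFX unless the root is supplied explicitly.
        // Gate the injection on UseStagingServer so a non-public root never takes
        // part in chain building for real (production) orders.
        if (!File.Exists(StagingRootPemPath))
        {
            throw new InvalidOperationException(
                $"UseStagingServer is enabled but '{StagingRootPemPath}' was not found. " +
                "Save the current staging root PEM there before starting.");
        }

        options.AdditionalIssuers = new[] { File.ReadAllText(StagingRootPemPath) };
    }
});

var app = builder.Build();
app.MapGet("/", () => "Served over a staging-issued certificate");
app.Run();
```

The same values can of course come from the "LettuceEncrypt" section of appsettings instead of code; the point of doing it in code is the guard, which keeps the untrusted staging root tied to the staging endpoint and fails fast when the PEM file is missing rather than surfacing later as the "Can not find issuer" exception shown at the top of this issue. Because Let's Encrypt rotates the staging roots, the saved PEM has to be refreshed when they do.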

This issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.

github-actions[bot] avatar Jul 24 '24 01:07 github-actions[bot]

Closing due to inactivity. If you are looking at this issue in the future and think it should be reopened, please make a comment here and mention natemcmaster so he sees the notification.

github-actions[bot] avatar Aug 07 '24 01:08 github-actions[bot]