[Bug] Bug in the v-add-letsencrypt-domain command when updating a Let's Encrypt certificate
Operating System (OS/VERSION):
CentOS 7.7.1908 (x86_64)
VestaCP Version:
Vesta core package version: 1.0.0 (x86_64) Release: 6
Bug description
During an attempt to reissue a Let's Encrypt certificate, the process failed at step 5 for one specific domain with the error "Let's Encrypt validation status" and an empty status code in /var/log/vesta/letsencrypt.log. Notably, all other domains received and renewed their certificates without any problems.
[Wed Apr 17 15:39:27 MSK 2024] : --- Requesting authorization token / STEP 3 ---
[Wed Apr 17 15:39:27 MSK 2024] : for auth=https://acme-v02.api.letsencrypt.org/acme/authz-v3/337375828147
[Wed Apr 17 15:39:27 MSK 2024] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/authz-v3/337375828147" "" "V_63_Dn51CMbbU7GPsLk4pSrz99MjMv7fG03UgeFC_BnFfN_kKI"
[Wed Apr 17 15:39:28 MSK 2024] : answer={
"identifier": {
"type": "dns",
"value": "sub.domain.com"
},
"status": "pending",
"expires": "2024-04-18T23:15:04Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA",
"token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/todILA",
"token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/B0HRHQ",
"token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
}
]
}HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Apr 2024 12:39:28 GMT
Content-Type: application/json
Content-Length: 804
Connection: keep-alive
Boulder-Requester: 74685147
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: fYM0lmBiMw3WyEtWZJ5EcuaOSB6R_3JwjC_p0fd0wTPgdZz1ZJg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
[Wed Apr 17 15:39:28 MSK 2024] : url=https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA
fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg
[Wed Apr 17 15:39:28 MSK 2024] : token=fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg
[Wed Apr 17 15:39:28 MSK 2024] : nonce=fYM0lmBiMw3WyEtWZJ5EcuaOSB6R_3JwjC_p0fd0wTPgdZz1ZJg
[Wed Apr 17 15:39:28 MSK 2024] : status=200
[Wed Apr 17 15:39:28 MSK 2024] : --- Configuring challenge / STEP 4 ---
[Wed Apr 17 15:39:28 MSK 2024] : wildcard=
[Wed Apr 17 15:39:28 MSK 2024] : in /home/admin/conf/web/nginx.sub.domain.com.conf_letsencrypt we put: PU4DHGjQlkitKnqD52wspfaa2Dum_TBokajulcXzsx8
[Wed Apr 17 15:39:28 MSK 2024] : v-restart-proxy
[Wed Apr 17 15:39:28 MSK 2024] : --- Requesting ACME validation / STEP 5 ---
[Wed Apr 17 15:39:28 MSK 2024] : validation_check=
[Wed Apr 17 15:39:28 MSK 2024] : - Doing pol check on status
[Wed Apr 17 15:39:28 MSK 2024] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA
fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg" "{}" "fYM0lmBiMw3WyEtWZJ5EcuaOSB6R_3JwjC_p0fd0wTPgdZz1ZJg"
[Wed Apr 17 15:39:28 MSK 2024] : answer=
[Wed Apr 17 15:39:28 MSK 2024] : validation=
[Wed Apr 17 15:39:28 MSK 2024] : nonce=
[Wed Apr 17 15:39:28 MSK 2024] : status=
[Wed Apr 17 15:39:28 MSK 2024] : EXIT=Let's Encrypt validation status
As you can see, after the URL is parsed from the JSON response in step 4, an incorrect URL containing a line break followed by a piece of the "token" field value is passed to step 5:
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA
fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
but it should be:
"https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA"
After investigating and running the commands from the v-add-letsencrypt-domain file line by line, the problem turned out to lie in this line:
url=$(echo "$answer" |grep -A3 $proto |grep url |cut -f 4 -d \")
The unquoted pattern in grep url also matches the "url" substring inside the token value ("fPx0YoQmSurlQB8..."), so the pipeline returns the token line as well and does not correctly extract the URL value from the JSON.
To fix this, add quotes on line 172 so that the line looks like this:
url=$(echo "$answer" |grep -A3 $proto |grep '"url"' |cut -f 4 -d \")
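The following is an added example, not VestaCP's own code: it replays the grep/cut pipeline from v-add-letsencrypt-domain on a copy of the authorization answer quoted in the log above (the challenge URL and token are taken from this report; the indentation is not relevant), and compares the original line with the fixed one. The function names `extract_url_buggy`, `extract_url_fixed` and `line_count` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VestaCP code): reproduce the grep-based URL extraction
# from v-add-letsencrypt-domain and show why the bare "url" pattern fails.

# Copy of the "answer" JSON logged at step 3 of the report (constructed here
# for the demo; same challenge URL and token as in the log).
ANSWER='{
"identifier": {
"type": "dns",
"value": "sub.domain.com"
},
"status": "pending",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/FPLvQA",
"token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/337375828147/todILA",
"token": "fPx0YoQmSurlQB8WJGvYSGJUaLJtg2Smazv-e9_DeDg"
}
]
}'

# Original pipeline: "grep url" also matches the token value ("...SurlQB8..."),
# which sits on the line right after the url line, so two lines come out.
extract_url_buggy() {
    proto="$1"
    echo "$ANSWER" | grep -A3 "$proto" | grep url | cut -f 4 -d \"
}

# Fixed pipeline from the report: match the quoted JSON key only.
extract_url_fixed() {
    proto="$1"
    echo "$ANSWER" | grep -A3 "$proto" | grep '"url"' | cut -f 4 -d \"
}

# Number of lines a pipeline produced; a usable challenge URL is exactly one.
line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: the buggy variant yields 2 lines, the fixed one yields 1.
url_buggy=$(extract_url_buggy http-01)
url_fixed=$(extract_url_fixed http-01)
echo "buggy ($(line_count "$url_buggy") line(s)):"
echo "$url_buggy"
echo "fixed ($(line_count "$url_fixed") line(s)):"
echo "$url_fixed"
```

Checking the line count before using the extracted value is a cheap guard against this class of failure: any token, URL or domain that happens to contain the letters "url" would otherwise silently corrupt the request sent to the ACME server. Quoting the key fixes this particular case; a real JSON parser (for example jq, if it is available on the host) would avoid substring matching on the response altogether.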