Hi,
So I have started a new install and used the -c flag for Let's Encrypt; however, this failed with the following error:
```
[Info] Issuing certificates...
[Mon Jun 28 09:44:55 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Jun 28 09:44:56 UTC 2021] Standalone mode.
[Mon Jun 28 09:44:56 UTC 2021] Standalone mode.
[Mon Jun 28 09:44:56 UTC 2021] Standalone mode.
[Mon Jun 28 09:44:56 UTC 2021] Standalone mode.
[Mon Jun 28 09:44:56 UTC 2021] Standalone mode.
[Mon Jun 28 09:44:57 UTC 2021] Create account key ok.
[Mon Jun 28 09:44:57 UTC 2021] Registering account
[Mon Jun 28 09:44:58 UTC 2021] Register account Error: {
"type": "urn:ietf:params:acme:error:badPublicKey",
"detail": "key too small: 240",
"status": 400
}
[Mon Jun 28 09:44:58 UTC 2021] Please add '--debug' or '--log' to check more details.
[Mon Jun 28 09:44:58 UTC 2021] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
```
I am new to openBalena, so can anyone point me in the direction of how to fix this?
Thanks
mpous
June 28, 2021, 11:18am
Hello @wildfireone
could you please confirm your balenaOS version and the supervisor version? Thanks!
So if anyone else gets this, it looks like the version of acme.sh is too old. What worked for me is to change the checked-out version in src/cert-provider/Dockerfile on line 12 to `git checkout 2.8.9`.
Rebuild the container and start it back up. You will then encounter this issue: Using real (not self-signed) certificates - #184 by ppoth
You will need to look at this and comment out lines 182 & 183 to fix it:
(GitHub issue opened 26 Feb 2021, 10:37PM UTC)
Hi, I have installed open balena on my server and I'm not able to acquire LE certs. I have performed a clean installation 3 times but cert provider always fails on: `[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]`.
When I try to manually execute command (used to check staging cert) from `cert-provider.sh` script:
`echo "" | openssl s_client -host "api.{DOMAIN}" -port 443 -showcerts 2>/dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | openssl verify -CAfile /usr/src/app/fake-le-bundle.pem /dev/null 2>&1`
it throws error:
`140406427946312:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE`
I have installed many open balena servers and this is the first time I have encountered this issue .
Here is complete log of cert provider container:
```
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.{DOMAIN} on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
cat: can't open '/usr/src/app/certs/last_run_mode': No such file or directory
[Info] Last acquired certificate for
[Info] Using STAGING mode
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Fri Feb 26 20:52:33 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Create account key ok.
[Fri Feb 26 20:52:34 UTC 2021] Registering account
[Fri Feb 26 20:52:36 UTC 2021] Registered
[Fri Feb 26 20:52:36 UTC 2021] ACCOUNT_THUMBPRINT='...'
[Fri Feb 26 20:52:36 UTC 2021] Creating domain key
[Fri Feb 26 20:52:36 UTC 2021] The domain key is here: /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.key
[Fri Feb 26 20:52:36 UTC 2021] Multi domain='DNS:api.{DOMAIN},DNS:registry.{DOMAIN},DNS:s3.{DOMAIN},DNS:vpn.{DOMAIN}'
[Fri Feb 26 20:52:36 UTC 2021] Getting domain auth token for each domain
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='api.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='registry.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='s3.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='vpn.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Verifying: api.{DOMAIN}
[Fri Feb 26 20:52:39 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:44 UTC 2021] Pending
[Fri Feb 26 20:52:46 UTC 2021] Success
[Fri Feb 26 20:52:46 UTC 2021] Verifying: registry.{DOMAIN}
[Fri Feb 26 20:52:46 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:51 UTC 2021] Success
[Fri Feb 26 20:52:51 UTC 2021] Verifying: s3.{DOMAIN}
[Fri Feb 26 20:52:51 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:56 UTC 2021] Success
[Fri Feb 26 20:52:56 UTC 2021] Verifying: vpn.{DOMAIN}
[Fri Feb 26 20:52:56 UTC 2021] Standalone mode server
[Fri Feb 26 20:53:00 UTC 2021] Success
[Fri Feb 26 20:53:00 UTC 2021] Verify finished, start to sign.
[Fri Feb 26 20:53:00 UTC 2021] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/18299657/247900355
[Fri Feb 26 20:53:01 UTC 2021] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa90613ff99fa062cf8b01b94a37ad968efc
[Fri Feb 26 20:53:02 UTC 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIF2jCCBMKgAwIBAgITAPqQYT/5n6Biz4sBuUo3rZaO/DANBgkqhkiG9w0BAQsF
...
YQyqRZL5fE2Sb7oqOHw=
-----END CERTIFICATE-----
[Fri Feb 26 20:53:02 UTC 2021] Your cert is in /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.cer
[Fri Feb 26 20:53:02 UTC 2021] Your cert key is in /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.key
[Fri Feb 26 20:53:02 UTC 2021] The intermediate CA cert is in /usr/src/app/certs/api.{DOMAIN}/ca.cer
[Fri Feb 26 20:53:02 UTC 2021] And the full chain certs is there: /usr/src/app/certs/api.{DOMAIN}/fullchain.cer
[Info] Installing certificates...
[Fri Feb 26 20:53:02 UTC 2021] Installing cert to:/tmp/cert.pem
[Fri Feb 26 20:53:02 UTC 2021] Installing key to:/tmp/key.pem
[Fri Feb 26 20:53:02 UTC 2021] Installing full chain to:/tmp/fullchain.pem
[Fri Feb 26 20:53:02 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Feb 26 20:53:02 UTC 2021] Reload success
[Info] Waiting for api.{DOMAIN} to use a staging certificate...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.{DOMAIN} on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Last acquired certificate for STAGING
[Info] Using STAGING mode
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Fri Feb 26 20:58:47 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Feb 26 20:58:48 UTC 2021] Domains not changed.
[Fri Feb 26 20:58:48 UTC 2021] Skip, Next renewal time is: Tue Apr 27 20:53:02 UTC 2021
[Fri Feb 26 20:58:48 UTC 2021] Add '--force' to force to renew.
[Info] Installing certificates...
[Fri Feb 26 20:58:48 UTC 2021] Installing cert to:/tmp/cert.pem
[Fri Feb 26 20:58:48 UTC 2021] Installing key to:/tmp/key.pem
[Fri Feb 26 20:58:48 UTC 2021] Installing full chain to:/tmp/fullchain.pem
[Fri Feb 26 20:58:48 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Feb 26 20:58:48 UTC 2021] Reload success
[Info] Waiting for api.{DOMAIN} to use a staging certificate...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
```
Hope this helps others
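In the check quoted in the issue above, whatever awk extracts from the `openssl s_client -showcerts` capture is handed straight to `openssl verify`. When that stage receives no PEM data at all, openssl reports `no start line ... Expecting: TRUSTED CERTIFICATE`, which says nothing about why nothing was captured. The following Python is an added example written for this page, not openBalena's cert-provider code: it performs the same BEGIN/END selection as the awk expression and turns the empty-capture case into an explicit error. Both transcripts are constructed in the shape of s_client output; the PEM bodies and the `example.test` names are placeholders, not real certificates.

```python
"""Extract PEM certificates from `openssl s_client -showcerts` output and
fail loudly when there are none.

Piping an empty extraction into `openssl verify` yields
  "no start line ... Expecting: TRUSTED CERTIFICATE"
which hides the real cause. Added example, not openBalena code.
"""
import re

# One complete PEM certificate block, CRLF-tolerant.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed transcript in the shape of `openssl s_client -showcerts`.
# The PEM bodies are placeholders, not real certificates.
SAMPLE_WITH_CHAIN = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = api.example.test
   i:CN = Constructed Staging Intermediate
-----BEGIN CERTIFICATE-----
MIIFAKELEAFCERTIFICATEBODYAAAA
-----END CERTIFICATE-----
 1 s:CN = Constructed Staging Intermediate
   i:CN = Constructed Staging Root
-----BEGIN CERTIFICATE-----
MIIFAKEINTERMEDIATECERTBODYBBBB
-----END CERTIFICATE-----
---
"""

# Constructed transcript for a connection that returned no certificate.
SAMPLE_NO_CERT = """CONNECTED(00000003)
---
no peer certificate available
---
"""


def extract_pem_certs(s_client_output):
    """Same selection as awk '/BEGIN CERT/ {p=1}; p==1; /END CERT/ {p=0}'
    in the quoted command, returned as a list of complete PEM blocks."""
    return PEM_CERT.findall(s_client_output)


def split_chain(s_client_output):
    """Return (leaf, intermediates); raise instead of passing on empty input."""
    certs = extract_pem_certs(s_client_output)
    if not certs:
        raise ValueError(
            "no certificate in s_client output: the TLS handshake did not "
            "complete or the server sent no certificate; check port 443 and SNI"
        )
    return certs[0], certs[1:]


def describe_capture(s_client_output):
    """One-line summary suitable for a cert-provider style log message."""
    try:
        leaf, intermediates = split_chain(s_client_output)
    except ValueError as exc:
        return "error: %s" % exc
    return "extracted leaf plus %d intermediate certificate(s)" % len(intermediates)


if __name__ == "__main__":
    import sys
    # Usage: openssl s_client -connect api.{DOMAIN}:443 -showcerts </dev/null | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WITH_CHAIN
    print(describe_capture(data))
```

Two caveats when adapting the quoted pipeline: `openssl verify` verifies the files named on its command line and only falls back to standard input when none is given, so the extracted chain is only inspected if the trailing argument is `/dev/stdin` or omitted; and `s_client` versions before OpenSSL 1.1.1 do not send SNI unless `-servername api.{DOMAIN}` is passed, which matters when several names share one proxy.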
mpous
June 28, 2021, 11:18am
BTW welcome to the balena forums community
mpous
June 28, 2021, 11:20am
Ok! That was fast @wildfireone thank you for reporting the solution!
Feel free to contribute into the openBalena repository!
Let us know how we can help you more!
Thanks, well I had some time this morning so thought I might try and resolve the issue myself by getting down and dirty with how you have it setup. Do you prefer this as a PR in github, or shall I raise it as an issue on there?
Thanks for looking into this issue, wildfireone! It seems that on some systems acme.sh has problems with xxd, which does the key transformation, hence the error `key too small: 240`. This is reported here and seems to be resolved from acme v2.8.9 onwards, as you have figured out.
As Marc said, feel free to contribute to the openBalena repository!
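The xxd step mentioned above is the hex-to-bytes conversion that turns the modulus `openssl rsa -noout -modulus` prints into the base64url `n` member of the account JWK. The ACME server derives the key size from that field, so a mangled conversion is rejected as badPublicKey even when the key file on disk is a normal 2048-bit key. The following Python is an added example written for this page, not acme.sh or openBalena code: it performs the conversion correctly and computes the modulus size the way the server does. Both modulus values are constructed, a 256-byte placeholder that is not a real RSA modulus and a 30-byte one chosen only to reproduce the 240 in the error message. To check a real account key, pipe the output of `openssl rsa -in <account.key> -noout -modulus` into it.

```python
"""Check the RSA modulus that ends up in an ACME account JWK.

acme.sh converts the hex modulus printed by `openssl rsa -noout -modulus`
into the base64url "n" member of the JWK it registers. The CA computes the
key size from "n", so a broken hex-to-bytes step surfaces as
  urn:ietf:params:acme:error:badPublicKey  "key too small: <bits>"
even though the key file itself is fine. Added example, not acme.sh code.
"""
import base64

MIN_RSA_BITS = 2048  # Let's Encrypt rejects RSA account keys below this

# Constructed placeholder: 256 bytes with the top bit set (exactly 2048 bits).
# It is NOT a real RSA modulus; it only exercises the conversion.
CONSTRUCTED_MODULUS_HEX = "C0" + "A5" * 255

# Constructed 30-byte value (2**239) that reproduces the "240" seen in the thread.
SMALL_N_B64URL = base64.urlsafe_b64encode(b"\x80" + b"\x00" * 29).rstrip(b"=").decode("ascii")


def hex_modulus_to_jwk_n(modulus_hex):
    """Hex digits (optionally 'Modulus=...') -> raw bytes -> unpadded base64url.
    This is the transformation acme.sh performs with xxd."""
    digits = modulus_hex.strip()
    if "=" in digits:                      # accept openssl's "Modulus=ABCD..." form
        digits = digits.split("=", 1)[1]
    if len(digits) % 2:                    # bytes.fromhex needs an even digit count
        digits = "0" + digits
    raw = bytes.fromhex(digits)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_n_bits(n_b64url):
    """Bit length of a JWK 'n' value, which is how the CA sizes the key."""
    padded = n_b64url + "=" * (-len(n_b64url) % 4)   # restore stripped padding
    raw = base64.urlsafe_b64decode(padded)
    return int.from_bytes(raw, "big").bit_length()


def check_jwk_n(n_b64url):
    """Return (ok, message) mirroring the server-side size check."""
    bits = jwk_n_bits(n_b64url)
    if bits < MIN_RSA_BITS:
        return False, "key too small: %d" % bits
    return True, "ok: %d-bit modulus" % bits


if __name__ == "__main__":
    import sys
    # Usage: openssl rsa -in account.key -noout -modulus | python3 this.py
    hex_in = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_MODULUS_HEX
    print(check_jwk_n(hex_modulus_to_jwk_n(hex_in))[1])
    print(check_jwk_n(SMALL_N_B64URL)[1])
```

If the key file reports 2048 bits under `openssl rsa -noout -text` but the `n` your client actually sends decodes to far fewer, the fault is in the conversion step, not in key generation, which is the situation this thread describes.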
Thanks to community contribution the tracking issue Cert Provider - Cannot issue a production certificate · Issue #108 · balena-io/open-balena · GitHub has been closed. This issue and the related PR should have fixed the issue discussed here.
Thanks to everyone involved.