So if anyone else gets this, looks like the version of acme.sh is too old. What worked for me is to change the checked out version in `src/cert-provider/DockerFile` on line 12 to `git checkout 2.8.9`.
Rebuild the container and start it back up. You will then encounter this issue: Using real (not self-signed) certificates - #184 by ppoth
You will need to look at this and comment out lines 182 & 183 to fix it:
opened 10:37PM - 26 Feb 21 UTC
Hi, I have installed open balena on my server and I'm not able to acquire LE certs. I have performed clean installation 3 times but cert provider always fails on: `[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]`.
When I try to manually execute command (used to check staging cert) from `cert-provider.sh` script:
`echo "" | openssl s_client -host "api.{DOMAIN}" -port 443 -showcerts 2>/dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | openssl verify -CAfile /usr/src/app/fake-le-bundle.pem /dev/null 2>&1`
it throws error:
`140406427946312:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE`
I have installed many open balena servers and this is the first time I have encountered this issue.
Here is complete log of cert provider container:
```
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.{DOMAIN} on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
cat: can't open '/usr/src/app/certs/last_run_mode': No such file or directory
[Info] Last acquired certificate for
[Info] Using STAGING mode
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Fri Feb 26 20:52:33 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Create account key ok.
[Fri Feb 26 20:52:34 UTC 2021] Registering account
[Fri Feb 26 20:52:36 UTC 2021] Registered
[Fri Feb 26 20:52:36 UTC 2021] ACCOUNT_THUMBPRINT='...'
[Fri Feb 26 20:52:36 UTC 2021] Creating domain key
[Fri Feb 26 20:52:36 UTC 2021] The domain key is here: /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.key
[Fri Feb 26 20:52:36 UTC 2021] Multi domain='DNS:api.{DOMAIN},DNS:registry.{DOMAIN},DNS:s3.{DOMAIN},DNS:vpn.{DOMAIN}'
[Fri Feb 26 20:52:36 UTC 2021] Getting domain auth token for each domain
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='api.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='registry.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='s3.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='vpn.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Verifying: api.{DOMAIN}
[Fri Feb 26 20:52:39 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:44 UTC 2021] Pending
[Fri Feb 26 20:52:46 UTC 2021] Success
[Fri Feb 26 20:52:46 UTC 2021] Verifying: registry.{DOMAIN}
[Fri Feb 26 20:52:46 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:51 UTC 2021] Success
[Fri Feb 26 20:52:51 UTC 2021] Verifying: s3.{DOMAIN}
[Fri Feb 26 20:52:51 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:56 UTC 2021] Success
[Fri Feb 26 20:52:56 UTC 2021] Verifying: vpn.{DOMAIN}
[Fri Feb 26 20:52:56 UTC 2021] Standalone mode server
[Fri Feb 26 20:53:00 UTC 2021] Success
[Fri Feb 26 20:53:00 UTC 2021] Verify finished, start to sign.
[Fri Feb 26 20:53:00 UTC 2021] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/18299657/247900355
[Fri Feb 26 20:53:01 UTC 2021] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa90613ff99fa062cf8b01b94a37ad968efc
[Fri Feb 26 20:53:02 UTC 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIF2jCCBMKgAwIBAgITAPqQYT/5n6Biz4sBuUo3rZaO/DANBgkqhkiG9w0BAQsF
...
YQyqRZL5fE2Sb7oqOHw=
-----END CERTIFICATE-----
[Fri Feb 26 20:53:02 UTC 2021] Your cert is in /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.cer
[Fri Feb 26 20:53:02 UTC 2021] Your cert key is in /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.key
[Fri Feb 26 20:53:02 UTC 2021] The intermediate CA cert is in /usr/src/app/certs/api.{DOMAIN}/ca.cer
[Fri Feb 26 20:53:02 UTC 2021] And the full chain certs is there: /usr/src/app/certs/api.{DOMAIN}/fullchain.cer
[Info] Installing certificates...
[Fri Feb 26 20:53:02 UTC 2021] Installing cert to:/tmp/cert.pem
[Fri Feb 26 20:53:02 UTC 2021] Installing key to:/tmp/key.pem
[Fri Feb 26 20:53:02 UTC 2021] Installing full chain to:/tmp/fullchain.pem
[Fri Feb 26 20:53:02 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Feb 26 20:53:02 UTC 2021] Reload success
[Info] Waiting for api.{DOMAIN} to use a staging certificate...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.{DOMAIN} on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Last acquired certificate for STAGING
[Info] Using STAGING mode
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Fri Feb 26 20:58:47 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Feb 26 20:58:48 UTC 2021] Domains not changed.
[Fri Feb 26 20:58:48 UTC 2021] Skip, Next renewal time is: Tue Apr 27 20:53:02 UTC 2021
[Fri Feb 26 20:58:48 UTC 2021] Add '--force' to force to renew.
[Info] Installing certificates...
[Fri Feb 26 20:58:48 UTC 2021] Installing cert to:/tmp/cert.pem
[Fri Feb 26 20:58:48 UTC 2021] Installing key to:/tmp/key.pem
[Fri Feb 26 20:58:48 UTC 2021] Installing full chain to:/tmp/fullchain.pem
[Fri Feb 26 20:58:48 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Feb 26 20:58:48 UTC 2021] Reload success
[Info] Waiting for api.{DOMAIN} to use a staging certificate...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
```
Hope this helps others
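As an added example (not openBalena's cert-provider.sh and not from the post above), here is the same staging-certificate check written as a small POSIX shell script that reports "no certificate captured" separately from "certificate captured but not staging", which is the distinction the one-liner hides behind openssl's "no start line" error. The default bundle path, the `-servername` flag and the `example.test` host are my assumptions; the sample s_client output is constructed.

```shell
# Added example, not openBalena's own cert-provider.sh: the staging-certificate
# check from that script split into steps, so that "no certificate captured"
# (which the one-liner surfaces as openssl's "no start line" error) is reported
# separately from "certificate captured but not issued by the staging CA".
# Assumptions: the BUNDLE default path and the example.test host are placeholders.
BUNDLE="${BUNDLE:-/usr/src/app/fake-le-bundle.pem}"

# Fetch the PEM chain presented on port 443. -servername sends SNI explicitly;
# s_client on OpenSSL builds older than 1.1.1 does not send it by default.
fetch_chain() {
  echo "" | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null
}

# Same awk filter as cert-provider.sh: keep every BEGIN/END CERTIFICATE block
# (leaf first, then intermediates) and drop the handshake chatter around them.
extract_certs() {
  awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}'
}

# Number of certificate blocks on stdin (0 when nothing was captured).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' || true
}

# Exit status: 0 = leaf verifies against BUNDLE (staging cert is live),
# 1 = chain captured but does not verify, 2 = no certificate captured at all.
classify_chain() {
  n=$(printf '%s\n' "$1" | count_certs)
  if [ "$n" -eq 0 ]; then
    echo "no certificate received: port 443 is not serving TLS yet, or the connection failed" >&2
    return 2
  fi
  # With no file argument, openssl verify reads the first (leaf) cert from stdin,
  # so BUNDLE must contain the staging intermediate(s) as well as the root.
  if printf '%s\n' "$1" | openssl verify -CAfile "$BUNDLE" >/dev/null 2>&1; then
    return 0
  fi
  echo "captured $n certificate(s), but the leaf does not verify against $BUNDLE" >&2
  return 1
}

check_staging() { classify_chain "$(fetch_chain "$1" | extract_certs)"; }

# Constructed s_client-style output; the PEM body is a placeholder, not a real cert.
SAMPLE='CONNECTED(00000003)
 0 s:CN = api.example.test
-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----
---'
demo_count() { printf '%s\n' "$SAMPLE" | extract_certs | count_certs; }
if [ $# -gt 0 ]; then check_staging "$1"; fi
```

Run it as `sh check-staging.sh api.{DOMAIN}` from inside the cert-provider container; exit status 2 means the TLS listener itself is not answering, which is the case to chase before looking at certificates.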