I just tried to install lua-resty-auto-ssl using the luarocks command below:

```shell
sudo luarocks install lua-resty-auto-ssl
```

But it is still using dehydrated version 0.5.0, which has a bug in getting the Replay-Nonce header from letsencrypt during validation. I have to update the dehydrated file to make it work!
Can we update the luarocks repo?
According to a post on the letsencrypt forums, letsencrypt changed their CDN yesterday, which is causing problems with the 0.5.0 version of dehydrated.
The planned 0.13.0 release looks to include 0.6.5 of dehydrated which is said to fix this problem.
Thank you @im-erikjohansson.
As for anyone who is facing a similar issue, you will need to update the `dehydrated` file located at `/usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated`.
Update the following lines:
```shell
REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
```

to

```shell
REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep -i Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
```

AND

```shell
# Retrieve nonce from acme-server
if [[ ${API} -eq 1 ]]; then
  nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
else
  nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
fi
```

to

```shell
# Retrieve nonce from acme-server
if [[ ${API} -eq 1 ]]; then
  nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
else
  nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
fi
```
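To see why the one-character `-i` change matters, here is an added example (not code from this thread or from dehydrated) that runs the 0.5.0 pipeline and the hotfixed one against constructed HTTP/2-style response headers, where field names arrive lowercase; `SAMPLE_HEADERS` is constructed, and `header_value` is an assumed, slightly more robust generalisation rather than anything dehydrated ships.

```shell
#!/usr/bin/env bash
# Constructed sample headers, as an HTTP/2 client prints them: lowercase field
# names, CRLF line endings, and a made-up nonce value. Not a real ACME response.
SAMPLE_HEADERS="$(printf 'HTTP/2 200\r\nserver: nginx\r\ndate: Wed, 23 Oct 2019 14:05:48 GMT\r\ncache-control: public, max-age=0, no-cache\r\nreplay-nonce: 0001constructedNonceValueXYZ\r\nlink: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"\r\n')"

# dehydrated 0.5.0 behaviour: case-sensitive match, so lowercase HTTP/2 headers
# yield an empty nonce and the CA later answers with urn:acme:error:badNonce.
old_nonce() {
  printf '%s\n' "$SAMPLE_HEADERS" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r'
}

# The hotfix from this thread: grep -i matches regardless of header-name case.
fixed_nonce() {
  printf '%s\n' "$SAMPLE_HEADERS" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r'
}

# Assumed generalisation (not from dehydrated): anchor the field name at line
# start so a header that merely ends in the same text cannot match, accept any
# whitespace after the colon, take only the first match, and strip CR/LF.
# Usage: printf '%s\n' "$headers" | header_value Replay-Nonce
header_value() {
  local name="$1"
  grep -i -m1 "^${name}:" | sed -E 's/^[^:]+:[[:space:]]*//' | tr -d '\n\r'
}

# Stand-alone demonstration: empty line for the old pipeline, the nonce for the fixed ones.
echo "0.5.0 pipeline : '$(old_nonce)'"
echo "hotfix pipeline: '$(fixed_nonce)'"
echo "header_value   : '$(printf '%s\n' "$SAMPLE_HEADERS" | header_value Replay-Nonce)'"
```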
@ronaldgetz thank you for that, perfect temporary fix.
Any idea when the 0.13.0 release is scheduled?
The 0.13.0 release needs to be released as soon as possible. Anything that I could do to help with this?
@GUI can you chime in on this? This seems to be caused by HTTP/2 case sensitive headers.
Dehydrated fixed that
This should be high-priority. I don't want to be demanding or anything as I know how much work it is to maintain Open Source projects, but please release a new version of this one, as no new SSL certs can be issued anymore.
In case someone runs this in Docker containers like we do, we deployed a fix like this:

```dockerfile
# Temporary fix for https://github.com/GUI/lua-resty-auto-ssl/issues/192
RUN sed -i 's/grep Location/grep -i Location/g' /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated && \
    sed -i 's/grep Replay/grep -i Replay/g' /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated
```
Thank you @ronaldgetz for the fix.
Cool, it also fixed this on my side.
Details:

```json
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}
```
Sorry for the headaches caused by the delay on this everyone! v0.13.0 is now released which includes the newer version of dehydrated bundled in. Give a shout if you're still seeing any issues with the new release.
And thanks to everyone for reporting this and the temporary workarounds!
@GUI Thank you for your quick release of the new, fixed version. It's definitely not common that maintainers react that fast. You did a great job here. 👍 So thank you again.
Here are @ronaldgetz's changes as a patch for easier hotfixing:
--- luajit/bin/resty-auto-ssl/dehydrated 2019-10-23 16:05:48.322378013 +0200
+++ luajit/bin/resty-auto-ssl/dehydrated 2019-10-23 16:08:12.359383225 +0200
@@ -296,7 +296,7 @@
else
# Check if private account key exists, if it doesn't exist yet generate a new one (rsa key)
if [[ ! -e "${ACCOUNT_KEY}" ]]; then
- REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+ REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep -i Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
if [[ -z "${REAL_LICENSE}" ]]; then
printf '\n' >&2
printf 'Error retrieving terms of service from certificate authority.\n' >&2
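Review bot: the `grep -i Location:` on the `+` line fixes the case-sensitivity problem, but the pattern is unanchored, so it also matches any header whose name merely ends in `Location`; anchoring it as `grep -i '^Location:'` keeps the fix and tightens the match. The `awk -F ': '` split on the same line still depends on exactly one space after the colon, which the case fix does not address.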
@@ -523,9 +523,9 @@
# Retrieve nonce from acme-server
if [[ ${API} -eq 1 ]]; then
- nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+ nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
else
- nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+ nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
fi
# Build header with just our public key and algorithm information
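Review bot: the two `+` lines differ only in the URL variable (`${CA}` versus `${CA_NEW_NONCE}`), so the duplicated pipeline could be factored by selecting the URL inside the `if` and running a single `grep -i Replay-Nonce:` pipeline after `fi`. Unlike the `REAL_LICENSE` hunk, no `-z` check on `nonce` is visible here, so an unmatched header still surfaces only later as the server's `badNonce` rejection rather than as a clear local error.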