Lua-resty-auto-ssl: sudo luarocks install lua-resty-auto-ssl still using dehydrated 0.5.0

Created on 25 Sep 2019  ·  10 Comments  ·  Source: auto-ssl/lua-resty-auto-ssl

I just tried to install lua-resty-auto-ssl using luarocks command below:
sudo luarocks install lua-resty-auto-ssl

But it is still using dehydrated version 0.5.0, which has a bug in getting the Replay-Nonce header from letsencrypt during validation. I have to update the dehydrated file to make it work!

Can we update the luarocks repo?

All 10 comments

According to a post on the letsencrypt forums letsencrypt changed their CDN yesterday which is causing problems with the 0.5.0 version of dehydrated.
The planned 0.13.0 release looks to include 0.6.5 of dehydrated which is said to fix this problem.

Thank you @im-erikjohansson.

As for anyone who is facing a similar issue, you will need to update the 'dehydrated' file located at '/usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated'.

Update the following lines:
REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
to
REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep -i Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"

AND

# Retrieve nonce from acme-server
if [[ ${API} -eq 1 ]]; then
  nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
else
  nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
fi

to

# Retrieve nonce from acme-server
if [[ ${API} -eq 1 ]]; then
  nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
else
  nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
fi

@ronaldgetz thank you for that, perfect temporary fix.
Any idea when the 0.13.0 release is scheduled?

The 0.13.0 release needs to be released as soon as possible. Anything that I could do to help with this?

@GUI can you chime in on this? This seems to be caused by HTTP/2 case-sensitive headers.
Dehydrated fixed that.
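The following is an added example (not dehydrated's code and not part of this thread) that reproduces the two observations above in isolation: the case-sensitive `grep Replay-Nonce:` from dehydrated 0.5.0 returns nothing against lowercase HTTP/2-style header names, while the `grep -i` form from @ronaldgetz's workaround still extracts the nonce. The header captures and nonce values are constructed; the `^` anchor and the empty-nonce check are additions here, not part of the workaround.

```shell
#!/bin/sh
# Added example: why a case-sensitive grep for the ACME Replay-Nonce header
# breaks when the CA's front end returns HTTP/2-style lowercase header names.

# Constructed HTTP/1.1-style response headers (nonce value is made up).
HTTP1_HEADERS='HTTP/1.1 200 OK
Server: nginx
Replay-Nonce: AbC123constructedNonce
Content-Length: 0'

# Constructed HTTP/2-style response headers: names are all lowercase.
HTTP2_HEADERS='HTTP/2 200
server: nginx
replay-nonce: XyZ789constructedNonce
content-length: 0'

# Constructed response with no nonce header at all (failure-mode sample).
NO_NONCE_HEADERS='HTTP/2 200
server: nginx
content-length: 0'

# Old extraction as in dehydrated 0.5.0: header name matched case-sensitively.
extract_nonce_old() {
  printf '%s\n' "$1" | grep 'Replay-Nonce:' | awk -F ': ' '{print $2}' | tr -d '\n\r'
}

# Fixed extraction: -i ignores header-name case (the workaround's change);
# the leading ^ anchor is an addition here so that only the header line
# itself matches, not some other header that merely contains the string.
extract_nonce_new() {
  printf '%s\n' "$1" | grep -i '^replay-nonce:' | awk -F ': ' '{print $2}' | tr -d '\n\r'
}

# Fail loudly when no nonce came back instead of signing a JWS with an empty
# nonce, which the CA rejects with urn:acme:error:badNonce.
require_nonce() {
  nonce="$(extract_nonce_new "$1")"
  if [ -z "$nonce" ]; then
    echo "Error: no Replay-Nonce header in CA response" >&2
    return 1
  fi
  printf '%s' "$nonce"
}

# Demonstration when run directly.
echo "old grep, HTTP/1.1 headers: [$(extract_nonce_old "$HTTP1_HEADERS")]"
echo "old grep, HTTP/2 headers:   [$(extract_nonce_old "$HTTP2_HEADERS")]"
echo "new grep, HTTP/2 headers:   [$(extract_nonce_new "$HTTP2_HEADERS")]"
require_nonce "$NO_NONCE_HEADERS" || echo "(empty nonce detected, as expected)"
```

Running it prints an empty bracket for the old grep against the HTTP/2 headers and the nonce for the new one; the `require_nonce` step is the check that turns a silently empty nonce into a readable error before any request is sent.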

This should be high-priority. I don't want to be demanding or anything as I know how much work it is to maintain Open Source projects, but please release a new version of this one, as no new SSL certs can be issued anymore.

In case someone runs this on Docker Containers like we do - we deployed a fix like this:

# Temporary fix for https://github.com/GUI/lua-resty-auto-ssl/issues/192
RUN sed -i 's/grep Location/grep -i Location/g' /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated && \
    sed -i 's/grep Replay/grep -i Replay/g' /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated

Thank you @ronaldgetz for the fix.

Cool, also it fixed this on my side

Details:
{
  "type": "urn:acme:error:badNonce",
  "detail": "JWS has no anti-replay nonce",
  "status": 400
}

Sorry for the headaches caused by the delay on this everyone! v0.13.0 is now released which includes the newer version of dehydrated bundled in. Give a shout if you're still seeing any issues with the new release.

And thanks to everyone for reporting this and the temporary workarounds!

@GUI Thank you for your quick release of the new, fixed version. It's definitely not common that maintainers react that fast. You did a great job here. 👍 So thank you again.

Here are @ronaldgetz changes as a patch for easier hotfixing:

--- luajit/bin/resty-auto-ssl/dehydrated    2019-10-23 16:05:48.322378013 +0200
+++ luajit/bin/resty-auto-ssl/dehydrated    2019-10-23 16:08:12.359383225 +0200
@@ -296,7 +296,7 @@
   else
     # Check if private account key exists, if it doesn't exist yet generate a new one (rsa key)
     if [[ ! -e "${ACCOUNT_KEY}" ]]; then
-      REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+      REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep -i Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')"
       if [[ -z "${REAL_LICENSE}" ]]; then
         printf '\n' >&2
         printf 'Error retrieving terms of service from certificate authority.\n' >&2
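Review bot: the `grep -i Location:` on the `+` line fixes the header-name case, but the pattern stays unanchored, so any header whose name ends in `Location:` (for instance `Content-Location:`) would also match and whichever line comes first is what awk hands back; `grep -i '^location:'` keeps the fix while matching only the intended header. The `(... || true)` wrapper together with the `-z "${REAL_LICENSE}"` check that follows is the right shape, since a missed header produces a clear error instead of a silent empty value.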
@@ -523,9 +523,9 @@

   # Retrieve nonce from acme-server
   if [[ ${API} -eq 1 ]]; then
-    nonce="$(http_request head "${CA}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+    nonce="$(http_request head "${CA}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
   else
-    nonce="$(http_request head "${CA_NEW_NONCE}" | grep Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+    nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
   fi

   # Build header with just our public key and algorithm information
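Review bot: unlike the REAL_LICENSE hunk, neither `nonce=` line is followed by an emptiness check in the visible context, so if the header is still missed the script carries on with an empty nonce and the CA answers with the `urn:acme:error:badNonce` / "JWS has no anti-replay nonce" response quoted earlier in this thread; add `if [[ -z "${nonce}" ]]; then` with an error naming the missing header and a non-zero exit right after the `fi`, and anchor the pattern as `grep -i '^replay-nonce:'` for the same reason as in the first hunk. The `-i` change is correctly applied to both the `${CA}` and `${CA_NEW_NONCE}` branches.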