TLS handshake error: upgrade your ACME client


Florian

Jul 14, 2020, 6:29:35 PM
to Perkeep
Hi,

I've just started using Perkeep, setting it up on an Amazon EC2 with an attached S3 bucket and I have been able to hook it up to one of my domain names.
However, I have been trying to get HTTPS to work, but keep getting the following printed:

"403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details."

Since I'm mostly a front-end dev, this is all a little on the far side of my knowledge and comfort zone, so I was hoping someone could point me in the right direction.

Fwiw, my config looks like this:

```
{
    "auth": "userpass:<user>:<secret>:+localhost",
    "https": true,
    "baseURL": "https://<mydomain>",
    "listen": ":443",
    "camliNetIP": "",
    "identity": "<identity>",
    "identitySecretRing": "/home/ec2-user/.config/perkeep/identity-secring.gpg",
    "s3": "<s3 config>",
    "packRelated": true,
    "levelDB": "/home/ec2-user/var/perkeep/index.leveldb"
}
```

Thanks in advance to anyone taking the time,
Regards,

Florian

Tamás Gulácsi

Jul 15, 2020, 12:43:57 AM
to per...@googlegroups.com
It does need upgrading. For a workaround, put it behind caddy (caddyserver.com), without tls.



--
You received this message because you are subscribed to the Google Groups "Perkeep" group.
To unsubscribe from this group and stop receiving emails from it, send an email to perkeep+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/perkeep/637fca78-ff01-4b01-a7cd-3fa7ba930a49o%40googlegroups.com.

Florian

Jul 15, 2020, 10:35:49 AM
to Perkeep
Okay, I've been able to set that up and use the key/cert from Caddy for the Perkeep server.

For some reason it now keeps asking me for basic auth, even if I have that set to `auth: "none"`, and I don't have basic auth set up on Caddy.
So basically I'm stuck on that prompt dialog.

If you happen to have a working instance of this, would you mind sharing your Caddyfile?

Florian

Jul 15, 2020, 10:54:47 AM
to Perkeep
Found it... the "without tls" did not get through to me, apparently! Running Perkeep without HTTPS did solve this issue.

Gulácsi Tamás

Jul 15, 2020, 12:55:07 PM
to per...@googlegroups.com
Great! I use it behind caddy, without tls, too.

From: per...@googlegroups.com <per...@googlegroups.com> on behalf of Florian <florind...@gmail.com>
Sent: Wednesday, July 15, 2020 4:54:47 PM
To: Perkeep <per...@googlegroups.com>
Subject: Re: TLS handshake error: upgrade your ACME client

Souvik Haldar

Jul 15, 2020, 1:52:01 PM
to per...@googlegroups.com
Can you please share a blog post on how you achieved this setup consisting of ec2 + s3 + caddy?
I'm sure this would be helpful to many!
Thanks!

tgulacsi78

Jul 15, 2020, 3:41:54 PM
to Perkeep
It's just a closet server, using Perkeep on HTTP(s) behind Caddy.

Caddy config:
```
https://camli.tamas.gulacsi.eu {
        reverse_proxy * https://127.0.0.1:3179 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
```
~/.config/perkeep/server-config.json:
```
{
    "listen": ":3179",
    "baseURL": "https://camli.tamas.gulacsi.hu",
    "https": true,
    "httpsCert": "/home/gthomas/.config/camlistore/tls.crt",
    "httpsKey": "/home/gthomas/.config/camlistore/tls.key",
    "shareHandler": true,
    "auth": "userpass:gthomas:password:+localhost",
    "identity": "XXX",
    "identitySecretRing": "/home/gthomas/.config/camlistore/identity-secring.gpg",
    "levelDB": "/home/gthomas/var/camlistore/camli-index.leveldb",
    "blobPath": "/home/gthomas/var/camlistore/packs",
    "packBlobs": true,
    "runIndex": true,
    "copyIndexToMemory": true,
    "memoryIndex": false
}
```

It's HTTPS because otherwise the URLs spat out by Perkeep are http://, causing spurious problems.

~/.config/systemd/user/perkeep.service:

```
[Unit]
Description=Perkeep

[Service]
Type=simple
ExecStart=/home/gthomas/go/bin/perkeepd
Restart=on-success
CPUAccounting=true
CPUSchedulingPolicy=batch
Nice=19
IOSchedulingClass=idle
StandardOutput=journal
StandardError=journal+console
LimitNOFILE=32768

[Install]
WantedBy=basic.target
```

Sorry, I'm not a blogger.

Tamás
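
An added check, not code from any post in this thread or from the Perkeep project, that loads a constructed server-config.json modelled on the ones posted above and flags what a reviewer would raise for a Perkeep instance behind Caddy: a trailing comma that strict JSON parsers reject, a listener bound to every interface instead of loopback (it is assumed that the `host:port` form of `listen` binds one address), a non-https baseURL, disabled or placeholder auth, and backend TLS that pushes `tls_insecure_skip_verify` onto the proxy. Host and secret values are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the server-config.json in this thread
# (placeholder host and secret; not a real deployment). The trailing comma
# after the last key is kept on purpose so the loader can flag it.
BROKEN_CONFIG = """{
    "listen": ":3179",
    "baseURL": "https://camli.example.org",
    "https": true,
    "auth": "userpass:user:password:+localhost",
    "memoryIndex": false,
}"""
FIXED_CONFIG = BROKEN_CONFIG.replace(",\n}", "\n}")  # same file, comma removed

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}


def load_config(text):
    """Parse server-config.json; return (config, None) or (None, error text)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as e:
        return None, f"server-config.json line {e.lineno}: {e.msg}"


def lint_behind_proxy(cfg):
    """Findings for a Perkeep config that sits behind a TLS-terminating proxy."""
    findings = []
    listen = str(cfg.get("listen", ""))
    # ":3179" binds every interface; only loopback should be reachable behind Caddy.
    if listen.rpartition(":")[0] not in LOOPBACK:
        findings.append(f"listen={listen!r}: not loopback-only, proxy can be bypassed")
    # Perkeep builds its links from baseURL, so a non-https base yields http:// links.
    if urlsplit(str(cfg.get("baseURL", ""))).scheme != "https":
        findings.append("baseURL is not https: generated links will be http://")
    auth = str(cfg.get("auth", ""))
    if auth in ("", "none"):
        findings.append("auth=none: anyone reaching the listener has full access")
    elif auth.startswith("userpass:"):
        parts = auth.split(":")
        secret = parts[2] if len(parts) > 2 else ""
        if len(secret) < 12 or secret.lower() == "password":
            findings.append("auth: userpass secret is short or a placeholder")
    # Backend TLS forces the proxy to verify or skip-verify it; loopback HTTP needs neither.
    if cfg.get("https") is True:
        findings.append("https=true behind a proxy: serve plain HTTP on loopback instead")
    return findings
```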

Florian

Jul 15, 2020, 6:12:07 PM
to Perkeep
Yeah sure, I can try to write up some things.

I did notice that uploads don't work as in: I see upload progress, no errors, but also no files when the upload ends.
Once I iron out those quirks I'll attempt to clean up the notes I made as I went.

Also tgulacsi78, thank you for sharing your configs. They do differ somewhat from what I have, so they might come in handy!

Souvik Haldar

Jul 16, 2020, 12:58:21 AM
to per...@googlegroups.com
Thanks Florian!
These hiccups make up for a great learning experience.
