Renew certs with acme.sh?


David McKenna

Oct 19, 2024, 1:53:12 PM
to Apache for OS/2
  I am asking this question here in the hope someone who uses acme.sh on OS/2 with Apache to get website certificates may have seen this issue...

  Back in July I updated my server computer, installed Paul's latest Apache, copied my websites over and installed https:// certificates using acme.sh with Zerossl. Everything worked. Now it's 3 months later and I need new certificates, but when I try to renew, I get a curl error 3, which implies a mangled (or missing) URL, but I don't see one anywhere. I fear this may be a case of our Curl being out of date for the latest acme.sh.

  Anyone else use acme.sh to get SSL certificates who is able to renew (or not)? Any ideas how to get around this problem?

Regards,

Steven Levine

Oct 19, 2024, 5:46:09 PM
to apa...@googlegroups.com
In <47372aed-5e8e-4175...@googlegroups.com>, on 10/19/24
at 10:53 AM, David McKenna <davidmc...@gmail.com> said:

Hi David,

> I am asking this question here in the hope someone who uses acme.sh on
>OS/2 with Apache to get website certificates may have seen this issue...

Here is fine. Most of the uacme threads to date have been on the eCS-ISP
mailing. Of course, it's likely that everyone on the eCS-ISP list is also
on this list, so responses should be forthcoming.

> Back in July I updated my server computer, installed Paul's latest
>Apache, copied my websites over and installed https:// certificates using
> acme.sh with Zerossl. Everything worked. Now it's 3 months later and I
>need new certificates, but when I try to renew, I get a curl error 3,

I've not had this issue here, but I'm a Let's Encrypt user. The internet
indicates this implies that something is wrong with the URL curl is
attempting to process and the answers I've gotten so far are not very
helpful.

Exactly what is your uacme.exe command line and exactly what was the
console output? Since you are using zerossl, I am assuming you need to
override some of the uacme defaults, such as --acme-url.

What about your CHALLENGE_PATH settings? Are you running a modified
uacme.sh hook script or are you setting this some other way?

Also, which version of uacme are you using? Paul built a v1.2.4 in August
which got us up to a current version and fixed a few porting issues we
noticed with v1.0.19 and changed the location of the uacme data directory
to @unixroot/etc/uacme.

I recommend running uacme.exe with the -v switch and redirect stderr and
stdout to a file.

The bad news is that error 3 is CURLE_URL_MALFORMAT internally and it's a
bit of a catch all error code.

Curl decodes CURLE_URL_MALFORMAT to "URL using bad/illegal format or
missing URL"

> Anyone else use acme.sh to get SSL certificates who is able to renew
>(or not)?

Yes. :-)

>Any ideas how to get around this problem?

Not yet. :-) We need to figure out what's going on specifically with your
setup.

Steven

--
----------------------------------------------------------------------
"Steven Levine" <ste...@earthlink.net> Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------

David McKenna

Oct 20, 2024, 10:43:13 AM
to Apache for OS/2
Hi Steven!

  Thanks for your interest in my situation. I am using the shell script 'acme.sh' found here:

https://github.com/acmesh-official/acme.sh
 The command used is: 'sh C:\Home\.acme.sh\acme.sh --cron --home "C:/Home/.acme.sh"'.  I'll attach a log file from an attempt to renew. As you can see in the log, the Curl command is failing. The command uses a file: 'C:\Home\.acme.sh\http.header' to define the URL. That file, as far as I can tell, is always 0 length. So that would explain why Curl fails. Not sure why it is empty, maybe something went wrong with the original install (although it seemed to work fine). I tried deleting it and re-running, but it is re-created as a 0 length file.

 I am not familiar with uacme.exe. Can you point me to a copy and some instructions? I'll give it a try...

Regards,
acme.sh.log

Steven Levine

Oct 20, 2024, 8:24:09 PM
to apa...@googlegroups.com
In <09a09d55-75b6-4950...@googlegroups.com>, on 10/20/24
at 07:43 AM, David McKenna <davidmc...@gmail.com> said:

Hi David,

> Thanks for your interest in my situation. I am using the shell script
>'acme.sh' found here:
>https://github.com/acmesh-official/acme.sh.

For those reading along, what David is using is quite different from the
uacme.exe Paul ported. It's a pure script implementation that uses curl for
server interaction.

David, what version of acme.sh are you using? My best guess is 3.0.7,
based on the log entries. You probably should update to 3.0.9 just in case
it fixes your problem.

> as I can tell, is always 0 length. So that would explain why Curl fails.
> Not sure why it is empty, maybe something went wrong with the original
>install (although it seemed to work fine). I tried deleting it and
>re-running, but it is re-created as a 0 length file.

It appears you have a config file problem, based on the log entry:

[Sun Oct 20 10:19:20 EDT 2024] Le_API='https://acme.zerossl.com/v2/DV90






'

Note that the URL contains a number of new lines which cannot be right.
Once the url defined by Le_API gets munged, curl is sure to fail.

> I am not familiar with uacme.exe. Can you point me to a copy and some
>instructions? I'll give it a try...

We can switch to uacme.exe if we cannot get acme.sh working for you.

I recommend checking the config file, which is a shell script, for odd
statements.

Massimo S.

Oct 21, 2024, 4:11:50 AM
to apa...@googlegroups.com
On 21/10/2024 02:25, Steven Levine wrote:
> In <09a09d55-75b6-4950...@googlegroups.com>, on 10/20/24
> at 07:43 AM, David McKenna <davidmc...@gmail.com> said:
>
> Hi David,
>
>> Thanks for your interest in my situation. I am using the shell script
>> 'acme.sh' found here:
>> https://github.com/acmesh-official/acme.sh.
>
> For those reading along, what David is using is quite different from the
> uacme.exe Paul ported. It a pure script implementation that uses curl for
> server interaction.

Hi all,

I've seen it, but now that my cert script infrastructure is working again
I prefer to keep on using uacme (version 1.2.4).

massimo

David McKenna

Oct 21, 2024, 10:41:14 AM
to Apache for OS/2
Steven,

  You were right on - my 'davemckenna.com.conf' and 'files.davemckenna.com.conf' had large tracts of empty lines in them. I got rid of them and re-ran and that got rid of the Curl error. But it still doesn't work - now I just get a message: 'Error renewing davemckenna.com_ecc'. I'll attach the log in case it is interesting...

Regards,
acme.sh.log

Massimo S.

Oct 21, 2024, 11:34:30 AM
to apa...@googlegroups.com


On 21/10/2024 16:41, David McKenna wrote:
> Steven,
>
>   You were right on - my 'davemckenna.com.conf' and 'files.davemckenna.com.conf' had large tracts of empty
> lines in them. I got rid of them and re-ran and that got rid of the Curl error. But it still doesn't work -
> now I just get a message: 'Error renewing davemckenna.com_ecc'. I'll attach the log in case it is interesting...
>
> Regards,

see if this may be of help

https://ndilieto.github.io/uacme/uacme.html

especially the script in the web page:

"EXAMPLE HOOK SCRIPT"


massimo

Steven Levine

Oct 21, 2024, 8:03:15 PM
to apa...@googlegroups.com
In <bf99b242-4862-434f...@googlegroups.com>, on 10/21/24
at 07:41 AM, David McKenna <davidmc...@gmail.com> said:

Hi David,

> You were right on - my 'davemckenna.com.conf' and
>'files.davemckenna.com.conf' had large tracts of empty lines in them.

The empty lines themselves were probably not the issue. It was the blank
lines inside the quoted strings.

>still doesn't work - now I just get a message: 'Error renewing
>davemckenna.com_ecc'. I'll attach the log in case it is interesting...

It's not clear from the logs why the renewal attempt is failing. I
suspect you still have config file issues or a mismatch between how you
originally issued the cert and how you are trying to renew it.

Exactly what commands did you use to register with zerossl and what
commands did you use to issue the original certificates?

If you used the --apache switch with --issue to issue the original
certificate, I think you need to use --apache with the --cron switch too.

When providing logs, it's a good idea to also provide the output of

acme.sh --version

and the console output generated by the --cron request (in this case).
The console output might have useful data that's not included in the logs.

David McKenna

Oct 26, 2024, 3:20:55 PM
to Apache for OS/2
Hi Steven,

  Sorry for the long delay... been busy with other things, and struggling to get acme.sh working too.

  I've been using version 3.09 mostly, but allowed acme.sh to 'auto-update' and now it reports 3.10.

  I decided to blow it all away and start fresh (with version 3.10). Here is the command I issued to get the certs:

sh acme.sh --issue -d davemckenna.com -w /Data/htdocs -d files.davemckenna.com -w /Data/htdocs/filegator/dist --debug

  I had to run that command about 12 times before it was able to complete without some error about 'invalid signature on JWS request' causing it to fail. No idea why, but maybe I should have repeatedly tried the renewal over and over and eventually it would have worked too. The reason I even bothered to do it over and over this time was because I noticed that each time I did it (I had been trying all kinds of permutations of that command line), it failed at a different point in the process, so that made me think it was something in the network causing it to fail, not necessarily acme.sh. Anyway, https:// is working now, and there have been no blank lines inserted in the CONF files either.

 I need to step away from this as it has been mind bending. I got 3 months to test the renewal before it has to be done again...

Regards,

David McKenna

Oct 26, 2024, 7:22:17 PM
to Apache for OS/2
Oh, and in case it's interesting, attached is the log for the last 3 runs + install...
acme.sh.log

Steven Levine

Oct 26, 2024, 9:23:47 PM
to apa...@googlegroups.com
In <a534da36-53b5-4b94...@googlegroups.com>, on 10/26/24
at 12:20 PM, David McKenna <davidmc...@gmail.com> said:

Hi David,

> Sorry for the long delay... been busy with other things,

Aren't we all? :-)

>and struggling
> to get acme.sh working too.

> I've been using version 3.09 mostly, but allowed acme.sh to
>'auto-update' and now it reports 3.10.

Can I assume you mean this version?

>sh acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.1.0

> I decided to blow it all away and start fresh (with version 3.10). Here
> is the command I issued to get the certs:


> I had to run that command about 12 times before it was able to complete
> without some error about 'invalid signature on JWS request' causing it
>to fail.

The internet implies this can be the result of stale cached certificates,
but this is mostly speculation on my part.

One comment on your logs. It appears that the script is assuming you are
running an nginx server, rather than apache httpd. I can only speculate
when this will matter. It might have an effect on where the certificates
are installed or what config file entries the script updates.

David McKenna

Oct 27, 2024, 8:08:45 AM
to Apache for OS/2
Hi Steven,

 Yes, I mean 3.1.0 - sorry about that.

  I tried adding --apache to the command shown above, but it would always fail with an error 'can't find apachectl'. Then tried adding the 'C:/Programs/apache24/bin' directory where apachectl lives to the PATH statement in CONFIG.SYS, but it was no help. Not sure what else would need to be done to make that work, but it didn't prevent finally getting it to work.

 Installed the certs manually by using the --installcert command and explicitly directed where to put the certs (where the httpd-ssl.conf file expects them to be). Basically followed the instructions found here:


 When those instructions were made, Letsencrypt was the default cert issuer for acme.sh, now ZeroSSL is.

Regards,

Steven Levine

Oct 27, 2024, 12:28:46 PM
to apa...@googlegroups.com
In <869928a6-2e8a-4e2c...@googlegroups.com>, on 10/27/24
at 05:08 AM, David McKenna <davidmc...@gmail.com> said:

Hi David,

> I tried adding --apache to the command shown above, but it would always
> fail with an error 'can't find apachectl'.

After I mentioned this to you, I took a look at how the option is used in
acme.sh. It exists to support automating httpd.conf updates and deploying
certs to their final home. As you found, this option is not going to work
for OS/2 because the script assumes that it's running on a standard httpd
install on Linux. The apachectl that Paul ships is unported, so several of
the requests apachectl supports will fail.

>Not sure what else would
>need to be done to make that work, but it didn't prevent finally getting
>it to work.

It would require changes in a number of places so that the directory and
file references match how we set up httpd.

> Installed the certs manually by using the --installcert command and
>explicitly directed where to put the certs (where the httpd-ssl.conf file
> expects them to be).

As you found --installcert works because you override the default paths to
match what you need and you are using a subset of the --installcert
options that work for us.

FWIW, the code that --installcert runs is at:

acme.sh:5851
installcert() {

and

acme.sh:5883
_installcert() {

David McKenna

Apr 27, 2025, 4:36:49 PM
to Apache for OS/2
 Well, I had to update certificates again, and sure enough it didn't work the first time. In fact I ran the script 11 times before it finally worked (but it did work). But I really don't want to keep doing this. Can anyone point me to a link to Paul's uacme so I can try that?

Regards,

Steven Levine

Apr 27, 2025, 7:14:10 PM
to apa...@googlegroups.com
In <4936cd25-9f3a-48b8...@googlegroups.com>, on 04/27/25
at 01:36 PM, David McKenna <davidmc...@gmail.com> said:

Hi David,

> Well, I had to update certificates again, and sure enough it didn't work
> the first time. In fact I ran the script 11 times before it finally
>worked (but it did work). But I really don't want to keep doing this.
>Can anyone point me to a link to Paul's uacme so I can try that?

1.2.4
08-16-24 16:44 88,025 191 uacme-1.2.4-os2-20240817.zip
https://smedley.id.au/tmp/uacme-1.2.4-os2-20240817.zip
5d145f8396b601eeb0e046d975edd463 *uacme-1.2.4-os2-20240817.zip

If you want to give my

uacme-hook.cmd
uacme-renew.cmd

scripts a try, let me know and I will make them available.

They are optimized for Dan and my needs, so they are not quite 100%
generic, but they should be easily adaptable to work with other file
layouts.

FWIW, the Let's Encrypt servers seem to get overloaded quite often, so
retries are part of the process.
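Since both David's repeated runs and Steven's remark make retries part of the renewal process, here is an added example, not code from the thread or from acme.sh, of a POSIX sh retry wrapper with exponential back-off for a renewal command. The acme.sh command line in the comment is hypothetical (it follows the shape David posted earlier) and the wrapper assumes the wrapped command returns a non-zero exit status on failure, as acme.sh --cron does. Sleeping between attempts, with the delay doubling, avoids hammering a CA that is already overloaded, and returning the last exit status keeps a cron job honest when every attempt fails.

```shell
#!/bin/sh
# Added example (not part of the thread or of acme.sh): retry a renewal
# command a bounded number of times with exponential back-off.
#
# Hypothetical use on the layout David described:
#   retry_cmd 12 30 sh C:/Home/.acme.sh/acme.sh --cron --home C:/Home/.acme.sh
#
# retry_cmd MAX_TRIES BASE_DELAY CMD [ARGS...]
#   Runs CMD until it exits 0 or MAX_TRIES attempts have been made. Sleeps
#   BASE_DELAY seconds after the first failure and doubles the delay after
#   each further failure, capped at 900 seconds. Returns 0 on success,
#   otherwise the exit status of the last attempt. Uses plain shell
#   variables (no "local" in POSIX sh), so call it from a script, not a
#   long-lived interactive shell that reuses these names.
retry_cmd() {
    max=$1
    delay=$2
    shift 2
    try=1
    while :; do
        rc=0
        "$@" || rc=$?                 # safe under "set -e": failure lands in rc
        [ "$rc" -eq 0 ] && return 0
        if [ "$try" -ge "$max" ]; then
            echo "retry_cmd: giving up after $try attempts (last exit $rc)" >&2
            return "$rc"
        fi
        echo "retry_cmd: attempt $try failed (exit $rc); retrying in ${delay}s" >&2
        sleep "$delay"
        try=$((try + 1))
        delay=$((delay * 2))
        [ "$delay" -gt 900 ] && delay=900
    done
}
```

Log the wrapper's stderr together with acme.sh's own log so that a renewal which only succeeded on the ninth attempt is still visible as something to investigate rather than silently passing.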

David McKenna

Apr 28, 2025, 6:11:02 AM
to Apache for OS/2
Thanks Steven! I'll give it a try. I wouldn't mind looking at your scripts too. I have been using ZeroSSL, not Let's Encrypt, because I have more than 3 domain names to certify (which Let's Encrypt wants payment for).

Regards,