Package: lacme
Version: 0.7-1
Severity: normal

I have a system with 3 certs (1 setup earlier and 2 newly added), and when updating them one succeeded, one was skipped, and one failed (mylacme-jawa is a script on my local system ssh'ing to server jawa with a tunnel back to local host):

$ mylacme-jawa newOrder
r...@jawa.homebase.dk's password:
r...@jawa.homebase.dk's password:
Certificate URI: https://acme-v02.api.letsencrypt.org/acme/cert/03a4285ee15d4c432d7351bf2bc35902f78e
Installing X.509 certificate /etc/ssl/shared/homebase.dk.key
Installing X.509 certificate chain /etc/ssl/shared/homebase.dk.chain.pem
SHA256 Fingerprint=B8:83:E0:30:B4:31:A7:F8:19:02:A9:03:92:A6:5C:39:FC:68:51:FF:DA:4A:44:1A:1B:FF:ED:B7:97:A3:45:AF
    Serial Number:
        03:a4:28:5e:e1:5d:4c:43:2d:73:51:bf:2b:c3:59:02:f7:8e
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = US, O = Let's Encrypt, CN = R3
    Validity
        Not Before: Dec 7 13:50:55 2020 GMT
        Not After : Mar 7 13:50:55 2021 GMT
    Subject: CN = homebase.dk
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier:
            22:50:90:6B:71:EB:0A:28:FD:A9:49:4E:95:CA:43:A0:21:19:16:22
        X509v3 Authority Key Identifier:
            keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
        Authority Information Access:
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/
        X509v3 Subject Alternative Name:
            DNS:homebase.dk, DNS:wiki.homebase.dk, DNS:www.homebase.dk, DNS:www.wiki.homebase.dk
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org
        CT Precertificate SCTs:
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:
                            D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
                Timestamp : Dec 7 14:50:55.713 2020 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:E9:4F:23:6F:4B:A9:D8:B2:E4:EB:C0:
                            A8:2B:0E:2C:26:0B:90:5F:4A:52:20:D3:6F:22:B9:95:
                            1E:EF:69:42:CC:02:20:66:2C:9B:F1:6D:9A:A9:4C:54:
                            5D:DB:16:7A:E9:5C:48:F4:FC:F2:F8:68:84:CB:F5:39:
                            28:14:DE:BF:D1:3F:C8
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                            E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                Timestamp : Dec 7 14:50:55.718 2020 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:46:02:21:00:C9:35:85:2A:C2:2B:F3:E2:4D:87:AB:
                            97:72:C2:B7:3A:FB:A6:D6:02:F5:5F:A0:03:23:90:52:
                            99:E2:31:5D:87:02:21:00:FE:36:D3:75:13:8D:09:7D:
                            17:F7:E6:65:84:7A:E1:CB:E4:1E:3A:4F:23:F2:12:42:
                            F9:79:61:1D:08:28:63:10
[jawa.homebase.dk] Valid until 2021-01-21 06:36:57 UTC, skipping
Error: Invalid order DNS:mail.homebase.dk, DNS:www.mail.homebase.dk
[mail.homebase.dk] Error: Couldn't issue X.509 certificate!
accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
Connection to jawa.homebase.dk closed.

Now, one issue is that it fails. I guess I made some error in the setup of mail.homebase.dk config snippet.

Main issue I raise here, however, is more generally that it is not helpful to the user that an internal-to-lacme call to /usr/libexec/lacme/webserver passes broken arguments.

I guess it might be more helpful if such internal errors would trace the error back to the user-facing command. Better would be if which user-facing error caused the internal error, obviously :-)

 - Jonas