[SOLVED] Cluster Letsencrypt SSL

lweidig

We have a Proxmox 5.1 cluster and were trying to follow the directions for LetsEncrypt SSL certificates for the nodes. We are following the directions at:

https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)

These directions worked great for the first node in the cluster. However, when I try to get certificates for any of the other nodes, at step 5, when I attempt to issue the certificate, I get:

[Thu Dec 7 12:43:49 CST 2017] Standalone mode.
[Thu Dec 7 12:43:49 CST 2017] Registering account
[Thu Dec 7 12:43:49 CST 2017] Already registered
[Thu Dec 7 12:43:49 CST 2017] Update account error.
[Thu Dec 7 12:43:49 CST 2017] Please check log file for more details: /root/.acme.sh/acme.sh.log
Any suggestions how to get certificates issued for the remaining nodes in the cluster?
 
well - what does the log say?
 
Here is a slightly scrubbed log but the host / email address are correct and DNS resolvable forward / reverse:

Code:
# cat acme.sh.log
[Mon Dec 11 07:29:01 CST 2017] DOMAIN_PATH='/root/.acme.sh/xxxxx.excel.net'
[Mon Dec 11 07:29:01 CST 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Mon Dec 11 07:29:01 CST 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon Dec 11 07:29:01 CST 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Dec 11 07:29:01 CST 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 11 07:29:01 CST 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Dec 11 07:29:01 CST 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 11 07:29:01 CST 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Dec 11 07:29:01 CST 2017] Le_NextRenewTime
[Mon Dec 11 07:29:02 CST 2017] _on_before_issue
[Mon Dec 11 07:29:02 CST 2017] Le_LocalAddress
[Mon Dec 11 07:29:02 CST 2017] Check for domain='xxxxx.excel.net'
[Mon Dec 11 07:29:02 CST 2017] _currentRoot='no'
[Mon Dec 11 07:29:02 CST 2017] Standalone mode.
[Mon Dec 11 07:29:02 CST 2017] _checkport='80'
[Mon Dec 11 07:29:02 CST 2017] _checkaddr
[Mon Dec 11 07:29:02 CST 2017] Using: ss
[Mon Dec 11 07:29:02 CST 2017] Using config home:/root/.acme.sh
[Mon Dec 11 07:29:02 CST 2017] RSA key
[Mon Dec 11 07:29:02 CST 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon Dec 11 07:29:02 CST 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Dec 11 07:29:02 CST 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 11 07:29:02 CST 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Dec 11 07:29:02 CST 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 11 07:29:02 CST 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Dec 11 07:29:02 CST 2017] AGREEMENT
[Mon Dec 11 07:29:02 CST 2017] Registering account
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 11 07:29:02 CST 2017] payload='{"resource": "new-reg", "contact": ["mailto: xxxxx@excel.net"], "agreement": ""}'
[Mon Dec 11 07:29:02 CST 2017] GET
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Dec 11 07:29:02 CST 2017] timeout
[Mon Dec 11 07:29:02 CST 2017] _WGET='wget -q --content-on-error '
[Mon Dec 11 07:29:02 CST 2017] ret='0'
[Mon Dec 11 07:29:02 CST 2017] POST
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 11 07:29:02 CST 2017] _WGET='wget -q --content-on-error '
[Mon Dec 11 07:29:02 CST 2017] wget returns 8, the server returns a 'Bad request' response, lets process the response later.
[Mon Dec 11 07:29:02 CST 2017] Using sed  -i
[Mon Dec 11 07:29:02 CST 2017] _ret='0'
[Mon Dec 11 07:29:02 CST 2017] code='409'
[Mon Dec 11 07:29:02 CST 2017] Already registered
[Mon Dec 11 07:29:02 CST 2017] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/25492412'
[Mon Dec 11 07:29:02 CST 2017] _tos
[Mon Dec 11 07:29:02 CST 2017] Use default tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
[Mon Dec 11 07:29:02 CST 2017] AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Mon Dec 11 07:29:02 CST 2017] Update tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/25492412'
[Mon Dec 11 07:29:02 CST 2017] payload='{"resource": "reg", "contact": ["mailto: xxxxxx@excel.net"], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}'
[Mon Dec 11 07:29:02 CST 2017] POST
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/25492412'
[Mon Dec 11 07:29:02 CST 2017] _WGET='wget -q --content-on-error '
[Mon Dec 11 07:29:02 CST 2017] wget returns 8, the server returns a 'Bad request' response, lets process the response later.
[Mon Dec 11 07:29:02 CST 2017] Using sed  -i
[Mon Dec 11 07:29:02 CST 2017] _ret='0'
[Mon Dec 11 07:29:02 CST 2017] code='400'
[Mon Dec 11 07:29:02 CST 2017] Update account error.
[Mon Dec 11 07:29:02 CST 2017] _on_issue_err
[Mon Dec 11 07:29:02 CST 2017] Please check log file for more details: /root/.acme.sh/acme.sh.log

Thanks!
 
Yep, that was the problem. I had installed using the zip file and not git. Changed to git and went through just as documented. Thanks for catching this!
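
A way to read a log like the one posted above, added here as an example and not part of any post in this thread: it pairs each ACME request with the HTTP status code acme.sh logged for it and the message that followed, so the failing call stands out. The function names are hypothetical, and the embedded sample is a shortened excerpt of the log from the thread.

```shell
#!/bin/sh
# Added example: summarise the ACME requests recorded in an acme.sh debug log.
# Function names are hypothetical; the line layout is the one in the log above.

# Read a log on stdin; print "code<TAB>method<TAB>url<TAB>next log message"
# for every request whose HTTP status code was logged.
acme_log_requests() {
    # Drop the "[timestamp] " prefix and the single quotes around values.
    sed -e 's/^\[[^]]*\] //' -e "s/'//g" | awk '
        pending { print code "\t" method "\t" url "\t" $0; pending = 0; method = "" }
        $0 == "GET" || $0 == "POST" { method = $0; url = ""; next }
        method != "" && url == "" && /^url=/ { url = substr($0, 5); next }
        method != "" && /^code=/ { code = substr($0, 6); pending = 1 }
        END { if (pending) print code "\t" method "\t" url "\t" }
    '
}

# Keep only the requests the server answered with a 4xx or 5xx status.
acme_log_failures() {
    acme_log_requests | awk -F '\t' '$1 >= 400'
}

# Shortened excerpt of the log posted in this thread.
sample_log() {
    cat <<'EOF'
[Mon Dec 11 07:29:02 CST 2017] Registering account
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 11 07:29:02 CST 2017] GET
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Dec 11 07:29:02 CST 2017] ret='0'
[Mon Dec 11 07:29:02 CST 2017] POST
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 11 07:29:02 CST 2017] _ret='0'
[Mon Dec 11 07:29:02 CST 2017] code='409'
[Mon Dec 11 07:29:02 CST 2017] Already registered
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/25492412'
[Mon Dec 11 07:29:02 CST 2017] POST
[Mon Dec 11 07:29:02 CST 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/25492412'
[Mon Dec 11 07:29:02 CST 2017] _ret='0'
[Mon Dec 11 07:29:02 CST 2017] code='400'
[Mon Dec 11 07:29:02 CST 2017] Update account error.
EOF
}

sample_log | acme_log_failures
```

On a node, the same summary comes from `acme_log_failures < /root/.acme.sh/acme.sh.log`.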