Error getting renewal information from server (BadRequest) #2582
Comments
Let's Encrypt deployed an update yesterday to no longer accept the older ARI draft 01. It sounds like win-acme needs to be updated. (Though ideally it should have dealt more gracefully with not being able to get the ARI info; a client should be able to make its own decision on whether it's close enough to renewal if it has a failure getting the data.) |
Context: This error might look scary but doesn't affect the client's operations at all, it should just continue to work as if ARI doesn't exist. |
Build 1683 implements ARI draft 3: EDIT: do not use that build, it contains #2584 |
Yes, this version works OK for me
|
All fine with build 1683. |
But when I do a new certificate I still get error: Error requesting certificate "[Manual] project.iztoknet.com" |
That's a separate and unrelated issue, let's discuss it here: #2584 |
Renewal failed with version 2.2.5.1541 17/05/2024
|
The build with the fix is 1683 and it has not been released yet. See the link in my comment above if you want to test it. |
I used 1683 and got many problems:
I tried force renewal with no cache but it doesn't work: warning "Cached order available but not used with --"nocache" option." |
I'm currently working on a new version of 2.2.9 (which implements ARIv3) to fix #2584. Anyone feeling adventurous (or desperate 😄) can try build 1688 here: EDIT: see below for the latest build |
It works for me, I create new and I don't get any errors |
Joining the party with the issue (I presume it's the same issue). Running win-acme for the first time on IIS. When opening win-acme I get:
When I try to run the renewals I get:
This was after creating a new certificate and getting a similar error. The server is on AWS Lightsail. I've added/opened port 443 thinking it was that. It's also with Cloudflare, but with the proxy off - not sure if either of those make a difference. |
I don't create new certificate and don't try it, but I was able to renew current certificate (force renewal). I don't know how it worked. All HTTP requests contained errors:
but creating private key, downloading and parsing completed with status "OK". I used 2.2.8.1635 after problems with 2.2.9.1683. |
So to repeat and be 100% clear: all errors about ARI are harmless and do not affect the normal operation of the program. ARI is only used in very exceptional circumstances (e.g. a security breach at Let's Encrypt). We should have a new 2.2.9 release that fixes ARI soon once the other issue is resolved. |
There is a (probably?) bug-free build (1700) available now here: Found a little bug, so here's 1701: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49861780/artifacts |
There must be something else at play for me then. The site I'm using win-acme on isn't serving on HTTPS, even with the bindings in place. |
Renewals are failing on multiple servers (using v2.2.9.1680): Information - Plugin "IIS" generated source [Site] with 1 identifiers Do you recommend reverting to prior version, or wait until the "new" 2.2.9 is released? |
I'd recommend trying build 1701 and posting a full log if that also fails. This partial output looks suspicious (as in, might be a bug) but I can't explain what's happening without more details. |
Thank you, I am confirming that with build 1701, renewals are no longer failing, and adding new certificates also worked perfectly. |
Build 1701 has just been released as version 2.2.9.1. |
TL;DR;
The errors are harmless and version 2.2.9.1 makes them go away.
Full story
Back in April of 2023 (win-acme version 2.2.3) we implemented support for ARI. Back then we wrote about this feature:
Since then the ARI specification has evolved and unfortunately this included breaking changes. Let's Encrypt have recently updated their implementation (Boulder) to a newer version of the spec (draft-3 instead of draft-1), and therefore versions 2.2.3 - 2.2.8 of win-acme are now unable to get ARI information updates, which means that users see errors like:
This looks scary, but does not actually affect the client's operations. Certificates can still be created, renewed, stored and installed like always. Back in 2.2.3 we already included fail-safes in the code to plan ahead for servers with different interpretations of the specification, which is in effect what's happening now (from the client perspective).
Version 2.2.9.1 implements draft-3 of the specification and makes the errors go away, along with other enhancements and fixes as usual.
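The fail-safe behaviour discussed in this thread (an ARI lookup that fails or returns something unusable must not block renewal) can be sketched as follows. This is an added example, not win-acme's code: `parse_window`, `renewal_due`, the `fetch_ari` callable and the two-thirds-of-lifetime local policy are all assumptions made for illustration; only the `suggestedWindow` `start`/`end` fields come from the ARI response format.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed sample certificate validity (90 days), not taken from the thread.
NOT_BEFORE = datetime(2024, 3, 1, tzinfo=UTC)
NOT_AFTER = datetime(2024, 5, 30, tzinfo=UTC)

def parse_window(body):
    """Return (start, end) from an ARI renewalInfo body, or None if unusable."""
    try:
        win = body["suggestedWindow"]
        start, end = (datetime.fromisoformat(win[k].replace("Z", "+00:00"))
                      for k in ("start", "end"))
        # Reject naive timestamps and empty or inverted windows.
        return (start, end) if end > start and start.tzinfo else None
    except (KeyError, TypeError, ValueError, AttributeError):
        return None

def renewal_due(now, not_before, not_after, fetch_ari, local_fraction=2 / 3):
    """Decide whether to renew; ARI is advisory and never blocks the decision.

    fetch_ari is a hypothetical callable that returns the decoded JSON body
    or raises on any failure (HTTP 400, timeout, unsupported draft).
    """
    # Assumed local policy: renew once two thirds of the lifetime has passed.
    local_deadline = not_before + (not_after - not_before) * local_fraction
    try:
        window = parse_window(fetch_ari())
        note = "ARI window" if window else "ARI response malformed"
    except Exception as exc:  # optional lookup: any failure falls back
        window, note = None, f"ARI unavailable ({exc})"
    if window is None:
        return now >= local_deadline, f"{note}; local policy used"
    # The server may pull renewal earlier (e.g. after an incident) but can
    # never postpone it past the client's own deadline.
    return now >= min(window[0], local_deadline), note

def bad_request():
    """Constructed stand-in for a server rejecting an outdated ARI draft."""
    raise RuntimeError("BadRequest")

if __name__ == "__main__":
    print(renewal_due(datetime(2024, 5, 17, tzinfo=UTC),
                      NOT_BEFORE, NOT_AFTER, bad_request))
```
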