
Error getting renewal information from server (BadRequest) #2582

Closed
SteffenAL opened this issue May 17, 2024 · 21 comments
@SteffenAL

SteffenAL commented May 17, 2024

TL;DR;

The errors are harmless and version 2.2.9.1 makes them go away.

Full story

Back in April of 2023 (win-acme version 2.2.3) we've implemented support for ARI. Back then we wrote about this feature:

This release implements ARI, a draft extension proposal for ACME currently being deployed by Let's Encrypt that enables tighter integration between servers and clients. For example, the server can now tell the client when it feels a certificate should be renewed, both to spread load and to respond to security incidents. For now win-acme will only renew certificates earlier based on ARI suggestions, but not later. On the other side of the coin, the client can now tell the server if or when it stops caring about a certificate. When you cancel a renewal or a certificate is replaced by one with a different shape, we now let the server know. Note that this feature is enabled by default, but can be disabled using the RenewalDisableServerSchedule setting.

Since then the ARI specification has evolved and unfortunately this included breaking changes. Let's Encrypt have recently updated their implementation (Boulder) to a newer version of the spec (draft-3 instead of draft-1), and therefore versions 2.2.3 - 2.2.8 of win-acme are now unable to get ARI information updates, which means that users see errors like:

  • Error getting renewal information from server (BadRequest)
  • AcmeProtocolException: While parsing ARI CertID an error occurred :: Invalid path

This looks scary, but does not actually affect the client's operations. Certificates can still be created, renewed, stored and installed like always. Back in 2.2.3 we already included fail-safes in the code to plan ahead for servers with different interpretations of the specification, which is in effect what's happening now (from the client's perspective).

Version 2.2.9.1 implements draft-3 of the specification and makes the errors go away, along with other enhancements and fixes as usual.
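The two things this post describes, the draft-3 CertID that win-acme 2.2.9.1 now sends and the fail-safe that treats a rejected renewalInfo lookup as "ARI does not exist" while still only renewing earlier, never later, as an added example in Python. This is not win-acme's code; the function names and the sample AKI, serial and window values are assumptions constructed for the example.

```python
import base64
import random
from datetime import datetime, timedelta

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """draft-ietf-acme-ari-03 CertID: base64url(AKI keyIdentifier) '.' base64url(serial).
    The serial is the content octets of a DER INTEGER: minimal big-endian, with a
    leading 0x00 when the high bit is set so the value stays positive. A draft-1
    client sends one base64url blob with no '.', which a draft-3 server rejects."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    return f"{b64url(aki_key_identifier)}.{b64url(serial_bytes)}"

def _rfc3339(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def suggested_window(status: int, body: dict):
    """(start, end) from a renewalInfo response, or None when the server rejected
    the lookup (e.g. 400 urn:ietf:params:acme:error:malformed, the 'Invalid path'
    case in this issue). None means: carry on as if ARI did not exist."""
    if status != 200 or "suggestedWindow" not in body:
        return None
    w = body["suggestedWindow"]
    return _rfc3339(w["start"]), _rfc3339(w["end"])

def plan_renewal(local_due: datetime, window, pick=random.uniform) -> datetime:
    """Renew earlier than the local schedule when ARI asks for it, never later."""
    if window is None:
        return local_due
    start, end = window
    offset = pick(0.0, max((end - start).total_seconds(), 0.0))
    return min(local_due, start + timedelta(seconds=offset))

# Constructed sample response, shaped like the one quoted later in this issue.
MALFORMED_400 = {
    "type": "urn:ietf:params:acme:error:malformed",
    "detail": "While parsing ARI CertID an error occurred :: Invalid path",
    "status": 400,
}

if __name__ == "__main__":
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")  # constructed
    print(ari_cert_id(aki, 0x87654321))
    due = _rfc3339("2024-07-15T00:00:00Z")
    print(plan_renewal(due, suggested_window(400, MALFORMED_400)))  # falls back to due
```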

@iztokba

iztokba commented May 17, 2024

Let's Encrypt deployed an update yesterday to no longer accept the older ARI draft 01. It sounds like win-acme needs to be updated. (Though ideally it should have dealt more gracefully with not being able to get the ARI info; a client should be able to make its own decision on whether it's close enough to renewal if it has a failure getting the data.)

@WouterTinus
Member

WouterTinus commented May 17, 2024

Context:
https://community.letsencrypt.org/t/discontinuing-support-for-acme-clients-using-draft-ietf-acme-ari-01/215126
https://community.letsencrypt.org/t/win-acme-wacs-error-status-badrequest-beginning-2024-05-16/218570/3

This error might look scary but doesn't affect the client's operations at all; it should just continue to work as if ARI doesn't exist.

@WouterTinus WouterTinus changed the title v2.2.9 renewed with errors. AcmeProtocolException: While parsing ARI CertID an error occurred May 17, 2024
@WouterTinus
Member

WouterTinus commented May 17, 2024

Build 1683 implements ARI draft 3: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49838660/artifacts

EDIT: do not use that build, it contains #2584

@WouterTinus WouterTinus added this to the 2.2.10 milestone May 17, 2024
@iztokba

iztokba commented May 18, 2024 via email

@SteffenAL
Author

All fine with build 1683.

@iztokba

iztokba commented May 18, 2024

But when I do a new certificate I still get an error:

Error requesting certificate "[Manual] project.iztoknet.com"
System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.X509Certificates.StorePal.Export(X509ContentType contentType, SafePasswordHandle password)
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Export(X509ContentType contentType)
at PKISharp.WACS.DomainObjects.CertificateInfo..ctor(X509Certificate2Collection rawCollection)
at PKISharp.WACS.DomainObjects.CertificateInfoBc.GenerateInner(Pkcs12Store store, X509KeyStorageFlags flags)
at PKISharp.WACS.DomainObjects.CertificateInfoBc..ctor(Pkcs12Store store)
at PKISharp.WACS.Services.CertificateService.CreateAlternative(Byte[] bytes, String friendlyName, AsymmetricKeyParameter pk)
at PKISharp.WACS.Services.CertificateService.DownloadCertificate(AcmeOrderDetails order, String friendlyName, AsymmetricKeyParameter pk)
at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, Order order)
at PKISharp.WACS.OrderProcessor.GetFromServer(OrderContext context)

@WouterTinus
Member

That's a separate and unrelated issue, let's discuss it here: #2584

@MaksSavin

Renewal failed with version 2.2.5.1541 17/05/2024
After the update (v2.2.9.1680 x64) I got an error and the following message in the system log for both versions (trimmed and pluggable). I'm using IIS 8.5 if that matters.

Error getting renewal information from server
ACMESharp.Protocol.AcmeProtocolException: While parsing ARI CertID an error occurred :: Invalid path
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(String relativeUri, HttpMethod method, String message, HttpStatusCode[] expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[TResponse](String uri, JsonTypeInfo`1 responseType, String message, HttpMethod method, HttpStatusCode[] expectedStatuses, String opName)
   at ACMESharp.Protocol.AcmeProtocolClient.GetRenewalInfo(Byte[] certificateId)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.<>c__DisplayClass1_0`1.<<Retry>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
   at PKISharp.WACS.Clients.Acme.AcmeClient.GetRenewalInfo(ICertificateInfo certificate)
   at PKISharp.WACS.OrderProcessor.PrepareOrders(List`1 orderContexts, List`1 orderInfos)

@WouterTinus
Member

The build with the fix is 1683 and it has not been released yet. See the link in my comment above if you want to test it.

@WouterTinus WouterTinus pinned this issue May 18, 2024
@MaksSavin

I used 1683 and got many problems:
first, I tried force renewal and got new error:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.X509Certificates.StorePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(ReadOnlySpan`1 rawData, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at PKISharp.WACS.DomainObjects.CertificateInfoBc.GenerateInner(Pkcs12Store store, X509KeyStorageFlags flags)
   at PKISharp.WACS.DomainObjects.CertificateInfoBc..ctor(Pkcs12Store store)
   at PKISharp.WACS.Services.CertificateService.CreateAlternative(Byte[] bytes, String friendlyName, AsymmetricKeyParameter pk)
   at PKISharp.WACS.Services.CertificateService.DownloadCertificate(AcmeOrderDetails order, String friendlyName, AsymmetricKeyParameter pk)
   at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, Order order)
   at PKISharp.WACS.OrderProcessor.GetFromServer(OrderContext context)

I tried force renewal with no cache but it doesn't work: warning "Cached order available but not used with --"nocache" option."
Next, I got warning "[HTTP] Request completed with status Conflict" and "This order has already been replaced, possibly due to multiple renewals generating the same certificate. You may use the Renewal Manager to scan for duplicates."
Finally I got "[HTTP] Request completed with status TooManyRequests"

Screenshot with client messages (I erased domain names)

@WouterTinus
Member

WouterTinus commented May 19, 2024

I'm currently working on a new version of 2.2.9 (which implements ARIv3) to fix #2584. Anyone feeling adventurous (or desperate 😄) can try build 1688 here: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49844762/artifacts

EDIT: see below for the latest build

@WouterTinus WouterTinus modified the milestones: 2.2.10, 2.2.9 May 19, 2024
@iztokba

iztokba commented May 20, 2024

It works for me; I created a new one and I don't get any errors.

@jamiematrix

Joining the party with the issue (I presume it's the same issue).

Running win-acme for the first time on IIS.

When opening win-acme I get:

 A simple Windows ACMEv2 client (WACS)
 Software version 2.2.8.1635 (release, trimmed, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Connection OK!
 Scheduled task looks healthy
 Please report issues at https://github.com/win-acme/win-acme

When I try to run the renewals I get:

 Plugin IIS generated source subdomain.domain.com with 1 identifiers
 Plugin Single created 1 order
 [HTTP] Request completed with status BadRequest
 Error getting renewal information from server
 Renewal [IIS] IIS-SITE, (any host) is due after 2024/7/15

This was after creating a new certificate and getting a similar error. The server is on AWS Lightsail. I've added/opened port 443 thinking it was that. It's also with Cloudflare, but with the proxy off - not sure if either of those make a difference.

@MaksSavin

I didn't create a new certificate and didn't try it, but I was able to renew the current certificate (force renewal). I don't know how it worked. All HTTP requests contained errors:

2024-05-21 08:16:38.821 +05:00 [WRN] [HTTP] Request completed with status "BadRequest"
2024-05-21 08:16:38.822 +05:00 [VRB] [HTTP] Response content: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "While parsing ARI CertID an error occurred :: Invalid path",
  "status": 400
}
2024-05-21 08:16:38.906 +05:00 [ERR] Error getting renewal information from server
ACMESharp.Protocol.AcmeProtocolException: While parsing ARI CertID an error occurred :: Invalid path

but creating the private key, downloading and parsing completed with status "OK". I used 2.2.8.1635 after problems with 2.2.9.1683.

@WouterTinus
Member

So to repeat and be 100% clear: all errors about ARI are harmless and do not affect the normal operation of the program. ARI is only used in very exceptional circumstances (e.g. a security breach at Let's Encrypt). We should have a new 2.2.9 release that fixes ARI soon once the other issue is resolved.

@WouterTinus
Member

WouterTinus commented May 21, 2024

There is a (probably?) bug-free build (1700) available now here: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49859984/artifacts. Barring any user reports to the contrary I'll release this as version 2.2.9.1 in a couple of days.

Found a little bug, so here's 1701: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49861780/artifacts

@jamiematrix

There must be something else at play for me then. The site I'm using win-acme on isn't serving on HTTPS, even with the bindings in place.

@WouterTinus WouterTinus changed the title AcmeProtocolException: While parsing ARI CertID an error occurred Error getting renewal information from server May 22, 2024
@WouterTinus WouterTinus changed the title Error getting renewal information from server Error getting renewal information from server (BadRequest) May 22, 2024
@sunstarjeff

sunstarjeff commented May 23, 2024

Renewals are failing on multiple servers (using v2.2.9.1680):

Information - Plugin "IIS" generated source [Site] with 1 identifiers
Information - Plugin "Single" created 1 order
Warning - [HTTP] Request completed with status BadRequest
Error - Error getting renewal information from server
Information - Renewing "[IIS] [SiteName], [Site]"
Warning - Using cache. To force a new order within 1 days, run with --"nocache". Beware that you might run into rate limits.
Information - Downloading certificate "[IIS] [SiteName], [Site]"
Error - Error requesting certificate "[IIS] [SiteName], [Site]"
Error - Renewal for "[IIS] [SiteName], [Site]" failed, will retry on next run
Error - No certificate generated

Do you recommend reverting to prior version, or wait until the "new" 2.2.9 is released?

@WouterTinus
Member

I'd recommend trying build 1701 and posting a full log if that also fails. This partial output looks suspicious (as in, might be a bug) but I can't explain what's happening without more details.

@sunstarjeff

Thank you, I am confirming that with build 1701, renewals are no longer failing, and adding new certificates also worked perfectly.

@WouterTinus
Member

Build 1701 has just been released as version 2.2.9.1.
