mORMot Open Source

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

mormot.net.acme error

An error occurred while calling the completedomainregistero function:

   EXC   EJwsHttp {Message:"Error 400 [Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2] while querying https://acme-v02.api.letsencrypt.org/acme/finalize/1349321746/213579860876"} [CheckCertificates] at 4c4526

Chaa

Member

Registered: 2011-03-26

Posts: 249

Re: mormot.net.acme error

Please try the following changes:

--- a/src/net/mormot.net.acme.pas
+++ b/src/net/mormot.net.acme.pas
@@ -868,8 +868,8 @@ var
 begin
   try
     // Generate a new PKCS#10 Certificate Signing Request
-    csr := fHttpClient.fCert.CertAlgo.CreateSelfSignedCsr(
-      fSubjects, aPrivateKeyPassword, pk);
+    csr := PemToDer(fHttpClient.fCert.CertAlgo.CreateSelfSignedCsr(
+      fSubjects, aPrivateKeyPassword, pk));
     // Before sending a POST request to the server, an ACME client needs to
     // have a fresh anti-replay nonce to put in the "nonce" header of the JWS
     fHttpClient.Head(fNewNonce);

Note, there is added PemToDer conversion.

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

Yes, it works correctly and the certificate file has been generated

thanks

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,659

Website

Re: mormot.net.acme error

Thanks a lot Chaa for the fix.

Please try with https://github.com/synopse/mORMot2/commit/b8a5e82b

By the way, it may be a good idea to add a sample about mormot.net.acme.
Like a self-hosted HTTPS server based on THttpAsyncServer, with automated Let's Encrypt certificates renewal.

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

I use nginx, the Settings are as follows, but https is not accessible,, I don't know what the problem is

server {
        listen       443 ssl;
        server_name  xxx.xx.com;
        ssl_certificate      d://sslkeystore//xxx.xx.com.crt.pem;
        ssl_certificate_key  d://sslkeystore//xxx.xx.com.key.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
       

        location / {
            proxy_pass   http://127.0.0.1:81;
            proxy_redirect     default;
            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout      180;
            proxy_send_timeout         180;
            proxy_read_timeout         180;
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }
    }

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

d:\sslkeystore\xxx.xx.com.crt.pem;
d:\sslkeystore\xxx.xx.com.crt.pem;

This is the file generated by mormot.net.acme

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,659

Website

Re: mormot.net.acme error

Can you telnet to the port 443 from localhost ?

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

After the test, you cannot set the password when applying for a certificate. After the password is set, the https service cannot run. After removing the password and re-applying for a certificate, it can run normally

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

gAcmeLetsEncryptServer:=TAcmeLetsEncryptServer.create(TsynLog, TacmeDaemonSettings(settings).keyStoreFolder,
      ACME_LETSENCRYPT_URL{ACME_LETSENCRYPT_DEBUG_URL},'',''{There can be no passwords here},-1,'8084');

Chaa

Member

Registered: 2011-03-26

Posts: 249

Re: mormot.net.acme error

You can try ssl_password_file for nginx (https://nginx.org/en/docs/http/ngx_http … sword_file).
May be it helps.

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

After many attempts, the ssl_password_file parameter does the job, but strangely, the file name specified after this parameter must be in the standard windows path, and the certificate file specified path must replace the '\' in the path with '//'.

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

Thank you, https is finally working

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

In TAcmeLetsEncrypt checkCertificates procedure(line 1110), check the expiration date of error code:
  cc. GetNotAfter < expired
should be:
cc.getNotAfter-fRenewBeforeEndDays < NowUtc

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,659

Website

Re: mormot.net.acme error

Are you sure?

Current code seems correct to me.
Your code will trigger the renew too late.

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

Am I wrong? How do I feel that your code will trigger renew after the expiration of rnewBeforeEndDays? My previous program has not triggered after the expiration, and I need to delete all certificate files each time before I can get it again.

lfyey121

Member

From: china

Registered: 2022-08-25

Posts: 66

Re: mormot.net.acme error

For example, if the certificate expired yesterday (cc.GetNotAfter), your code: Expired := NowUtc-fRenewBeforeEndDays; expired is one month ago, cc.getNotAfter<expired is not valid.

calvcol

Member

Registered: 2024-10-31

Posts: 1

Re: mormot.net.acme error

In TAcmeLetsEncrypt checkCertificates procedure(line 1110), check the expiration date of error code:
  cc. GetNotAfter < expired
should be:
cc.getNotAfter-fRenewBeforeEndDays < NowUtc

lfyey121 is right.

This "chart" shows when the value of cc.getNotAfter-fRenewBeforeEndDays < NowUtc changes, and works as expected

     FALSE  FALSE  FALSE  >|<  TRUE  TRUE  TRUE  TRUE  TRUE  TRUE 
---------------------------|----------------------------|--------------
                GetNotAfter-fRenewBeforeEndDays     GetNotAfter       
 NowUtc -->
---------------------------|----------------------------|--------------

The previous expression is equivalent to: cc.getNotAfter < NowUtc+fRenewBeforeEndDays

In actual code a expired value is precaltulated before entring the loop, and then the renewal of each certificate is checked with cc.GetNotAfter < expired, so line 1154 should be:

   expired := NowUtc + fRenewBeforeEndDays;

ab

Administrator

From: France

Registered: 2010-06-21

Posts: 14,659

Website

Re: mormot.net.acme error

Make sense.

Please try
https://github.com/synopse/mORMot2/commit/0640cb64

Thanks a lot, you all, for your input!