You are not logged in.
Pages: 1
An error occurred while calling the completedomainregistero function:
EXC EJwsHttp {Message:"Error 400 [Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2] while querying https://acme-v02.api.letsencrypt.org/acme/finalize/1349321746/213579860876"} [CheckCertificates] at 4c4526
Offline
Please try the following changes:
--- a/src/net/mormot.net.acme.pas
+++ b/src/net/mormot.net.acme.pas
@@ -868,8 +868,8 @@ var
begin
try
// Generate a new PKCS#10 Certificate Signing Request
- csr := fHttpClient.fCert.CertAlgo.CreateSelfSignedCsr(
- fSubjects, aPrivateKeyPassword, pk);
+ csr := PemToDer(fHttpClient.fCert.CertAlgo.CreateSelfSignedCsr(
+ fSubjects, aPrivateKeyPassword, pk));
// Before sending a POST request to the server, an ACME client needs to
// have a fresh anti-replay nonce to put in the "nonce" header of the JWS
fHttpClient.Head(fNewNonce);
Note, there is added PemToDer conversion.
Offline
Yes, it works correctly and the certificate file has been generated
thanks
Offline
Thanks a lot Chaa for the fix.
Please try with https://github.com/synopse/mORMot2/commit/b8a5e82b
By the way, it may be a good idea to add a sample about mormot.net.acme.
Like a self-hosted HTTPS server based on THttpAsyncServer, with automated Let's Encrypt certificates renewal.
Offline
I use nginx, the Settings are as follows, but https is not accessible,, I don't know what the problem is
server {
listen 443 ssl;
server_name xxx.xx.com;
ssl_certificate d://sslkeystore//xxx.xx.com.crt.pem;
ssl_certificate_key d://sslkeystore//xxx.xx.com.key.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
location / {
proxy_pass http://127.0.0.1:81;
proxy_redirect default;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_max_temp_file_size 0;
proxy_connect_timeout 180;
proxy_send_timeout 180;
proxy_read_timeout 180;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
Offline
d:\sslkeystore\xxx.xx.com.crt.pem;
d:\sslkeystore\xxx.xx.com.crt.pem;
This is the file generated by mormot.net.acme
Offline
After the test, you cannot set the password when applying for a certificate. After the password is set, the https service cannot run. After removing the password and re-applying for a certificate, it can run normally
Offline
gAcmeLetsEncryptServer:=TAcmeLetsEncryptServer.create(TsynLog, TacmeDaemonSettings(settings).keyStoreFolder,
ACME_LETSENCRYPT_URL{ACME_LETSENCRYPT_DEBUG_URL},'',''{There can be no passwords here},-1,'8084');
Offline
You can try ssl_password_file for nginx (https://nginx.org/en/docs/http/ngx_http … sword_file).
May be it helps.
Offline
After many attempts, the ssl_password_file parameter does the job, but strangely, the file name specified after this parameter must be in the standard windows path, and the certificate file specified path must replace the '\' in the path with '//'.
Offline
Thank you, https is finally working
Offline
In TAcmeLetsEncrypt checkCertificates procedure(line 1110), check the expiration date of error code:
cc. GetNotAfter < expired
should be:
cc.getNotAfter-fRenewBeforeEndDays < NowUtc
Offline
Am I wrong? How do I feel that your code will trigger renew after the expiration of rnewBeforeEndDays? My previous program has not triggered after the expiration, and I need to delete all certificate files each time before I can get it again.
Offline
For example, if the certificate expired yesterday (cc.GetNotAfter), your code: Expired := NowUtc-fRenewBeforeEndDays; expired is one month ago, cc.getNotAfter<expired is not valid.
Offline
In TAcmeLetsEncrypt checkCertificates procedure(line 1110), check the expiration date of error code:
cc. GetNotAfter < expired
should be:
cc.getNotAfter-fRenewBeforeEndDays < NowUtc
lfyey121 is right.
This "chart" shows when the value of cc.getNotAfter-fRenewBeforeEndDays < NowUtc changes, and works as expected
FALSE FALSE FALSE >|< TRUE TRUE TRUE TRUE TRUE TRUE
---------------------------|----------------------------|--------------
GetNotAfter-fRenewBeforeEndDays GetNotAfter
NowUtc -->
---------------------------|----------------------------|--------------
The previous expression is equivalent to: cc.getNotAfter < NowUtc+fRenewBeforeEndDays
In actual code a expired value is precaltulated before entring the loop, and then the renewal of each certificate is checked with cc.GetNotAfter < expired, so line 1154 should be:
expired := NowUtc + fRenewBeforeEndDays;
Offline
Make sense.
Please try
https://github.com/synopse/mORMot2/commit/0640cb64
Thanks a lot, you all, for your input!
Offline
Pages: 1