Description of problem:
acme-tiny fails because Let's Encrypt has changed the agreement URL

Version-Release number of selected component (if applicable):
acme-tiny-0.2-1.20170516gitaf025f5.fc26.noarch

How reproducible:
$ sudo -u acme /usr/libexec/acme-tiny/sign 7

Actual results:
acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt
Parsing account key...
Parsing CSR...
Registering account...
Error registering: 400 b'{\n "type": "urn:acme:error:malformed",\n "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",\n "status": 400\n}'

Additional info:
Upstream has made this change: https://github.com/diafygi/acme-tiny/commit/c4940d229a296b7643e86d2e9ab31a6e0099ba71
Changing the URL fixed the issue: [root@demo40 nginx]# diff /usr/sbin/acme_tiny /usr/sbin/acme_tiny.old 85c85 < "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" --- > "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", [root@demo40 nginx]# sudo -u acme /usr/libexec/acme-tiny/sign 7 acme_tiny --account-key private/account.key --csr csr/letsencrypt.csr --acme-dir /var/www/challenges/ --chain --out certs/letsencrypt.crt Parsing account key... Parsing CSR... Registering account... Registered! Verifying demo40.zegeba.net... demo40.zegeba.net verified! Signing certificate... Certificate signed!
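Review bot: the replacement line at 85c85 drops the trailing comma that the original "agreement" line ended with, so the edit changes more than the URL; keep the comma so the diff is the URL alone and adding a further key after it later cannot break the file. Since the edit is made in place in /usr/sbin/acme_tiny, carrying it as a patch in the package would keep it from being lost when the file is next replaced.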
Wow. That is going to be a maintenance headache!
I agree, I am surprised that upstream have not fixed this before now.
Would it be possible to update the package by adding a patch that changes the URL until upstream does a new release? Would also be great if we can reduce the time in Bodhi.
The Ansible openssl_certificate module[1] will produce an empty file as the certificate, since it also uses acme-tiny, lots of time wasted on debugging...

[1] http://docs.ansible.com/ansible/latest/openssl_certificate_module.html
Just changing the URL is the right fix at the moment. For the mini-wrapper I provide (soon to be split from acme-core), I think it should notify the admin when the agreement changes and require intervention. You never know what could be in the new agreement... One simple approach is a special notification for the agreement change problem, and the admin can edit acme-tiny or update the package (if changed there).
acme-tiny-0.2-3.20170516gitaf025f5.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a
acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2
acme-tiny-0.2-3.20170516gitaf025f5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d
acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a
acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c
Ideally, when the url changes, it should download the agreement, notify the admin, and hold off on renewals until the admin signs off. Maybe by touching a file.
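One way to implement the hold-until-sign-off idea from the comments above, as an added example (not acme-tiny's or the Fedora wrapper's code): it parses the agreement-mismatch error shown in the report and allows a retry only after an admin touches a marker file. The function names, the marker-file naming and the state directory are assumptions.

```python
import hashlib
import json
import re
from pathlib import Path

# Constructed sample: the 400 body from the report above, rebuilt as JSON text.
SAMPLE_BODY = json.dumps({
    "type": "urn:acme:error:malformed",
    "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] "
              "does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
    "status": 400,
})
MISMATCH = re.compile(r"Provided agreement URL \[([^\]\s]+)\] "
                      r"does not match current agreement URL \[([^\]\s]+)\]")

def agreement_change(body):
    """Return (provided, current) URLs if the CA rejected the agreement, else None."""
    try:
        err = json.loads(body)
    except ValueError:
        return None
    if not isinstance(err, dict) or err.get("type") != "urn:acme:error:malformed":
        return None
    m = MISMATCH.search(str(err.get("detail", "")))
    return m.groups() if m else None

def approval_marker(state_dir, url):
    """Hypothetical layout: one marker file per agreement URL, named by its SHA-256."""
    return Path(state_dir) / ("approved-" + hashlib.sha256(url.encode()).hexdigest())

def gate_renewal(body, state_dir, notify=print):
    """Return ('retry'|'hold'|'error', url) for a failed registration response."""
    change = agreement_change(body)
    if change is None:
        return "error", None          # unrelated failure: surface it unchanged
    provided, current = change
    if not current.startswith("https://"):
        return "error", None          # never act on a non-HTTPS agreement link
    marker = approval_marker(state_dir, current)
    if marker.exists():
        return "retry", current       # admin signed off on exactly this URL
    notify(f"Subscriber agreement changed: {provided} -> {current}\n"
           f"Review it, then approve with: touch {marker}")
    return "hold", current            # no renewal until the marker exists
```

Because the marker name is derived from the URL, an approval given for one agreement version does not carry over to the next one.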
@Stuart I fixed this upstream so that the terms are dynamically fetched[1]. [1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395
acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-914865416c
acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-35d7ea827a
acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3e288b6e4d
acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0180e6bed2
acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-532467503a
(In reply to Daniel Roesler from comment #13)
> @Stuart I fixed this upstream so that the terms are dynamically fetched[1].
>
> [1]: https://github.com/diafygi/acme-tiny/compare/5a7b4e7...4ed1395

I plan to address that, but I also want to notify the admin when the agreement changes. And I need to make acme-core with just acme-tiny less the tiny cron scripts I supplied. And maybe even acme-httpd and acme-nginx.
acme-tiny-0.2-3.20170516gitaf025f5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
acme-tiny-0.2-3.20170516gitaf025f5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
acme-tiny-0.2-3.20170516gitaf025f5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
acme-tiny-0.2-3.20170516gitaf025f5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
acme-tiny-0.2-3.20170516gitaf025f5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.