ACME Lets Encrypt HE.net unable to renew: Can not find account id url
-
Does anyone know what the issue may be?
Here are the logs for the failed attempt.
pfsense-home-mydomain-com
Renewing certificate
account: mydomain-com-acme
server: letsencrypt-production-2
/usr/local/pkg/acme/acme.sh --issue --domain 'pfsense.home.mydomain.com' --dns 'dns_he' --home '/tmp/acme/pfsense-home-mydomain-com/' --accountconf '/tmp/acme/pfsense-home-mydomain-com/accountconf.conf' --force --reloadCmd '/tmp/acme/pfsense-home-mydomain-com/reloadcmd.sh' --dnssleep '180' --log-level 3 --log '/tmp/acme/pfsense-home-mydomain-com/acme_issuecert.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [HE_Username] => my_HE_username [HE_Password] => my_HE_password )
[Mon Jan 24 12:12:29 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Jan 24 12:12:30 CST 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Mon Jan 24 12:13:31 CST 2022] Registered
[Mon Jan 24 12:13:31 CST 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Mon Jan 24 12:13:31 CST 2022] Can not find account id url.
[Mon Jan 24 12:13:31 CST 2022]
[Mon Jan 24 12:13:31 CST 2022] Please check log file for more details: /tmp/acme/pfsense-home-mydomain-com/acme_issuecert.log
ACME ver: 0.6.10
pfSense+ 21.05.1-RELEASE (amd64) on SG2440
-
I'll add, last time it worked was: Wed, 27 Oct 2021 16:06:22 -0500
-
@jimp Could this be a bug with the package or a change on Let's Encrypt side? It worked three months ago.
Thanks
-
@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
Please check log file for more details: /tmp/acme/pfsense-home-mydomain-com/acme_issuecert.log
?
The interesting part is just before this happened:
Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
-
Can you execute this on the command line, console (or SSH), option 8:
curl https://curl.haxx.se/libcurl/c/libcurl-errors.html
When you paste "https://curl.se/libcurl/c/libcurl-errors.html" in a browser, you'll see a web page.
"curl" does the same thing: it should show you the same thing, without the inline images, only the HTML info.
-
@gertjan When I go to the above address in the browser, I get redirected to:
From console (I could not post directly, tagged as possible spam):
-
@bartkowski
Ok, that looks fine. The "https://curl.haxx.se/libcurl/c/libcurl-errors.html" just lists a page with numbers that explain what the possible issues might be.
I saw issue "92" but don't know what it means. The pfSense acme.sh package (latest version) works fine for me right now.
-
@gertjan This is the error text from that page:
CURLE_HTTP2_STREAM (92)
Stream error in the HTTP/2 framing layer.
Edit:
I wonder if it has something to do with Cloudflare.
DNS lookup of staging.api.letsencrypt.org:
Result                                              Record type
172.65.46.172                                       A
2606:4700:60::f41b:d4fe:4325:6026                   AAAA
56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com   CNAME
-
@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
@gertjan This is the error text from that page:
CURLE_HTTP2_STREAM (92)
Stream error in the HTTP/2 framing layer.
Yep. Saw that.
As said: dunno what that means. And I'm not a Cloudflare man.
I'm doing my own "domain name servers stuff": it's a way of doing complicated things myself, but things like "acme.sh" (Let's Encrypt) become easy as I control both sides.
-
@gertjan I posted my log on LetsEncrypt forum and someone said there should NOT be a double slash here:
--dump-header /tmp/acme/_registerkey//http.header
Is that a bug with the package?
-
I found the issue. I had to disable Limiters (FQ_Codel; tail drop) rules on WAN (Floating) interface and the registration and cert renewal succeeded.
-
@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
I found the issue.
"FQ_Codel" Limiters on WAN using 'tail_drop' : I'm using them right now.
I got them from the huge thread on this forum, somewhere from here.
Main reason I use them: "buffer bloat". Btw: if your "limiters" setup starts to throw away legal traffic, you have an issue .....
-
@gertjan said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
I got them from the huge thread on this forum
Me too, from here. But, I had those in place for more than a year and prior renewals succeeded, so I don't know what changed. I created a thread in the traffic shaping forum, let's see if that brings new knowledge to light.
-
Certificate renewal, or "whatever acme.sh does", looks like rocket science, but it's actually the same traffic as, for example, collecting a mail or looking at a web server page.
Limiters on a WAN interface (floating, or not) should not have any influence on the traffic except for delaying some packets. Not dropping them. As this would have a huge impact on all traffic.
A limiter doesn't know a packet came from a process (script) calling 'acme.sh'. The limiter rules "on that thread" are used by a lot of people.
My acme.sh package renews certs for years now, every 30 days. I'm pretty sure that the /tmp/acme/logfile .... will show you what the real issue was. That's why these log files exist: to show you what goes well (and we don't care) and what goes wrong.
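As an added example (not part of this thread, the pfSense ACME package, or acme.sh itself), a small Python parser for the timestamped acme.sh output quoted in the first post. It pulls out the CA directory, whether account registration succeeded, any libcurl error codes and the failure lines, and maps error code 92 to the CURLE_HTTP2_STREAM meaning posted above; the "registered but the next HTTP/2 stream failed" hint reflects the thread's finding that a WAN limiter, not the CA, was dropping traffic. SAMPLE_LOG is constructed from the lines in the first post; the libcurl error names are the ones documented on libcurl-errors.html.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the timestamped acme.sh lines quoted in the first post,
# one per line. On pfSense the full log lives at
# /tmp/acme/<certificate-name>/acme_issuecert.log.
SAMPLE_LOG = """\
[Mon Jan 24 12:12:29 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Jan 24 12:12:30 CST 2022] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Mon Jan 24 12:13:31 CST 2022] Registered
[Mon Jan 24 12:13:31 CST 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Mon Jan 24 12:13:31 CST 2022] Can not find account id url.
[Mon Jan 24 12:13:31 CST 2022]
[Mon Jan 24 12:13:31 CST 2022] Please check log file for more details: /tmp/acme/pfsense-home-mydomain-com/acme_issuecert.log
"""

# libcurl exit codes that commonly show up in acme.sh logs, named as on
# libcurl-errors.html; 92 is the one from this thread.
CURL_ERRORS = {
    6: "CURLE_COULDNT_RESOLVE_HOST: DNS resolution of the ACME host failed",
    7: "CURLE_COULDNT_CONNECT: TCP connection to the ACME host failed",
    28: "CURLE_OPERATION_TIMEDOUT: request timed out (slow or dropped packets)",
    35: "CURLE_SSL_CONNECT_ERROR: TLS handshake with the ACME host failed",
    60: "CURLE_PEER_FAILED_VERIFICATION: ACME server certificate not trusted",
    92: "CURLE_HTTP2_STREAM: stream error in the HTTP/2 framing layer",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
CURL_RE = re.compile(r"for error code:\s*(?P<code>\d+)")


@dataclass
class AcmeRun:
    """What one acme.sh --issue attempt tells us."""
    ca: Optional[str] = None
    registered: bool = False
    curl_errors: List[int] = field(default_factory=list)
    failures: List[str] = field(default_factory=list)
    last_ts: Optional[str] = None


def parse_acme_log(text: str) -> AcmeRun:
    """Extract CA, registration state, libcurl error codes and failure lines."""
    run = AcmeRun()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # command echo, PATH dump and other non-timestamped noise
        run.last_ts = m.group("ts")
        msg = m.group("msg").strip()
        curl = CURL_RE.search(msg)
        if msg.startswith("Using CA:"):
            run.ca = msg.split(":", 1)[1].strip()
        elif msg == "Registered":
            run.registered = True
        elif curl:
            run.curl_errors.append(int(curl.group("code")))
        elif msg.startswith("Can not") or msg.lower().startswith("error"):
            run.failures.append(msg)
    return run


def diagnose(run: AcmeRun) -> List[str]:
    """Turn a parsed run into readable hints; an empty list means nothing went wrong."""
    hints = []
    for code in run.curl_errors:
        hints.append(CURL_ERRORS.get(code, f"libcurl error {code}: see libcurl-errors.html"))
    if 92 in run.curl_errors and run.registered:
        # The pattern from this thread: registration itself got through, but the
        # very next HTTP/2 exchange broke, which points at the network path (here
        # a WAN limiter with tail drop) rather than at the CA or the account.
        hints.append("registration succeeded but a later HTTP/2 stream failed: "
                     "look for packet loss or shaping on WAN and retry with curl --http1.1")
    hints.extend(f"acme.sh reported: {f}" for f in run.failures)
    return hints


if __name__ == "__main__":
    result = parse_acme_log(SAMPLE_LOG)
    print(f"CA={result.ca} registered={result.registered} last={result.last_ts}")
    for hint in diagnose(result):
        print(" -", hint)
```

Feed it the real acme_issuecert.log instead of SAMPLE_LOG to get the same summary for a live renewal; the Array(...) PATH dump and the command echo are skipped because they carry no timestamp.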
-