ACME Lets Encrypt HE.net unable to renew: Can not find account id url
-
@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
Please check log file for more details: /tmp/acme/pfsense-home-mydomain-com/acme_issuecert.log
?
The interesting part is just before this happened:
Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
-
Can you execute this on the command line, console (or SSH), option 8:
curl https://curl.haxx.se/libcurl/c/libcurl-errors.html
When you paste "https://curl.se/libcurl/c/libcurl-errors.html" in a browser, you'll see a web page.
"curl" does the same thing: it should show you the same thing, without the inline images, only the html info.
-
@gertjan When I go to the above address in the browser, I get redirected to:
From console (I could not post directly, tagged as possible spam):
-
@bartkowski
Ok, that looks fine. The "https://curl.haxx.se/libcurl/c/libcurl-errors.html" just lists a page with numbers that explain what the possible issues might be.
I saw issue "92" but don't know what it means. The pfSense acme.sh package (latest version) works fine for me right now.
-
@gertjan This is the error text from that page:
CURLE_HTTP2_STREAM (92): Stream error in the HTTP/2 framing layer.
Edit:
I wonder if it has something to do with Cloudflare.
DNS lookup of staging.api.letsencrypt.org:
Result                                              Record type
172.65.46.172                                       A
2606:4700:60::f41b:d4fe:4325:6026                   AAAA
56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com   CNAME
-
@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
@gertjan This is the error text from that page:
CURLE_HTTP2_STREAM (92)
Stream error in the HTTP/2 framing layer.
Yep. Saw that.
As said: dunno what that means. And I'm not a Cloudflare man.
I'm doing my own "domain name servers stuff": it's a way of doing complicated things myself, but things like "acme.sh" (Letsencrypt) become easy as I control both sides.
-
@gertjan I posted my log on LetsEncrypt forum and someone said there should NOT be a double slash here:
--dump-header /tmp/acme/_registerkey//http.header
Is that a bug with the package?
-
I found the issue. I had to disable Limiters (FQ_Codel; tail drop) rules on WAN (Floating) interface and the registration and cert renewal succeeded.
-
@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
I found the issue.
"FQ_Codel" Limiters on WAN using 'tail_drop' : I'm using them right now.
I got them from the huge thread on this forum, somewhere from here.
Main reason I use them: "buffer bloat". Btw: if your "limiters" setup starts to throw away legal traffic, you have an issue .....
-
@gertjan said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:
I got them from the huge thread on this forum
Me too, from here. But, I had those in place for more than a year and prior renewals succeeded, so I don't know what changed. I created a thread in the traffic shaping forum, let's see if that brings new knowledge to light.
-
Certificate renewal, or "whatever acme.sh" does, looks like rocket science, but it's actually the same traffic as, for example, collecting a mail or looking at a web server page.
Limiters on a WAN interface (floating, or not) should not have any influence on the traffic except for delaying some packets. Not dropping them. As this would have a huge impact on all traffic.
A limiter doesn't know a packet came from a process (script) calling 'acme.sh'. The limiter rules "on that thread" are used by a lot of people.
My acme.sh package has renewed certs for years now, every 30 days. I'm pretty sure that the /tmp/acme/logfile .... will show you what the real issue was. That's why these log files exist: to show you what goes well (and we don't care) and what goes wrong.
-
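The two diagnostic steps suggested in this thread (run curl from the pfSense console, and read the acme_issuecert.log before guessing) can be scripted. The helper below is an added example, not acme.sh code and not part of the pfSense ACME package: it pulls the libcurl error code that acme.sh echoes ("... for error code: N") out of a log, names it, and can optionally request an ACME endpoint over HTTP/1.1 and then HTTP/2 so that a CURLE_HTTP2_STREAM (92) failure can be told apart from DNS, TCP or TLS problems. The sample log lines, the script name and the ACME_PROBE_URL variable are constructed for the example; the staging directory URL is an assumption.

```shell
#!/bin/sh
# Added diagnostic helper for the failure discussed in this thread. Not from
# acme.sh or the pfSense package: reads an acme.sh log, extracts the libcurl
# error code acme.sh echoes, explains it, and optionally probes an ACME URL
# over HTTP/1.1 and HTTP/2 to isolate a framing-layer (code 92) failure.

# Constructed sample in the shape of the log lines quoted in the thread
# (the surrounding lines and their wording are made up for the example).
SAMPLE_LOG="$(printf '%s\n' \
    '[constructed] POST https://acme-staging-v02.api.letsencrypt.org/acme/new-acct' \
    '[constructed] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92' \
    '[constructed] Can not find account id url.')"

# Print the last libcurl error code mentioned in the log text given as $1,
# or nothing if the log contains none.
last_curl_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*for error code: \([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# Translate the libcurl codes most often seen in ACME failures into their names.
describe_curl_error() {
    case "$1" in
        6)  echo "CURLE_COULDNT_RESOLVE_HOST: DNS resolution of the ACME host failed" ;;
        7)  echo "CURLE_COULDNT_CONNECT: TCP connection to the ACME host failed" ;;
        28) echo "CURLE_OPERATION_TIMEDOUT: request timed out" ;;
        35) echo "CURLE_SSL_CONNECT_ERROR: TLS handshake failed" ;;
        92) echo "CURLE_HTTP2_STREAM: stream error in the HTTP/2 framing layer" ;;
        *)  echo "libcurl error $1: see https://curl.se/libcurl/c/libcurl-errors.html" ;;
    esac
}

# Request $1 once with HTTP/1.1 and once with HTTP/2 and report curl's exit
# status for each (0 = transfer completed; HTTP 4xx/5xx still count as 0
# because only the transport is under test). DNS, TCP and TLS are identical
# in both runs, so "http1.1=0" next to "http2=92" points at something on
# the path breaking HTTP/2 streams. A curl built without HTTP/2 support
# reports its own error for the second run instead.
probe_http_versions() {
    for ver in --http1.1 --http2; do
        curl -sS -o /dev/null --max-time 20 "$ver" "$1" 2>/dev/null
        printf '%s=%s\n' "${ver#--}" "$?"
    done
}

# Usage: sh acme_curl_diag.sh [/tmp/acme/<account>/acme_issuecert.log]
# Set ACME_PROBE_URL (e.g. the assumed staging directory
# https://acme-staging-v02.api.letsencrypt.org/directory) to run the live probe.
LOG_FILE="${1:-}"
if [ -n "$LOG_FILE" ] && [ -r "$LOG_FILE" ]; then
    LOG_TEXT="$(cat "$LOG_FILE")"
else
    LOG_TEXT="$SAMPLE_LOG"   # fall back to the constructed sample
fi

CODE="$(last_curl_error "$LOG_TEXT")"
if [ -n "$CODE" ]; then
    echo "last libcurl error: $CODE ($(describe_curl_error "$CODE"))"
else
    echo "no libcurl error code found in log"
fi

if [ -n "${ACME_PROBE_URL:-}" ]; then
    probe_http_versions "$ACME_PROBE_URL"
fi
```

Run without arguments it only parses the constructed sample; point it at the real /tmp/acme/.../acme_issuecert.log and export ACME_PROBE_URL on the pfSense console to reproduce the thread's check. Comparing the HTTP/1.1 and HTTP/2 exit codes side by side is what distinguishes a shaper or limiter interfering with HTTP/2 streams from the host simply being unreachable.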