Account key registration throwing curl error 52
-
Any idea why my attempts to register new account keys all seem to fail with a
curl
error 52, indicating no response from the webserver? I cancurl
the staging server without issue from the command line. From what I can suss from/tmp/acme/_registerkey/acme_issuecert.log
, thePOST
to/acme/new-nonce
succeeds, but then thePOST
to/acme/new-acct
fails with error 52.And, as mentioned here, the GUI silently swallows the error.
Here's the log output:
[Thu Jul 19 16:49:03 CDT 2018] Registering account [Thu Jul 19 16:49:03 CDT 2018] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct' [Thu Jul 19 16:49:03 CDT 2018] payload='{"termsOfServiceAgreed": true}' [Thu Jul 19 16:49:03 CDT 2018] Use cached jwk for file: /tmp/acme/_registerkey//ca/acme-staging-v02.api.letsencrypt.org/account.key [Thu Jul 19 16:49:03 CDT 2018] base64 single line. [Thu Jul 19 16:49:03 CDT 2018] payload64='ey<snip>V9' [Thu Jul 19 16:49:03 CDT 2018] _request_retry_times='1' [Thu Jul 19 16:49:03 CDT 2018] Get nonce. ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce' [Thu Jul 19 16:49:03 CDT 2018] HEAD [Thu Jul 19 16:49:03 CDT 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce' [Thu Jul 19 16:49:03 CDT 2018] body [Thu Jul 19 16:49:03 CDT 2018] _postContentType='application/jose+json' [Thu Jul 19 16:49:03 CDT 2018] curl exists=0 [Thu Jul 19 16:49:04 CDT 2018] wget exists=127 [Thu Jul 19 16:49:04 CDT 2018] _CURL='curl -L --silent --dump-header /tmp/acme/_registerkey//http.header -g ' [Thu Jul 19 16:49:04 CDT 2018] _ret='0' [Thu Jul 19 16:49:04 CDT 2018] _headers='HTTP/1.1 204 No Content Server: nginx Replay-Nonce: Lq<snip>HA X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Thu, 19 Jul 2018 21:49:04 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 19 Jul 2018 21:49:04 GMT Connection: keep-alive ^M' [Thu Jul 19 16:49:04 CDT 2018] _CACHED_NONCE='Lq<snip>HA' [Thu Jul 19 16:49:04 CDT 2018] nonce='Lq<snip>HA' [Thu Jul 19 16:49:04 CDT 2018] protected='{"nonce": "Lq<snip>HA", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "qQ<snip>-M"}}' [Thu Jul 19 16:49:04 CDT 2018] base64 single line. [Thu Jul 19 16:49:04 CDT 2018] protected64='ey<snip>X0' [Thu Jul 19 16:49:04 CDT 2018] base64 single line. [Thu Jul 19 16:49:04 CDT 2018] _sig_t='NA<snip>ls=' [Thu Jul 19 16:49:04 CDT 2018] sig='NA<snip>ls' [Thu Jul 19 16:49:04 CDT 2018] body='{"protected": "ey<snip>X0", "payload": "ey<snip>V9", "signature": "NA<snip>ls"}' [Thu Jul 19 16:49:04 CDT 2018] POST [Thu Jul 19 16:49:04 CDT 2018] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct' [Thu Jul 19 16:49:04 CDT 2018] body='{"protected": "ey<snip>X0", "payload": "ey<snip>V9", "signature": "NA<snip>ls"}' [Thu Jul 19 16:49:04 CDT 2018] _postContentType='application/jose+json' [Thu Jul 19 16:49:04 CDT 2018] Http already initialized. [Thu Jul 19 16:49:04 CDT 2018] _CURL='curl -L --silent --dump-header /tmp/acme/_registerkey//http.header -g ' [Thu Jul 19 16:51:04 CDT 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 52 [Thu Jul 19 16:51:04 CDT 2018] _ret='52' [Thu Jul 19 16:51:04 CDT 2018] original [Thu Jul 19 16:51:04 CDT 2018] responseHeaders='HTTP/1.1 100 Continue Expires: Thu, 19 Jul 2018 21:49:04 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache ^M' [Thu Jul 19 16:51:04 CDT 2018] response [Thu Jul 19 16:51:04 CDT 2018] code='100' [Thu Jul 19 16:51:04 CDT 2018] Register account Error:
-
I can't seem to reproduce that issue here. I can make a new key and register it against either the v1 or v2 servers and do not receive an error.
What version of pfSense are you running, and what version of the ACME package?
-
I'm on the latest 2.4.3_1.
My suspicion is the
100 Continue
response is throwing a wrench in things, but I have no idea why, much less a cause. -
No, I see a
100 continue
as well and then it keeps going. There may be something about the parameters you are submitting it doesn't like, perhaps. The cURL error you get means the server sent back an empty response which is unusual. -
I'm thoroughly baffled by this. I'm just using the web form and not entering any unusual data, from what I can tell. From my cursory look at the crypto generated it seems reasonable.
Any other thoughts at where I can even begin to troubleshoot?
-
Is this the only one you've tried? How many times have you tried it?
I wonder if maybe you've hit one of their rate limits. Though the staging servers shouldn't have rate limits.
Try using the v1 servers and not v2, see what happens. If that fails, try leaving off the e-mail address.
-
I've tried all 4 servers to no avail. While I have tried multiple times, it's never been more than 10 a day, and only that many on the staging servers.
I am behind a NAT, but nothing else here should be talking to the servers, and certainly not all 4 of them.
Removing or changing the email address doesn't seem to change anything.
I have to think it's something with my config, but don't have a clue what could be affecting this.
-
And you are certain whatever is ahead of you doesn't interfere with web requests in any way? No proxy or MITM interception type thing going on?
Looking at the portion of the log you posted vs what I get, they are identical (Except for the randomized parts) until yours hits the cURL error.
-
My gateway is load-balanced between two DSL modems, I have a NAT, DDNS, and incoming forwarding of http/s & ssh to a server. Since the traffic is coming from the router and not the LAN, maybe the firewall is treating it differently in some way? I'm not sure why the first
curl
would work but not the second. -
You mentioned Load Balancing. Is it possible your first request goes out WAN1, then the second out WAN2? ACME may drop that since the request didn't come from the same address.
-
I have the 'sticky connections' flag set in the configuration, so I think that should prevent this scenario. I even turned the 'tracking timeout' up to 120 seconds just to be certain (which matches the curl timeout).
Is there a chance this could be failing because the traffic is coming from the router and not the LAN?
-
Does the plugin run as a user on the OS? If so, I would assume all the traffic from the router itself would just use the default OS route, which is simply one of the pppoe interfaces. I do see that both my pppoe interfaces have the same gateway (despite wildly different IPs), but
netstat -rn
only showspppoe0
in use.Incidentally, in the Status / Gateways /Gateways GUI, I think both interfaces having the same Monitor IP (by virtue of both having the same gateway) is causing an incorrect status to be displayed for one of the gateways.
-
Well I don't know WTF changed, but this problem has automagically resolved itself after a reboot. My guess is some stale routing state somewhere.
The GUI changes in latest ACME package work well, though!