SOLVED - Let's Encrypt - Can not init api (error code: 3)

hakkers

Hi,
A continuation of the original bug report: https://redmine.pfsense.org/issues/8312

• The right key is selected and LE-production server is selected (though i don't think that should matter)

• A new account-key has been generated and registered

Same error is still being thrown.

Anything else i can provide?

jimp

Post the settings you have for the key and for the certificate (you can hide passwords or anything private). The settings that show in the GUI may not tell enough, so look in a config.xml backup at the <acme>section. Again, you can delete or hide any actual keys or private data.</acme>

hakkers

Hi Jim,
Attached are the requested parts.

Kind regards.

acme_config.txt

jimp

That all appears to be in order, yet somehow the URL is ending up blank. Tracing through the code I'm still not seeing how that could happen.

Did this ever work?

hakkers

Sorry for the late reply. Yes, it has been working just fine and has not been touched for a while.
Other keys and certs have been added after it though.

jimp

Do you have other entries on the same system that still work? Just this one fails?

Or is everything failing in the same way?

hakkers

Hi Jim,
We have other entries that work (renewed one today), it's just this one afaict.

Kind regards.

jimp

Strange. Can you try to recreate that entry, perhaps with a different name, to see if it works? Maybe add the domains back to it one by one to see if a certain one triggers it.

If you do that against a staging server key it shouldn't hurt anything.

lftiv

I was able to re-create this after abusing my configuration for a while.

[Wed Feb 14 15:08:03 EST 2018] ACME_DIRECTORY='/directory'
[Wed Feb 14 15:08:03 EST 2018] _ACME_SERVER_HOST='directory'

Suppose the following

Account Keys Tab
AccountKey1 = production
AccountKey2 = staging
Certificates Tab
Certificate1 uses AccountKey1
Certificate2 uses AccountKey2

In my setup both were working fine, certs issued and renewing.

Steps to recreate
1. Edit AccountKey2 change the name in any way, add the word Staging for example.
2. Renew Certificate2
3. Observe failure with symptoms.

Cause: When You edit the name of an Account Key that is not the FIRST Account Key in the list, any Certificate using that account key will have its 'Acme Account' setting silently changed\reverted to the FIRST Account key listed on the Account keys tab.

As a test:
1. Edit AccountKey2 change the name in any way, add the word Staging for example.
2. Edit Certificate2 and observer the Acme Account field has changed to the FIRST account key listed on the account keys tab.

Solution: Set the Acme Account to the NEW edited name of the proper account key, save, and renew.

I'm unsure if prod/staging matters for the specific errors, but renewing with an improper Acme Account set for the certificate causes all the symptoms seen in posted logs, there is no indication of the AccountKey1 being used in the logs, only the /directory instead of a full URL.

I also tested simply editing my Certificate2 and setting it to use AccountKey1, this resulted in a production certificate being issued to my Certificate2 (Staging) config, checked cert manager and indeed the cert is no longer a staging cert, I have only certificates signed by production CA's.
(Two bugs for the price of one? or this is simply coincidence since all other settings are identical?)
So, the rename changing the Certificate2 Account to AccountKey1 has different results than manually making that change.
Additionally, after making this change on the Certificates tab in the account column Certificate1 reads AccountKey2, Certificate2 reads AccountKey1.
BUT, if I now click edit on Certificate1, the Acme Account drop down still reads AccountKey1!!!! not cool.

Now if I hit Renew on Certificate1, I get the Same 'Cannot init API (error code 3).

So, Root cause the key that is 'expected' (Listed in the 'Account' column of the Certificate in question on the Certificates tab) does not match what is seen in the 'Acme Account' drop down if you click edit on the Certificate in question.

It appears I've found at least two ways to get these out of sync.

I changed Certificate2 Acme Account back to my test account, renewal works as expected and I now have a staging cert in cert manager.
I similarly clicked edit on Certificate1 merely clicked save since the Acme Account was already correct, (It was the Account Column that was mismatched.)

Short Version:
1. Edit the name of an Any Account Key.
2. View Certificates Tab and observer the 'Account' column still has the old account name. Clicking Edit reveals 1. The new Account name if you edited AccountKey1, OR the name of AccountKey1 if you edited a subsequent Account Key.
3.Profit!

Don't edit your account names :)

screen shots if it helps.

and now for a recreational beverage or 2.

-Forrest


hakkers

@lftiv: thorough report, thanx for investigating & confirming. Will not change account keys anymore  ;)
@jimp: thanks for your time and work

Fry-kun

@lftiv Thanks so much for that! I had renamed the keys at some point since last renewal and was at my wits end why it wasn't working.
So sad that this is still a problem!