    SOLVED - Let's Encrypt - Can not init api (error code: 3)

    • hakkers

      Hi,
      A continuation of the original bug report: https://redmine.pfsense.org/issues/8312

      • The right key is selected and LE-production server is selected (though i don't think that should matter)

      • A new account-key has been generated and registered

      Same error is still being thrown.

      Anything else i can provide?

      • jimp Rebel Alliance Developer Netgate

        Post the settings you have for the key and for the certificate (you can hide passwords or anything private). The settings that show in the GUI may not tell enough, so look in a config.xml backup at the <acme> section. Again, you can delete or hide any actual keys or private data.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • hakkers

          Hi Jim,
          Attached are the requested parts.

          Kind regards.

          acme_config.txt

          • jimp Rebel Alliance Developer Netgate

            That all appears to be in order, yet somehow the URL is ending up blank. Tracing through the code I'm still not seeing how that could happen.

            Did this ever work?


            • hakkers

              Sorry for the late reply. Yes, it has been working just fine and has not been touched for a while.
              Other keys and certs have been added after it though.

              • jimp Rebel Alliance Developer Netgate

                Do you have other entries on the same system that still work? Just this one fails?

                Or is everything failing in the same way?


                • hakkers

                  Hi Jim,
                  We have other entries that work (renewed one today), it's just this one afaict.

                  Kind regards.

                  • jimp Rebel Alliance Developer Netgate

                    Strange. Can you try to recreate that entry, perhaps with a different name, to see if it works? Maybe add the domains back to it one by one to see if a certain one triggers it.

                    If you do that against a staging server key it shouldn't hurt anything.


                    • lftiv

                      I was able to re-create this after abusing my configuration for a while.

                      [Wed Feb 14 15:08:03 EST 2018] ACME_DIRECTORY='/directory'
                      [Wed Feb 14 15:08:03 EST 2018] _ACME_SERVER_HOST='directory'

                      Suppose the following

                      Account Keys Tab
                      AccountKey1 = production
                      AccountKey2 = staging
                      Certificates Tab
                      Certificate1 uses AccountKey1
                      Certificate2 uses AccountKey2

                      In my setup both were working fine, certs issued and renewing.

                      Steps to recreate
                      1. Edit AccountKey2 change the name in any way, add the word Staging for example.
                      2. Renew Certificate2
                      3. Observe failure with symptoms.

                      Cause: When you edit the name of an Account Key that is not the FIRST Account Key in the list, any Certificate using that account key will have its 'Acme Account' setting silently changed/reverted to the FIRST Account key listed on the Account keys tab.

                      As a test:
                      1. Edit AccountKey2 change the name in any way, add the word Staging for example.
                      2. Edit Certificate2 and observe the Acme Account field has changed to the FIRST account key listed on the account keys tab.

                      Solution: Set the Acme Account to the NEW edited name of the proper account key, save, and renew.

                      I'm unsure if prod/staging matters for the specific errors, but renewing with an improper Acme Account set for the certificate causes all the symptoms seen in posted logs, there is no indication of the AccountKey1 being used in the logs, only the /directory instead of a full URL.

                      I also tested simply editing my Certificate2 and setting it to use AccountKey1, this resulted in a production certificate being issued to my Certificate2 (Staging) config, checked cert manager and indeed the cert is no longer a staging cert, I have only certificates signed by production CA's.
                      (Two bugs for the price of one? or this is simply coincidence since all other settings are identical?)
                      So, the rename changing the Certificate2 Account to AccountKey1 has different results than manually making that change.
                      Additionally, after making this change on the Certificates tab in the account column Certificate1 reads AccountKey2, Certificate2 reads AccountKey1.
                      BUT, if I now click edit on Certificate1, the Acme Account drop down still reads AccountKey1!!!! not cool.

                      Now if I hit Renew on Certificate1, I get the same 'Cannot init API (error code 3)'.

                      So, Root cause the key that is 'expected' (Listed in the 'Account' column of the Certificate in question on the Certificates tab) does not match what is seen in the 'Acme Account' drop down if you click edit on the Certificate in question.

                      It appears I've found at least two ways to get these out of sync.

                      I changed Certificate2 Acme Account back to my test account, renewal works as expected and I now have a staging cert in cert manager.
                      I similarly clicked edit on Certificate1 merely clicked save since the Acme Account was already correct, (It was the Account Column that was mismatched.)

                      Short Version:
                      1. Edit the name of any Account Key.
                      2. View Certificates Tab and observe the 'Account' column still has the old account name. Clicking Edit reveals 1. The new Account name if you edited AccountKey1, OR the name of AccountKey1 if you edited a subsequent Account Key.
                      3. Profit!

                      Don't edit your account names :)

                      screen shots if it helps.

                      and now for a recreational beverage or 2.

                      -Forrest

                      ![2018-02-14 15_48_01-hail.cleverintuiton.com - Services_ Acme_ Certificates.png](/public/imported_attachments/1/2018-02-14 15_48_01-hail.cleverintuiton.com - Services_ Acme_ Certificates.png)
                      ![2018-02-14 15_35_32-hail.cleverintuiton.com - Services_ Acme_ Certificate options_ Edit.png](/public/imported_attachments/1/2018-02-14 15_35_32-hail.cleverintuiton.com - Services_ Acme_ Certificate options_ Edit.png)
                      ![2018-02-14 15_35_14-hail.cleverintuiton.com - Services_ Acme_ Certificate options_ Edit.png](/public/imported_attachments/1/2018-02-14 15_35_14-hail.cleverintuiton.com - Services_ Acme_ Certificate options_ Edit.png)
                      ![2018-02-14 15_35_02-hail.cleverintuiton.com - Services_ Acme_ Certificates.png](/public/imported_attachments/1/2018-02-14 15_35_02-hail.cleverintuiton.com - Services_ Acme_ Certificates.png)


                      The first principle is that you must not fool yourself – and you are the easiest person to fool.
                           -Richard Phillips Feynman

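A consistency check for the <acme> section of a config.xml backup, added here as an illustration; it is not code from the thread or from the pfSense ACME package. It flags certificates whose stored account reference no longer matches any account key name (the state the rename above leaves behind) and shows how such a reference collapses the directory URL to the bare '/directory' seen in the log lines. The element names (accountkeys, certificates, acmeaccount, acmeserver), the server-to-URL table and the sample config are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample <acme> fragment: AccountKey2 was renamed to
# "AccountKey2 Staging", but Certificate2 still carries the old name.
# Element names (accountkeys, certificates, acmeaccount, acmeserver) are an
# assumption about the package's config layout, not taken from the thread.
SAMPLE_ACME_XML = """<acme>
  <accountkeys>
    <item><name>AccountKey1</name><acmeserver>letsencrypt-production-2</acmeserver></item>
    <item><name>AccountKey2 Staging</name><acmeserver>letsencrypt-staging-2</acmeserver></item>
  </accountkeys>
  <certificates>
    <item><name>Certificate1</name><acmeaccount>AccountKey1</acmeaccount></item>
    <item><name>Certificate2</name><acmeaccount>AccountKey2</acmeaccount></item>
  </certificates>
</acme>"""

# Assumed server-identifier to base-URL table (the package keeps its own).
SERVER_BASE_URLS = {
    "letsencrypt-production-2": "https://acme-v02.api.letsencrypt.org",
    "letsencrypt-staging-2": "https://acme-staging-v02.api.letsencrypt.org",
}

def resolve_directory_urls(xml_text: str) -> dict:
    """Map each certificate name to the directory URL it would be run with,
    modelled as <server base URL> + '/directory'. A certificate whose account
    reference matches no account key gets an empty base, leaving the bare
    '/directory' seen in the thread's ACME_DIRECTORY='/directory' log line."""
    acme = ET.fromstring(xml_text)
    server_by_account = {
        item.findtext("name"): item.findtext("acmeserver", default="")
        for item in acme.findall("accountkeys/item")
    }
    urls = {}
    for cert in acme.findall("certificates/item"):
        ref = cert.findtext("acmeaccount", default="")
        base = SERVER_BASE_URLS.get(server_by_account.get(ref, ""), "")
        urls[cert.findtext("name")] = base + "/directory"
    return urls

def dangling_account_references(xml_text: str) -> list:
    """Certificates whose account reference resolves to no server URL."""
    return [name for name, url in resolve_directory_urls(xml_text).items()
            if url == "/directory"]

if __name__ == "__main__":
    for name in dangling_account_references(SAMPLE_ACME_XML):
        print(f"{name}: Acme Account no longer matches a key; re-select and save")
```

Run it against the <acme> section of a real backup after any account key rename; every name it prints is a certificate that will fail renewal until its Acme Account is re-selected and saved.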
                      • hakkers

                        @lftiv: thorough report, thanx for investigating & confirming. Will not change account keys anymore  ;)
                        @jimp: thanks for your time and work

                        • Fry-kun @lftiv

                          @lftiv Thanks so much for that! I had renamed the keys at some point since last renewal and was at my wits end why it wasn't working.
                          So sad that this is still a problem!
