ACME Lets Encrypt HE.net unable to renew: Can not find account id url

bartkowski · Jan 28, 2022, 4:20 PM

@gertjan When I go to the above address in the browser, I get redirected to:

From console, (I could not post directly, tagged as possible spam):

(

Gertjan · Jan 28, 2022, 4:21 PM

@bartkowski
Ok, that looks fine.

The "https://curl.haxx.se/libcurl/c/libcurl-errors.html" just lists a page with numbers that explain what the possible issues might be.
I saw issue "92" buit don't know what it means.

The pfSense acme.sh package (latest version) work fine for me right now.

bartkowski · Jan 28, 2022, 4:40 PM

@gertjan This is the error text from that page:
CURLE_HTTP2_STREAM (92)

Stream error in the HTTP/2 framing layer.

Edit:
I wonder if it has something to do with Cloudflare.
DNS lookup of staging.api.letsencrypt.org:

Result	Record type
172.65.46.172	A
2606:4700:60::f41b:d4fe:4325:6026	AAAA
56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com	CNAME

Gertjan · Feb 1, 2022, 4:04 PM

@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:

@gertjan This is the error text from that page:
CURLE_HTTP2_STREAM (92)
Stream error in the HTTP/2 framing layer.

Yep. Saw that.
As said : dono what that means.

And I'm not a cloudflare man.
I'm doing my own "domain name servers stuff" : Its a way of doing complicated things myself, but things like "acme.sh" (Letenscrypt) becomes easy as I control both sides.

bartkowski · Feb 1, 2022, 4:04 PM

@gertjan I posted my log on LetsEncrypt forum and someone said there should NOT be a double slash here:

--dump-header /tmp/acme/_registerkey//http.header

Is that a bug with the package?

bartkowski · Feb 1, 2022, 5:47 PM

I found the issue. I had to disable Limiters (FQ_Codel; tail drop) rules on WAN (Floating) interface and the registration and cert renewal succeeded.

Gertjan · Feb 2, 2022, 3:52 PM

@bartkowski said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:

I found the issue.

"FQ_Codel" Limiters on WAN using 'tail_drop' : I'm using them right now.
I got them from the huge thread on this forum, somewhere from here.
Main reason I use them : "buffer bloat".

Btw : if your "limiters" setup starts to throw away legal traffic, you have an issue .....

bartkowski · Feb 2, 2022, 3:58 PM

@gertjan said in ACME Lets Encrypt HE.net unable to renew: Can not find account id url:

I got them from the huge thread on this forum

Me too, from here. But, I had those in place for more than a year and prior renewals succeeded, so I don't know what changed. I created a thread in the traffic shaping forum, let's see if that brings new knowledge to light.

Gertjan · Feb 2, 2022, 4:10 PM

@bartkowski

Certificate renewal, or 'whatever acme.sh" does, looks like rocket science, but it's actually the same traffic as, fore example, collecting a mail or looking at a web server page.

Limiters a WAN interface (floating, or not) should not have any influence on the traffic except for delaying some packets. Not dropping them. As this would have a huge impact on all traffic.
A limiter doesn't know a packet came from a process (script) calling 'acme.sh'.

The limiter rules "on that thread" are used by a lot of people.
My acme.sh package renews certs for years now, every 30 days.

I'm pretty sure that the /tmp/acme/logfile .... will show you what the real issue was. That's why these log files exists : to show you what goes well (and we don't care) and what goes wrong.

bartkowski · Feb 2, 2022, 4:30 PM

@gertjan Here is my thread on Let's Encrypt forum. Someone mentioned the curl POST was failing.
I have the full log posted there.