Author |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 0:54 Post subject: Mod_md and new agreement -> SOLVED |
|
|
Mod_md work well since september, but, i get this message :
Code: | the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate. |
I put this :
Code: | # Container for directives applied to the same managed domains
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf |
But i still get the error message.
Can you explain me what's wrong ?
EDIT : more information :
Code: | [Thu Nov 16 00:17:32.320964 2017] [md:debug] [pid 6172:tid 3640] md_acme_acct.c(417): needs to agree to terms-of-service 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', has already agreed to 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Thu Nov 16 00:17:32.320964 2017] [md:debug] [pid 6172:tid 3640] md_acme.c(425): req sent
[Thu Nov 16 00:17:32.321931 2017] [md:info] [pid 6172:tid 3640] bagu.fr: check Terms-of-Service agreement
[Thu Nov 16 00:17:32.321931 2017] [md:error] [pid 6172:tid 3640] (70008)Partial results are valid but processing is incomplete: bagu.fr: the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate.
[Thu Nov 16 00:17:32.322931 2017] [md:debug] [pid 6172:tid 3640] md_acme_drive.c(888): (70008)Partial results are valid but processing is incomplete: bagu.fr: ACME, check agreement
[Thu Nov 16 00:17:32.322931 2017] [md:debug] [pid 6172:tid 3640] md_reg.c(893): (70008)Partial results are valid but processing is incomplete: bagu.fr: staging done |
Last edited by bagu on Thu 16 Nov '17 19:55; edited 1 time in total |
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
Posted: Thu 16 Nov '17 11:54 Post subject: |
|
|
This sounds like https://github.com/icing/mod_md/issues/62 where someone started mod_md without configuring the agreement, then added it but the managed domain is stuck.
The latest version is supposed to fix this. But you can also just remove the directory in the md store Code: | md/staging/<your-domain> | and reload Apache. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 16 Nov '17 12:40 Post subject: |
|
|
Same here.
having
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Removing md/staging does not help.
Also
same with latest 1.0.2-git
Relevant log:
[md:error] [pid 10032:tid 1964] (70008)Partial results are valid but processing is incomplete: vosadministraties.nl: the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate.
md_acme_acct.c(417): needs to agree to terms-of-service 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', has already agreed to 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[md:error] [pid 10032:tid 1964] (70008)Partial results are valid but processing is incomplete: AH10056: processing vosadministraties.nl |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 16 Nov '17 13:44 Post subject: |
|
|
Extra info after deleted staging and new MDCertificateAgreement
In staging/<domain>I see only one file md.json :
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
And in domains/<domain> I see three files two "old"certificates and updated md.json :
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" |
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
Posted: Thu 16 Nov '17 14:19 Post subject: |
|
|
I see. Thanks for the detailed information.
When domains contains the new info, staging *should* reset, but apparently does not. That is a bug.
I need to setup some good test cases around this to get a real fix.
Workaround before next release:
- Configure the new MDCertificateAgreement as https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf, remove the domains staging directory, reload the server.
This should then create a new staging with the new agreement url in md.json and the process should continue. |
|
Back to top |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 14:21 Post subject: |
|
|
Steffen wrote: | Extra info after deleted staging and new MDCertificateAgreement
In staging/<domain>I see only one file md.json :
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
And in domains/<domain> I see three files two "old"certificates and updated md.json :
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" |
Same here
icing wrote: | I see. Thanks for the detailed information.
When domains contains the new info, staging *should* reset, but apparently does not. That is a bug.
I need to setup some good test cases around this to get a real fix.
Workaround before next release:
- Configure the new MDCertificateAgreement as https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf, remove the domains staging directory, reload the server.
This should then create a new staging with the new agreement url in md.json and the process should continue. |
Don't work...Result shown before this quote.
In the new md/staging, i get :
Code: | "ca": {
"account": "ACME-.letsencrypt.org-0000",
"proto": "ACME",
"url": "https://acme-v01.api.letsencrypt.org/directory",
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
"challenges": [
"http-01"
]
}, |
|
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
Posted: Thu 16 Nov '17 14:33 Post subject: |
|
|
Hmm, where is that URL coming from, I wonder?
Can you, for testing purposes, stop the server, remove everything under staging and then start gain? Thanks. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 16 Nov '17 14:39 Post subject: |
|
|
Done already above.
Maybe URL from letsencrypt.org, they know what is already agree.
@bagu Your mailserver is not reasponding bagu@bagu.biz (399 TCP Read failed (Connection was closed. after 0 seconds) 0 sec)
Last edited by Steffen on Thu 16 Nov '17 14:41; edited 1 time in total |
|
Back to top |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 14:41 Post subject: |
|
|
I think the key of the problem is there :
Code: | [md:debug] [pid 6728:tid 3640] md_acme_acct.c(417): needs to agree to terms-of-service 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', has already agreed to 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
|
Maybe the old certificate with old agreement need to be revoke ?
@Steffen : My mail server only accept connection from France, USA, and a few other countries...
EDIT : @Steffen : I just add NL to whitelist, you can try again |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 16 Nov '17 14:46 Post subject: |
|
|
On mod_md git:
People experiencing this problem, please perform the following steps until I can make a new release:
Configure the new MDCertificateAgreement url in your Apache config
remove all directories in the md store underneath staging
reload your server
This does not solve the issue ! |
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
Posted: Thu 16 Nov '17 14:51 Post subject: |
|
|
Steffen, yes, everything is work in progress.
Has anyone of you found the time to test if stop+remove+start solves the issue? |
|
Back to top |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 14:53 Post subject: |
|
|
icing wrote: | Steffen, yes, everything is work in progress.
Has anyone of you found the time to test if stop+remove+start solves the issue? |
As already say, i try :
-Make change in apache mod_md config to reflect new agreement
-Remove md/staging/*
-Restart server
Problem is still here. |
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
Posted: Thu 16 Nov '17 14:55 Post subject: |
|
|
Sorry, but I asked you to *stop*, then remove, then start.
(Sorry, for being a pain. |
|
Back to top |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 14:57 Post subject: |
|
|
icing wrote: | Sorry, but I asked you to *stop*, then remove, then start.
(Sorry, for being a pain. |
Sorry, miskate in my post.
change -> stop -> remove -> start
Problem still here
EDIT : you can count on me to test untill 15h (france) |
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
Posted: Thu 16 Nov '17 14:58 Post subject: |
|
|
Thanks.
This is weird. I need to write a reproducable test case for this. Might take a while. |
|
Back to top |
|
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
|
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Thu 16 Nov '17 19:08 Post subject: |
|
|
Good medicine, no errors anymore.
Works ! |
|
Back to top |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 19:18 Post subject: |
|
|
The download link here :
Lead to the 1.0.1-git version |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Thu 16 Nov '17 19:22 Post subject: |
|
|
Checked: it is 1.0.3-git, maybe clear your browser cache. |
|
Back to top |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Thu 16 Nov '17 19:54 Post subject: |
|
|
Work fine...Need to use an other web crawler...Firefox is stuck to the old version ^^ (even if i remove the cache Oo ) |
|
Back to top |
|