win-acme: custom renewal length is forbidden
Since I have not seen this issue reported here, I’m probably the first person trying to use win-acme with Digicert ACME API.
Digicert ACME API works by providing per-user, per-certificate-type URI that looks like this: https://acme.digicert.com/v2/acme/directory/nOTaReaLUrI-ItsjUst-anExample
Trying to use it with win-acme results in:
D:\Work\win-acme>wacs.exe --verbose --baseuri "https://acme.digicert.com/v2/acme/directory/nOTaReaLUrI-ItsjUst-anExample"
[VERB] Verbose mode logging enabled
[VERB] Looking for settings.json in D:\Work\win-acme
[DBUG] Config folder: C:\ProgramData\win-acme\acme.digicert.comv2acmedirectorynOTaReaLUrI-ItsjUst-anExample
[DBUG] Log path: C:\ProgramData\win-acme\acme.digicert.comv2acmedirectorynOTaReaLUrI-ItsjUst-anExample\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme.digicert.comv2acmedirectorynOTaReaLUrI-ItsjUst-anExample\Certificates
[VERB] Arguments: --verbose --baseuri https://acme.digicert.com/v2/acme/directory/nOTaReaLUrI-ItsjUst-anExample
[DBUG] Renewal period: 55 days
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.4.710 (RELEASE, PLUGGABLE)
[INFO] ACME server http://acme.digicert.com/v2/acme/directory/nOTaReaLUrI-ItsjUst-anExample
[EROR] Error connecting to ACME server
System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at System.Net.Http.HttpClient.GetStringAsyncCore(Task`1 getTask)
at PKISharp.WACS.Clients.Acme.AcmeClient.CheckNetwork()
[INFO] IIS version 8.5
[INFO] Running with administrator credentials
[WARN] Scheduled task not configured yet
[INFO] Please report issues at https://github.com/PKISharp/win-acme
[VERB] Test for international support: 語言 Ñзык لغة
N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit
Please choose from the menu: <Enter>
^C
A Wireshark capture reveals that win-acme tries to open a connection to “http://acme.digicert.com/v2/acme/directory/directory” and gets 403 Forbidden, since Digicert doesn’t allow peeking into this directory.
Frame 4663: 124 bytes on wire (992 bits), 124 bytes captured (992 bits) on interface <cut>
Internet Protocol Version 4, Src: <cut>, Dst: 64.78.193.234
Transmission Control Protocol, Src Port: 63247, Dst Port: 80, Seq: 1, Ack: 1, Len: 70
Hypertext Transfer Protocol
GET /v2/acme/directory/directory HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /v2/acme/directory/directory HTTP/1.1\r\n]
Request Method: GET
Request URI: /v2/acme/directory/directory
Request Version: HTTP/1.1
Host: acme.digicert.com\r\n
\r\n
[Full request URI: http://acme.digicert.com/v2/acme/directory/directory]
[HTTP request 1/1]
[Response in frame: 4692]
Frame 4692: 249 bytes on wire (1992 bits), 249 bytes captured (1992 bits) on interface <cut>
Internet Protocol Version 4, Src: 64.78.193.234, Dst: <cut>
Transmission Control Protocol, Src Port: 80, Dst Port: 63247, Seq: 1, Ack: 71, Len: 195
Hypertext Transfer Protocol
HTTP/1.1 403 Forbidden\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 403 Forbidden\r\n]
Response Version: HTTP/1.1
Status Code: 403
[Status Code Description: Forbidden]
Response Phrase: Forbidden
Server: nginx\r\n
Date: Wed, 04 Mar 2020 12:14:37 GMT\r\n
Content-Type: application/octet-stream\r\n
Content-Length: 33\r\n
Connection: keep-alive\r\n
\r\n
[HTTP response 1/1]
[Time since request: 0.263090000 seconds]
[Request in frame: 4663]
[Request URI: http://acme.digicert.com/v2/acme/directory/directory]
File Data: 33 bytes
Data (33 bytes)
I tried proceeding regardless, but only got the error message:
(AcmeProtocolException): unknown account ID: "directory"
win-acme version: v2.1.4.710 (x64, ReleasePluggable)
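The doubled `/directory` path in the capture above is exactly what RFC 3986 relative-reference resolution produces when the relative reference `directory` is resolved against a base URI whose last path segment is the per-account token: the last segment is replaced, the token is dropped, and the server then reads the literal word `directory` as an account ID (which matches the "unknown account ID" error quoted in the report). The example below is added here to illustrate that and is not win-acme's code; it is written in Python rather than the project's C# because the behaviour is generic URL resolution, and the `acme.example.net` base and the `directory_url`/`naive_directory_url`/`last_path_segment` helpers are constructed for this illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: a DigiCert-style per-account directory URL. The token
# is the placeholder from the report, not a real account identifier.
DIGICERT_STYLE_BASE = (
    "https://acme.digicert.com/v2/acme/directory/nOTaReaLUrI-ItsjUst-anExample"
)

# Constructed sample: a "classic" ACME base where the directory lives at
# <base>/directory and the base ends with a slash.
CLASSIC_STYLE_BASE = "https://acme.example.net/"


def naive_directory_url(base_uri: str) -> str:
    """Resolve the relative reference 'directory' against base_uri.

    RFC 3986 section 5.2 merges a relative path by removing everything after
    the base's last '/', so a base whose final segment is an account token
    loses that token. This reproduces the doubled '/directory' path seen in
    the Wireshark capture; it is the pitfall, not the fix.
    """
    return urljoin(base_uri, "directory")


def directory_url(base_uri: str) -> str:
    """Treat the configured URI as the complete ACME directory URL.

    RFC 8555 section 7.1.1 defines the directory as a single URL the client
    fetches as given, so nothing is appended. The checks enforce that the
    URL is absolute and uses https: the report's log shows the configured
    https URL being contacted over plain http (port 80), and a directory
    fetched over http can be tampered with in transit.
    """
    parts = urlsplit(base_uri)
    if parts.scheme != "https":
        raise ValueError(f"ACME directory URL must use https, got {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("ACME directory URL must be absolute")
    return base_uri


def last_path_segment(url: str) -> str:
    """Return the final path segment, i.e. what a server keyed on the last
    segment would interpret as the account identifier."""
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


if __name__ == "__main__":
    doubled = naive_directory_url(DIGICERT_STYLE_BASE)
    print("naive join on per-account base :", doubled)
    print("segment the server sees as ID  :", last_path_segment(doubled))
    print("naive join on classic base     :", naive_directory_url(CLASSIC_STYLE_BASE))
    print("use-as-is on per-account base  :", directory_url(DIGICERT_STYLE_BASE))
```

The two base styles show why a join that works for a classic `https://host/` base silently breaks for a per-account directory URL: with the classic base the resolved URL is `https://acme.example.net/directory`, while with the per-account base the token is replaced and the resulting last segment is `directory`. Using the configured URL unchanged, as `directory_url` does, avoids the problem for both styles.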
About this issue
- State: closed
- Created 4 years ago
- Comments: 21 (10 by maintainers)
Sure, will do!
Fri, 3 Apr 2020, 02:54, user Christopher Cook notifications@github.com wrote: