logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Mod_md and new agreement -> SOLVED

 
Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules



View previous topic :: View next topic  
Author Message
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 0:54    Post subject: Mod_md and new agreement -> SOLVED Reply with quote

Mod_md work well since september, but, i get this message :

Code:
the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate.


I put this :
Code:
# Container for directives applied to the same managed domains
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf


But i still get the error message.

Can you explain me what's wrong ?

EDIT : more information :

Code:
[Thu Nov 16 00:17:32.320964 2017] [md:debug] [pid 6172:tid 3640] md_acme_acct.c(417): needs to agree to terms-of-service 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', has already agreed to 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Thu Nov 16 00:17:32.320964 2017] [md:debug] [pid 6172:tid 3640] md_acme.c(425): req sent
[Thu Nov 16 00:17:32.321931 2017] [md:info] [pid 6172:tid 3640] bagu.fr: check Terms-of-Service agreement
[Thu Nov 16 00:17:32.321931 2017] [md:error] [pid 6172:tid 3640] (70008)Partial results are valid but processing is incomplete: bagu.fr: the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate.
[Thu Nov 16 00:17:32.322931 2017] [md:debug] [pid 6172:tid 3640] md_acme_drive.c(888): (70008)Partial results are valid but processing is incomplete: bagu.fr: ACME, check agreement
[Thu Nov 16 00:17:32.322931 2017] [md:debug] [pid 6172:tid 3640] md_reg.c(893): (70008)Partial results are valid but processing is incomplete: bagu.fr: staging done


Last edited by bagu on Thu 16 Nov '17 19:55; edited 1 time in total
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 11:54    Post subject: Reply with quote

This sounds like https://github.com/icing/mod_md/issues/62 where someone started mod_md without configuring the agreement, then added it but the managed domain is stuck.

The latest version is supposed to fix this. But you can also just remove the directory in the md store
Code:
md/staging/<your-domain>
and reload Apache.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Thu 16 Nov '17 12:40    Post subject: Reply with quote

Same here.

having
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Removing md/staging does not help.

Also

same with latest 1.0.2-git

Relevant log:

[md:error] [pid 10032:tid 1964] (70008)Partial results are valid but processing is incomplete: vosadministraties.nl: the CA requires you to accept the terms-of-service as specified in <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. Please read the document that you find at that URL and, if you agree to the conditions, configure "MDCertificateAgreement url" with exactly that URL in your Apache. Then (graceful) restart the server to activate.

md_acme_acct.c(417): needs to agree to terms-of-service 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', has already agreed to 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'

[md:error] [pid 10032:tid 1964] (70008)Partial results are valid but processing is incomplete: AH10056: processing vosadministraties.nl
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Thu 16 Nov '17 13:44    Post subject: Reply with quote

Extra info after deleted staging and new MDCertificateAgreement

In staging/<domain>I see only one file md.json :

"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

And in domains/<domain> I see three files two "old"certificates and updated md.json :

"agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 14:19    Post subject: Reply with quote

I see. Thanks for the detailed information.

When domains contains the new info, staging *should* reset, but apparently does not. That is a bug.

I need to setup some good test cases around this to get a real fix.

Workaround before next release:
- Configure the new MDCertificateAgreement as https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf, remove the domains staging directory, reload the server.

This should then create a new staging with the new agreement url in md.json and the process should continue.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 14:21    Post subject: Reply with quote

Steffen wrote:
Extra info after deleted staging and new MDCertificateAgreement

In staging/<domain>I see only one file md.json :

"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

And in domains/<domain> I see three files two "old"certificates and updated md.json :

"agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"


Same here Wink

icing wrote:
I see. Thanks for the detailed information.

When domains contains the new info, staging *should* reset, but apparently does not. That is a bug.

I need to setup some good test cases around this to get a real fix.

Workaround before next release:
- Configure the new MDCertificateAgreement as https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf, remove the domains staging directory, reload the server.

This should then create a new staging with the new agreement url in md.json and the process should continue.


Don't work...Result shown before this quote.

In the new md/staging, i get :

Code:
  "ca": {
    "account": "ACME-.letsencrypt.org-0000",
    "proto": "ACME",
    "url": "https://acme-v01.api.letsencrypt.org/directory",
    "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
    "challenges": [
      "http-01"
    ]
  },
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 14:33    Post subject: Reply with quote

Hmm, where is that URL coming from, I wonder?

Can you, for testing purposes, stop the server, remove everything under staging and then start gain? Thanks.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Thu 16 Nov '17 14:39    Post subject: Reply with quote

Done already above.

Maybe URL from letsencrypt.org, they know what is already agree.

@bagu Your mailserver is not reasponding bagu@bagu.biz (399 TCP Read failed (Connection was closed. after 0 seconds) 0 sec)


Last edited by Steffen on Thu 16 Nov '17 14:41; edited 1 time in total
Back to top
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 14:41    Post subject: Reply with quote

I think the key of the problem is there :

Code:
[md:debug] [pid 6728:tid 3640] md_acme_acct.c(417): needs to agree to terms-of-service 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', has already agreed to 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'


Maybe the old certificate with old agreement need to be revoke ?

@Steffen : My mail server only accept connection from France, USA, and a few other countries...

EDIT : @Steffen : I just add NL to whitelist, you can try again
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Thu 16 Nov '17 14:46    Post subject: Reply with quote

On mod_md git:

People experiencing this problem, please perform the following steps until I can make a new release:
Configure the new MDCertificateAgreement url in your Apache config
remove all directories in the md store underneath staging
reload your server

This does not solve the issue !
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 14:51    Post subject: Reply with quote

Steffen, yes, everything is work in progress.

Has anyone of you found the time to test if stop+remove+start solves the issue?
Back to top
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 14:53    Post subject: Reply with quote

icing wrote:
Steffen, yes, everything is work in progress.

Has anyone of you found the time to test if stop+remove+start solves the issue?


As already say, i try :
-Make change in apache mod_md config to reflect new agreement
-Remove md/staging/*
-Restart server

Problem is still here.
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 14:55    Post subject: Reply with quote

Sorry, but I asked you to *stop*, then remove, then start.

(Sorry, for being a pain.Smile
Back to top
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 14:57    Post subject: Reply with quote

icing wrote:
Sorry, but I asked you to *stop*, then remove, then start.

(Sorry, for being a pain.Smile


Sorry, miskate in my post.

change -> stop -> remove -> start

Problem still here

EDIT : you can count on me to test untill 15h (france) Wink
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 14:58    Post subject: Reply with quote

Thanks.

This is weird. I need to write a reproducable test case for this. Might take a while.
Back to top
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

PostPosted: Thu 16 Nov '17 18:32    Post subject: Reply with quote

Ok, reproduced the problem and applied some medicine. Please try out v1.0.3 at https://github.com/icing/mod_md/releases/tag/v1.0.3.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Thu 16 Nov '17 19:08    Post subject: Reply with quote

Good medicine, no errors anymore.

Works !
Back to top
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 19:18    Post subject: Reply with quote

The download link here :

Lead to the 1.0.1-git version Wink
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 549

PostPosted: Thu 16 Nov '17 19:22    Post subject: Reply with quote

Checked: it is 1.0.3-git, maybe clear your browser cache.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 129
Location: France

PostPosted: Thu 16 Nov '17 19:54    Post subject: Reply with quote

Work fine...Need to use an other web crawler...Firefox is stuck to the old version ^^ (even if i remove the cache Oo )
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules
Page 1 of 1