NetTalk Central

Topic: NT10 Let's Encrypt question

Poul Jensen

  • Full Member
NT10 Let's Encrypt question
« on: August 22, 2017, 11:30:12 AM »
Hi,

Wizarded an app just to check the new Let's Encrypt possibilities.

When hitting the Certificates button to generate the certificate everything seems to work - from watching the log windows - apart from not getting any from/to dates.
Then the process starts automatically another 6 times until I get a communication error: Server Responce When requesting Certificate  429

domain.crt file has been generated.

Log for one iteration:

 Dates: xyzsoft.dk From:            To:                                         
 Certificate received For xyzsoft.dk                                             
 Fetching Certificate For xyzsoft.dk                                             
 Requesting Certificate For xyzsoft.dk                                           
 Status: "valid"                                                                 
 Checking Status                                                                 
 Status: "pending"                                                               
 Checking Status                                                                 
 Notify Server Challenge is Ready                                               
 Challenge Token Saved C:\PStellar7\MariSoft\WebSSL\web\.well-known\acme-challenge\gnmHr....
 Authorize Request xyzsoft.dk                                                   
 Registering Account MariSoft                                                   
 C:\PStellar7\MariSoft\WebSSL\certificates\xyzsoft.dk.crt does not exist         
 Created C:\PStellar7\MariSoft\WebSSL\certificates\xyzsoft.dk.csr               
 Created C:\PStellar7\MariSoft\WebSSL\certificates\xyzsoft.dk.key               


What could be in play here?

Cheers
/Poul

Bruce

  • Global Moderator
Re: NT10 Let's Encrypt question
« Reply #1 on: August 22, 2017, 11:35:12 PM »
Hi Poul,

tip: I'm hesitant to pass on this tip, because it's going to cause some pain sooner or later, BUT....
LE has a "production" server and a "practice" server (called staging). If you are just fooling around you might want to use the staging server.

s_web.acme.staging = true

Note that certificates you get from the staging server are NOT TRUSTED. So when you access a site with them you WILL get a browser error. You MUST set it back to production for, well, production.

now to your specific question;

>> Then the process starts automatically another 6 times until I get a communication error: Server Response When requesting Certificate  429

The LE Production server is "rate limited" precisely to avoid problems like this. I think it's per week, so you'll need to wait a week before trying again. (or switch to staging if you want to play some more.)

>> apart from not getting any from/to dates.

That would be the key problem. If NetTalk can't extract dates from the certificate then that would cause the issue you saw. As to _why_ it can't get the dates, that's a separate question. Email me directly and we can do a Team Viewer session or something to see what can be seen. Perhaps it has something to do with the date format etc.

Cheers
Bruce




Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #2 on: August 23, 2017, 12:21:13 AM »
Thanks Bruce,

s_web.acme.staging = true did it.  I am now getting a certificate and this is logged:

[ 8/23/17-10:09:02]  Dates: xyzsoft.dk From:23 AUG 2017 To:21 NOV 2017
[ 8/23/17-10:09:02]  Certificate received For xyzsoft.dk


The certificate has two sections with the same information. First block with 76 characters per line the next with everything in one line.
Is this correct?

-----BEGIN CERTIFICATE-----
MIIF4DCCBMigAwIBAgITAPo/csGz3TaozMMs2UU8tXFHrDANBgkqhkiG9w0BAQsFADAiMSAwHgYD
VQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNzA4MjMwNzA5MDBaFw0xNzExMjEwNzA5
...
...
n6ohLADJt/CurWMAuVIE1Zmg+5CB+XV50h8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----<13.10>MIIEkjCC............/DNFu0Qg==<13.10>-----END CERTIFICATE-----<13.10>

Cheers
/Poul

Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #3 on: August 28, 2017, 10:43:53 AM »
Hi Bruce,

Since it seems to work using staging can I assume that it will work in production after 8 days ?

Cheers
/Poul

Bruce

Re: NT10 Let's Encrypt question
« Reply #4 on: August 28, 2017, 11:23:15 PM »
I think so yes.

cheers
Bruce

Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #5 on: August 29, 2017, 12:17:16 AM »
Thanks - will test it.

Cheers
/Poul

Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #6 on: September 08, 2017, 06:26:58 AM »
Sorry - someone hit the Enter button.....


Hi again,

Plenty of days have passed but it seems that LE will not even try to issue new certificates.
If I click on the CERTIFICATES button this is shown in the log
[ 9/08/17-16:22:38]  Dates: xyzsoft.dk From:23 AUG 2017 To:21 NOV 2017

So it seems that the last request date is stored somewhere.
Have tried to reset this in the serversettings.xml but no luck:
set.lastcertificatecheckdate

How should I proceed?

Cheers
/Poul

Bruce

Re: NT10 Let's Encrypt question
« Reply #7 on: September 10, 2017, 10:29:22 PM »
>>  it seems that LE will not even try to issue new certificates.

Actually, the reverse - NetTalk is not asking for them. NetTalk checks the dates, and only asks for new ones if it is in the "renew" window.

If you want to force an update, delete the certs from the certificates folder.

cheers
Bruce

Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #8 on: September 11, 2017, 11:49:21 AM »
Deleted all certificates files and the process did start when starting the server.
But same problem.
All seems to go well as per the log below but then the process starts over and over and finally fails with the original error 429.
As you can see the From / To dates entries are empty, so there may be a clue ?
Attached image shows the created files that all look OK to me.

[ 9/11/17-21:35:13]  Registering Account MariSoft at  https://acme-v01.api.letsencrypt.org/acme/new-reg
[ 9/11/17-21:35:13]  Dates: xyzsoft.dk.dk From:            To:
[ 9/11/17-21:35:13]  Certificate received For xyzsoft.dk.dk
[ 9/11/17-21:35:13]  Fetching Certificate For xyzsoft.dk.dk
[ 9/11/17-21:35:12]  Requesting Certificate For xyzsoft.dk.dk
[ 9/11/17-21:35:12]  Status: "valid"
[ 9/11/17-21:35:12]  Checking Status
[ 9/11/17-21:35:07]  Status: "pending"
[ 9/11/17-21:35:06]  Checking Status
[ 9/11/17-21:35:06]  Notify Server Challenge is Ready
[ 9/11/17-21:35:06]  Challenge Token Saved C:\PStellar7\MariSoft\WebSSL\web\.well-known\acme-challenge\CeAjRgXe89kps7hLIfzj7Qjc-XL7ljGHfo8eL1bTE9I
[ 9/11/17-21:35:05]  Authorize Request xyzsoft.dk.dk
[ 9/11/17-21:35:05]  Registering Account MariSoft at  https://acme-v01.api.letsencrypt.org/acme/new-reg
[ 9/11/17-21:35:04]  C:\PStellar7\MariSoft\WebSSL\certificates\xyzsoft.dk.dk.crt does not exist
[ 9/11/17-21:35:04]  Created C:\PStellar7\MariSoft\WebSSL\certificates\xyzsoft.dk.dk.csr
[ 9/11/17-21:35:04]  Created C:\PStellar7\MariSoft\WebSSL\certificates\xyzsoft.dk.dk.key
[ 9/11/17-21:34:59]  Created C:\PStellar7\MariSoft\WebSSL\certificates\MariSoft-LE.key
[ 9/11/17-21:34:55]  Failed to Create C:\PStellar7\MariSoft\WebSSL\certificates\MariSoft-CA.crt
[ 9/11/17-21:34:55]  Created C:\PStellar7\MariSoft\WebSSL\certificates\MariSoft-CA.key


Cheers
/Poul

Bruce

Re: NT10 Let's Encrypt question
« Reply #9 on: September 11, 2017, 10:09:10 PM »
Hi Poul,
your domain looks funny.
xyzsoft.dk.dk
is that the actual domain? with 2 trailing .dk statements?

>> As you can see the From / To dates entries are empty, so there may be a clue ?

yes, I think that's a clue.

Next time stop it after one iteration, and then email me so I can TeamViewer into the machine to take a look.

cheers
Bruce
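
The symptom discussed in this thread (a certificate is received but the "Dates:" line carries no From/To values, so the request repeats until the server answers 429), as an added example that is not NetTalk code and not part of any post. It scans a log in the format shown above and applies a renewal decision that refuses to re-request when dates are unreadable; the sample log, the domain names, the `decide` policy and the 30-day renew window are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample in the log format shown in this thread (newest line first).
SAMPLE_LOG = """\
[ 9/30/17-20:24:36]  Dates: other.test From:30 SEP 2017 To:29 DEC 2017
[ 9/30/17-20:24:36]  Requesting Certificate For other.test
[ 9/11/17-21:35:13]  Dates: example.test From:            To:
[ 9/11/17-21:35:13]  Certificate received For example.test
[ 9/11/17-21:35:12]  Requesting Certificate For example.test
[ 9/11/17-21:35:09]  Dates: example.test From:            To:
[ 9/11/17-21:35:08]  Requesting Certificate For example.test
"""

MONTHS = {m: i for i, m in enumerate("JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}
DATES_RE = re.compile(r"Dates:\s+(\S+)\s+From:\s*(.*?)\s*To:\s*(.*?)\s*$")
REQUEST_RE = re.compile(r"Requesting Certificate For\s+(\S+)")

def parse_date(text):
    """Parse 'DD MON YYYY' as logged; return None when empty or malformed."""
    try:
        day, mon, year = text.split()
        return date(int(year), MONTHS[mon.upper()], int(day))
    except (ValueError, KeyError):
        return None

def analyze(log_text):
    """Per domain: issuance requests, Dates lines without dates, newest valid expiry."""
    report = defaultdict(lambda: {"requests": 0, "empty_dates": 0, "not_after": None})
    for line in log_text.splitlines():
        if m := REQUEST_RE.search(line):
            report[m.group(1)]["requests"] += 1
        elif m := DATES_RE.search(line):
            start, end = parse_date(m.group(2)), parse_date(m.group(3))
            if start is None or end is None:
                report[m.group(1)]["empty_dates"] += 1
            elif report[m.group(1)]["not_after"] is None:  # log is newest-first
                report[m.group(1)]["not_after"] = end
    return dict(report)

def decide(entry, today, renew_days=30):
    """Assumed policy: unreadable dates halt issuance instead of triggering a retry."""
    if entry["empty_dates"]:
        return "stop: certificate issued but dates unreadable, do not retry"
    if entry["not_after"] is None:
        return "request"
    return "renew" if today >= entry["not_after"] - timedelta(days=renew_days) else "wait"
```

Each "Requesting Certificate" line counts against the production rate limit, so the `requests` figure per domain is the number to watch before pressing the button again.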

Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #10 on: September 11, 2017, 10:32:46 PM »
Hi Bruce,

No the real domain is stellarsoft.dk - I edited the log  (not very successfully).

I upgraded to NT10.06 and now even the staging (new test checkbox) won't complete.

So should I wait another 8 days before testing and having you on-line ?

/Poul


Poul Jensen

Re: NT10 Let's Encrypt question
« Reply #11 on: September 30, 2017, 10:39:15 AM »
Hi again,

Just a quick follow up after upgrading to 10.07.

Redid the app (wizard)  to get the new settings control template to populate properly but still no luck.

When I start the NT server it tries a number of times to get the certificates but finally ends with error 429.

If I tick the "Testing" flag and hit "Certificates" everything runs what I believe is normal and ends with below log, so I am confused why this testing works and it does not work when not testing.

Realise you all are heading off to CIDC, but would appreciate to get some progress on this when you are back.

Cheers
/Poul

[ 9/30/17-20:24:36]  Dates: mobilservice.dynu.com From:30 SEP 2017 To:29 DEC 2017
[ 9/30/17-20:24:36]  Dates: stellarsoft.dk From:30 SEP 2017 To:29 DEC 2017
[ 9/30/17-20:24:36]  Certificate received For mobilservice.dynu.com
[ 9/30/17-20:24:36]  Fetching Certificate For mobilservice.dynu.com
[ 9/30/17-20:24:36]  Requesting Certificate For mobilservice.dynu.com
[ 9/30/17-20:24:36]  Status: "valid"
[ 9/30/17-20:24:36]  Checking Status
[ 9/30/17-20:24:31]  Status: "pending"
[ 9/30/17-20:24:30]  Checking Status
[ 9/30/17-20:24:30]  Notify Server Challenge is Ready
[ 9/30/17-20:24:30]  Challenge Token Saved C:\PStellar7\MariSoft\WebSSL\web\.well-known\acme-challenge\TcO8kX2MsPIKbVJ0HtMT36Kg_VI4atOFmjzlRYdDxcw
[ 9/30/17-20:24:30]  Authorize Request mobilservice.dynu.com
[ 9/30/17-20:24:30]  Registering Account MariSoft at  https://acme-staging.api.letsencrypt.org/acme/new-reg
[ 9/30/17-20:24:29]  C:\PStellar7\MariSoft\WebSSL\certificates\mobilservice.dynu.com.crt does not exist
[ 9/30/17-20:24:29]  Dates: stellarsoft.dk From:30 SEP 2017 To:29 DEC 2017
[ 9/30/17-20:24:29]  Certificate received For stellarsoft.dk
[ 9/30/17-20:24:29]  Fetching Certificate For stellarsoft.dk
[ 9/30/17-20:24:29]  Requesting Certificate For stellarsoft.dk