simp_le's Introduction

simp_le

Simple Let’s Encrypt client.

simp_le --email [email protected] -f account_key.json \
  -f account_reg.json \
  -f fullchain.pem -f key.pem \
  -d example.com -d www.example.com --default_root /var/www/html \
  -d example.net:/var/www/other_html

For more info see simp_le --help.

NOTE: this repository is mostly unmaintained; I will review and merge PRs, but I (@zenhack) am no longer using this tool myself and am thus not motivated to otherwise actively develop it.

Project History

  • @kuba wrote the original https://github.com/kuba/simp_le, at a time when ACME & Let's Encrypt were very new; certbot still didn't support nginx, and there was an unfilled niche for a trivial command line ACME client.
  • At some point @kuba stopped maintaining simp_le. A few months later bitrot set in, and PRs fixing the problems went unmerged.
  • When the breakage began to affect https://zenhack.net, I (@zenhack) forked the project, merged the PRs, fixed CI and began maintaining the tool. This continued for several years.
  • I (@zenhack) switched over to using NixOS's acme configuration options, and transitioned the project to its current semi-unmaintained status.

Manifest

  1. UNIX philosophy: Do one thing and do it well!
  2. simp_le --valid_min ${seconds?} -f cert.pem implies that cert.pem is valid for at least valid_min (defaults to 2592000 seconds / 30 days). Register new ACME CA account if necessary. Issue new certificate if no previous key/certificate/chain found. Renew only if necessary.
  3. (Sophisticated) “manager” for ${webroot?}/.well-known/acme-challenge only. No challenges other than http-01. Existing web-server must be running already.
  4. No magical webserver auto-configuration.
  5. Owner of ${webroot?}/.well-known/acme-challenge must be able to run the script, without privilege escalation (sudo, root, etc.).
  6. crontab friendly: fully automatable - no prompts, etc.
  7. No configuration files. CLI flags as the sole interface! Users should write their own wrapper scripts or use shell aliases if necessary.
  8. Support multiple domains with multiple roots. Always create single SAN certificate per simp_le run.
  9. Flexible storage capabilities. Built-in simp_le -f fullchain.pem -f key.pem, simp_le -f chain.pem -f cert.pem -f key.pem, etc.
  10. Do not allow specifying output file paths. Users should symlink if necessary!
  11. No need to allow specifying an arbitrary command when renewal has happened, just check the exit code:
    • 0 if certificate data was created or updated;
    • 1 if renewal not necessary;
    • 2 in case of errors.
  12. --server (support multiple ACME v2 CAs).
  13. Support for revocation.
  14. Implicit agreement to the selected ACME CA's terms of service.
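
The exit-code contract in item 11, as an added example (not code from the simp_le repository): a cron wrapper that reloads the web server only when certificate data changed and treats every other non-zero status as a failure. `STATE_DIR`, `RELOAD_CMD`, `LAST_ACTION` and `renew_and_reload` are names assumed for illustration.

```shell
#!/bin/sh
# Added example: cron wrapper built on simp_le's documented exit codes
#   0 = certificate data created or updated
#   1 = renewal not necessary
#   2 = error
# STATE_DIR and RELOAD_CMD are assumptions; set them for your host.

STATE_DIR="${STATE_DIR:-.}"        # directory holding the -f files (assumed: simp_le
                                   # reads and writes them in the working directory)
RELOAD_CMD="${RELOAD_CMD:-true}"   # e.g. "nginx -s reload"; a no-op by default
LAST_ACTION=""

# renew_and_reload CMD [ARGS...]
# Runs CMD (normally simp_le with its flags) inside STATE_DIR, records the
# outcome in LAST_ACTION and returns 0 on success or no-op, 1 on any failure.
renew_and_reload() {
    rc=0
    # Subshell so that umask and cd do not leak into the caller.
    # umask 077 keeps newly written key.pem / account_key.json owner-only.
    # A failed cd exits 2 so it cannot be mistaken for "renewal not necessary".
    ( umask 077; cd "$STATE_DIR" || exit 2; "$@" ) || rc=$?

    case "$rc" in
        0)  # new certificate on disk: the server must pick it up
            if sh -c "$RELOAD_CMD"; then
                LAST_ACTION=reloaded
                return 0
            fi
            LAST_ACTION=reload-failed
            echo "certificate updated but reload command failed" >&2
            return 1 ;;
        1)  # nothing changed, so do not touch the running server
            LAST_ACTION=unchanged
            return 0 ;;
        2)  # simp_le reported an error (or STATE_DIR was unusable)
            LAST_ACTION=error
            echo "renewal failed (exit 2)" >&2
            return 1 ;;
        *)  # 126/127 (not executable / not found), signals, anything else
            LAST_ACTION=unexpected
            echo "unexpected exit code $rc from renewal command" >&2
            return 1 ;;
    esac
}

# Stand-alone use from crontab (script name is hypothetical):
#   renew.sh simp_le -f account_key.json -f account_reg.json \
#       -f fullchain.pem -f key.pem -d example.com:/var/www/html
if [ "$#" -gt 0 ]; then
    renew_and_reload "$@"
    exit $?
fi
```

Because the wrapper returns non-zero only on real failures, cron's mail-on-output behaviour reports errors without alerting on every run where renewal was not necessary.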

Installation

sudo ./bootstrap.sh
./venv.sh
export PATH=$PWD/venv/bin:$PATH

Usage with Docker

If you want to use simp_le with Docker, have a look at simp_le for Docker.

Help

Have a look at https://github.com/zenhack/simp_le/wiki/Examples for some examples.

If you’re having problems feel free to open an issue to ask questions.

Change Log

Below is a summary of changes introduced in each release. Any user-visible changes must be recorded here. Note that the topmost entry sometimes represents the next (i.e. not yet released) version.

Releases occur approximately every two months, unless there is a pressing need to do otherwise (e.g. security & serious bug fixes), or no changes have been made since the last release.

0.20.0

  • Update python-acme dependency to version 2.0

0.19.2

  • Fix a minor standards conformance issue, see #155

0.19.1

  • Add missing dependency on the six package.

0.19.0

  • Add --use_alt_chain flag.

0.18.1

  • Fix a minor protocol conformance issue.
  • Fix some bitrot in the venv.sh script (not applicable unless installing from the git repo).

0.18.0

  • Upgrade acme to 1.3 or later.
  • Fix a bug where simp_le failed to obtain a cert from BuyPass ACME.

0.17.0

  • Upgrade acme to 1.x

0.16.0

  • Fix an ACME v2 protocol non-conformity
  • Upgrade acme to 0.39.x

0.15.0

Please read these carefully, as this release includes a couple of changes that may require changes when upgrading:

  • Switch from ACME v1 to ACME v2 endpoints support. Support for ACME v1 endpoints has been dropped entirely. If you were previously passing the server endpoint via the --server flag, you will need to update it to point to a v2 endpoint (or simply remove it, to use Let's Encrypt's default v2 endpoint).
  • Persist account_reg.json in addition to account_key.json, and recover missing registration info if needed. You will now need to pass a -f account_reg.json option to simp_le.
  • Remove the -f external.sh feature.
  • Drop official support for Python 2 and 3.4.
  • Add official support for Python 3.7 (in theory it should have worked before, but we are now testing with it).
  • Upgrade acme to 0.35.x

0.14.0

  • Upgrade acme to 0.33.x

0.13.0

  • Upgrade acme to 0.31.x

0.12.0

  • Upgrade acme to 0.29.x

0.11.0

  • Upgrade acme to 0.27.x

0.10.0

  • Upgrade acme to 0.25.x

0.9.0

  • Upgrade acme to 0.24.x

0.8.1

  • Add a workaround for some installation problems caused by a bug in pip.

0.8.0

  • Drop official support for Python 2.6
  • Upgrade acme to 0.22.x

0.7.0

  • Remove the ToS hash comparison, implicitly agree to CA's ToS if present
  • Add check for empty or corrupt cert/key files
  • Add some sanity checks for email syntax
  • Upgrade acme to 0.20.x

0.6.2

  • Implement the future-proofing mentioned in the 0.6.1 release notes. Future TOS changes should not break simp_le >= 0.6.2

0.6.1

  • Update the hash for the letsencrypt TOS. The TOS changed on November 15th, which broke previous releases. Future releases will not hard-code the hash, which should avoid this sort of problem in the future.

0.6.0

  • Drop official support for Python 3.3.
  • Disable self-verification; this was highly unreliable and resulted in spurious warnings.
  • Improve argument sanity-checks and error messages.
  • Save account_key.json, even on failures
  • Clean temporary challenge files.
  • Upgrade acme to 0.19.x

0.5.1

  • Add a workaround for some installation problems caused by a bug in pip

0.5.0

  • Upgrade acme to 0.17.x

0.4.0

  • Upgrade acme to 0.16.x

0.3.0

  • Fix a bug where the version number was incorrectly reported
  • Upgrade acme to 0.15.x

0.2.0

  • Upgrade to acme 0.11.x

0.1.1

  • Change the package name; the original maintainer owns the simp_le PyPI package, and hasn't responded to requests to transfer it, so the package name is now 'simp_le-client'.

0.1.0

  • First release

simp_le's People

Contributors

3onyc, aaomidi, acabal, bit, bronson, buchdag, burakdev, faircopy, haydngreatnews, klemens, kuba, lekensteyn, mjrider, thedd, thomastweets, thousandsofthem, tometzky, yiabiten, zenhack

simp_le's Issues

Install fails on Ubuntu precise

I've just run into problems trying to get a working version of simp_le on an up-to-date Ubuntu precise (12.04) machine. The initial failure is the installation of setuptools into the venv directory:

cert@ip-10-0-0-6:~/simp_le$ ./venv.sh
The --no-site-packages flag is deprecated; it is now the default behavior.
New python executable in venv/bin/python
Installing distribute.............................................................................................................................................................................................done.
Installing pip...............done.
Downloading/unpacking distribute from https://pypi.python.org/packages/5f/ad/1fde06877a8d7d5c9b60eff7de2d452f639916ae1d48f0b8f97bf97e570a/distribute-0.7.3.zip#md5=c6c59594a7b180af57af8a0cc0cf5b4a
  Downloading distribute-0.7.3.zip (145Kb): 145Kb downloaded
  Running setup.py egg_info for package distribute

Downloading/unpacking setuptools>=0.7 (from distribute)
  Downloading setuptools-34.1.1.zip (621Kb): 621Kb downloaded
  Running setup.py egg_info for package setuptools
    Traceback (most recent call last):
      File "<string>", line 3, in <module>
      File "setuptools/__init__.py", line 10, in <module>
        from six.moves import filter, map
    ImportError: No module named six.moves
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):

  File "<string>", line 3, in <module>

  File "setuptools/__init__.py", line 10, in <module>

    from six.moves import filter, map

ImportError: No module named six.moves

----------------------------------------
Command python setup.py egg_info failed with error code 1 in /home/cert/simp_le/venv/build/setuptools
Storing complete log in /home/cert/.pip/pip.log
Downloading/unpacking pip from https://pypi.python.org/packages/11/b6/abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447/pip-9.0.1.tar.gz#md5=35f01da33009719497f01a4ba69d63c9
  Downloading pip-9.0.1.tar.gz (1.2Mb): 1.2Mb downloaded
[...]
cert@ip-10-0-0-6:~/simp_le$ simp_le
Traceback (most recent call last):
  File "/home/cert/simp_le/venv/bin/simp_le", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/home/cert/simp_le/venv/local/lib/python2.7/site-packages/distribute-0.6.24-py2.7.egg/pkg_resources.py", line 2707, in <module>
    working_set.require(__requires__)
  File "/home/cert/simp_le/venv/local/lib/python2.7/site-packages/distribute-0.6.24-py2.7.egg/pkg_resources.py", line 686, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/home/cert/simp_le/venv/local/lib/python2.7/site-packages/distribute-0.6.24-py2.7.egg/pkg_resources.py", line 584, in resolve
    raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: mock
cert@ip-10-0-0-6:~/simp_le$~/simp_le$

It seems both pip and distribute need to be upgraded from the versions that ship with virtualenv on Precise, before setuptools is installed. I made the following change to my copy:

diff --git a/venv.sh b/venv.sh
index 72394f3..f03a3d7 100755
--- a/venv.sh
+++ b/venv.sh
@@ -2,7 +2,7 @@

 virtualenv --no-site-packages venv
 export PATH="$PWD/venv/bin:$PATH"  # #49, activate script requires bash
-for pkg in setuptools pip wheel
+for pkg in pip distribute setuptools wheel
 do
   pip install -U "${pkg?}"
 done
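
Review bot: The new `for pkg in pip distribute setuptools wheel` line installs `distribute` on every platform, not only on hosts with the old virtualenv-bundled pip and distribute that the reordering is meant to work around, and nothing in the hunk says why the order now matters. Please add a comment above the loop explaining that `pip` and `distribute` must be upgraded before `setuptools`, and consider limiting the `distribute` step to environments that need it. Note also that `pip install -U "${pkg?}"` takes whatever the latest release is, so this adds one more unpinned package to the bootstrap; unless the script enables `set -e` above this hunk, a failed upgrade inside the loop will not stop it, so appending `|| exit 1` to the install line would surface such failures immediately.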

and the installation then produced a working version of simp_le. I don't know if that change would cause issues for more modern distributions and Python installs though.

Unhandled error on dns-01 challenge

Issue by briceburg
Tuesday Jun 07, 2016 at 20:28 GMT
Originally opened as kuba/simp_le#110


I'm using simp_le via the https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion to automatically give SSL to our https containers. This has worked fine until now.

From what I can tell, letsencrypt is responding with a 'dns-01' challenge, which simp_le is blowing up on. I believe it previously received a 'http-01' challenge as expected. I'm not sure what changed -- but is there a way to force a http-01 challenge? or to continue gracefully after receiving dns-01 and ask for a http-01 challenge?

I'll attach the full output of our container. The first line contains flags passed to the simp_le client.

2016-06-07 20:18:22,716:DEBUG:simp_le:1371: ['-f', 'account_key.json', '-f', 'key.pem', '-f', 'fullchain.pem', '-f', 'cert.pem', '-v', '-d', 'AAA.qa-1.blueacorn.net', '--email', '[email protected]', '--server=https://acme-v01.api.letsencrypt.org/directory', '--default_root', '/usr/share/nginx/html/'] parsed as Namespace(account_key_public_exponent=65537, account_key_size=4096, cert_key_size=4096, default_root='/usr/share/nginx/html/', email='[email protected]', help=False, integration_test=False, ioplugins=['account_key.json', 'key.pem', 'fullchain.pem', 'cert.pem'], reuse_key=False, revoke=False, server='https://acme-v01.api.letsencrypt.org/directory', test=False, tos_sha256='33d233c8ab558ba6c8ebc370a509acdded8b80e5d587aa5d192193f35226540f', user_agent='simp_le/0', valid_min=2592000, verbose=True, version=False, vhosts=[Vhost(name='AAA.qa-1.blueacorn.net', root=None)])

towards the end we see the error:

machine-nginx-letsencrypt | 2016-06-07 20:18:26,773:DEBUG:acme.challenges:34: dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'FyfOt3Q911U3IzBaFZ6HiWEsF0eQLNBJULg-cybGbHE', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061731'}

below is the full output:

machine-nginx-letsencrypt | 2016-06-07 20:18:26,126:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
machine-nginx-letsencrypt | 2016-06-07 20:18:26,768:DEBUG:requests.packages.urllib3.connectionpool:387: "POST /acme/new-authz HTTP/1.1" 201 1007
machine-nginx-letsencrypt | 2016-06-07 20:18:26,771:DEBUG:root:611: Received <Response [201]>. Headers: {'Content-Length': '1007', 'Expires': 'Tue, 07 Jun 2016 20:16:51 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 07 Jun 2016 20:16:51 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'AKwkOzC4mtI3TDVRh3oPG6SaaD_zwQElhh_vdRjxJ-A'}. Content: '{\n  "identifier": {\n    "type": "dns",\n    "value": "aaa.qa-1.blueacorn.net"\n  },\n  "status": "pending",\n  "expires": "2016-06-14T20:16:50.773055189Z",\n  "challenges": [\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061731",\n      "token": "FyfOt3Q911U3IzBaFZ6HiWEsF0eQLNBJULg-cybGbHE"\n    },\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061732",\n      "token": "C69-yopJIvQ2luYDBgyHP16RqWKYoWBEWNcjwFjYNSI"\n    },\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061733",\n      "token": "sDUQoE4bX6n-rA-vdGmKmH6bZhYbcsq3vbRCu3u1QSk"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      2\n    ],\n    [\n      0\n    ]\n  ]\n}'
machine-nginx-letsencrypt | 2016-06-07 20:18:26,772:DEBUG:acme.client:636: Storing nonce: "\x00\xac$;0\xb8\x9a\xd27L5Q\x87z\x0f\x1b\xa4\x9ah?\xf3\xc1\x01%\x86\x1f\xefu\x18\xf1'\xe0"
machine-nginx-letsencrypt | 2016-06-07 20:18:26,772:DEBUG:acme.client:551: Received response <Response [201]> (headers: {'Content-Length': '1007', 'Expires': 'Tue, 07 Jun 2016 20:16:51 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 07 Jun 2016 20:16:51 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'AKwkOzC4mtI3TDVRh3oPG6SaaD_zwQElhh_vdRjxJ-A'}): '{\n  "identifier": {\n    "type": "dns",\n    "value": "aaa.qa-1.blueacorn.net"\n  },\n  "status": "pending",\n  "expires": "2016-06-14T20:16:50.773055189Z",\n  "challenges": [\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061731",\n      "token": "FyfOt3Q911U3IzBaFZ6HiWEsF0eQLNBJULg-cybGbHE"\n    },\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061732",\n      "token": "C69-yopJIvQ2luYDBgyHP16RqWKYoWBEWNcjwFjYNSI"\n    },\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061733",\n      "token": "sDUQoE4bX6n-rA-vdGmKmH6bZhYbcsq3vbRCu3u1QSk"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      2\n    ],\n    [\n      0\n    ]\n  ]\n}'
machine-nginx-letsencrypt | 2016-06-07 20:18:26,773:DEBUG:acme.challenges:34: dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'FyfOt3Q911U3IzBaFZ6HiWEsF0eQLNBJULg-cybGbHE', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061731'}
machine-nginx-letsencrypt | Traceback (most recent call last):
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/simp_le.py", line 1401, in main
machine-nginx-letsencrypt |     return main_with_exceptions(cli_args)
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/simp_le.py", line 1386, in main_with_exceptions
machine-nginx-letsencrypt |     persist_new_data(args, existing_data)
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/simp_le.py", line 1287, in persist_new_data
machine-nginx-letsencrypt |     for vhost in args.vhosts
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/simp_le.py", line 1287, in <genexpr>
machine-nginx-letsencrypt |     for vhost in args.vhosts
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/acme/client.py", line 217, in request_domain_challenges
machine-nginx-letsencrypt |     typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/acme/client.py", line 200, in request_challenges
machine-nginx-letsencrypt |     return self._authzr_from_response(response, identifier)
machine-nginx-letsencrypt |   File "build/bdist.linux-x86_64/egg/acme/client.py", line 180, in _authzr_from_response
machine-nginx-letsencrypt |     raise errors.UnexpectedUpdate(authzr)
machine-nginx-letsencrypt | UnexpectedUpdate: AuthorizationResource(body=Authorization(status=Status(pending), challenges=(ChallengeBody(chall=UnrecognizedChallenge(), status=Status(pending), validated=None, uri=u'https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061731', error=None), ChallengeBody(chall=HTTP01(token='\x0b\xaf~\xca\x8aI"\xf46\x96\xe6\x03\x06\x0c\x87?^\x91\xa9b\x98\xa1`DX\xd7#\xc0X\xd85"'), status=Status(pending), validated=None, uri=u'https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061732', error=None), ChallengeBody(chall=TLSSNI01(token='\xb05\x10\xa0N\x1b_\xa9\xfe\xac\x0f\xafti\x8a\x98~\x9bf\x16\x1br\xca\xb7\xbd\xb4B\xbb{\xb5A)'), status=Status(pending), validated=None, uri=u'https://acme-v01.api.letsencrypt.org/acme/challenge/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE/114061733', error=None)), identifier=Identifier(typ=IdentifierType(dns), value=u'aaa.qa-1.blueacorn.net'), expires=datetime.datetime(2016, 6, 14, 20, 16, 50, 773055, tzinfo=<UTC>), combinations=((1,), (2,), (0,))), new_cert_uri='https://acme-v01.api.letsencrypt.org/acme/new-cert', uri='https://acme-v01.api.letsencrypt.org/acme/authz/oWaWiODe0SFi9uY9b8QpfaE6RumZAm2q-DlhN1nSfdE')
machine-nginx-letsencrypt | 
machine-nginx-letsencrypt | Unhandled error has happened, traceback is above

Cleanup webroot

Issue by mikedevita
Friday Dec 04, 2015 at 18:08 GMT
Originally opened as kuba/simp_le#28


I am using the following script to generate certificates and noticed the /tmp/letsencrypt dir contents are left intact even after ssl generation. Should I be deleting these after generation?

DOMAIN=domain.com;
sudo mkdir /etc/nginx/ssl/${DOMAIN};
sudo chmod 700 /etc/nginx/ssl/${DOMAIN};
cd /etc/nginx/ssl/${DOMAIN};
simp_le -d ${DOMAIN}:/tmp/letsencrypt -f key.pem -f cert.pem -f fullchain.pem
sudo chmod -R 400 /etc/nginx/ssl/${DOMAIN}/*;

Exit code on Python crash

Due to the manifesto, exit code 1 is reserved for "renewal not necessary".

In the last month, simp_le kept failing for some reason and returned 1, so my wrapper script did nothing, because the certificate looked up-to-date. Everything was fixed when I upgraded simp_le, but my certificates expired without any reported errors.

Please catch all exceptions and return a non-one, non-zero error code when something goes wrong and an exception is thrown. Here is some log from simp_le, if it helps.
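
Added example, not part of the issue above and not simp_le's own code: the Python interpreter exits with status 1 on any unhandled exception, which is the same value the manifest reserves for "renewal not necessary", so a crash is indistinguishable from a healthy no-op. The constructed client, `EXIT_ERROR = 2` and the wrapper actions are assumptions made for the illustration.

```python
import subprocess
import sys

EXIT_RENEWED = 0     # certificate issued or renewed
EXIT_NO_RENEWAL = 1  # reserved by the manifest: renewal not necessary
EXIT_ERROR = 2       # assumption: any value other than 0 and 1 would do

# Constructed stand-in for a client whose main() hits an unexpected bug.
CLIENT_BODY = """
import sys, traceback

def main():
    raise RuntimeError("simulated crash inside the client")
"""

# Entry point without a guard: the interpreter prints the traceback and
# exits with status 1 on its own.
UNGUARDED_ENTRY = """
sys.exit(main())
"""

# Entry point with a guard: every exception is mapped to a distinct status.
GUARDED_ENTRY = """
try:
    status = main()
except Exception:
    traceback.print_exc()
    status = %d
sys.exit(status)
""" % EXIT_ERROR


def run_client(entry):
    """Run the constructed client in a child interpreter, return its status."""
    proc = subprocess.run(
        [sys.executable, "-c", CLIENT_BODY + entry],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode


def wrapper_decision(status):
    """What a cron wrapper does with each exit status."""
    if status == EXIT_RENEWED:
        return "reload-webserver"
    if status == EXIT_NO_RENEWAL:
        return "nothing-to-do"
    # Anything else, including death by signal (negative status), is a failure.
    return "alert-operator"


if __name__ == "__main__":
    for label, entry in (("unguarded", UNGUARDED_ENTRY), ("guarded", GUARDED_ENTRY)):
        status = run_client(entry)
        print(label, status, wrapper_decision(status))
```

A wrapper that also alerts when the certificate's remaining lifetime drops below its own threshold catches the silent-expiry case even if the client's status is wrong.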

private key permissions

Issue by irv
Friday Dec 04, 2015 at 22:27 GMT
Originally opened as kuba/simp_le#29


Hi,

I think the permissions on the private key should be more restrictive by default; they're currently set to world-readable and should probably be chmod 600.

(I noticed this because opensmtpd considers insecure file perms on the private key a fatal error:
must be at most rwx------)
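
Added example, not part of the issue above and not simp_le's own code: a key written with a plain `open()` gets mode 0666 minus the umask, while creating it through `mkstemp()` and renaming it into place keeps it at 0600 for its whole lifetime, including when it replaces an older, looser file. The function names and the placeholder key bytes are assumptions; the "at most rwx------" rule is the one quoted in the issue.

```python
import os
import stat
import tempfile

# Constructed placeholder, not a real key.
SAMPLE_KEY = (b"-----BEGIN PRIVATE KEY-----\n"
              b"Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
              b"-----END PRIVATE KEY-----\n")


def write_key_default_mode(path, pem_bytes):
    """The reported behaviour: default creation mode, 0666 & ~umask."""
    with open(path, "wb") as handle:
        handle.write(pem_bytes)


def write_private_key(path, pem_bytes):
    """Write the key so that it is never readable by group or others.

    mkstemp() creates the temporary file with mode 0600, so there is no
    window with wider permissions (unlike open() followed by chmod()).
    os.replace() then swaps it in atomically, and the result carries the
    new file's mode, not the mode of whatever was at `path` before.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".key-")
    try:
        with os.fdopen(fd, "wb") as handle:
            os.fchmod(handle.fileno(), 0o600)
            handle.write(pem_bytes)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def file_mode(path):
    """Permission bits of `path` as an integer, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rejected_by_strict_daemon(mode):
    """True when any group/other bit is set, i.e. not 'at most rwx------'."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def compare_modes():
    """Write the same constructed key both ways under a typical umask of 022."""
    previous = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            loose = os.path.join(workdir, "loose.pem")
            tight = os.path.join(workdir, "tight.pem")
            write_key_default_mode(loose, SAMPLE_KEY)
            write_private_key(tight, SAMPLE_KEY)
            first = (file_mode(loose), file_mode(tight))
            # Renewal case: replacing the loose file must not inherit its mode.
            write_private_key(loose, SAMPLE_KEY)
            return first + (file_mode(loose),)
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for mode in compare_modes():
        print("%04o rejected=%s" % (mode, rejected_by_strict_daemon(mode)))
```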

Retain Order of Domains

Issue by zx2c4
Tuesday Feb 09, 2016 at 13:42 GMT
Originally opened as kuba/simp_le#72


For certificates that authenticate multiple sites, I'd like to specify which domain goes in the CN field. This should probably be the first -d domain specified. But since simp_le uses a dictionary, the ordering provided by the user is lost.

Could you have the ordering of -d be preserved, or add another switch to specify explicitly which domain should be in the CN?

Thanks.

Retain order of domains

Issue by zx2c4
Sunday Feb 28, 2016 at 02:19 GMT
Originally opened as kuba/simp_le#80


This ensures that the first domain specified on the command line will be the domain that winds up in the CN field. Otherwise, users have no way of controlling this.

This also supports Python 2.6, which is an improvement over the prior pull request. It also correctly tames pylint for an extremely widespread conditional import pattern.

It should pass all tests on Travis.

Fixes: kuba/simp_le#72
Signed-off-by: Jason A. Donenfeld [email protected]


zx2c4 included the following code: https://github.com/kuba/simp_le/pull/80/commits

CSR instead of cert key (fixes #13, #53)

Issue by kuba
Sunday Apr 17, 2016 at 21:22 GMT
Originally opened as kuba/simp_le#105


This PR substantially changes the API for simp_le and will break existing customers.

  1. Instead of accepting -f key.pem (or -f key.der) it accepts -f csr.pem (-f csr.der) and expects the client to generate CSR (cf. examples/generate_csr.sh).
  2. It reads domain names from the CSR instead of -d.
  3. Only one webroot can be specified at a time (as a positional argument) instead of --default_root or -d example.com:root syntax, so in the case of multi-domain certificates the customer is expected to arrange the file hierarchy (e.g. using symlinks).
  4. Moreover, the webroot must now be specified including .well-known/acme-challenge (fixes #53).

It's not yet ready, but I hope to get it finished in O(week). Posting it here in advance, so that interested parties get an early notification about breaking changes.


kuba included the following code: https://github.com/kuba/simp_le/pull/105/commits

SAN certificates

Issue by ManuelGysin
Saturday Jun 04, 2016 at 23:29 GMT
Originally opened as kuba/simp_le#109


Hello

What exactly are the parameters to create a SAN certificate?

Using multiple -d hosts does not work and tries to create a certificate for each host.

Thanks
Manuel

Using the simp_le client in a docker container hangs during http challenge

This is a copy of: https://community.letsencrypt.org/t/using-the-simp-le-client-in-a-docker-container-hangs-during-http-challenge/33694

Please fill out the fields below so we can help you better.

My domain is:
spierepf.ddns.net

I ran this command:
simp_le --verbose --email [email protected] -f account_key.json -f fullchain.pem -f key.pem -d spierepf.ddns.net:/usr/share/nginx/html

It produced this output:
2017-05-09 11:02:57,239:DEBUG:simp_le:1371: ['--verbose', '--email', '[email protected]', '-f', 'account_key.json', '-f', 'fullchain.pem', '-f', 'key.pem', '-d', 'spierepf.ddns.net:/usr/share/nginx/html'] parsed as Namespace(account_key_public_exponent=65537, account_key_size=4096, cert_key_size=4096, default_root=None, email='[email protected]', help=False, integration_test=False, ioplugins=['account_key.json', 'fullchain.pem', 'key.pem'], reuse_key=False, revoke=False, server='https://acme-v01.api.letsencrypt.org/directory', test=False, tos_sha256='6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221', user_agent='simp_le/0', valid_min=2592000, verbose=True, version=False, vhosts=[Vhost(name='spierepf.ddns.net', root='/usr/share/nginx/html')])
2017-05-09 11:02:57,240:DEBUG:simp_le:367: Loading account_key.json
2017-05-09 11:02:57,241:DEBUG:simp_le:367: Loading fullchain.pem
2017-05-09 11:02:57,241:DEBUG:simp_le:367: Loading key.pem
2017-05-09 11:02:57,241:DEBUG:simp_le:1280: Computed roots: {'spierepf.ddns.net': '/usr/share/nginx/html'}
2017-05-09 11:02:57,241:INFO:simp_le:1211: Generating new account key
2017-05-09 11:02:58,092:DEBUG:root:626: Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-09 11:02:58,093:DEBUG:requests.packages.urllib3.connectionpool:818: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-09 11:02:58,463:DEBUG:requests.packages.urllib3.connectionpool:395: https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-05-09 11:02:58,463:DEBUG:acme.client:641: Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 5Gt0mK2cujd1E2NzzAzLcLdKJHy61c5ALjnR-5CqZ14
Replay-Nonce: kvQL2iK2qX3fANQqzb8Z2GeVZ1JPCnB4r81IRmBq4Ws
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 09 May 2017 11:02:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 11:02:58 GMT
Connection: keep-alive

{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-05-09 11:02:58,464:DEBUG:root:673: Requesting fresh nonce
2017-05-09 11:02:58,464:DEBUG:root:626: Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-reg.
2017-05-09 11:02:58,575:DEBUG:requests.packages.urllib3.connectionpool:395: https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-reg HTTP/1.1" 405 0
2017-05-09 11:02:58,576:DEBUG:acme.client:641: Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: sQruqSb4Xolet7A6PdNylnohcS7FUjPVc9-yD_XKo1A
Replay-Nonce: osB4PUfnI8Bh4fNUZy34vyEFWxuVvzm4evCLDVvHoQo
Expires: Tue, 09 May 2017 11:02:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 11:02:58 GMT
Connection: keep-alive

2017-05-09 11:02:58,576:DEBUG:acme.client:666: Storing nonce: osB4PUfnI8Bh4fNUZy34vyEFWxuVvzm4evCLDVvHoQo
2017-05-09 11:02:58,577:DEBUG:acme.client:547: JWS payload:
{
"contact": [
"mailto:[email protected]"
],
"resource": "new-reg"
}
2017-05-09 11:02:58,595:DEBUG:root:624: Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-reg:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "wfH95WbCxJgy1NC1wMR2A_AqCYmHftHbh3xKLlgCaa3hVUZLfOEQ09GRr8OLNRsaWi6d-wmfI8cb89POKhX_gKLtfarrsdch_eyptWMc5v2HXxb5tGe48zShyRq4f9v4xJD0pIInoBFZZGIAPcHM6e1KTTS4AUEX7mv_zej_p5Dz6crWdYToM7RpxgmkrHGdNJd4wzNo_1nUVj911zETGfuBADEbRizf_CDIznDVLupWYLCL9-aSjVq9fcNQo_zfyUdZCwHxVJh3v0DrC0eDTQfFnREZ-jeyC1o7Bb1uylF4ZercrHsbogOyK5cwIXShymBb0-tySwoHtk66Wk56bFcRQr9sHAvJwZTu10o6hEgtnOEh7209v1u1KDPoDYPscSS2E4iRwwq8OgUj_EyTyO4EGFKo2ghOyDCxtpJGFzoKWOe1qxY17348oMAepDJ6wbDprM2ubGcd4dwer5NcCQor6fMLgZQKtMgjjx_OU6nk1cRAVlPQzB-ZI0pAOrOYtMVNGh-meuJGqCq0HFP-nEoM-ngn9Drkcli_T9IabmLlKrHE4c3sTOcXfnSNwetrDKYKBONobqPPD_ssQ1bUhtJcj3ojVkDQ8MkZIoK1VZglLOeYx1YLWh3IJEZJ63GFwGBWBorlSsbzrRaaGRt7zlCswJJwuL-3dzxRx-qXM"
}
},
"protected": "eyJub25jZSI6ICJvc0I0UFVmbkk4Qmg0Zk5VWnkzNHZ5RUZXeHVWdnptNGV2Q0xEVnZIb1FvIn0",
"payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpzcGllcmVwZkBob3RtYWlsLmNvbSIKICBdLCAKICAicmVzb3VyY2UiOiAibmV3LXJlZyIKfQ",
"signature": "UTyQBEbmZs0TDHyl_-jQvUmV7M_Iv6IWGZ0zmJwNJDIMbOdIZSrmTkpmwz9n47wnU1JNMGjEx4sLdTxG2gsL7SaJC8ZqrYZy2raz8lfuDz352-4zpvPBnyzujoAqllGdH20vNzKSIiXN-v9rwmjtU9tIlxE6645sCkvKPtG9C1O-ZslaPcWUnAoZ7-CIEq7DjUbV9WkmXk4kBNbusmx8xnLlg7bRbVGif0SZ-G7EOZFHR-Tcdahq89DZw51-C47bqpzlJRD-MvqW_12AEaydsBzaTENRY0gHWMjgogvp9wzsuL4YwbkkYT07NHi4MY1mj2BjwOIpUxPELY7WPE1AqrGtWKx_2wNnySWyOR2Jpr3QnWyHE6P3ZPkOvfg27F5HfRdDGuOUkEBmJAl6dRYFTtwy8e-uMz3MmEr-Ch-qJxbclikxauL3fZTBI7bXUbgEqS0-t8EfAn46cy1tgb39fCFyAXhn7J1yCKMUeLwx-m0caSkmdiiDojU0vXdrII1XIaJrLvSUNV4NYXH4coerdvdBLDHFEVj-2hC8YcV90wRT3T6dIpYQ3VSnzrphkRo77yypEUsE1JEuRxBuowGUkiCRSWcP4aTKXs5aublN_wQNRsAScI_RnUKxN20bjCIOWZzzCW7l3vGw4-9Fk5Ng3NQ5I5ZRtPE4zPajcfMDzoQ"
}
2017-05-09 11:02:58,893:DEBUG:requests.packages.urllib3.connectionpool:395: https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-reg HTTP/1.1" 201 921
2017-05-09 11:02:58,895:DEBUG:acme.client:641: Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 921
Boulder-Request-Id: 1tCRAWU3T4i85DTcDgSp-2vUFEwkpz95en4TCqBxWaI
Boulder-Requester: 14246951
Link: https://acme-v01.api.letsencrypt.org/acme/new-authz;rel="next", https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf;rel="terms-of-service"
Location: https://acme-v01.api.letsencrypt.org/acme/reg/14246951
Replay-Nonce: gEhkKCXqB9rp5etAXqWJYNpaphZYM_MCd9SLJTeEK0U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 09 May 2017 11:02:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 11:02:58 GMT
Connection: keep-alive

{
"id": 14246951,
"key": {
"kty": "RSA",
"n": "wfH95WbCxJgy1NC1wMR2A_AqCYmHftHbh3xKLlgCaa3hVUZLfOEQ09GRr8OLNRsaWi6d-wmfI8cb89POKhX_gKLtfarrsdch_eyptWMc5v2HXxb5tGe48zShyRq4f9v4xJD0pIInoBFZZGIAPcHM6e1KTTS4AUEX7mv_zej_p5Dz6crWdYToM7RpxgmkrHGdNJd4wzNo_1nUVj911zETGfuBADEbRizf_CDIznDVLupWYLCL9-aSjVq9fcNQo_zfyUdZCwHxVJh3v0DrC0eDTQfFnREZ-jeyC1o7Bb1uylF4ZercrHsbogOyK5cwIXShymBb0-tySwoHtk66Wk56bFcRQr9sHAvJwZTu10o6hEgtnOEh7209v1u1KDPoDYPscSS2E4iRwwq8OgUj_EyTyO4EGFKo2ghOyDCxtpJGFzoKWOe1qxY17348oMAepDJ6wbDprM2ubGcd4dwer5NcCQor6fMLgZQKtMgjjx_OU6nk1cRAVlPQzB-ZI0pAOrOYtMVNGh-meuJGqCq0HFP-nEoM-ngn9Drkcli_T9IabmLlKrHE4c3sTOcXfnSNwetrDKYKBONobqPPD_ssQ1bUhtJcj3ojVkDQ8MkZIoK1VZglLOeYx1YLWh3IJEZJ63GFwGBWBorlSsbzrRaaGRt7zlCswJJwuL-3dzxRx-qXM",
"e": "AQAB"
},
"contact": [
"mailto:[email protected]"
],
"initialIp": "24.138.24.95",
"createdAt": "2017-05-09T11:02:58.795671648Z",
"Status": "valid"
}
2017-05-09 11:02:58,895:DEBUG:acme.client:666: Storing nonce: gEhkKCXqB9rp5etAXqWJYNpaphZYM_MCd9SLJTeEK0U
2017-05-09 11:02:58,900:DEBUG:requests.packages.urllib3.connectionpool:818: Starting new HTTPS connection (1): letsencrypt.org
2017-05-09 11:02:59,121:DEBUG:requests.packages.urllib3.connectionpool:395: https://letsencrypt.org:443 "GET /documents/LE-SA-v1.1.1-August-1-2016.pdf HTTP/1.1" 200 134243
2017-05-09 11:02:59,431:DEBUG:simp_le:1237: TOS hash: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
2017-05-09 11:02:59,431:DEBUG:acme.client:547: JWS payload:
{
"contact": [
"mailto:[email protected]"
],
"resource": "reg",
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
"key": {
"e": "AQAB",
"kty": "RSA",
"n": "wfH95WbCxJgy1NC1wMR2A_AqCYmHftHbh3xKLlgCaa3hVUZLfOEQ09GRr8OLNRsaWi6d-wmfI8cb89POKhX_gKLtfarrsdch_eyptWMc5v2HXxb5tGe48zShyRq4f9v4xJD0pIInoBFZZGIAPcHM6e1KTTS4AUEX7mv_zej_p5Dz6crWdYToM7RpxgmkrHGdNJd4wzNo_1nUVj911zETGfuBADEbRizf_CDIznDVLupWYLCL9-aSjVq9fcNQo_zfyUdZCwHxVJh3v0DrC0eDTQfFnREZ-jeyC1o7Bb1uylF4ZercrHsbogOyK5cwIXShymBb0-tySwoHtk66Wk56bFcRQr9sHAvJwZTu10o6hEgtnOEh7209v1u1KDPoDYPscSS2E4iRwwq8OgUj_EyTyO4EGFKo2ghOyDCxtpJGFzoKWOe1qxY17348oMAepDJ6wbDprM2ubGcd4dwer5NcCQor6fMLgZQKtMgjjx_OU6nk1cRAVlPQzB-ZI0pAOrOYtMVNGh-meuJGqCq0HFP-nEoM-ngn9Drkcli_T9IabmLlKrHE4c3sTOcXfnSNwetrDKYKBONobqPPD_ssQ1bUhtJcj3ojVkDQ8MkZIoK1VZglLOeYx1YLWh3IJEZJ63GFwGBWBorlSsbzrRaaGRt7zlCswJJwuL-3dzxRx-qXM"
}
}
2017-05-09 11:02:59,444:DEBUG:root:624: Sending POST request to https://acme-v01.api.letsencrypt.org/acme/reg/14246951:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "wfH95WbCxJgy1NC1wMR2A_AqCYmHftHbh3xKLlgCaa3hVUZLfOEQ09GRr8OLNRsaWi6d-wmfI8cb89POKhX_gKLtfarrsdch_eyptWMc5v2HXxb5tGe48zShyRq4f9v4xJD0pIInoBFZZGIAPcHM6e1KTTS4AUEX7mv_zej_p5Dz6crWdYToM7RpxgmkrHGdNJd4wzNo_1nUVj911zETGfuBADEbRizf_CDIznDVLupWYLCL9-aSjVq9fcNQo_zfyUdZCwHxVJh3v0DrC0eDTQfFnREZ-jeyC1o7Bb1uylF4ZercrHsbogOyK5cwIXShymBb0-tySwoHtk66Wk56bFcRQr9sHAvJwZTu10o6hEgtnOEh7209v1u1KDPoDYPscSS2E4iRwwq8OgUj_EyTyO4EGFKo2ghOyDCxtpJGFzoKWOe1qxY17348oMAepDJ6wbDprM2ubGcd4dwer5NcCQor6fMLgZQKtMgjjx_OU6nk1cRAVlPQzB-ZI0pAOrOYtMVNGh-meuJGqCq0HFP-nEoM-ngn9Drkcli_T9IabmLlKrHE4c3sTOcXfnSNwetrDKYKBONobqPPD_ssQ1bUhtJcj3ojVkDQ8MkZIoK1VZglLOeYx1YLWh3IJEZJ63GFwGBWBorlSsbzrRaaGRt7zlCswJJwuL-3dzxRx-qXM"
}
},
"protected": "eyJub25jZSI6ICJnRWhrS0NYcUI5cnA1ZXRBWHFXSllOcGFwaFpZTV9NQ2Q5U0xKVGVFSzBVIn0",
"payload": "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",
"signature": "NQdegiSVsxn4h_wjcO9LkjaRCj63LJGNXNmbUh40X5c1k28BlETDGUTCxMJUhlYEneIkhMU3kwk8YnoLLTbsI1fVWKHAgbx8uUI_WKemFg7TEnkkAYxz5MaKt47N-TA-RjY0zpBH8wvPEFdW5wTVhqmoxw1JhjUaAhard4wiWmWJhah7H5ixFj4_rSY7qn8ruU3i6d9Gby5EcQuo0mogxvI1IWJ_Ip8EEw48uNwM0Jp79DVumKrUC5jN7_dh5KY-WhpBYLpJ4wBao9BRtVja079D-Xhzv_HKoxWjS_KI4XQSyM65yFMC03ONMceFj8M8tSvQdrFy_JikgjxFj8TgX1HOdGlkwl9cfWW2AbuZ911qCG_2QReJIpTZ4JOUsHrNXw6PCQGds6HlQC-URXUTdkowzXZk_nrOHuBUcccy6XrmnMbhcRNgWjnydYWKvlN72A2VhpoV4gOulKm-aXJJDF6S8QJ0KFWYNjkgQ9nFQS0be1-cTkF9lfKR57WzYTnkvXlpZm0jI5xzwhMP926J7eggCcGk_nZcH65McSbAo0E3Z5vUnwvzllzM6oiroehM1HxYGehxHcl0DIRbfmAnxJ4-CpArQNCzaGqNO_s4wddkhcD8qUKfaU_xgHYNlBqMCcRi1Uu2OQ8Ny-l4ljhIvKTF7HMW5mrJXrqBtZF0o4E"
}
2017-05-09 11:02:59,590:DEBUG:requests.packages.urllib3.connectionpool:395: https://acme-v01.api.letsencrypt.org:443 "POST /acme/reg/14246951 HTTP/1.1" 202 994
2017-05-09 11:02:59,590:DEBUG:acme.client:641: Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 994
Boulder-Request-Id: SoFiO2rh5K_0cHWvAU9id7N2nIk5Ic6LrsdeUUVrmvw
Boulder-Requester: 14246951
Link: https://acme-v01.api.letsencrypt.org/acme/new-authz;rel="next", https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf;rel="terms-of-service"
Replay-Nonce: INmxqMPEdZA5qo1KJ_D7_IkQp0lK_6X4A6_mAmsuNvs
Expires: Tue, 09 May 2017 11:02:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 11:02:59 GMT
Connection: keep-alive

{
"id": 14246951,
"key": {
"kty": "RSA",
"n": "wfH95WbCxJgy1NC1wMR2A_AqCYmHftHbh3xKLlgCaa3hVUZLfOEQ09GRr8OLNRsaWi6d-wmfI8cb89POKhX_gKLtfarrsdch_eyptWMc5v2HXxb5tGe48zShyRq4f9v4xJD0pIInoBFZZGIAPcHM6e1KTTS4AUEX7mv_zej_p5Dz6crWdYToM7RpxgmkrHGdNJd4wzNo_1nUVj911zETGfuBADEbRizf_CDIznDVLupWYLCL9-aSjVq9fcNQo_zfyUdZCwHxVJh3v0DrC0eDTQfFnREZ-jeyC1o7Bb1uylF4ZercrHsbogOyK5cwIXShymBb0-tySwoHtk66Wk56bFcRQr9sHAvJwZTu10o6hEgtnOEh7209v1u1KDPoDYPscSS2E4iRwwq8OgUj_EyTyO4EGFKo2ghOyDCxtpJGFzoKWOe1qxY17348oMAepDJ6wbDprM2ubGcd4dwer5NcCQor6fMLgZQKtMgjjx_OU6nk1cRAVlPQzB-ZI0pAOrOYtMVNGh-meuJGqCq0HFP-nEoM-ngn9Drkcli_T9IabmLlKrHE4c3sTOcXfnSNwetrDKYKBONobqPPD_ssQ1bUhtJcj3ojVkDQ8MkZIoK1VZglLOeYx1YLWh3IJEZJ63GFwGBWBorlSsbzrRaaGRt7zlCswJJwuL-3dzxRx-qXM",
"e": "AQAB"
},
"contact": [
"mailto:[email protected]"
],
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
"initialIp": "24.138.24.95",
"createdAt": "2017-05-09T11:02:58Z",
"Status": "valid"
}
2017-05-09 11:02:59,590:DEBUG:acme.client:666: Storing nonce: INmxqMPEdZA5qo1KJ_D7_IkQp0lK_6X4A6_mAmsuNvs
2017-05-09 11:02:59,591:DEBUG:acme.client:547: JWS payload:
{
"identifier": {
"type": "dns",
"value": "spierepf.ddns.net"
},
"resource": "new-authz"
}
2017-05-09 11:02:59,604:DEBUG:root:624: Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "wfH95WbCxJgy1NC1wMR2A_AqCYmHftHbh3xKLlgCaa3hVUZLfOEQ09GRr8OLNRsaWi6d-wmfI8cb89POKhX_gKLtfarrsdch_eyptWMc5v2HXxb5tGe48zShyRq4f9v4xJD0pIInoBFZZGIAPcHM6e1KTTS4AUEX7mv_zej_p5Dz6crWdYToM7RpxgmkrHGdNJd4wzNo_1nUVj911zETGfuBADEbRizf_CDIznDVLupWYLCL9-aSjVq9fcNQo_zfyUdZCwHxVJh3v0DrC0eDTQfFnREZ-jeyC1o7Bb1uylF4ZercrHsbogOyK5cwIXShymBb0-tySwoHtk66Wk56bFcRQr9sHAvJwZTu10o6hEgtnOEh7209v1u1KDPoDYPscSS2E4iRwwq8OgUj_EyTyO4EGFKo2ghOyDCxtpJGFzoKWOe1qxY17348oMAepDJ6wbDprM2ubGcd4dwer5NcCQor6fMLgZQKtMgjjx_OU6nk1cRAVlPQzB-ZI0pAOrOYtMVNGh-meuJGqCq0HFP-nEoM-ngn9Drkcli_T9IabmLlKrHE4c3sTOcXfnSNwetrDKYKBONobqPPD_ssQ1bUhtJcj3ojVkDQ8MkZIoK1VZglLOeYx1YLWh3IJEZJ63GFwGBWBorlSsbzrRaaGRt7zlCswJJwuL-3dzxRx-qXM"
}
},
"protected": "eyJub25jZSI6ICJJTm14cU1QRWRaQTVxbzFLSl9EN19Ja1FwMGxLXzZYNEE2X21BbXN1TnZzIn0",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAic3BpZXJlcGYuZGRucy5uZXQiCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ",
"signature": "vgdu3c0O-JMkpP7z32s6snZKGB8Mk6jz94ipQt06Qe6CywvInxUbVpQzSLI67aT2txq5_lVDYEaY_66AnsrhCLpAZVH4NPUOdgWy85o4GS2B2h5I9W3oErYCuHIZn4N8iNjrxQU5sCLIwz_ipYQ35NND1r9eWllxjiyVOTeA1vCvGjoTz3YmzcG3TuYoOLg1ax1miYDYpr91SYPcSzmXdltgUMQxq9C9UE1ZYj2dwM8i5yrIgtySWN1RC8CAjD4E1IkUa3a233TXpb9NJxbkVB7xw60l8bJQsAs2iewH1RKueng2tBTBRfW6EengGw4iTHTjn45vcgQ8LrG2Y8feHj-3UEB7TaGXJyosD4Rju61UMpg2_6GZ0EVo7Ye3OPY0691-9lRlNMfwSvmpMFNVJG7zV2Mf35m6kYKU1P97D0kZnnfpHQE2G9IxFMhiB568Nx0Zm_MmSp24Nj3gFyM4ZXWnoJ2zEPtIXJKB44-BYIrCZZoXIMff5yXiSQCip75TVnKmapBLG-eLI982LT9JQrl__zYkMQprU09tUp-XRuZ6_RBZRo8nBioA_NDBLNGxOcEx-9mfMFfad2eiun6fI1cbnMvm6h-ijejghPP0p6AXeD0nS2QKikG-CvYPgkhIp-ialqFQUIo8QLudVFry-yBGWwZ3ASeZsIpGI2KmyxQ"
}
2017-05-09 11:02:59,759:DEBUG:requests.packages.urllib3.connectionpool:395: https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1005
2017-05-09 11:02:59,761:DEBUG:acme.client:641: Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1005
Boulder-Request-Id: bd8fjnaFIvtKDJktInIK2GjxTU1FhZXJlQjNvR_8oys
Boulder-Requester: 14246951
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/-W53XG9N-PcoaR9gPZ9q4TH44ZM09jZBCReJarr4Chk
Replay-Nonce: l32017LQENMLtMdf6v0ioS2giErAS0Os-kwJH9TWDgo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 09 May 2017 11:02:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 11:02:59 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": "spierepf.ddns.net"
},
"status": "pending",
"expires": "2017-05-16T11:02:59.656179074Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/-W53XG9N-PcoaR9gPZ9q4TH44ZM09jZBCReJarr4Chk/1147834376",
"token": "kf4rYPPgBT-ubAsVA1ZhVGqPUOSZMGFyzDytWmAd2tg"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/-W53XG9N-PcoaR9gPZ9q4TH44ZM09jZBCReJarr4Chk/1147834377",
"token": "5KYEb5AK0D9dx34UySKr7dcA6rnVaTBa6A9bj4tgZto"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/-W53XG9N-PcoaR9gPZ9q4TH44ZM09jZBCReJarr4Chk/1147834378",
"token": "nU8dsB75TqTrHlZrqaALaGLSKVjvBdMZg_ML5jEUiPk"
}
],
"combinations": [
[
2
],
[
0
],
[
1
]
]
}
2017-05-09 11:02:59,761:DEBUG:acme.client:666: Storing nonce: l32017LQENMLtMdf6v0ioS2giErAS0Os-kwJH9TWDgo
2017-05-09 11:02:59,773:DEBUG:simp_le:983: Saving validation (u'kf4rYPPgBT-ubAsVA1ZhVGqPUOSZMGFyzDytWmAd2tg.63543MRgFiPVD1DrDWJwI6bU8T-0U7DruBu_VUZaRIM') at /usr/share/nginx/html/.well-known/acme-challenge/kf4rYPPgBT-ubAsVA1ZhVGqPUOSZMGFyzDytWmAd2tg
2017-05-09 11:02:59,775:DEBUG:acme.challenges:307: Verifying http-01 at http://spierepf.ddns.net/.well-known/acme-challenge/kf4rYPPgBT-ubAsVA1ZhVGqPUOSZMGFyzDytWmAd2tg...
2017-05-09 11:02:59,776:DEBUG:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): spierepf.ddns.net
nginx_1 | 24.138.24.95 - - [09/May/2017:11:02:59 +0000] "GET /.well-known/acme-challenge/kf4rYPPgBT-ubAsVA1ZhVGqPUOSZMGFyzDytWmAd2tg HTTP/1.1" 200 87 "-" "python-requests/2.13.0" "-"

My operating system is (include version):
I'm using the official nginx image on docker hub. The Dockerfile is:

github.com
nginxinc/docker-nginx/blob/53da9a295dfa6c666630a72d9c03dfbd1d2eb37d/mainline/stretch/Dockerfile

FROM debian:stretch-slim

MAINTAINER NGINX Docker Maintainers "[email protected]"

ENV NGINX_VERSION 1.13.0-1~stretch
ENV NJS_VERSION 1.13.0.0.1.10-1~stretch

RUN apt-get update \
    && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 \
    && \
    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
    found=''; \
    for server in \
        ha.pool.sks-keyservers.net \
        hkp://keyserver.ubuntu.com:80 \
        hkp://p80.pool.sks-keyservers.net:80 \
        pgp.mit.edu \
    ; do \
        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
        apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
This file has been truncated.
So it looks like debian stretch-slim

My web server is (include version):
1.13.0-1~stretch (see above)

My hosting provider, if applicable, is:
Eastlink

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

If you look closely at the last line of the output, you'll notice the nginx log message where the webserver responds to the challenge. This suggests to me that that specific challenge was successful. For some reason however, the simp_le client hangs at that point. I've left it running for more than six hours with no resolution. I would think that the client would terminate with failure after some point.

FullChainFile chain may be an empty list

Issue by dracos
Wednesday Apr 06, 2016 at 17:38 GMT
Originally opened as kuba/simp_le#95


https://github.com/kuba/simp_le/blob/8f258bc098a84b7a20c2732536d0740244d814f7/simp_le.py#L709 tests if data.chain is None, but its parent's load_from_content means that if e.g. the file exists but is empty or corrupt, it will be an empty list. I think the check should also check for the empty list as well as None.

$ touch foo.pem
$ python
>>> import simp_le
>>> simp_le.FullChainFile(path="foo.pem").load()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "simp_le.py", line 713, in load
    cert, chain = data.chain[0], data.chain[1:]
IndexError: list index out of range
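
One way to guard the split against both cases, as an added example that is not simp_le's own code: `parse_pem_certs`, `split_fullchain` and the sample PEM text are hypothetical names and constructed data, and only the `chain[0]` / `chain[1:]` split mirrors the traceback above.

```python
import re

# Matches one PEM certificate block, including its BEGIN/END markers.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_certs(content):
    """Return every certificate block found in content (possibly none)."""
    return _PEM_CERT.findall(content)


def split_fullchain(chain):
    """Split a parsed full chain into (cert, intermediates).

    Both None (file missing) and [] (file empty or unparsable) mean
    "nothing stored yet", so neither may reach the chain[0] index.
    """
    if not chain:  # covers None and the empty list
        return None, None
    return chain[0], chain[1:]


# Constructed sample: two dummy blocks, not real certificates.
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, text in [("empty", ""), ("corrupt", "not a pem"), ("ok", SAMPLE)]:
        cert, rest = split_fullchain(parse_pem_certs(text))
        print(label, cert is not None, 0 if rest is None else len(rest))
```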

private key permissions

Issue by irv
Friday Dec 04, 2015 at 22:27 GMT
Originally opened as kuba/simp_le#29


Hi,

I think the permissions on the private key should be more restrictive by default, they're currently set to world readable and should probably be chmod 600

(I noticed this because opensmtpd considers insecure file perms on the private key a fatal error:
must be at most rwx------)
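
A sketch of writing the key with owner-only permissions and auditing an existing file, as an added example that is not simp_le's code: `write_private_key` and `key_mode_problems` are hypothetical helpers, and it assumes a POSIX system.

```python
import os
import stat
import tempfile


def write_private_key(path, pem_bytes):
    """Write pem_bytes to path so it is never readable by group or others.

    The temporary file is created with mode 0600 before any key material
    is written, then renamed over the target, so there is no window in
    which the key exists with looser permissions.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".key-")  # created 0600
    try:
        os.fchmod(fd, 0o600)  # explicit, independent of the umask
        with os.fdopen(fd, "wb") as handle:
            handle.write(pem_bytes)
        os.replace(tmp, path)  # also replaces an older, looser file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def key_mode_problems(path):
    """Return a list of findings for a key file accessible beyond its owner."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRWXG:
        findings.append("group has access (mode %04o)" % mode)
    if mode & stat.S_IRWXO:
        findings.append("others have access (mode %04o)" % mode)
    return findings
```

Running `key_mode_problems` over existing key files from a cron wrapper flags keys that were written before the permissions were tightened.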

Simplify IOPlugin.Data initialization

Issue by Lekensteyn
Friday Jan 08, 2016 at 00:01 GMT
Originally opened as kuba/simp_le#63


Remove the need to specify every component of Data. This introduces a
new IOPlugin.PersistedData member which is the same as IOPlugin.Data,
except that it is initialized with boolean False instead of None.

Also remove account_key and key from FullChainFile, it is not stored by
ChainFile. Replace a weird IOPlugin.EMPTY_DATA._replace(key=X) hack by
the more intuitive Data(key=X).

The __defaults__ construct is taken from
http://stackoverflow.com/a/18348004 and documented in
https://docs.python.org/2/reference/datamodel.html and
https://docs.python.org/3/reference/datamodel.html


Lekensteyn included the following code: https://github.com/kuba/simp_le/pull/63/commits

Update travis.sh to not rely on boulder-tools "latest" tag

Hi there,

Happened to see this comment from @zenhack on #48:

I tried this myself; travis failed. The test runs are choking on something to do with the docker images for boulder, which I need to investigate.

We deleted the latest tag for the boulder-tools docker image (letsencrypt/boulder#2030) because the semantics of that label in dockerhub didn't match the way we were using it. Your builds are failing as a result (we fixed the same thing in our own CI incidentally).

I believe you can just delete the explicit docker-pull for the boulder-tools image from your setup script to fix. The docker-compose pull above is pulling in the correct boulder-tools tag already.

Triage issues from kuba's repo

There are a number of open issues on the unmaintained original repository; we should address those and/or record them here.

New account key is not preserved on failure

Issue by Lekensteyn
Tuesday Jan 05, 2016 at 20:55 GMT
Originally opened as kuba/simp_le#58


When an account key is created, but the authorization failed (because the HTTP server is not reachable for example), the account key is not stored. It should probably persist this key even if it failed to generate a certificate.

Edit: what about allowing simp_le to generate just the account key and nothing else? I.e. allow simp_le.py -f account_key.json to generate the account key. Then a wrapper script can ensure that this file is available and store it appropriately.

Deserialization error: Wrong directory fields

Issue by gionn
Monday Nov 28, 2016 at 13:35 GMT
Originally opened as kuba/simp_le#118


It looks like a new staging API has broken simp_le:

       ---- Begin output of simp_le  -d kitchen-test.cloudesire.com:/usr/share/nginx/www/kitchen-test.cloudesire.com_kitchen-test-2.cloudesire.com  -d kitchen-test-2.cloudesire.com:/usr/share/nginx/www/kitchen-test.cloudesire.com_kitchen-test-2.cloudesire.com  --email [email protected] --server https://acme-staging.api.letsencrypt.org/directory --tos_sha256 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221 -f key.pem -f fullchain.pem -f account_key.json ----
       STDOUT: 
       STDERR: 2016-11-28 11:48:39,389:INFO:simp_le:1211: Generating new account key
       Traceback (most recent call last):
         File "/root/.letsencryptvenv/local/lib/python2.7/site-packages/simp_le.py", line 1401, in main
           return main_with_exceptions(cli_args)
         File "/root/.letsencryptvenv/local/lib/python2.7/site-packages/simp_le.py", line 1386, in main_with_exceptions
           persist_new_data(args, existing_data)
         File "/root/.letsencryptvenv/local/lib/python2.7/site-packages/simp_le.py", line 1282, in persist_new_data
           client = registered_client(args, existing_data.account_key)
         File "/root/.letsencryptvenv/local/lib/python2.7/site-packages/simp_le.py", line 1224, in registered_client
           client = acme_client.Client(directory=args.server, key=key, net=net)
         File "/root/.letsencryptvenv/local/lib/python2.7/site-packages/acme/client.py", line 63, in __init__
           self.net.get(directory).json())
         File "/root/.letsencryptvenv/local/lib/python2.7/site-packages/acme/messages.py", line 169, in from_json
           raise jose.DeserializationError(str(error))
       DeserializationError: Deserialization error: Wrong directory fields

current staging https://acme-staging.api.letsencrypt.org/directory

{
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}

current prod https://acme-v01.api.letsencrypt.org/directory

{
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}

Validate hostname arg to -d option.

Is it at all possible to specify an alternative port at which the challenge file is served? Currently, the only obvious place to specify a port number is in the domain (e.g. simp_le -d example.com:8080 ...) which ends up with the port interpreted as the local webroot path.

The reason I ask is because I'm trying to use JrCs/docker-letsencrypt-nginx-proxy-companion (which relies on simp_le) and jwilder/nginx-proxy to manage serving Docker containers for me, but my ISP (RCN) blocks incoming requests on port 80. In lieu of tls-sni-01 challenge mode support in simp_le, I'm wondering if there's something I can do short of setting up an external server to reverse proxy with HTTPS passthrough.

Related:
kuba/simp_le#89
nginx-proxy/acme-companion#42
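
A sketch of the validation the issue title asks for, as an added example that is not simp_le's code: `parse_vhost` and `VhostError` are hypothetical names, the `host[:webroot]` form is taken from the README usage, and POSIX paths are assumed.

```python
import os
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class VhostError(ValueError):
    """Raised for a -d argument that is not host or host:/abs/webroot."""


def parse_vhost(spec, default_root=None):
    """Parse 'host' or 'host:webroot' and return (host, webroot)."""
    host, sep, root = spec.partition(":")
    host = host.rstrip(".").lower()
    labels = host.split(".")
    if len(host) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise VhostError("invalid hostname in %r" % spec)
    if not sep:
        root = default_root
    if not root:
        raise VhostError("no webroot given for %r" % host)
    if root.isdigit():
        # e.g. example.com:8080, the case described in the issue
        raise VhostError("%r looks like a port number, not a webroot" % root)
    if not os.path.isabs(root):
        raise VhostError("webroot %r must be an absolute path" % root)
    return host, root


if __name__ == "__main__":
    for arg in ["example.net:/var/www/other_html", "example.com:8080"]:
        try:
            print(arg, "->", parse_vhost(arg, "/var/www/html"))
        except VhostError as error:
            print(arg, "-> rejected:", error)
```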

bootstrap: ignore apt-get update failures

Issue by dotdoom
Wednesday May 18, 2016 at 19:16 GMT
Originally opened as kuba/simp_le#108


Machines with multiple architectures installed (e.g. for cross-compiling) often have apt-get complaining about repos that do not support multiarch.
That's not a problem; even if apt-get update fails completely for some other reason (locked database etc) it should be fine to proceed with installing.


dotdoom included the following code: https://github.com/kuba/simp_le/pull/108/commits

SHA256 hash of the TOS has changed

Issue by thomastweets
Monday Aug 01, 2016 at 21:12 GMT
Originally opened as kuba/simp_le#114


With the update to the Let’s Encrypt Subscriber Agreement today (v.1.1.1) the SHA256 hash has changed to 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
I can create a pull request to change line 894/895 of simp_le.py, however, I am not sure whether this covers all of it (and I am not deep into the topic).

No tag for 0.3.0

The README mentions a 0.3.0 release, yet there is no corresponding tag on the repo (the most recent one is 0.2.0).

Would it be possible to add a tag for this release, or is it still considered unreleased?

simp_le fails on Debian wheezy

Hi,
I use simp_le on several platforms but I have a problem on Debian wheezy (I know, but still "oldstable").

simp_le fails with following Traceback:

Traceback (most recent call last):
  File "/usr/local/sbin/simp_le", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/opt/simp_le/venv/local/lib/python2.7/site-packages/distribute-0.6.24-py2.7.egg/pkg_resources.py", line 2707, in <module>
    working_set.require(__requires__)
  File "/opt/simp_le/venv/local/lib/python2.7/site-packages/distribute-0.6.24-py2.7.egg/pkg_resources.py", line 686, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/opt/simp_le/venv/local/lib/python2.7/site-packages/distribute-0.6.24-py2.7.egg/pkg_resources.py", line 584, in resolve
    raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: mock

There are some errors when running venv.sh as well, which I include in venv.sh.txt.

One of the problems is that the venv.sh sh script is returning "success" but it seems to fail – according to the attached log. This is not suitable for automated installation 😞

I have fixed it once with installing system package python-six before installing simp_le, but it does not help at this time.

  • Could you please give advice on what to do to fix these errors?
  • Could you please ensure that the venv.sh script is returning success only when it successfully installs everything?

Thanks in advance
