Failed renewal #127

Closed
idan100 opened this issue Dec 28, 2023 · 7 comments

idan100 commented Dec 28, 2023

Hi,
I'm getting "Error getting renewal information from server" after I successfully got a certificate using win-acme.
The error is coming from:
ACMESharp.Protocol.AcmeProtocolException: Unexpected response status code [BadRequest] for [GetRenewalInfo]
In the logs, when I send the renewal request, my request completed with BadRequest, and in addition I get Empty Response.
I would like to be contacted, please.

Owner

grindsa commented Dec 28, 2023

Can you please enable debugging in acme2certifier (debug=True) in acme_srv.cfg, replicate the issue and share the logs?

In addition, please share the win-acme commands you are using for enrollment and to get the renewal information.

Thanks
G.

@grindsa grindsa added the bug Something isn't working label Dec 28, 2023
Owner

grindsa commented Dec 29, 2023

To continue in this...

Please specify the win-acme version you are using. It seems that the EmptyResponse issue is already known and got fixed in 2.2.3.1.

Author

idan100 commented Dec 31, 2023

Hello,
Sorry for the delay.
My win-acme version is v2.2.5.1541 (64x release).
Adding multiple images about the win-acme commands I used:
This is the output I got for enrolling the certificate:
[image: getCert]
This is the output I got for trying to renew the certificate:
[image: runRenewal]
This is the output I got for trying to force renew the certificate:
[image: runRenewalForce]
This is the output I got for trying to renew the certificate with no cache:
[image: RunRenewalNoCache]
These are the logs on acme2certifier when debug=True:
[image: acmeServer]

Owner

grindsa commented Dec 31, 2023

Thank you. I was meanwhile able to replicate the issue. The problem is related to win-acme, as the renewal-info path is not constructed correctly. I've already opened a related issue. I also have a workaround available. Would you be able to test it on your side? If so, what do you need (which docker image, rpm, deb)?

Author

idan100 commented Dec 31, 2023

I am using a docker image. Can you explain the bug and the fix you did? Which files did you change and what exactly?

Owner

grindsa commented Dec 31, 2023

The issue lies in how win-acme is constructing the renewal-info path. According to an RFC draft from Feb this year it should be the renewalinfo URL with a forward slash and the base64 encoded CertID.

So a renewal-info path should be something like this: https://acme-srv/acme/renewal-info/base64-sequence

win-acme does not include the forward slash, so the renewal-info path looks like this: https://acme-srv/acme/renewal-infobase64-sequence

The CertID contains the certificate serial number, which is used by a2c to look up the renewal information. Due to this bug a2c is not able to extract and decode the certid and serial number and cannot look up the renewal information from the database.

The fix must be done in win-acme; all I can do is work around this issue. The patch 2bb1f57 allows a2c to cope with this behavior and to extract the certid even if the forward slash is missing.

Two files have been modified: acme_srv/helper.py and acme_srv/renewalinfo.py. The fix is already included in the devel branch and I created a docker image some minutes ago. You can pull it with `docker pull grindsa/acme2certifier:devel`. Feel free to test and to provide feedback.

G.
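
The tolerant extraction described in the comment above, as an added example that is not the code from patch 2bb1f57 or from acme2certifier. It assumes the CertID is a base64url-encoded DER sequence of hash algorithm, issuer name hash, issuer key hash and serial number; the function names and the sample CertID are constructed for illustration.

```python
import base64

ENDPOINT = "renewal-info"  # endpoint name as written in the thread's URLs

def _tlv(data, pos):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length

def certid_from_path(path):
    """Return the CertID token, with or without the '/' after the endpoint."""
    _, found, rest = path.partition(ENDPOINT)
    token = rest.lstrip("/").split("?", 1)[0]
    if not found or not token:
        raise ValueError("no CertID in renewal-info path")
    return token

def serial_from_certid(token):
    """Decode a base64url CertID and return the certificate serial as an int."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    tag, body, _ = _tlv(raw, 0)
    fields, pos = [], 0
    while pos < len(body):
        ftag, value, pos = _tlv(body, pos)
        fields.append((ftag, value))
    # Assumed layout: algorithm, issuerNameHash, issuerKeyHash, serialNumber
    if tag != 0x30 or len(fields) != 4 or fields[3][0] != 0x02:
        raise ValueError("unexpected CertID layout")
    return int.from_bytes(fields[3][1], "big")

def build_sample_certid(serial):
    """Constructed test input: a CertID with zeroed issuer hashes."""
    der = lambda tag, value: bytes([tag, len(value)]) + value
    sha256 = der(0x30, der(0x06, bytes.fromhex("608648016503040201")) + der(0x05, b""))
    body = sha256 + der(0x04, bytes(32)) * 2 + der(0x02, serial.to_bytes(8, "big"))
    return base64.urlsafe_b64encode(der(0x30, body)).rstrip(b"=").decode()

if __name__ == "__main__":
    sample = build_sample_certid(0x0123456789ABCDEF)
    for path in ("/acme/renewal-info/" + sample, "/acme/renewal-info" + sample):
        print(path[:28], "->", hex(serial_from_certid(certid_from_path(path))))
```

Rejecting anything that does not decode to the expected four-field structure keeps the relaxed path matching from passing arbitrary trailing path data to the database lookup.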

Owner

grindsa commented Feb 5, 2024

Fix got included in v0.33. Thus, closing...

@grindsa grindsa closed this as completed Feb 5, 2024