Error "cert created without giving its location header" when using a different CA
This message is logged for every ACME certificate:
(22)Invalid argument: cert created without giving its location header
(22)Invalid argument: AH10056: processing <scrubbed>: (null)
However, the certificate is still issued and activated. The status page lists the status as "incomplete" and the "Activity" as "finished successfully". Every time the server is restarted it will try to obtain a certificate again.
Configuration for different CA:
MDCertificateAuthority https://api.buypass.com/acme/directory
MDCertificateAgreement https://api.buypass.com/acme/terms/750
- Server Version: Apache/2.4.49 (Win64) OpenSSL/1.1.1
Hmm, just setup a domain and got a certificate successfully:
[Mon Oct 04 12:29:03.780581 2021] [md:trace2] [pid 2009937:tid 140299590395648] md_crypt.c(1395): read chain with 2 certs
[Mon Oct 04 12:29:03.780591 2021] [md:trace2] [pid 2009937:tid 140299590395648] md_crypt.c(1477): parsed certs from content-type=application/pem-certificate-chain, content-length=4435
[Mon Oct 04 12:29:03.780596 2021] [md:debug] [pid 2009937:tid 140299590395648] md_acme_drive.c(232): 2 certs parsed
[Mon Oct 04 12:29:03.780622 2021] [md:debug] [pid 2009937:tid 140299590395648] md_acme_drive.c(267): poll for cert at https://api.buypass.com/acme-v02/cert/GcLGg8v1zoE
[Mon Oct 04 12:29:03.780628 2021] [md:trace1] [pid 2009937:tid 140299590395648] md_acme_drive.c(444): got chain with 2 certs (0. attempt)
[Mon Oct 04 12:29:03.780632 2021] [md:debug] [pid 2009937:tid 140299590395648] md_acme_drive.c(484): chain retrieved
If you set LogLevel md:trace4 could you send me such a failed attempt to "stefan at eissing.org"? thanks.
I can do that but I have to wait a week because the module hit the 20 certs per week limit.
urgs. But they seem to have a test API endpoint: https://api.test4.buypass.no/acme/directory
This problem exists on a production system. I can't just switch that over, or everyone is getting SSL errors.
A minimal test setup, I used here:
<MDomainSet buypass.one-of-my-domains.com>
MDDriveMode always
MDCertificateAuthority https://api.test4.buypass.no/acme/directory
</MDomainSet>
that will trigger a renewal, even though that domain is not visible in any VirtualHosts. Hope this helps.
I found a domain I could use to create yet another virtual host and sent the log to you. In the meantime, is there a way to edit the json files to convince mod_md that the certs are valid and it should leave the CA alone until renewal is up?
In the logs you provided I see that you have MDMustStaple on configured. This means that the CA should set this extension in the certificates it creates for you. However, the certificate Apache gets does not seem to have this set. Therefore, it tries again.
If you configure MDMustStaple off (or comment it out), the renewal attempts should stop.
Seems to work so far.
There it is: https://community.buypass.com/t/60h8l7f/support-for-ocsp-must-staple
This is a bug on their side. If a client submits a certificate request with must-staple set, they can deny it, but they should not pretend all is fine and issue a cert without it.
This makes Apache go into an endless loop until it hits their rate limit.
In that case, adding an appropriate error message like "MDMustStaple is not supported by this CA" would be an acceptable solution.
I agree, if the code could find out that this is the case and not an error on the CA side.
it could also just tell "generated certificate does not match expectations:
Yes. What I did already is to tell the reason why a renewal is done. So, in the future, one will see that a new cert is requested because the MustStaple is missing.
But you are right that a check on the retrieved cert with a proper error message would be good as well.
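The check discussed in the last few comments, written out as an added example; this is not mod_md's code and not from anyone in this thread. It assumes an `openssl` CLI of version 1.1.1 or newer (for `-addext`), creates two constructed self-signed demo certificates, one requested with the OCSP Must-Staple extension (the TLS Feature extension, `tlsfeature=status_request`) and one without, and then applies the same expectation an ACME client has to apply: if the configuration asks for Must-Staple (`MDMustStaple on`) but the certificate that came back lacks the extension, report a clear mismatch instead of silently requesting a new certificate. The function names (`has_must_staple`, `check_expectations`, `make_demo_cert`) are hypothetical.

```shell
#!/bin/sh
# Added example: verify that an issued certificate actually carries the
# OCSP Must-Staple (TLS Feature) extension that was requested.
# Assumes openssl >= 1.1.1 on PATH. Function names are hypothetical.

# Returns 0 if the PEM certificate in $1 carries the TLS Feature extension
# (OID 1.3.6.1.5.5.7.1.24, printed by openssl as "TLS Feature"), else 1.
has_must_staple() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "TLS Feature"
}

# Mirrors the expectation check an ACME client should make after issuance.
# $1 = certificate PEM, $2 = configured MDMustStaple value ("on" or "off").
# Returns 1 with a descriptive message when the CA ignored the request.
check_expectations() {
  cert="$1"
  want="$2"
  if [ "$want" = "on" ] && ! has_must_staple "$cert"; then
    echo "generated certificate does not match expectations: OCSP Must-Staple requested (MDMustStaple on) but missing from $cert; the CA does not honour it" >&2
    return 1
  fi
  return 0
}

# Constructed demo certificate: self-signed, P-256 key (mod_md's secp256r1),
# $1 = output PEM path, $2 = "yes" to request the Must-Staple extension.
make_demo_cert() {
  out="$1"
  ext=""
  [ "$2" = "yes" ] && ext="-addext tlsfeature=status_request"
  # shellcheck disable=SC2086  # $ext is intentionally word-split
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$out.key" -out "$out" -days 1 -subj "/CN=demo.example" $ext 2>/dev/null
}

# Stand-alone demo: one certificate per case, then the check for each.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/staple.pem" yes
make_demo_cert "$demo_dir/nostaple.pem" no
check_expectations "$demo_dir/staple.pem" on   && echo "staple.pem: ok (extension present)"
check_expectations "$demo_dir/nostaple.pem" on || echo "nostaple.pem: mismatch reported, renewal would loop"
```

Running the script prints one "ok" line for the certificate that carries the extension and one mismatch line for the one that does not. The same `has_must_staple` call can be pointed at a certificate already stored under `MDStoreDir` to confirm, before changing `MDMustStaple`, whether a CA honoured the request at all.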
I just got this error - but I don't have any setting for MustStaple....
I'll quickly try it again with that specifically turned off.
EDIT: It also seems like BuyPass doesn't support secp384r1 either.... So you have to specify secp256r1
I switched to the Test API URL listed above, and still get:
(22)Invalid argument: cert created without giving its location header
(22)Invalid argument: AH10056: processing <$domain>: (null)
I did eventually get a cert after what looked to be 4 attempts from the testing API.....
I went back to MDCertificateAuthority buypass - and I still get:
(70013)Missing parameter for the specified command line option: AH10056: processing $domain: Too many certificates issued already for requested domains
(70013)Missing parameter for the specified command line option: acme problem urn:ietf:params:acme:error:rateLimited: Too many certificates issued already for requested domains
The config I'm using:
MDBaseServer on
MDCertificateProtocol ACME
MDCAChallenges tls-alpn-01 http-01
MDDriveMode auto
#MDPrivateKeys RSA secp384r1
MDPrivateKeys RSA secp256r1
MDRenewWindow 33%
MDStoreDir md
#MDCertificateAuthority letsencrypt
MDCertificateAuthority buypass
MDRequireHttps permanent
MDCertificateAgreement accepted
MDMustStaple off
rateLimited: Too many certificates issued already for requested domains means that buypass refuses to give new certificates to you as you seem to have reached their rate limit.
They counted the previous attempts as successful. If you have just this one domain, you may try stopping your server, wipe the md directory and start again. This will then create a new account.
Yeah - I tried this by doing:
$ mv md md.old
$ systemctl restart httpd
wait 5-10 seconds
$ systemctl reload httpd
I think it keeps count of the domain name - cos I'm only testing them with the one system that has a single DNS name...
I tried this again with buypass today for the same domain.... It created the cert several times and still failed with:
[Sun Sep 24 00:09:35.210334 2023] [md:error] [pid 40123:tid 40126] (22)Invalid argument: cert created without giving its location header
[Sun Sep 24 00:09:35.211559 2023] [md:error] [pid 40123:tid 40126] (22)Invalid argument: AH10056: processing <domain>: (null)
[Sun Sep 24 00:09:52.422743 2023] [md:error] [pid 40464:tid 40469] (22)Invalid argument: cert created without giving its location header
[Sun Sep 24 00:09:52.424005 2023] [md:error] [pid 40464:tid 40469] (22)Invalid argument: AH10056: processing <domain>: (null)
[Sun Sep 24 00:10:10.475356 2023] [md:error] [pid 40769:tid 40772] (22)Invalid argument: cert created without giving its location header
[Sun Sep 24 00:10:10.477005 2023] [md:error] [pid 40769:tid 40772] (22)Invalid argument: AH10056: processing <domain>: (null)
[Sun Sep 24 00:10:34.505717 2023] [md:error] [pid 40769:tid 40772] (22)Invalid argument: cert created without giving its location header
[Sun Sep 24 00:10:34.507411 2023] [md:error] [pid 40769:tid 40772] (22)Invalid argument: AH10056: processing <domain>: (null)
[Sun Sep 24 00:11:26.607397 2023] [md:error] [pid 41162:tid 41165] (22)Invalid argument: cert created without giving its location header
[Sun Sep 24 00:11:26.609041 2023] [md:error] [pid 41162:tid 41165] (22)Invalid argument: AH10056: processing <domain>: (null)
[Sun Sep 24 00:11:40.319072 2023] [md:error] [pid 41162:tid 41165] (70013)Missing parameter for the specified command line option: AH10056: processing <domain>: Too many certificates issued already for requested domains
[Sun Sep 24 00:11:50.131992 2023] [md:error] [pid 41162:tid 41165] (70013)Missing parameter for the specified command line option: AH10056: processing <domain>: Too many certificates issued already for requested domains
This was with the following config:
MDBaseServer on
MDCertificateProtocol ACME
MDCAChallenges tls-alpn-01 http-01
MDDriveMode auto
#MDPrivateKeys RSA secp384r1
MDPrivateKeys RSA secp256r1
MDRenewWindow 33%
MDStoreDir md
#MDCertificateAuthority letsencrypt
MDCertificateAuthority buypass
MDRequireHttps permanent
MDCertificateAgreement accepted
MDMustStaple off