Walking chain fails - Problem connecting to server #293

Closed
opened 2025-12-29 01:21:20 +01:00 by adam · 6 comments

Originally created by @ccitro on GitHub (Mar 9, 2018).

Dehydrated is successfully creating the certificate for my domain, but is failing when attempting to create the fullchain file. This happens with both the staging and production environment of Letsencrypt. I'm using the script cloned from master (6e802ddc19).

Here is the relevant output from dehydrated (configured to use the staging CA in this case):

```
ERROR: Problem connecting to server (get for http://cert.stg-int-x1.letsencrypt.org/; curl returned with 51)
ERROR: Walking chain has failed, your certificate has been created and can be found at ...
```

I used openssl to verify the "CA Issuers" for certs coming from letsencrypt.

For the staging CA: `CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/`
For the production CA: `CA Issuers - URI:http://cert.int-x3.letsencrypt.org/`

The curl command that fails is (staging CA, in this case):

```
curl -4 -A "dehydr4ted/0.6.0 curl/7.58.0" -L -s -w "%{http_code}" -o "/tmp/dehydrated-HbaofE" -D "/tmp/dehydrated-hJegeK" "http://cert.int-x1.letsencrypt.org/"
```

If the command is run with the `-k` flag, the letsencrypt server is responding with 403. I'm not sure if this is an issue with how dehydrated is trying to walk the chain, or with how letsencrypt is issuing / serving the certs.

adam closed this issue 2025-12-29 01:21:20 +01:00

@cpu commented on GitHub (Mar 9, 2018):

@ccitro This is caused by an ongoing website incident: https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5aa2c4df1e024002287ebe57 Apologies.

@lukas2511 More generally, for ACMEv1 it would be preferable if Dehydrated fetched the issuer using the "up" `Link` header that's provided in the response from `new-cert` instead of pulling it out of the Certificate's AIA field. This is the more canonical ACME way of finding the issuer, and in this particular case would result in a URL that isn't affected by the website outage. For ACMEv2 it's a non-issue; the full chain is returned with the certificate.
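The approach @cpu describes, as an added example that is not part of dehydrated or of this thread: a small POSIX sh resolver that takes the issuer URL from the `rel="up"` `Link` header of the `new-cert` response (read from a curl `-D` header dump) and falls back to the leaf's AIA "CA Issuers" URI only when that header is absent. The ACME host, the `Location` value and the sample header dump are constructed placeholders.

```shell
#!/bin/sh
# Added example, not dehydrated's own code: resolve the ACMEv1 issuer URL the way
# @cpu suggests above, preferring the rel="up" Link header of the new-cert response
# and using the leaf's AIA "CA Issuers" URI only as a fallback.

# Print the URL from the first Link header carrying rel="up" in a curl -D header
# dump (CRLF line endings are fine). Returns 1 when no such header is present.
issuer_url_from_link_header() {
    link_url=$(grep -i '^Link:' "$1" | grep -i 'rel="up"' |
        sed -n 's/^[^:]*:[[:space:]]*<\([^>]*\)>.*/\1/p' | head -n 1)
    [ -n "$link_url" ] && printf '%s\n' "$link_url"
}

# Print the "CA Issuers - URI:" from `openssl x509 -noout -text` output on stdin,
# the field the original report's curl call was built from. Returns 1 if absent.
issuer_url_from_aia() {
    aia_url=$(sed -n 's/.*CA Issuers - URI:\(http[^[:space:]]*\).*/\1/p' | head -n 1)
    [ -n "$aia_url" ] && printf '%s\n' "$aia_url"
}

# Resolve the issuer URL for a leaf: $1 = header dump of the new-cert response,
# $2 = leaf certificate PEM, read with openssl only if the Link header is missing.
issuer_url() {
    issuer_url_from_link_header "$1" && return 0
    openssl x509 -in "$2" -noout -text 2>/dev/null | issuer_url_from_aia
}

# Constructed sample header dump; the host is a placeholder, not a real ACME endpoint.
sample_headers=$(mktemp)
cat >"$sample_headers" <<'EOF'
HTTP/1.1 201 Created
Content-Type: application/pkix-cert
Link: <https://acme.example.invalid/acme/issuer-cert>;rel="up"
Location: https://acme.example.invalid/acme/cert/constructed-id
EOF

# Constructed sample of the AIA section of openssl's text output.
sample_aia_text='            Authority Information Access:
                OCSP - URI:http://ocsp.example.invalid
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/'

echo "Link header issuer: $(issuer_url_from_link_header "$sample_headers")"
echo "AIA fallback issuer: $(printf '%s\n' "$sample_aia_text" | issuer_url_from_aia)"
rm -f "$sample_headers"
```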


@jasonbouffard commented on GitHub (Mar 9, 2018):

@cpu is there a workaround we can do to assemble the cert chain manually since we already have the certs in hand?


@cpu commented on GitHub (Mar 9, 2018):

@jasonbouffard If you want to assemble a chain by hand the Let's Encrypt Authority X3 certificate that is the issuer for end-entity certificates at the time of writing (09/03/2018) is:


@ghost commented on GitHub (Mar 11, 2018):

```
...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Walking chain...
  + ERROR: An error occurred while sending get-request to http://cert.int-x3.letsencrypt.org/ (Status 301)

Details:

ERROR: Walking chain has failed, your certificate has been created and can be found at /etc/dehydrated/certs/domain.com/cert-1520763845.pem, the corresponding private key at privkey-1520763845.pem. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under /etc/dehydrated/chains/4f06f81d.chain (see http://cert.int-x3.letsencrypt.org/)
```

As a workaround you could add the curl parameter `-L` in the dehydrated script. It seems curl is not following a redirect from http to https.

```
- statuscode="$(curl ${ip_version:-} ${CURL_OPTS} -s -w "%{http_code}" -o "${tempcont}" "${2}")"
+ statuscode="$(curl ${ip_version:-} ${CURL_OPTS} -L -s -w "%{http_code}" -o "${tempcont}" "${2}")"
```
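Review bot: `-L` makes curl follow whatever Location the server returns, including cross-host hops, and `%{http_code}` then reports only the final response, so the 301 above goes away but a redirect chain ending somewhere unexpected would still look like a clean 200; since `${2}` here is an http:// URL taken from the leaf's AIA field, `${tempcont}` should be checked to actually be the issuer of the certificate (its subject matching the leaf's issuer) before it is written to the chains/ cache. The master curl invocation quoted at the top of this issue already carries `-L`, which matches the later comment that this is fixed in master.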

https://github.com/lukas2511/dehydrated/blob/v0.5.0/dehydrated#L427


@txr13 commented on GitHub (Mar 11, 2018):

@bobcanthelpyou This is already fixed in master (see commit 7a0e71c).


@lukas2511 commented on GitHub (Mar 11, 2018):

This issue is kinda resolved and/or not really dehydrated specific. I opened #498 for a better approach of dealing with issues like this.

@cpu thanks, I created #497 and will probably implement this behaviour for the 0.6.1 release

Reference: starred/dehydrated#293