[ANNOUNCE] node-red-contrib-letsencrypt : beta version

Thanks!! It is updated now. Otherwise I could have called my node now the node-red-contrib-error-404 :shushing_face:

2 Likes

Installing in an Oracle Linux VM instance...

[image: certs]

node-RED log shows - Cannot find Acme Client node with id = 2e9616dc.9ec6e2

Node-RED version: v1.0.6
Node.js version: v10.20.1
Linux 4.14

Morning Paul,
It seemed it needed to be deployed before calling this server side functionality. However that is only required to create a subscriber account, not for a simple hash. It is now fixed on GitHub.

2 Likes

Yes that is now fixed.

However, I get a similar error when trying to Create Acme subscriber account. I get the pop-up asking to agree the terms, and when I agree, the node-RED log reports -

Cannot find Acme Client node with id = 2e9616dc.9ec6e2

Even when you have deployed your node first (as described in the popup)?

Yes. But I've found the problem. There was a format error in the Domain array (missing quote).
Corrected, and now the Acme account is successfully created.

And you don't see any visual indication of such an error?

I think it would be more user friendly to subscribe with the info on the screen, instead of with the deployed data?

Still having problems I'm afraid. When I request a certificate, I get;

[image: acmeerror]

and in the node-red log;

21 May 08:56:02 - [info] [aedes broker:41b47ed.32a568] Binding aedes mqtt server on port: 1883
21 May 08:56:02 - [info] Server now running at http://127.0.0.1:2086/
21 May 08:56:02 - [info] [mqtt-broker:9e0fbc51.f0a3e] Connected to broker: mqtt://140.238.65.67:1883
21 May 08:56:11 - [warn] [acme-client:Certificate Management] Acme warning message = dns-01 challenge's `propagationDelay` not set, defaulting to 5000ms status =
21 May 08:56:12 - [error] [acme-client:Certificate Management] Error in CREATE_CERTIFICATE : Error: HTTPError: Response code 400 (Bad Request)

It's worth pointing out that I don't already have any certificates in my server. Do I need to create dummy ones?

The domain being used is a sub domain.

No, when the private key setting is "use or create private key" then everything should be set up automatically...

Will need to debug this. Is there a simple and quick way for me to set up and test a Cloudflare connection tonight? Would be nice if I don't have to dig through 20 manuals... Or send me a private message if you like ... Thanks!

Yes, sure. I'll PM you the necessary later today.

1 Like

Is anyone successfully using this with Cloudflare? The DNS challenge is failing for me.

API token or Key?

Cloudflare API token, set up as per https://certbot-dns-cloudflare.readthedocs.io/en/stable/

There are access issues with the Token - what error do you get? I had to do something really odd to get it through the security model but I can't find what I did. They changed something as it stopped working. Basically you need to give the token access to everything.

When I request a renewal, it appears to be making an attempt, but then I get this in the debug;
(NOTE, this is copied from an earlier DM, hence the date/times show 21 May - but just tried again & get the same result)

[image: acmeerror]

and this in the node-RED log;

21 May 11:49:09 - [info] [aedes broker:41b47ed.32a568] Binding aedes mqtt server on port: 1883
21 May 11:49:09 - [info] Server now running at http://127.0.0.1:2086/
21 May 11:49:09 - [info] [mqtt-broker:9e0fbc51.f0a3e] Connected to broker: mqtt://140.238.65.67:1883
21 May 11:49:25 - [warn] [acme-client:Certificate Management] Acme warning message = dns-01 challenge's `propagationDelay` not set, defaulting to 5000ms status =
21 May 11:49:31 - [info] [acme-client:Certificate Management] Acme certificate_order message =  status =
Error: DNS record deletion not yet propagated for _greenlock-dryrun-10495c40.firstimage.digitalnut.co.uk
at Function.verifyPropagation (/home/opc/.node-red/node_modules/acme-dns-01-cloudflare/index.js:139:13)
Waiting for 10000 ms before attempting propagation verification retry 1 / 30.
21 May 11:49:33 - [info] [acme-client:Certificate Management] Acme challenge_select message =  status =
21 May 11:49:33 - [info] [acme-client:Certificate Management] Acme _challenge_select message =  status =
21 May 11:49:39 - [error] [acme-client:Certificate Management] Error in CREATE_CERTIFICATE : Error: queryTxt ENOTFOUND _acme-challenge.firstimage.digitalnut.co.uk
{ Error: queryTxt ENOTFOUND _acme-challenge.firstimage.digitalnut.co.uk
at QueryReqWrap.onresolve [as oncomplete] (dns.js:196:19)
errno: 'ENOTFOUND',
code: 'ENOTFOUND',
syscall: 'queryTxt',
hostname: '_acme-challenge.firstimage.digitalnut.co.uk' }
Waiting for 10000 ms before attempting propagation verification retry 1 / 30.
Error: DNS record deletion not yet propagated for _greenlock-dryrun-10495c40.firstimage.digitalnut.co.uk
at Function.verifyPropagation (/home/opc/.node-red/node_modules/acme-dns-01-cloudflare/index.js:139:13)
Waiting for 10000 ms before attempting propagation verification retry 2 / 30.
{ Error: queryTxt ENOTFOUND _acme-challenge.firstimage.digitalnut.co.uk
at QueryReqWrap.onresolve [as oncomplete] (dns.js:196:19)
errno: 'ENOTFOUND',
code: 'ENOTFOUND',

I've googled the error, which brought me to this issue, and perhaps a workaround by changing the waitFor option to 20000.
I attempted to change Bart's code to increase the waitFor time to 20 seconds, but still did not work.

Hi Paul,
I didn't have time yet to investigate this problem with Cloudflare.
But could we continue this discussion in the LetsEncrypt topic, otherwise your issue is split across two topics. And since it is not related to this automatic certificate renewal pull request, it might be confusing for people reading in this topic...
Thanks!

I was intending to move it. Honest :grinning:

1 Like

I was using certbot so the error is different but I found I needed to set wide permissions for the API Token to work with the HA LetsEncrypt addon (https://community.cloudflare.com/t/unable-to-determine-zone-id/169111/2). The Key worked fine previously.

The 'normal' certbot wait is 30s IIRC.

Thanks Brian.
@BartButenaers has just updated the node-package, which appears to include a fix in the acme-dns-01-cloudflare node dependency.
I've just tried it, and despite a few false starts, it has obtained the certificates OK.

Paul

1 Like
