"TOS hash mismatch" when using acme / simp_le / letsencrypt

[ryantrinkle]

Issue description

ACME certificates cannot be provisioned automatically, even though letsencrypt run in manual mode succeeds.

Aug 02 18:33:38 lanehoney.com acme-lanehoney.com-start[31014]: 2016-08-02 18:33:38,918:DEBUG:simp_le:1237: TOS hash: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
Aug 02 18:33:38 lanehoney.com acme-lanehoney.com-start[31014]: TOS hash mismatch. Found: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221.

Steps to reproduce

This seems to occur whenever allocating a new certificate, and possibly when renewing one.

Technical details

• System: 16.09.git.982be4d (Flounder)
• Nix version: nix-env (Nix) 1.11.2
• Nixpkgs version: "16.03.1168.44b1d6b"

[ryantrinkle]

@fpletz @abbradar @bobvanderlinden Hi guys; if any of you know what's going on here, it'd be greatly appreciated. From what I can tell, the Terms of Service are out of date for nixpkgs's version of letsencrypt - and this makes the service pretty much unusable. If you have any ideas about how we can fix this, I'll be happy to investigate further and make a fix.

[fpletz]

Luckily only happens when creating a new account, so renews are not affected. Thanks for reporting. Fixed. 🍻

[ryantrinkle]

@fpletz Awesome; thanks for the very fast fix!

I'm wondering if there's a more permanent way to solve this - being unable to deploy new servers whenever letsencrypt releases a new TOS seems a bit fragile. Maybe we could add a configuration option to set the TOS hash on the command line when invoking simp_le?

[fpletz]

That's a good idea. Also as we're right before releasing 16.09 we should add that option before the release so NixOS users can easily update the hash themselves if needed.

[dsferruzza]

Hi!

Even if the new configuration option to set the TOSH hash would only appear in 16.09 (makes sense, it's a new feature), is the hash fix (1cd2ac8) going to reach 16.03?
It doesn't seem to be there for now: https://github.com/NixOS/nixpkgs/blob/release-16.03/pkgs/tools/admin/simp_le/default.nix

[fpletz]

@dsferruzza Thanks for the reminder. I'll look at it. The only potential problem is that simp_le is at another version in 16.03. The patch should apply cleanly, though.

[dsferruzza]

@fpletz any news?

If someone need a fix, just add the following snippet to your configuration to override the simp_le package with a patched one:

# Fix simp_le (see https://github.com/NixOS/nixpkgs/issues/17455)
nixpkgs.config.packageOverrides = pkgs: rec {
  simp_le = pkgs.simp_le.overrideDerivation (oldAttrs: {
    patches = [
    (pkgs.fetchpatch {
      url = "https://github.com/kuba/simp_le/commit/4bc788fdd611c4118c3f86b5f546779723aca5a7.patch";
      sha256 = "0036p11qn3plydv5s5z6i28r6ihy1ipjl0y8la0izpkiq273byfc";
    })
    ];
  });
};

Then you can use the security.acme options as usual!

But I hope the patch will soon be available in 16.03 :)

[fpletz]

@dsferruzza Ah, thanks for testing that! In that case I'll simply backport that patch.

[fpletz]

Ok, backported. Will be in the 16.03 channel soon.

I'll keep this issue open because I want an to add an option for 16.09 to specify the TOS hash in the security.acme module.

[dsferruzza]

Confirmed to work on 16.03! Thanks a lot!

[grahamc]

@fpletz are you still planning on doing this in time for 16.09?

[domenkozar]

@fpletz what are actionables here for 16.09?

[fpletz]

We won't implement this for now because we need to replace simp_le anyway.

[domenkozar]

This is happening again?

[domenkozar]

zenhack/simp_le@48b406f

[elitak]

That fix worked for me. I've no idea if it breaks anything else for others.