accountDoesNotExist error #211

Closed
HenriWahl opened this issue Feb 27, 2025 · 24 comments
Labels
bug Something isn't working

Comments

@HenriWahl

Hi @grindsa,

I am not sure if this is a bug or a config issue, but the config did not change so I am somehow lost with debugging.

acme2certifier is used in a setup where a bunch of traefik instances contact it to get certificates from a mscertsrv server. It worked flawlessly, but for some weeks now some of the traefik instances have been receiving this error:

urn:ietf:params:acme:error:accountDoesNotExist

instead of certificates.

The acme2certifier side logs:

acmeserver-1  | _config_load()
acmeserver-1  | Helper.error_dict_get()
acmeserver-1  | Order._config_load()
acmeserver-1  | Order._config_orderconfig_load()
acmeserver-1  | Order._config_orderconfig_load() ended
acmeserver-1  | Order._config_headerinfo_config_load()
acmeserver-1  | Order._config_headerinfo_config_load() ended
acmeserver-1  | Order._config_load() ended.
acmeserver-1  | Order.new()
acmeserver-1  | Message.check()
acmeserver-1  | Helper.decode_message()
acmeserver-1  | Message._check()
acmeserver-1  | Nonce.check_nonce()
acmeserver-1  | Nonce.nonce._check_and_delete(642cf5cfed8f4f5d90dfcc982cc6ac06)
acmeserver-1  | DBStore.nonce_check(642cf5cfed8f4f5d90dfcc982cc6ac06)
acmeserver-1  | DBStore.nonce_check() ended
acmeserver-1  | DBStore.nonce_delete(642cf5cfed8f4f5d90dfcc982cc6ac06)
acmeserver-1  | DBStore.nonce_delete() ended
acmeserver-1  | Nonce._check_and_delete() ended with:200
acmeserver-1  | Nonce.check_nonce() ended with:200
acmeserver-1  | Message._name_get()
acmeserver-1  | kid: http://acmeserver.local/acme/acct/8CBXS0Xp91cD
acmeserver-1  | Message._name_get() returns: None
acmeserver-1  | Helper.error_dict_get()
acmeserver-1  | Signature.check(None)
acmeserver-1  | Signature.check() ended with: False:urn:ietf:params:acme:error:accountDoesNotExist
acmeserver-1  | Message._check() ended with: 403
acmeserver-1  | Message.check() ended with:403
acmeserver-1  | Message.prepare_response()
acmeserver-1  | Nonce.nonce_generate_and_add()
acmeserver-1  | Nonce.nonce__new()
acmeserver-1  | got nonce: 056785f19cd64d2a99cbd4c996ec63b9
acmeserver-1  | DBStore.nonce_add(056785f19cd64d2a99cbd4c996ec63b9)
acmeserver-1  | DBStore.nonce_add() ended
acmeserver-1  | Nonce.generate_and_add() ended with:056785f19cd64d2a99cbd4c996ec63b9
acmeserver-1  | Order.new() returns: {"code": 403, "header": {"Replay-Nonce": "056785f19cd64d2a99cbd4c996ec63b9"}, "data": {"status": 403, "type": "urn:ietf:params:acme:error:accountDoesNotExist"}}

In my opinion things went wrong since the Signature.check(None) line. I did some debugging and found the aname actually being None. When everything worked, aname is something like ZFOCCn83hpjV.
Do you have any hint where I could check more or what could be the cause?

Best regards
Henri
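
A triage sketch for traces like the ones in this thread, added here as an example (not acme2certifier code and not written by anyone in the thread): it splits `accountDoesNotExist` rejections into the case where `Message._name_get()` returns `None` and the case where a name is resolved but `DBStore._account_search()` finds nothing, and records whether `DBStore._db_create()` was logged earlier in the same capture. The sample lines, host name and account IDs are constructed, and the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the two trace formats seen in this issue
# (plain container output and Apache/mod_wsgi-prefixed output). Values are made up.
SAMPLE_LOG = """\
acmeserver-1  | Order.new()
acmeserver-1  | Nonce.check_nonce() ended with:200
acmeserver-1  | Message._name_get()
acmeserver-1  | kid: http://acme.example/acme/acct/AAAAexample1
acmeserver-1  | Message._name_get() returns: None
acmeserver-1  | Signature.check(None)
acmeserver-1  | Signature.check() ended with: False:urn:ietf:params:acme:error:accountDoesNotExist
acmeserver-1  | Order.new() returns: {"code": 403}
acme-1  | 2025-01-01T00:00:00Z DBStore._db_create(/var/www/acme2certifier/acme_srv/acme_srv.db)
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] Order.new()
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] content: {'alg': 'RS256', 'kid': 'http://acme.example/acme/acct/BBBBexample2'}
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] kid: http://acme.example/acme/acct/BBBBexample2
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] kid: BBBBexample2
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] Message._name_get() returns: BBBBexample2
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] DBStore._account_search() ended with: False
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] Signature.check() ended with: False:urn:ietf:params:acme:error:accountDoesNotExist
acme-1  | 2025-01-01T00:00:05Z [wsgi:error] [pid 21:tid 111] [remote 192.0.2.10:40000] Order.new() returns: {"code": 403}
"""

ERR = "urn:ietf:params:acme:error:accountDoesNotExist"
RE_TID = re.compile(r"\btid (\d+)\]")
RE_START = re.compile(r"Order\.new\(\)\s*$")
RE_END = re.compile(r"Order\.new\(\) returns: ")
RE_KID = re.compile(r"\bkid: (https?://\S+)")
RE_NAME = re.compile(r"Message\._name_get\(\) returns: (\S+)")
RE_SEARCH = re.compile(r"DBStore\._account_search\(\) ended with: (\S+)")
RE_DBCREATE = re.compile(r"DBStore\._db_create\(")


@dataclass
class Finding:
    kid: Optional[str] = None             # full account URL sent by the client
    name: Optional[str] = None            # account name derived from the kid
    account_found: Optional[bool] = None  # None when no DB lookup was logged
    rejected: bool = False                # request ended in accountDoesNotExist
    db_created_earlier: bool = False      # _db_create() logged before this request

    @property
    def verdict(self) -> str:
        if not self.rejected:
            return "ok"
        if self.name is None:
            return "kid-not-resolved"     # lookup never reached the account table
        if self.account_found is False:
            return "account-not-in-db"    # name parsed, but no matching row
        return "other"


def triage(log_text: str) -> List[Finding]:
    """Group trace lines per Order.new() call and classify each rejection."""
    open_reqs: Dict[str, Finding] = {}    # keyed by thread id ("" if not logged)
    done: List[Finding] = []
    db_created = False
    for line in log_text.splitlines():
        if RE_DBCREATE.search(line):
            db_created = True
            continue
        m = RE_TID.search(line)
        tid = m.group(1) if m else ""
        if RE_START.search(line):
            open_reqs[tid] = Finding(db_created_earlier=db_created)
            continue
        req = open_reqs.get(tid)
        if req is None:
            continue                      # line outside any Order.new() call
        if (m := RE_KID.search(line)):
            req.kid = m.group(1)
        elif (m := RE_NAME.search(line)):
            req.name = None if m.group(1) == "None" else m.group(1)
        elif (m := RE_SEARCH.search(line)):
            req.account_found = m.group(1) != "False"
        elif ERR in line and "Signature.check()" in line:
            req.rejected = True
        elif RE_END.search(line):
            done.append(open_reqs.pop(tid))
    return done


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.verdict, f.kid, "db created earlier:", f.db_created_earlier)
```
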

@grindsa grindsa added the bug Something isn't working label Feb 27, 2025
@grindsa
Owner

grindsa commented Feb 27, 2025

Hi,

This is an interesting problem. The function to look up the account name from "http://acmeserver.local/acme/acct/8CBXS0Xp91cD" fails for some reason. Unfortunately, I am not sure of the cause. To gain further insight, I can provide a debug build. Could you please let me know which version of acme2certifier you are using? Additionally, could you describe your deployment method (e.g., container, RPM, DEB, manual)? If you are using the a2c container, please specify the container name.

Thank you,
/G.

@HenriWahl
Author

Hi @grindsa,

thanks for your fast reply. I use 0.36 as Docker image from Dockerhub: grindsa/acme2certifier:0.36-nginx-wsgi

@HenriWahl
Author

If you need it for debugging I could send you some payload.

@grindsa
Owner

grindsa commented Feb 28, 2025

Hi,

thanks. I created a debug build which can be downloaded from dockerhub by using docker pull grindsa/acme2certifier:aname_dbg. Can you please use this image, replicate the issue and share the logs?

@arp-mbender

arp-mbender commented Feb 28, 2025

I've just noticed the same issue, also related to traefik usage under the hood. I'm going to check with an older traefik version just to verify if that's not the cause.

EDIT: Downgrading traefik did not solve the issue. So it might be something inside acme2certifier or Windows itself (after a recent update).

@HenriWahl
Author

@arp-mbender I also tried some older versions of traefik with the same result. The strange thing is that it sometimes works and sometimes doesn't.

@grindsa
Owner

grindsa commented Feb 28, 2025

@HenriWahl: sorry, the debug image was built for the wrong httpd (apache2 instead of nginx). Can you please try again?

@HenriWahl
Author

HenriWahl commented Feb 28, 2025

@grindsa now I have logs:

acme-1  | 2025-02-28T13:03:27.122811208Z no acme_srv.cfg found! creating acme_srv.cfg
acme-1  | 2025-02-28T13:03:27.126204266Z no ca_handler.py found! creating from skeleton_ca_handler.py
acme-1  | 2025-02-28T13:03:27.128157912Z ln: failed to create symbolic link '/var/www/acme2certifier/acme_srv/acme_srv.cfg': File exists
acme-1  | 2025-02-28T13:03:27.129114197Z chown: warning: '.' should be ':': 'www-data.www-data'
acme-1  | 2025-02-28T13:03:27.344125469Z DBStore._db_create(/var/www/acme2certifier/acme_srv/acme_srv.db)
acme-1  | 2025-02-28T13:03:27.344158150Z create nonce
acme-1  | 2025-02-28T13:03:27.359894511Z create account
acme-1  | 2025-02-28T13:03:27.368216298Z create cliaccount
acme-1  | 2025-02-28T13:03:27.376408852Z create status
acme-1  | 2025-02-28T13:03:27.384930133Z create orders
acme-1  | 2025-02-28T13:03:27.385191844Z create authorization
acme-1  | 2025-02-28T13:03:27.385420603Z create challenge
acme-1  | 2025-02-28T13:03:27.385681813Z create certificate
acme-1  | 2025-02-28T13:03:27.394558912Z DBStore._db_create() ended
acme-1  | 2025-02-28T13:03:27.394574942Z DBStore.db_update()
acme-1  | 2025-02-28T13:03:27.394856501Z DBStore._db_update_certificate()
acme-1  | 2025-02-28T13:03:27.395239189Z DBStore._db_update_status()
acme-1  | 2025-02-28T13:03:27.395390673Z DBStore._db_update_certificate()
acme-1  | 2025-02-28T13:03:27.395502483Z DBStore._db_update_account()
acme-1  | 2025-02-28T13:03:27.395601809Z DBStore._db_update_orders()
acme-1  | 2025-02-28T13:03:27.395698050Z DBStore._db_update_authorization()
acme-1  | 2025-02-28T13:03:27.395809629Z DBStore._db_update_housekeeping()
acme-1  | 2025-02-28T13:03:27.395974238Z DBStore._db_update_cahandler()
acme-1  | 2025-02-28T13:03:27.396085277Z DBStore._db_update_cliaccount()
acme-1  | 2025-02-28T13:03:27.396195363Z update dbversion to 0.33.2
acme-1  | 2025-02-28T13:03:27.401510528Z DBStore.db_update() ended
acme-1  | 2025-02-28T13:03:27.451183204Z AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.16.5.2. Set the 'ServerName' directive globally to suppress this message
acme-1  | 2025-02-28T13:03:27.457868740Z AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.16.5.2. Set the 'ServerName' directive globally to suppress this message
acme-1  | 2025-02-28T13:03:27.460182642Z [Fri Feb 28 13:03:27.460039 2025] [mpm_event:notice] [pid 20:tid 123309876184960] AH00489: Apache/2.4.58 (Ubuntu) OpenSSL/3.0.13 mod_wsgi/5.0.0 Python/3.12 configured -- resuming normal operations
acme-1  | 2025-02-28T13:03:27.460196999Z [Fri Feb 28 13:03:27.460103 2025] [core:notice] [pid 20:tid 123309876184960] AH00094: Command line: '/usr/sbin/apache2 -D FOREGROUND'
acme-1  | 2025-02-28T13:03:42.875571973Z [Fri Feb 28 13:03:42.875408 2025] [wsgi:error] [pid 21:tid 123309832275648] _config_load()
acme-1  | 2025-02-28T13:03:42.875877696Z [Fri Feb 28 13:03:42.875612 2025] [wsgi:error] [pid 21:tid 123309832275648] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.875889218Z [Fri Feb 28 13:03:42.875637 2025] [wsgi:error] [pid 21:tid 123309832275648] Housekeeping._config_load()
acme-1  | 2025-02-28T13:03:42.876062012Z [Fri Feb 28 13:03:42.875959 2025] [wsgi:error] [pid 21:tid 123309832275648] Housekeeping.dbversion_check(0.33.2)
acme-1  | 2025-02-28T13:03:42.876069025Z [Fri Feb 28 13:03:42.875996 2025] [wsgi:error] [pid 21:tid 123309832275648] DBStore.dbversion_get()
acme-1  | 2025-02-28T13:03:42.876572460Z [Fri Feb 28 13:03:42.876488 2025] [wsgi:error] [pid 21:tid 123309832275648] DBStore.dbversion_get() ended with 0.33.2
acme-1  | 2025-02-28T13:03:42.876588049Z [Fri Feb 28 13:03:42.876511 2025] [wsgi:error] [pid 21:tid 123309832275648] acme2certifier database version: 0.33.2 is upto date
acme-1  | 2025-02-28T13:03:42.876982630Z [Fri Feb 28 13:03:42.876905 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Directory._config_load()
acme-1  | 2025-02-28T13:03:42.876991647Z [Fri Feb 28 13:03:42.876933 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] load_config(Directory:/var/www/acme2certifier/acme_srv/acme_srv.cfg)
acme-1  | 2025-02-28T13:03:42.877203444Z [Fri Feb 28 13:03:42.877155 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Directory._config_load() ended
acme-1  | 2025-02-28T13:03:42.877228762Z [Fri Feb 28 13:03:42.877194 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] 10.10.10.10 / 
acme-1  | 2025-02-28T13:03:42.877237789Z [Fri Feb 28 13:03:42.877213 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Directory.directory_get()
acme-1  | 2025-02-28T13:03:42.880268085Z [Fri Feb 28 13:03:42.880217 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.nonce_generate_and_add()
acme-1  | 2025-02-28T13:03:42.880276982Z [Fri Feb 28 13:03:42.880245 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.nonce__new()
acme-1  | 2025-02-28T13:03:42.880297060Z [Fri Feb 28 13:03:42.880271 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] got nonce: d4ebf71a3d3c46c59471a83d268fce43
acme-1  | 2025-02-28T13:03:42.880306668Z [Fri Feb 28 13:03:42.880287 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_add(d4ebf71a3d3c46c59471a83d268fce43)
acme-1  | 2025-02-28T13:03:42.893895649Z [Fri Feb 28 13:03:42.893818 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_add() ended
acme-1  | 2025-02-28T13:03:42.893927689Z [Fri Feb 28 13:03:42.893864 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.generate_and_add() ended with:d4ebf71a3d3c46c59471a83d268fce43
acme-1  | 2025-02-28T13:03:42.905632965Z [Fri Feb 28 13:03:42.905500 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] _config_load()
acme-1  | 2025-02-28T13:03:42.906057231Z [Fri Feb 28 13:03:42.905930 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.906069524Z [Fri Feb 28 13:03:42.905979 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_load()
acme-1  | 2025-02-28T13:03:42.906485275Z [Fri Feb 28 13:03:42.906368 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_orderconfig_load()
acme-1  | 2025-02-28T13:03:42.906497518Z [Fri Feb 28 13:03:42.906406 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_orderconfig_load() ended
acme-1  | 2025-02-28T13:03:42.906503289Z [Fri Feb 28 13:03:42.906432 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_headerinfo_config_load()
acme-1  | 2025-02-28T13:03:42.906599800Z [Fri Feb 28 13:03:42.906458 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_headerinfo_config_load() ended
acme-1  | 2025-02-28T13:03:42.906611271Z [Fri Feb 28 13:03:42.906494 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_load() ended.
acme-1  | 2025-02-28T13:03:42.906644864Z [Fri Feb 28 13:03:42.906582 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order.new()
acme-1  | 2025-02-28T13:03:42.906703093Z [Fri Feb 28 13:03:42.906648 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message.check()
acme-1  | 2025-02-28T13:03:42.906710568Z [Fri Feb 28 13:03:42.906679 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Helper.decode_message()
acme-1  | 2025-02-28T13:03:42.907098405Z [Fri Feb 28 13:03:42.907056 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._check()
acme-1  | 2025-02-28T13:03:42.907118413Z [Fri Feb 28 13:03:42.907094 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.check_nonce()
acme-1  | 2025-02-28T13:03:42.907160091Z [Fri Feb 28 13:03:42.907129 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.nonce._check_and_delete(d4ebf71a3d3c46c59471a83d268fce43)
acme-1  | 2025-02-28T13:03:42.907191911Z [Fri Feb 28 13:03:42.907161 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_check(d4ebf71a3d3c46c59471a83d268fce43)
acme-1  | 2025-02-28T13:03:42.907889039Z [Fri Feb 28 13:03:42.907844 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_check() ended
acme-1  | 2025-02-28T13:03:42.907937981Z [Fri Feb 28 13:03:42.907896 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_delete(d4ebf71a3d3c46c59471a83d268fce43)
acme-1  | 2025-02-28T13:03:42.914053668Z [Fri Feb 28 13:03:42.914003 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_delete() ended
acme-1  | 2025-02-28T13:03:42.914141993Z [Fri Feb 28 13:03:42.914106 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce._check_and_delete() ended with:200
acme-1  | 2025-02-28T13:03:42.914168413Z [Fri Feb 28 13:03:42.914137 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.check_nonce() ended with:200
acme-1  | 2025-02-28T13:03:42.914193660Z [Fri Feb 28 13:03:42.914162 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._name_get()
acme-1  | 2025-02-28T13:03:42.914238464Z [Fri Feb 28 13:03:42.914199 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] content: {'alg': 'RS256', 'kid': 'http://acme.server.local/acme/acct/cA9IHFlCrm6e', 'nonce': 'd4ebf71a3d3c46c59471a83d268fce43', 'url': 'http://acme.server.local/acme/neworders'}
acme-1  | 2025-02-28T13:03:42.914260576Z [Fri Feb 28 13:03:42.914227 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] kid: http://acme.server.local/acme/acct/cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.914275965Z [Fri Feb 28 13:03:42.914250 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] server_name: http://acme.server.local
acme-1  | 2025-02-28T13:03:42.914302184Z [Fri Feb 28 13:03:42.914272 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] acct_path: /acme/acct/
acme-1  | 2025-02-28T13:03:42.914315840Z [Fri Feb 28 13:03:42.914297 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] kid: cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.914347930Z [Fri Feb 28 13:03:42.914320 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._name_get() returns: cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.914721020Z [Fri Feb 28 13:03:42.914685 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.915048885Z [Fri Feb 28 13:03:42.914979 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Signature.check(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.915061319Z [Fri Feb 28 13:03:42.915010 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] check signature against account key
acme-1  | 2025-02-28T13:03:42.915070937Z [Fri Feb 28 13:03:42.915036 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Signature._jwk_load(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.915089672Z [Fri Feb 28 13:03:42.915061 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.jwk_load(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.915102636Z [Fri Feb 28 13:03:42.915085 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore._account_search(column:name, pattern:cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.915743168Z [Fri Feb 28 13:03:42.915669 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore._account_search() ended with: False
acme-1  | 2025-02-28T13:03:42.915762665Z [Fri Feb 28 13:03:42.915710 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.jwk_load() ended with: {}
acme-1  | 2025-02-28T13:03:42.915769718Z [Fri Feb 28 13:03:42.915739 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Signature.check() ended with: False:urn:ietf:params:acme:error:accountDoesNotExist
acme-1  | 2025-02-28T13:03:42.915831434Z [Fri Feb 28 13:03:42.915768 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._check() ended with: 403
acme-1  | 2025-02-28T13:03:42.915839459Z [Fri Feb 28 13:03:42.915796 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message.check() ended with:403
acme-1  | 2025-02-28T13:03:42.915848255Z [Fri Feb 28 13:03:42.915822 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message.prepare_response()
acme-1  | 2025-02-28T13:03:42.915872100Z [Fri Feb 28 13:03:42.915850 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.nonce_generate_and_add()
acme-1  | 2025-02-28T13:03:42.915908007Z [Fri Feb 28 13:03:42.915889 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.nonce__new()
acme-1  | 2025-02-28T13:03:42.916004098Z [Fri Feb 28 13:03:42.915938 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] got nonce: 2cfa2d514150498e9a7494eb89b0fdbd
acme-1  | 2025-02-28T13:03:42.916051948Z [Fri Feb 28 13:03:42.916000 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_add(2cfa2d514150498e9a7494eb89b0fdbd)
acme-1  | 2025-02-28T13:03:42.922250720Z [Fri Feb 28 13:03:42.922183 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_add() ended
acme-1  | 2025-02-28T13:03:42.922282750Z [Fri Feb 28 13:03:42.922246 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.generate_and_add() ended with:2cfa2d514150498e9a7494eb89b0fdbd
acme-1  | 2025-02-28T13:03:42.922377889Z [Fri Feb 28 13:03:42.922327 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order.new() returns: {"code": 403, "header": {"Replay-Nonce": "2cfa2d514150498e9a7494eb89b0fdbd"}, "data": {"status": 403, "type": "urn:ietf:params:acme:error:accountDoesNotExist"}}
acme-1  | 2025-02-28T13:03:42.922569138Z [Fri Feb 28 13:03:42.922486 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] 10.10.10.10 /acme/neworders {'code': 403, 'header': {'Replay-Nonce': '- modified -'}, 'data': {'status': 403, 'type': 'urn:ietf:params:acme:error:accountDoesNotExist'}}
acme-1  | 2025-02-28T13:03:42.934752591Z [Fri Feb 28 13:03:42.934666 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] _config_load()
acme-1  | 2025-02-28T13:03:42.935117596Z [Fri Feb 28 13:03:42.935035 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.935140119Z [Fri Feb 28 13:03:42.935082 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order._config_load()
acme-1  | 2025-02-28T13:03:42.935484615Z [Fri Feb 28 13:03:42.935415 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order._config_orderconfig_load()
acme-1  | 2025-02-28T13:03:42.935491488Z [Fri Feb 28 13:03:42.935453 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order._config_orderconfig_load() ended
acme-1  | 2025-02-28T13:03:42.935500705Z [Fri Feb 28 13:03:42.935479 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order._config_headerinfo_config_load()
acme-1  | 2025-02-28T13:03:42.935545700Z [Fri Feb 28 13:03:42.935505 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order._config_headerinfo_config_load() ended
acme-1  | 2025-02-28T13:03:42.935577269Z [Fri Feb 28 13:03:42.935542 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order._config_load() ended.
acme-1  | 2025-02-28T13:03:42.935685282Z [Fri Feb 28 13:03:42.935611 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order.new()
acme-1  | 2025-02-28T13:03:42.935697735Z [Fri Feb 28 13:03:42.935656 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message.check()
acme-1  | 2025-02-28T13:03:42.935715549Z [Fri Feb 28 13:03:42.935682 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Helper.decode_message()
acme-1  | 2025-02-28T13:03:42.936161816Z [Fri Feb 28 13:03:42.936129 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message._check()
acme-1  | 2025-02-28T13:03:42.936198174Z [Fri Feb 28 13:03:42.936165 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.check_nonce()
acme-1  | 2025-02-28T13:03:42.936232869Z [Fri Feb 28 13:03:42.936200 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.nonce._check_and_delete(2cfa2d514150498e9a7494eb89b0fdbd)
acme-1  | 2025-02-28T13:03:42.936264839Z [Fri Feb 28 13:03:42.936233 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_check(2cfa2d514150498e9a7494eb89b0fdbd)
acme-1  | 2025-02-28T13:03:42.937019465Z [Fri Feb 28 13:03:42.936967 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_check() ended
acme-1  | 2025-02-28T13:03:42.937073727Z [Fri Feb 28 13:03:42.937026 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_delete(2cfa2d514150498e9a7494eb89b0fdbd)
acme-1  | 2025-02-28T13:03:42.943272139Z [Fri Feb 28 13:03:42.943224 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_delete() ended
acme-1  | 2025-02-28T13:03:42.943299751Z [Fri Feb 28 13:03:42.943268 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce._check_and_delete() ended with:200
acme-1  | 2025-02-28T13:03:42.943336891Z [Fri Feb 28 13:03:42.943296 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.check_nonce() ended with:200
acme-1  | 2025-02-28T13:03:42.943356407Z [Fri Feb 28 13:03:42.943321 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message._name_get()
acme-1  | 2025-02-28T13:03:42.943371195Z [Fri Feb 28 13:03:42.943350 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] content: {'alg': 'RS256', 'kid': 'http://acme.server.local/acme/acct/cA9IHFlCrm6e', 'nonce': '2cfa2d514150498e9a7494eb89b0fdbd', 'url': 'http://acme.server.local/acme/neworders'}
acme-1  | 2025-02-28T13:03:42.943409166Z [Fri Feb 28 13:03:42.943377 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] kid: http://acme.server.local/acme/acct/cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.943433542Z [Fri Feb 28 13:03:42.943402 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] server_name: http://acme.server.local
acme-1  | 2025-02-28T13:03:42.943453600Z [Fri Feb 28 13:03:42.943424 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] acct_path: /acme/acct/
acme-1  | 2025-02-28T13:03:42.943470482Z [Fri Feb 28 13:03:42.943449 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] kid: cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.943535714Z [Fri Feb 28 13:03:42.943472 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message._name_get() returns: cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.943855324Z [Fri Feb 28 13:03:42.943821 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.944153964Z [Fri Feb 28 13:03:42.944122 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Signature.check(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.944177839Z [Fri Feb 28 13:03:42.944154 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] check signature against account key
acme-1  | 2025-02-28T13:03:42.944208637Z [Fri Feb 28 13:03:42.944181 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Signature._jwk_load(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.944229907Z [Fri Feb 28 13:03:42.944207 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.jwk_load(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.944259702Z [Fri Feb 28 13:03:42.944230 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore._account_search(column:name, pattern:cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.944804886Z [Fri Feb 28 13:03:42.944767 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore._account_search() ended with: False
acme-1  | 2025-02-28T13:03:42.944837867Z [Fri Feb 28 13:03:42.944809 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.jwk_load() ended with: {}
acme-1  | 2025-02-28T13:03:42.944867944Z [Fri Feb 28 13:03:42.944838 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Signature.check() ended with: False:urn:ietf:params:acme:error:accountDoesNotExist
acme-1  | 2025-02-28T13:03:42.944892440Z [Fri Feb 28 13:03:42.944865 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message._check() ended with: 403
acme-1  | 2025-02-28T13:03:42.944918268Z [Fri Feb 28 13:03:42.944894 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message.check() ended with:403
acme-1  | 2025-02-28T13:03:42.944938727Z [Fri Feb 28 13:03:42.944921 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Message.prepare_response()
acme-1  | 2025-02-28T13:03:42.944963183Z [Fri Feb 28 13:03:42.944944 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.nonce_generate_and_add()
acme-1  | 2025-02-28T13:03:42.944990434Z [Fri Feb 28 13:03:42.944965 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.nonce__new()
acme-1  | 2025-02-28T13:03:42.945031841Z [Fri Feb 28 13:03:42.945009 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] got nonce: 8f2d0b707dce4bada472390ff5b0b213
acme-1  | 2025-02-28T13:03:42.945066296Z [Fri Feb 28 13:03:42.945034 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_add(8f2d0b707dce4bada472390ff5b0b213)
acme-1  | 2025-02-28T13:03:42.951014919Z [Fri Feb 28 13:03:42.950971 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] DBStore.nonce_add() ended
acme-1  | 2025-02-28T13:03:42.951039536Z [Fri Feb 28 13:03:42.951011 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Nonce.generate_and_add() ended with:8f2d0b707dce4bada472390ff5b0b213
acme-1  | 2025-02-28T13:03:42.951103947Z [Fri Feb 28 13:03:42.951063 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] Order.new() returns: {"code": 403, "header": {"Replay-Nonce": "8f2d0b707dce4bada472390ff5b0b213"}, "data": {"status": 403, "type": "urn:ietf:params:acme:error:accountDoesNotExist"}}
acme-1  | 2025-02-28T13:03:42.951166604Z [Fri Feb 28 13:03:42.951138 2025] [wsgi:error] [pid 21:tid 123309685475008] [remote 10.10.10.10:41860] 10.10.10.10 /acme/neworders {'code': 403, 'header': {'Replay-Nonce': '- modified -'}, 'data': {'status': 403, 'type': 'urn:ietf:params:acme:error:accountDoesNotExist'}}
acme-1  | 2025-02-28T13:03:42.961998852Z [Fri Feb 28 13:03:42.961907 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] _config_load()
acme-1  | 2025-02-28T13:03:42.962229775Z [Fri Feb 28 13:03:42.962184 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.962248811Z [Fri Feb 28 13:03:42.962219 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_load()
acme-1  | 2025-02-28T13:03:42.962548814Z [Fri Feb 28 13:03:42.962484 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_orderconfig_load()
acme-1  | 2025-02-28T13:03:42.962577788Z [Fri Feb 28 13:03:42.962516 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_orderconfig_load() ended
acme-1  | 2025-02-28T13:03:42.962600731Z [Fri Feb 28 13:03:42.962550 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_headerinfo_config_load()
acme-1  | 2025-02-28T13:03:42.962620979Z [Fri Feb 28 13:03:42.962580 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_headerinfo_config_load() ended
acme-1  | 2025-02-28T13:03:42.962625738Z [Fri Feb 28 13:03:42.962604 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order._config_load() ended.
acme-1  | 2025-02-28T13:03:42.962728371Z [Fri Feb 28 13:03:42.962651 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order.new()
acme-1  | 2025-02-28T13:03:42.962740614Z [Fri Feb 28 13:03:42.962687 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message.check()
acme-1  | 2025-02-28T13:03:42.962746355Z [Fri Feb 28 13:03:42.962709 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Helper.decode_message()
acme-1  | 2025-02-28T13:03:42.963016041Z [Fri Feb 28 13:03:42.962953 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._check()
acme-1  | 2025-02-28T13:03:42.963033734Z [Fri Feb 28 13:03:42.962981 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.check_nonce()
acme-1  | 2025-02-28T13:03:42.963057949Z [Fri Feb 28 13:03:42.963031 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.nonce._check_and_delete(8f2d0b707dce4bada472390ff5b0b213)
acme-1  | 2025-02-28T13:03:42.963110829Z [Fri Feb 28 13:03:42.963055 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_check(8f2d0b707dce4bada472390ff5b0b213)
acme-1  | 2025-02-28T13:03:42.963593374Z [Fri Feb 28 13:03:42.963563 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_check() ended
acme-1  | 2025-02-28T13:03:42.963626557Z [Fri Feb 28 13:03:42.963603 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_delete(8f2d0b707dce4bada472390ff5b0b213)
acme-1  | 2025-02-28T13:03:42.969656783Z [Fri Feb 28 13:03:42.969609 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_delete() ended
acme-1  | 2025-02-28T13:03:42.969707117Z [Fri Feb 28 13:03:42.969651 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce._check_and_delete() ended with:200
acme-1  | 2025-02-28T13:03:42.969719490Z [Fri Feb 28 13:03:42.969680 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.check_nonce() ended with:200
acme-1  | 2025-02-28T13:03:42.969736793Z [Fri Feb 28 13:03:42.969703 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._name_get()
acme-1  | 2025-02-28T13:03:42.969753244Z [Fri Feb 28 13:03:42.969731 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] content: {'alg': 'RS256', 'kid': 'http://acme.server.local/acme/acct/cA9IHFlCrm6e', 'nonce': '8f2d0b707dce4bada472390ff5b0b213', 'url': 'http://acme.server.local/acme/neworders'}
acme-1  | 2025-02-28T13:03:42.969832733Z [Fri Feb 28 13:03:42.969758 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] kid: http://acme.server.local/acme/acct/cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.969848352Z [Fri Feb 28 13:03:42.969780 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] server_name: http://acme.server.local
acme-1  | 2025-02-28T13:03:42.969852881Z [Fri Feb 28 13:03:42.969802 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] acct_path: /acme/acct/
acme-1  | 2025-02-28T13:03:42.969857710Z [Fri Feb 28 13:03:42.969826 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] kid: cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.969867959Z [Fri Feb 28 13:03:42.969848 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._name_get() returns: cA9IHFlCrm6e
acme-1  | 2025-02-28T13:03:42.970220841Z [Fri Feb 28 13:03:42.970186 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Helper.error_dict_get()
acme-1  | 2025-02-28T13:03:42.970492702Z [Fri Feb 28 13:03:42.970454 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Signature.check(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.970508952Z [Fri Feb 28 13:03:42.970484 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] check signature against account key
acme-1  | 2025-02-28T13:03:42.970541804Z [Fri Feb 28 13:03:42.970509 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Signature._jwk_load(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.970576719Z [Fri Feb 28 13:03:42.970547 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.jwk_load(cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.970590195Z [Fri Feb 28 13:03:42.970571 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore._account_search(column:name, pattern:cA9IHFlCrm6e)
acme-1  | 2025-02-28T13:03:42.971103969Z [Fri Feb 28 13:03:42.971070 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore._account_search() ended with: False
acme-1  | 2025-02-28T13:03:42.971136269Z [Fri Feb 28 13:03:42.971110 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.jwk_load() ended with: {}
acme-1  | 2025-02-28T13:03:42.971161627Z [Fri Feb 28 13:03:42.971138 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Signature.check() ended with: False:urn:ietf:params:acme:error:accountDoesNotExist
acme-1  | 2025-02-28T13:03:42.971195440Z [Fri Feb 28 13:03:42.971164 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message._check() ended with: 403
acme-1  | 2025-02-28T13:03:42.971213134Z [Fri Feb 28 13:03:42.971191 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message.check() ended with:403
acme-1  | 2025-02-28T13:03:42.971238341Z [Fri Feb 28 13:03:42.971216 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Message.prepare_response()
acme-1  | 2025-02-28T13:03:42.971263999Z [Fri Feb 28 13:03:42.971240 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.nonce_generate_and_add()
acme-1  | 2025-02-28T13:03:42.971283466Z [Fri Feb 28 13:03:42.971259 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.nonce__new()
acme-1  | 2025-02-28T13:03:42.971328911Z [Fri Feb 28 13:03:42.971302 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] got nonce: bb031e9e5eb542bfadb67b2a3b832d09
acme-1  | 2025-02-28T13:03:42.971351934Z [Fri Feb 28 13:03:42.971327 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_add(bb031e9e5eb542bfadb67b2a3b832d09)
acme-1  | 2025-02-28T13:03:42.977417607Z [Fri Feb 28 13:03:42.977376 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] DBStore.nonce_add() ended
acme-1  | 2025-02-28T13:03:42.977449727Z [Fri Feb 28 13:03:42.977417 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Nonce.generate_and_add() ended with:bb031e9e5eb542bfadb67b2a3b832d09
acme-1  | 2025-02-28T13:03:42.977492447Z [Fri Feb 28 13:03:42.977465 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] Order.new() returns: {"code": 403, "header": {"Replay-Nonce": "bb031e9e5eb542bfadb67b2a3b832d09"}, "data": {"status": 403, "type": "urn:ietf:params:acme:error:accountDoesNotExist"}}
acme-1  | 2025-02-28T13:03:42.977578178Z [Fri Feb 28 13:03:42.977546 2025] [wsgi:error] [pid 21:tid 123309832275648] [remote 10.10.10.10:41860] 10.10.10.10 /acme/neworders {'code': 403, 'header': {'Replay-Nonce': '- modified -'}, 'data': {'status': 403, 'type': 'urn:ietf:params:acme:error:accountDoesNotExist'}}

The acme_srv.cfg looks like this and is mounted via docker-compose.yml:

[DEFAULT]
debug: True

[CAhandler]
host: ca.server.local
user: ca_cert_user
password: xxxxxxxxxx
template: ca_template
ca_bundle: ca_bundle-ukd_2018.pem
handler_file: examples/ca_handler/mscertsrv_ca_handler.py
auth_method: ntlm

@grindsa
Owner

grindsa commented Feb 28, 2025

The problem looks different as the lookup of the account name ended successfully:

[remote 10.10.10.10:41860] Message._name_get()
[remote 10.10.10.10:41860] content: {'alg': 'RS256', 'kid': 'http://acme.server.local/acme/acct/cA9IHFlCrm6e', 'nonce': '8f2d0b707dce4bada472390ff5b0b213', 'url': 'http://acme.server.local/acme/neworders'}
[remote 10.10.10.10:41860] kid: http://acme.server.local/acme/acct/cA9IHFlCrm6e
[remote 10.10.10.10:41860] server_name: http://acme.server.local
[remote 10.10.10.10:41860] acct_path: /acme/acct/
[remote 10.10.10.10:41860] kid: cA9IHFlCrm6e
[remote 10.10.10.10:41860] Message._name_get() returns: cA9IHFlCrm6e

But I have an idea why this could fail. Would you mind sharing the acme_srv.db via email to [email protected]? Or check the content of the accounts table inside of acme_srv.db with an sqlite-browser to check the account names?

@grindsa
Owner

grindsa commented Feb 28, 2025

Can you please also share your docker-compose.yml?

@HenriWahl
Author

To avoid DB problems I do not use a persistent DB on the testing machine. I could just send you the DB file from the production setup.

@HenriWahl
Author

HenriWahl commented Feb 28, 2025

The docker-compose.yml is this:

services:
  acme:
    image: grindsa/acme2certifier:aname_dbg
    restart: unless-stopped
    # needed to avoid proxy usage inside the container which disturbs internal communication
    environment:
      HTTP_PROXY:
      HTTPS_PROXY:
      http_proxy:
      https_proxy:
    volumes:
      - ./acme_srv.cfg:/var/www/acme2certifier/acme_srv/acme_srv.cfg
    ports:
      - 80:80

@HenriWahl
Author

HenriWahl commented Feb 28, 2025

> The problem looks different as the lookup of the account name ended successfully:

When I first noted the malfunction I found exactly this, the account name being resolved as None - see the log in the initial post.

@grindsa
Owner

grindsa commented Mar 1, 2025

Were the shared logs taken from your test system (with a non-persistent database) or from your production setup?

@HenriWahl
Author

It's from the testing system without persistent database.

@HenriWahl
Author

@grindsa if you like I could set up a test environment with persistent DB, but this will be possible next week.

@grindsa
Owner

grindsa commented Mar 3, 2025

Hi,

It appears that the non-persistent database might be the root cause of your issue, as Traefik may be using its existing account registration for certificate issuance. acme2certifier will look up the account key to validate the message signature, which fails with an accountDoesNotExist error if the account name cannot be found in the database.

To resolve this error, you need to force Traefik to start a new account registration. Although I am not an expert on Traefik, according to a post I found, you can do this by following these steps (please note that this will delete ALL certificates and accounts):

  • Log on to your server and navigate to the Let's Encrypt directory containing the acme.json file.
  • Rename the acme.json file for backup purposes: mv acme.json revoked_acme.json
  • Create a new empty acme.json file: touch acme.json
  • Shut down all containers: docker-compose down
  • Start all containers in detached mode: docker-compose up -d

I hope this helps!

I recommend making a small modification to your docker-compose.yml file by mounting a directory from your host system into the container at /var/www/acme2certifier/volume. This will allow acme2certifier to store both acme_srv.cfg and acme_srv.db in this directory.

services:
  acme:
    image: grindsa/acme2certifier:aname_dbg
    restart: unless-stopped
    # needed to avoid proxy usage inside the container which disturbs internal communication
    environment:
    ...
    volumes:
      - <your directory>:/var/www/acme2certifier/volume
    ports:
   ...

@HenriWahl
Author

Hi @grindsa,

The problem arose within the production setup, where acme2certifier actually uses persistent storage, just like you describe it with the /var/www/acme2certifier/volume mount. :-(

@HenriWahl
Author

Just an idea, maybe this is already configurable: how about no storage at all, just acting as a proxy between e.g. traefik and the internal CA? In theory it won't be necessary to store anything, treating every request as the initial one?

@grindsa
Owner

grindsa commented Mar 3, 2025

Hi,

Understood. Please replicate the issue on a system with persistent storage and share the logs along with the acme_srv.db file.

Regarding your later question:

Even if acme2certifier acts as a proxy, it is not stateless. The main reasons are:

  • ACME clients typically register on the ACME server only once.
  • They use the registered account key to issue and later renew certificates.

Acme2certifier stores the public key submitted during the initial account registration (step 1) as it is needed to verify the JWS of all subsequent messages from the client. Therefore, as long as Traefik (or any other ACME client) continues to reuse an existing account registration for later certificate issuance, acme2certifier cannot be stateless.

Additionally, there are other scenarios (e.g., replay protection, pre-authorization) that require a certain level of statefulness. While your proposal is interesting, I foresee a few implementation challenges, including potential non-compliance with RFC 8555.

Hope this explains the current situation.
/G
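The account lookup described in the comment above, as an added sketch that is not acme2certifier's own code: the server resolves the `kid` from the JWS protected header to an account name and needs the stored public key before it can verify anything. The `account` table layout, the helper names and the sample key are assumptions; the server name, account path and account name are taken from the logs earlier in this thread.

```python
import base64, json, sqlite3

SERVER_NAME = "http://acme.server.local"   # from the log in this thread
ACCT_PATH = "/acme/acct/"                  # from the log in this thread
ERR = "urn:ietf:params:acme:error:accountDoesNotExist"

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def new_db():
    """Fresh account store; the schema is an assumption for this sketch."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (name TEXT PRIMARY KEY, jwk TEXT NOT NULL)")
    return db

def register(db, name, jwk):
    """Account registration: persist the client's public key under its name."""
    db.execute("INSERT INTO account VALUES (?, ?)", (name, json.dumps(jwk)))
    return SERVER_NAME + ACCT_PATH + name   # the kid the client keeps reusing

def name_from_kid(kid):
    prefix = SERVER_NAME + ACCT_PATH
    return kid[len(prefix):] if kid.startswith(prefix) else None

def check_message(db, protected_b64):
    """Return (code, error, jwk) for the protected header of a kid-signed request."""
    pad = "=" * (-len(protected_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(protected_b64 + pad))
    name = name_from_kid(header.get("kid", ""))
    row = None
    if name:
        row = db.execute("SELECT jwk FROM account WHERE name = ?", (name,)).fetchone()
    if row is None:
        # No stored key: there is nothing to verify the signature against.
        return 403, ERR, None
    # A real server would now verify the JWS signature with this key (omitted).
    return 200, None, json.loads(row[0])

# Constructed sample: the client registers once against the old instance ...
old_db = new_db()
kid = register(old_db, "cA9IHFlCrm6e", {"kty": "RSA", "n": "constructed", "e": "AQAB"})
request = b64url({"alg": "RS256", "kid": kid, "nonce": "constructed-nonce",
                  "url": SERVER_NAME + "/acme/neworders"})

# ... then the server comes back with an empty database (no persistent volume,
# or a replacement instance whose acme_srv.db was not carried over).
replacement_db = new_db()

if __name__ == "__main__":
    print(check_message(old_db, request))          # account known
    print(check_message(replacement_db, request))  # account unknown
```

The client's request is byte-for-byte identical in both calls; only the server-side state differs, which is why the fix is either to carry the database over or to make the client register again.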

@HenriWahl
Author

@grindsa thank you for your explanations - they helped me to find the cause: me.

I erroneously assumed that the whole ACME process is stateless and when I set up a new acme2certifier instance as replacement for an old one, I did not copy the old DB data. With this enlightenment the error messages are totally clear and appropriate - the client's account of course was unknown and they believed themselves to be registered.

Putting the old DB file into the volume for the new instance solved all problems.

So thanks for your patience and fast reply.

@arp-mbender

arp-mbender commented Mar 4, 2025

Hmm... I have to say I'm confused. I don't recall changing the DB file, yet I had the same issue.

I've since deleted the Traefik ACME-related JSON to restart the process which I suspect also causes Traefik to re-register with acme2certifier, so the immediate issue has been resolved. But I'm really confused as to why that failed at all in the first place (again, I don't recall removing / deleting the DB file).

@grindsa
Owner

grindsa commented Mar 4, 2025

Hi Mateusz,

I am not suggesting that the non-persistent database is the explanation for all issues. For instance, it does not account for the initial error reported by @HenriWahl , where the account lookup failed. I am very interested in understanding what happened in this case (it seems to be a corner case that slipped through the cracks). However, I need a complete set of logs and the acme_srv.db file for analysis.

@arp-mbender

Fair enough. If it pops up again I'll try and gather everything up. For the time being I'll leave it as is. 👍🏻
