Let's Encrypt does not respect changes to `DISCOURSE_DEVELOPER_EMAILS`

(Jay Pfaffman) #1

tl;dr: If you need to change the address in LETSENCRYPT_ACCOUNT_EMAIL, you need to delete the Let's Encrypt directory before running it again.

I enabled Let’s Encrypt on a site today. I used a script that copied DISCOURSE_DEVELOPER_EMAILS to LETSENCRYPT_ACCOUNT_EMAIL. I knew it was a bad idea when I wrote the script, but, you know, I was sure that I would never run it when there was more than one email address in DISCOURSE_DEVELOPER_EMAILS. But that’s what I did.

No biggie, I thought, but when I fixed app.yml and rebuilt nginx still wouldn’t come up.

From the logs, @tgxworld, it looks like it’s still trying to register with the original three addresses that were in DISCOURSE_DEVELOPER_EMAILS.

[Tue Mar 14 22:50:34 UTC 2017] Registering account
[Tue Mar 14 22:50:35 UTC 2017] ESC[1;31;40mRegister account Error: {"type":"urn:acme:error:invalidEmail","detail":"more than one e-mail address","status": 400}ESC[0m
[Tue Mar 14 22:50:35 UTC 2017] ESC[1;31;40mPlease add '--debug' or '--log' to check more details.
[Tue Mar 14 22:50:35 UTC 2017] ESC[1;31;40mSee: https://github.com/Neilpang/acme.sh/wiki/How-to-d
[Tue Mar 14 22:50:35 UTC 2017] Installing key to:/shared/ssl/forum.SITE.org.key
cat: /shared/letsencrypt/forum.SITE.org/forum.SITE.org.key: No such file or directory
[Tue Mar 14 22:50:35 UTC 2017] Installing full chain to:/shared/ssl/forum.SITE.org.cer
cat: /shared/letsencrypt/forum.SITE.org/fullchain.cer: No such file or directory
[Tue Mar 14 22:50:35 UTC 2017] Run Le_ReloadCmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Tue Mar 14 22:50:35 UTC 2017] ESC[1;31;40mReload error for :forum.SITE.orgESC[0m

and this from the end:

nginx: [emerg] PEM_read_bio_X509_AUX("/shared/ssl/forum.casrai.org.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

Finally, I did a rm /var/discourse/shared/standalone/letsencrypt and rebuilt again.

and it worked.

(Jeff Atwood) #2

What do you think @tgxworld?

(Matt Palmer) #3

Yep, I see it:

- replace:
   filename: /shared/letsencrypt/account.conf
   from: /#ACCOUNT_EMAIL=.+/
   to: |

That’ll only work on the first rebuild, because after that it isn’t #ACCOUNT_EMAIL= any more. Chuck a ? after # and it’d be fine.
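The regex problem described above, simulated over two rebuilds. This is an added example, not code from the Discourse template or from pups: it assumes the `to:` block (truncated in the quote) writes an `ACCOUNT_EMAIL="..."` line, that the replace is a single non-global substitution, and it uses a constructed `account.conf` in which acme.sh ships the email line commented out.

```ruby
# Added example (assumptions: the template's "to:" writes ACCOUNT_EMAIL="...",
# and the replace is a plain single substitution). The file content is constructed.

# Constructed account.conf as acme.sh writes it before any Discourse rebuild:
# the address line is present but commented out.
FRESH_ACCOUNT_CONF = <<~'CONF'
  LOG_FILE=""
  #ACCOUNT_EMAIL="placeholder@example.com"
CONF

ORIGINAL_PATTERN = /#ACCOUNT_EMAIL=.+/   # the "from:" regex quoted in the thread
FIXED_PATTERN    = /#?ACCOUNT_EMAIL=.+/  # the same regex with the suggested "?"

# One rebuild: rewrite the first line matching the pattern with the address
# taken from LETSENCRYPT_ACCOUNT_EMAIL. Returns the new file contents.
def apply_replace(conf, pattern, email)
  conf.sub(pattern, "ACCOUNT_EMAIL=\"#{email}\"")
end

# Run one rebuild per entry in `emails`, then return the ACCOUNT_EMAIL value
# acme.sh would read when it registers the account.
def simulate_rebuilds(pattern, emails, conf = FRESH_ACCOUNT_CONF)
  emails.each { |email| conf = apply_replace(conf, pattern, email) }
  conf[/^ACCOUNT_EMAIL="([^"]*)"/, 1]
end

# The ACME server in the thread's log rejected the registration with
# "more than one e-mail address"; this mirrors that check on the stored value.
def acme_would_reject?(value)
  value.split(",").map(&:strip).reject(&:empty?).size > 1
end

if __FILE__ == $PROGRAM_NAME
  # Rebuild 1 with three addresses copied from DISCOURSE_DEVELOPER_EMAILS,
  # rebuild 2 after app.yml was corrected to a single address.
  history = ["a@example.org,b@example.org,c@example.org", "a@example.org"]
  [["original", ORIGINAL_PATTERN], ["fixed", FIXED_PATTERN]].each do |name, pattern|
    value = simulate_rebuilds(pattern, history)
    puts "#{name}: ACCOUNT_EMAIL=#{value} (rejected: #{acme_would_reject?(value)})"
  end
end
```

With the original pattern the second rebuild finds no `#ACCOUNT_EMAIL=` line to match, so the three-address value written by the first rebuild survives and registration keeps failing until the directory is deleted; with `#?` the already-substituted line is matched and overwritten.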

(Jeff Atwood) #4

After you mean? Not before.

(Matt Palmer) #5

Yes… that’s what I said… :troll:

(Alan Tan) #6

Thanks @mpalmer, I fixed it in

(Alan Tan) #7