Error letsencrypt.sh: line 232: [: secp384r1: integer expression expected Centos 6

sec-is
Verified User, joined Feb 14, 2020, 99 messages
Maybe it is Centos 6 related, I am not sure. But the script is generating this error:

Setting up certificate for a hostname: host3.example.nl
/usr/local/directadmin/scripts/letsencrypt.sh: line 232: [: secp384r1: integer expression expected
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/15905478631...
Processing authorization for host3.example.nl...
Challenge is valid.
Generating secp384r1 bit RSA key for host3.example.nl...
openssl genrsa secp384r1 > "/usr/local/directadmin/conf/cakey.pem.new"
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -idea           encrypt the generated key with IDEA in cbc mode
 -seed           encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into the random number generator
unable to load Private Key
140036750382920:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
Checking Certificate Private key match...
unable to load Private Key
140076905494344:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
Certificate mismatch!!!

It looks like the script still tries to request the certificate:

Setting up certificate for a hostname: host3.example.nl
/usr/local/directadmin/scripts/letsencrypt.sh: line 232: [: secp384r1: integer expression expected
Requesting new certificate order...
new-order error: HTTP/1.1 100 Continue
HTTP/1.1 429 Too Many Requests
Server: nginx
Date: Sun, 01 Aug 2021 04:21:16 GMT
Content-Type: application/problem+json
Content-Length: 278
Connection: keep-alive

This is the certificate for the server itself, not for a domain on it.
I would not know how to change the parameter 'secp384r1', if that is the problem.
 
The error on line 232 is this line (the first one):
if [ ${KEY_SIZE} -ne 2048 ] && [ ${KEY_SIZE} -ne 4096 ]; then
echo "Wrong key size. It must be 2048 or 4096. Exiting..."
exit 1
fi

This means ${KEY_SIZE} has the value 'secp384r1' which is not numerical.

I would guess this is a DirectAdmin bug and needs to be solved.

* also tried: /usr/local/directadmin/scripts/letsencrypt.sh request_single your.hostname.com 4096
however I keep getting in that loop: "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours" see https://letsencrypt.org/docs/rate-limits/

So I have several issues now with DirectAdmin:
* it keeps trying to fetch a new one, even though there is an error! (It should NOT try to request a certificate, since that is causing the 5-day rate limit overrun.)
* it seems to call the script with the wrong parameters
* I have no influence on HOW this certificate is generated; DA does this in their main program, and I could not find any conf settings for this (mainly to get "openssl genrsa" working, I mean).

There is more...
To enable this feature in DirectAdmin, ensure you have DirectAdmin 1.50.1 or newer.
Install the most recent version of the script:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

That last command './build letsencrypt' does not work at all; it shows a very long list of possible commands (because of custombuild version 1.2.43), so how would I get a 'newer' script if this bug is fixed? (Unless the script is okay but the DA executable is wrong.)
Is 1.2.43 smaller than 1.50.1? Still it is installed and has worked many years. It just got broken after a DA update. And I am not sure which one of course.


I am not sure how to proceed, DA needs to pick this up imho.
Options I can think of:
1) edit their script, and make an exception when it is for the hostname and change the parameters in the script there and then
2) downgrade DA
3) update the script

So I did (3): I downloaded https://files.directadmin.com/services/all/letsencrypt/letsencrypt.sh.1.1.42
I looked inside and saw these lines:

if [ "${KEY_SIZE}" = "secp384r1" ]; then
KEY_SIZE="ec-384"
elif [ "${KEY_SIZE}" = "prime256v1" ]; then
KEY_SIZE="ec-256"
elif [ "${KEY_SIZE}" = "secp521r1" ]; then
KEY_SIZE="ec-521"
fi

And it is no longer only checking for an integer.

I think in 7 days it will all be working again (need to wait for that rate limit to end).

Strange that there is no 'upgrade' possible, and that you need to do it manually.
 
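An added example, not DirectAdmin's letsencrypt.sh and not code posted in this thread: a POSIX shell script that reproduces the line 232 failure mode (a non-integer KEY_SIZE makes `[ ... -ne 2048 ]` print an error and return false, so the `&&` chain short-circuits, the value is accepted and the script goes on to `openssl genrsa`, which only understands a bit count), validates the value with a string match that accepts both the RSA sizes and the curve names the 1.1.42 script maps to ec-NNN, and selects `openssl ecparam` for EC keys. The function names, the output paths and the placeholder "requesting order" step are assumptions; the key-generation commands are printed rather than run, except in issue_after_keygen, which also checks the key with `openssl pkey` before anything is requested, so a key failure cannot consume one of the five weekly Let's Encrypt issuances.

```shell
#!/bin/sh
# Added example, not DirectAdmin's letsencrypt.sh. Function names and the
# output paths below are illustrative assumptions.

# Reproduces the original line-232 check. With KEY_SIZE=secp384r1 the first
# `[ ... -ne 2048 ]` prints "integer expression expected" and returns 2
# (false), so the && chain short-circuits, the size is ACCEPTED and the
# caller continues to genrsa, exactly as seen in the thread's log.
broken_check() {
    KEY_SIZE="$1"
    if [ "${KEY_SIZE}" -ne 2048 ] && [ "${KEY_SIZE}" -ne 4096 ]; then
        echo "rejected"
    else
        echo "accepted"
    fi
}

# Validate with string matching before any arithmetic: RSA sizes pass
# through, the curve names DirectAdmin passes are mapped to ec-NNN (as the
# 1.1.42 script does), everything else is rejected with a non-zero status.
normalize_key_size() {
    case "$1" in
        2048|4096)         echo "$1" ;;
        secp384r1|ec-384)  echo "ec-384" ;;
        prime256v1|ec-256) echo "ec-256" ;;
        secp521r1|ec-521)  echo "ec-521" ;;
        *)
            echo "Wrong key size '$1'. It must be 2048, 4096 or an EC curve name. Exiting..." >&2
            return 1 ;;
    esac
}

# Print (not run) the openssl command for a validated size. genrsa only
# accepts a bit count, so EC keys must be generated with ecparam instead.
keygen_command() {
    size=$(normalize_key_size "$1") || return 1
    out="$2"
    case "$size" in
        ec-384) echo "openssl ecparam -name secp384r1 -genkey -noout -out \"$out\"" ;;
        ec-256) echo "openssl ecparam -name prime256v1 -genkey -noout -out \"$out\"" ;;
        ec-521) echo "openssl ecparam -name secp521r1 -genkey -noout -out \"$out\"" ;;
        *)      echo "openssl genrsa -out \"$out\" $size" ;;
    esac
}

# Order of operations matters for the rate limit: generate and verify the key
# first, and only then request the ACME order. The order request itself is a
# placeholder echo here; `openssl pkey` is the real "can this key be loaded"
# check that the thread's "unable to load Private Key" message corresponds to.
issue_after_keygen() {
    keyfile="$2"
    cmd=$(keygen_command "$1" "$keyfile") || return 1
    sh -c "$cmd" && openssl pkey -in "$keyfile" -noout 2>/dev/null || {
        echo "key generation failed; not requesting a certificate" >&2
        return 1
    }
    echo "key OK; requesting new certificate order for $3"
}

# Demo output when the file is run directly.
broken_check secp384r1
keygen_command secp384r1 /usr/local/directadmin/conf/cakey.pem.new
keygen_command 4096 /usr/local/directadmin/conf/cakey.pem.new
```

Running the file prints the same "integer expression expected" message as the thread followed by `accepted` from the broken check, then the ecparam and genrsa commands for the two inputs; the curve-name mapping covers the three curves the newer script handles, not only secp384r1 from the original report.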
Closing words.

The upgrade of the script solved this issue. The certificate was renewed after the 5 days limit and now all is well.

I am leaving this thread -as is- for in case someone else has this same issue (by chance) or something similar. All you need is the link to the folder where to download the script (see above).
 
@sec-is For those who are reading and rate limit / test some links



 