From: "Massimo S."
Reply-To: ml@ecomstation.it
Subject: Re: [eCS-ISP] HTTPS-Misery (for Steven)
To: eCS ISP Mailing List
Organization: Massimo S.
Message-ID: <3256ce60-46c3-d1d7-4dcf-f6bfe1aef28a@ecomstation.it>
Date: Mon, 7 Oct 2024 20:48:12 +0200
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; it-IT; rv:1.7.13) Gecko/20060424 Thunderbird/1.0.8 Mnenhy/0.7.4.0

What should I get (I can only see it if I use the REXX command "say" in the script):

begin
http-01
www.domain.com
VfD7yNIXE4R3KaS8CsBD8thkrZo3W9a3YDyWQHcOxVo
VfD7yNIXE4R3KaS8CsBD8thkrZo3W9a3YDyWQHcOxVo.zyhanFlpd0tloojCJrdfZjZwx4LbkQHuYa75ndsa-Qs
X:\apache\htdocs\mydomain\.well-known\acme-challenge\VfD7yNIXE4R3KaS8CsBD8thkrZo3W9a3YDyWQHcOxVo
done

So if var1 is not = "http-01", exit.

massimo

On 07/10/2024 20:22, Massimo S. wrote:
> Hi Steven,
>
> I'm trying to catch that challenge value to verify when they accept HTTP-01, to improve the script.
>
> If I start this REXX from the command line it writes the (re7.log) log file,
> but if I call the hook script from uacme I get no output, nor the file:
>
> uacme issue www.mywebsite.com --c c:/mptn/etc/ssl/uacme -h zhook_mywebsite.cmd 2>X:\uacme\re6.log
>
> and here the hook script code:
>
> /* hook for client uacme */
>
> /* register the RexxUtil functions so SysFileDelete is available */
> call RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs'
> call SysLoadFuncs
>
> parse arg var1 var2 var3 var4 var5
>
> /* log every argument under its own name (re7.log is relative to the caller's current directory) */
> 'echo . >re7.log'
> 'echo var1 'var1' >>re7.log'
> 'echo var2 'var2' >>re7.log'
> 'echo var3 'var3' >>re7.log'
> 'echo var4 'var4' >>re7.log'
> 'echo var5 'var5' >>re7.log'
>
> /* var4 is the token (file name), var5 the key authorization (file content) */
> myfile = 'X:\apache\htdocs\mywebsite\.well-known\acme-challenge\'||var4
> call SysFileDelete myfile
> rc = LINEOUT(myfile, var5)
> call STREAM myfile, 'C', 'CLOSE'
>
>
> massimo
>
>
> On 07/10/2024 18:54, Massimo S. wrote:
>>
>>
>> On 07/10/2024 16:10, Massimo S. wrote:
>>> the point is this:
>>>
>>> "Yes, as I said, somewhere in the recent past Let's Encrypt randomises the order of the challenges in the
>>> authz. So you've got ⅓ chance of getting http-01 as the first one.
>>>
>>> Your script needs to check which challenge is being processed by it and only respond if it's the http-01
>>> challenge, just like how the sh script does it. I know you can't use it directly, but you should use the sh
>>> script as an example how the workflow needs to be."
>>>
>>> so we need a script that understands if LE is serving an HTTP-01 challenge or not;
>>> if not, just exit and retry.
>>>
>>> but I've also asked Nicola Dilieto for a solution to this issue:
>>>
>>> https://github.com/ndilieto/uacme/issues/88
>>>
>>> or with have to make as script (e.g. REXX) that does something like this
>>
>> sorry, typo
>>
>> I mean: or we have to modify the hook script to exit if it does not
>> receive an http-01 challenge type.
>>
>> This is clearly a way to make life more difficult for the users.
>>
>> It makes no sense to randomize the challenge type server side;
>> it makes managing certificates more complex.
>>
>> massimo
>>
>>>
>>> https://github.com/ndilieto/uacme/blob/master/uacme.sh
>>>
>>>
>>> massimo
>>>
>>>
>>> On 07/10/2024 11:53, Massimo S. wrote:
>>>> Hi Dan,
>>>>
>>>> I'm facing a strange issue these days with LE.
>>>>
>>>> If you are interested, follow this topic:
>>>>
>>>> https://community.letsencrypt.org/t/renew-of-certificates-fails-randomly-in-the-last-month/227025
>>>>
>>>> massimo
>>>>
>>>> On 12/08/2024 21:54, Dan Napier, MS, CIH, CAC wrote:
>>>>> Here is where I am now?
>>>>>
>>>>> uacme.exe: challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/389433336946/-1Wx1w failed with status invalid
>>>>> uacme.exe: the server reported the following error:
>>>>> {
>>>>>      "type": "urn:ietf:params:acme:error:dns",
>>>>>      "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ns1.dnacih.com - check that a DNS record exists for this domain",
>>>>>      "status": 400
>>>>> }
>>>>> uacme.exe: failed to authorize order at https://acme-v02.api.letsencrypt.org/acme/order/1887586636/295703974986
>>>>>
>>>>> Any idea what the DNS TXT line should look like?
>>>>> In the correct place of course--Context is everything ain't it!
>>>>>
>>>>> _acme-challenge     TXT = "WTF goes Here?"
>>>>>
>>>>> Looking as some of the discussion changes bi-monthly?
>>>>>
>>>>>
>>>>> --
>>>>> Certified Industrial Hygienist
>>>>> Certified Asbestos Consultant
>>>>>
>>>>> Dan Napier, MS, CIH, CAC
>>>>> 92-0614 8/24/24
>>>>> 2520 Artesia Boulevard
>>>>> Redondo Beach, CA 90278-3210
>>>>> 310-644-1924 x 103
>>>>> CSLB 773462
>>>>>
>>>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>>>> This message is sent to you because you are subscribed to
>>>>>    the mailing list .
>>>>> To unsubscribe, E-mail to:
>>>>> To switch to the DIGEST mode, E-mail to
>>>>> To switch to the INDEX mode, E-mail to
>>>>> Send administrative queries to
>>>>> To subscribe (new addresses), E-mail to: and reply to the confirmation email.
>>>>> Web archives are publicly available at: http://lists.2rosenthals.com
>>>>>
>>>>> This list is hosted by Rosenthal & Rosenthal, LLC
>>>>> P.O. Box 281, Deer Park, NY 11729-0281. Non-
>>>>> electronic communications related to content
>>>>> contained in these messages should be directed
>>>>> to the above address.
>>>>> (CAN-SPAM Act of 2003)
>>>>>
>>>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
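Added example, not from the thread, not uacme.sh and not the REXX hook above: the HTTP-01-only hook the quoted advice describes, written in POSIX sh after the workflow of uacme.sh. It dispatches on the five arguments uacme hands the hook, in the order the log above shows (method "begin"/"done", type "http-01", identifier, token, key authorization; in the REXX hook the type therefore arrives as var2), publishes the key authorization under the token name only for http-01, rejects tokens outside the base64url alphabet so a malformed value cannot name a file outside the challenge directory, and returns non-zero for any other challenge type so uacme can go on to the next one. WEBROOT and its /tmp/htdocs default are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not uacme.sh and not the REXX hook from the thread.
# uacme passes five arguments: method (begin/done/failed), type, ident,
# token, auth; the log in the thread shows exactly that order.
# Assumption: WEBROOT is the directory Apache serves for the site.
WEBROOT="${WEBROOT:-/tmp/htdocs}"   # constructed default for the demo

acme_hook() {
    method=$1 type=$2 ident=$3 token=$4 auth=$5   # ident unused here
    dir="$WEBROOT/.well-known/acme-challenge"

    # Only answer HTTP-01; a non-zero status declines any other type,
    # the same way uacme.sh does, so uacme can try the next challenge.
    [ "$type" = "http-01" ] || return 1

    # RFC 8555 tokens use only the base64url alphabet; refuse anything
    # else so a malformed token can never name a path outside $dir.
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac

    case "$method" in
        begin)
            # Publish the key authorization under the token name.
            mkdir -p "$dir" || return 1
            printf '%s' "$auth" > "$dir/$token" || return 1
            ;;
        done|failed)
            # Remove the response whether validation succeeded or not.
            rm -f "$dir/$token"
            ;;
        *) return 1 ;;
    esac
    return 0
}

# When run by uacme the five arguments are on the command line.
if [ $# -ge 2 ]; then acme_hook "$@"; fi
```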