greenlock-express.js's People

Contributors

coolaj86, ryanburnette, wgoodall01, wormss


greenlock-express.js's Issues

too many certificates already issued for this exact set of domains

my greenlock.d/config.json file is updated correctly (root + correct access)


{
  "sites": [
    {
      "subject": "mydomain.com",
      "altnames": [
        "mydomain.com"
      ],
      "renewAt": 1
    }
  ],
  "defaults": {
    "store": {
      "module": "greenlock-store-fs"
    },
    "challenges": {
      "http-01": {
        "module": "acme-http-01-standalone"
      }
    },
    "renewOffset": "-45d",
    "renewStagger": "3d",
    "accountKeyType": "EC-P256",
    "serverKeyType": "RSA-2048",
    "subscriberEmail": "[email protected]"
  }
}

But still each time at start, it tries to renew the certificates, hitting the rate limit.

0|greenloc | By using this software you ([email protected]) are agreeing to the following:
0|greenloc | ACME Subscriber Agreement: https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf
0|greenloc | Greenlock/ACME.js Terms of Use: https://rootprojects.org/legal/#terms
0|greenloc |
0|greenloc | set greenlockOptions.notify to override the default logger
0|greenloc | certificate_order (more info available: account subject altnames challengeTypes)
0|greenloc | certificate_order (more info available: account subject altnames challengeTypes)
0|greenloc | certificate_order (more info available: account subject altnames challengeTypes)
0|greenloc | certificate_order (more info available: account subject altnames challengeTypes)
0|greenloc | certificate_order (more info available: account subject altnames challengeTypes)
0|greenloc | certificate_order (more info available: account subject altnames challengeTypes)
0|greenloc | Listening on 0.0.0.0:80 for ACME challenges, and redirecting to HTTPS
0|greenloc | Listening on 0.0.0.0:443 for secure traffic
0|greenloc | Ready to Serve:
0|greenloc |     mydomain.com

0|greenlock-app  | ACME Directory URL: https://acme-v02.api.letsencrypt.org/directory
0|greenlock-app  | By using this software you ([email protected]) are agreeing to the following:
0|greenlock-app  | ACME Subscriber Agreement: https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf
0|greenlock-app  | Greenlock/ACME.js Terms of Use: https://rootprojects.org/legal/#terms
0|greenlock-app  | set greenlockOptions.notify to override the default logger
0|greenlock-app  | certificate_order (more info available: account subject altnames challengeTypes)
0|greenlock-app  | Error cert_issue:
0|greenlock-app  | [acme-v2.js] authorizations were not fetched for 'mydomain.com':
0|greenlock-app  | {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mydomain.com, retry after 2022-10-08T17:26:38Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/","status":429,"_identifiers":[{"type":"dns","value":"mydomain.com"}]}
0|greenlock-app  | Error: [acme-v2.js] authorizations were not fetched for 'mydomain.com':
0|greenlock-app  | {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mydomain.com, retry after 2022-10-08T17:26:38Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/","status":429,"_identifiers":[{"type":"dns","value":"mydomain.com"}]}
0|greenlock-app  |     at Object.E.NO_AUTHORIZATIONS (/srv/apps/portal/server/node_modules/@root/acme/errors.js:75:9)
0|greenlock-app  |     at /srv/apps/portal/server/node_modules/@root/acme/acme.js:1198:11
0|greenlock-app  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
0|greenlock-app  | Error cert_issue:
0|greenlock-app  | [acme-v2.js] authorizations were not fetched for 'mydomain.com':
0|greenlock-app  | {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mydomain.com, retry after 2022-10-08T17:26:38Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/","status":429,"_identifiers":[{"type":"dns","value":"mydomain.com"}]}
0|greenlock-app  | Error: [acme-v2.js] authorizations were not fetched for 'mydomain.com':
0|greenlock-app  | {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mydomain.com, retry after 2022-10-08T17:26:38Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/","status":429,"_identifiers":[{"type":"dns","value":"mydomain.com"}]}
0|greenlock-app  |     at Object.E.NO_AUTHORIZATIONS (/srv/apps/portal/server/node_modules/@root/acme/errors.js:75:9)
0|greenlock-app  |     at /srv/apps/portal/server/node_modules/@root/acme/acme.js:1198:11
0|greenlock-app  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
0|greenlock-app  | Error cert_issue:
0|greenlock-app  | [acme-v2.js] authorizations wer
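The following is an added example, not greenlock's own code: a small pre-flight planner for a config like the one above. It models "renewAt at or before now means order now" and refuses any order that would exceed the duplicate-certificate limit quoted in the 429 response (5 certificates per exact set of domains per 168 hours). It assumes renewAt is a Unix millisecond timestamp and that renewOffset/renewStagger are "<n>d" strings; greenlock's real scheduling logic may differ.

```javascript
// Added example, not greenlock's own code. Models "renewAt <= now means order
// now" for the config above and refuses an order that would exceed the limit
// quoted in the 429 (5 certs per exact domain set per 168 hours). Assumes
// renewAt is a Unix-ms timestamp and renewOffset/renewStagger are "<n>d".
const DAY_MS = 24 * 60 * 60 * 1000;
const DUP_LIMIT = 5;
const DUP_WINDOW_MS = 168 * 60 * 60 * 1000;
// "-45d" -> -45 days in ms; anything but whole days is rejected loudly.
function parseDays(str) {
  const m = /^(-?\d+)d$/.exec(String(str).trim());
  if (!m) throw new Error("unsupported duration: " + str);
  return Number(m[1]) * DAY_MS;
}

// The CA counts the exact domain set, so normalize and sort before comparing.
function domainSetKey(altnames) {
  return [...new Set(altnames.map((d) => d.toLowerCase()))].sort().join(",");
}

// Certificates for this exact set issued inside the sliding window.
function recentIssuances(history, key, nowMs) {
  return history.filter((h) => h.key === key && nowMs - h.issuedAt < DUP_WINDOW_MS).length;
}

// Per site: "skip" (not due), "order", or "blocked" (would draw the 429).
function planRenewals(config, history, nowMs) {
  return config.sites.map((site) => {
    const names = site.altnames && site.altnames.length ? site.altnames : [site.subject];
    if (Number(site.renewAt) > nowMs) return { subject: site.subject, action: "skip" };
    const n = recentIssuances(history, domainSetKey(names), nowMs);
    return { subject: site.subject, action: n < DUP_LIMIT ? "order" : "blocked" };
  });
}

// A renewAt that does not fire on every restart: notAfter + renewOffset, pushed
// later by a caller-supplied fraction (0..1) of renewStagger.
function nextRenewAt(notAfterMs, defaults, staggerFraction) {
  const stagger = Math.floor(staggerFraction * parseDays(defaults.renewStagger));
  return notAfterMs + parseDays(defaults.renewOffset) + stagger;
}

// Constructed sample: the issue's config (renewAt: 1) plus five issuances in
// the past week, which is the situation the log above shows.
function demo() {
  const now = Date.UTC(2022, 9, 2, 12, 0, 0); // 2022-10-02T12:00:00Z
  const config = { sites: [{ subject: "mydomain.com", altnames: ["mydomain.com"], renewAt: 1 }],
    defaults: { renewOffset: "-45d", renewStagger: "3d" } };
  const history = [1, 2, 3, 4, 5].map((d) => ({ key: "mydomain.com", issuedAt: now - d * DAY_MS }));
  return planRenewals(config, history, now);
}
```

Running demo() reports the single site as "blocked", which is the state the log above reached; a renewAt computed with nextRenewAt() instead of the literal 1 would report "skip" until the certificate is actually near expiry.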

SNI Callback

I need a way to serve non-Letsencrypt certs together with the one managed by Greenlock. I can't find any suitable way, so I propose these little changes here: e63cdf2

With these changes, I will "ready" this HTTP(S) worker to greenlock-express

const greenlock = Greenlock
  .init({ ... })
  .ready(httpsWorker);

function httpsWorker(glx) {
  const plainServer = glx.httpServer();
  plainServer.listen(plainPort, plainAddr, () => {
    logger.info(`Greenlock listening on ${plainAddr}:${plainPort} for ACME challenges, and redirecting to HTTPS`);

    const secureServer = glx.httpsServer({ SNICallback }, app);
    secureServer.listen(securePort, secureAddr, () => {
      logger.info(`Greenlock listening on ${secureAddr}:${securePort} for secure traffic`);
    });
  });
}

And then provided my own SNICallback() like so

function SNICallback(greenlock, secureOpts, sni) {
  function SNIFallback(servername, cb) {
    return sni.create(greenlock, secureOpts)(servername, cb);
  }

  return (servername, cb) => {
    // Do something or return SNIFallback(servername, cb)
  }
}

Each time someone visits the secure port, it'll run my callback first and return its secureContext if available, or continue to the Greenlock SNI callback as usual.

Let me know what you think

Remove does not work

Hi,

When some domain was added by mistake, it will not pass the verification and I got the 'error' event via notify. But, after I call greenlock.remove({subject: domain}), the wrong domain is still there.

I can manually delete it from the json file but I am sure it's not the best way. And in my product, there may be a lot of wrong domains and mixed with correct domains.

What's the best way to remove the domains that cannot pass verification?

Thanks

trying to configure dry run

Thank you for authoring greenlock.

I have a greenlock server that is sometimes run in port forwarded environments (like Xfinity) where the port forward works from the WAN side, but not the LAN side (they bind the admin interface of the router to WAN interface having the public IP, even though it doesn't need to be). The dry run therefore fails from the LAN side where greenlock resides. I am trying to do skipDryRun in the greenlock config in a way that passes down to ACME.js. The solution of adding an /etc/hosts file entry for each domain doesn't work because the domains are dynamically added, and I am looking for a simpler solution. The greenlock server is not the main server, so all calls to it are explicit, so skipDryRun isn't as needed. It is just handling the generation of certificates for shared mount with nginx.

I tried adding skipDryRun greenlock-express config, and that didn't seem to pass down. I added a config.json where the default one gets created, with skipDryRun in it, but on startup, the defaults overwrite that file. I don't see where to change the defaults with configuration. There is so much modularity and automatic config in the code that is a bit difficult to follow the whole chain.

Thank you,

Ben

Failing versions of early Greenlock v2.x (maybe 3.x?)

The domain I used for security telemetry (ACME client User-Agent and contact email) in one of the original versions of Greenlock has lapsed (after several years of going unused).

If your version of Greenlock is affected, updating to the latest minor release should fix it:

  • 2.0.1 => 2.x
  • 3.0.1 => 3.x

The change should have never caused failure; it was simply a bug in the async / promise handling. The patch that was released several years ago fixes it.

I just found out it expired a few weeks ago, so if this still were a problem I imagine I'd have heard about it by now. If it turns out to be a big issue for someone over the next 2.5 weeks, it's still reclaimable.

After that I imagine it will be snagged up by domain snipers who want thousands of dollars for it (since it has had residual traffic all this time), which I don't care to pay.

TypeScript .d.ts and a couple of questions

This is related to another issue therootcompany/greenlock.js#4

I have a few questions

  import {
    IncomingMessage, ServerResponse,
    Server as HttpServer
  } from "http";
  import {
    Server as HttpsServer,
    ServerOptions as HttpsServerOptions
  } from "https";
  import {
    Http2SecureServer,
    SecureServerOptions as Http2SecureServerOptions
  } from "http2";

  import Greenlock from "@root/greenlock";

  type ReqHandler = (req: IncomingMessage, res: ServerResponse)=>any;
  type ReqHandlerNext = (
    req: IncomingMessage, res: ServerResponse,
    next: (e?: any)=>any
  )=>any;

  /*
    Note: You can't use both https and http2s at the same time

  */

  interface Servers {
    httpServer(onReq?: ReqHandlerNext): HttpServer
    http2Server(
      secureOps: Http2SecureServerOptions, onReq?: ReqHandler
    ): Http2SecureServer
    httpsServer(
      secureOps: HttpsServerOptions, onReq?: ReqHandler
    ): HttpsServer
    serveApp(onReq: ReqHandler): Promise<void>
    id(): string | number
  }

  interface Master {
    ready(cb: (servers: Servers)=>any): Master;
    master(): Master;
    serve(onReq: ReqHandler): void;
  }


  type Options = {
    packageRoot: string,
    maintainerEmail: string,
    configDir: string
    cluster?: boolean

    greenlock?: Greenlock
    packageAgent?: string
    notify?: (ev: string, params: any)=>any
  };

  // Entry point: accepts the options object directly or a function that returns it.
  export function init(opts: Options | (()=>Options)): Master

Errors aren't logged correctly

Please provide full details of response from letsencrypt.
Today I've been struggling for a couple of hours because this module didn't show anything helpful except for "E_ACME_UNKNOWN".
Only by using certbot I could find out that the error was that I haven't set up a CAA record for my domain.

Is there a limitation to the amount of domains you can configure?

I have an express server running greenlock-express and I have noticed that as I have increased the number of subdomains that I intend to support, I get an error:

Error cert_issue: | Cannot read property 'children' of undefined which points to a line 305 in the file node_modules/@root/csr/csr.js.

I think that the number of domains I am attempting to register is the only factor in the creation of this error.

How to know when on listening

Hi,

With createServer in node you monitor for listening with something like secureServer.on('listening', onListening);

Is there a way to do this with Greenlock?

thanks,

Small mistake in the readme instructions

Within the README instructions, under step #2 (2. Initialize and Config (Dir or DB)), it says to use this command:
npx greenlock init --config-dir ./greenlock.d --maintainer-email '[email protected]'

But if you use quotes around the email like that it fails with this error:
missing or malformed maintainerEmail (or author from package.json)

Since it compares with quotes included against the author email string as is, without quotes.

Hope this helps!
Kind regards //ihostuplay

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Hi, I'm trying to follow the tutorial/walkthrough, but I keep getting the following error. I'm not sure what I'm doing wrong.
Below is a screenshot and the code I use

  require("greenlock-express")
    .init({
        packageRoot: __dirname,
        configDir: "./greenlock.d",

        maintainerEmail: "[email protected]",
        cluster: false
    })
    .ready(httpsWorker);

function httpsWorker(glx) {
    //
    // HTTPS 1.1 is the default
    // (HTTP2 would be the default but... https://github.com/expressjs/express/issues/3388)
    //
    // Get the raw https server:
    var httpsServer = glx.httpsServer(null, function(req, res) {
        res.end("Hello, Encrypted World!");
    });

    httpsServer.listen(443, "0.0.0.0", function() {
        console.info("Listening on ", httpsServer.address());
    });

    // Note:
    // You must ALSO listen on port 80 for ACME HTTP-01 Challenges
    // (the ACME and http->https middleware are loaded by glx.httpServer)
    var httpServer = glx.httpServer();

    // (The pasted snippet was cut off here; the port-80 listener the comment
    // above calls for completes it so the worker function is well-formed.)
    httpServer.listen(80, "0.0.0.0", function() {
        console.info("Listening on ", httpServer.address());
    });
}
