Acme not working on OpenWrt 23.05.2

Installation failed with parse error. I had to remove the last line (validation) of the config to be able to start the configuration from web UI.

But even after filling in the e-mail and certificate properties, the certificate is not issued.

/etc/config/acme (redacted):

config acme
        option account_email '<<MY E-MAIL>>'
        option debug '1'

config cert '<<MY CN>>'
        option enabled '1'
        option use_staging '0'
        option keylength '2048'
        list domains '<<MY CN>>'
        option update_uhttpd '1'
        option validation_method 'standalone'

Output of /etc/init.d/acme start (redacted):

acme: added nft rule: handle 302
acme-acmesh: Running ACME for <<MY CN>>
/usr/lib/acme/hook: line 121: standalone: parameter not set
acme: cleaning up

I also tried to move uhttpd from port 80 to 8080 as mentioned in "Standalone Mode Validation" on the Wiki, but I think the problem is in the startup.

I'm having the same issue with 23.05.2 and using standalone...

Found the solution, edit /etc/init.d/acme and ensure the standalone variable is exported like so:

config_get standalone "$section" standalone
export standalone        # <-- Add this line
[ -n "$standalone" ] && log warn "Option \"standalone\" is deprecated."

Then, ensure symlinks are pointing in the right direction:

mkdir /www/.well-known
ln -s /var/run/acme/challenge/.well-known/acme-challenge /www/.well-known/acme-challenge

Finally, use option standalone 1 in your /etc/config/acme, for example:

config cert 'mycertificate'
        option enabled 1
        option staging 0
        option standalone 1
        list domains openwrt.mydomain.com

Hopefully, it should work. (You may also need to stop and then restart the uhttpd service.)

It's strange, because the /etc/init.d/acme script complains that certain options are deprecated and replaces them with newer options (like validation_method), but the /usr/lib/acme/hook script doesn't even try to use these new options. Perhaps the packager accidentally forgot to update the hook script in version 4.0.0 or something?

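A constructed reproduction of the failure discussed above (an added example, not code from the OpenWrt acme package): the init script reads the option into a plain shell variable, the hook runs as a separate process under set -u, and only an exported variable reaches it. The hardened hook variant with a default value is my addition, not what the package does.

```shell
#!/bin/sh
# Constructed reproduction of the "standalone: parameter not set" failure.
# Not the OpenWrt acme package: the two hooks below are stand-ins for /usr/lib/acme/hook.
HOOK="$(mktemp)"; HOOK_SAFE="$(mktemp)"
trap 'rm -f "$HOOK" "$HOOK_SAFE"' EXIT

# Hook as the thread describes it: runs under set -u (nounset), so referencing a
# variable that the parent never exported aborts with "parameter not set".
cat > "$HOOK" <<'EOF'
#!/bin/sh
set -u
[ "$standalone" = 1 ] && echo "standalone mode"
exit 0
EOF

# Hardened variant (my addition): keep set -u, but give the option a default so a
# missing export cannot take the whole hook down.
cat > "$HOOK_SAFE" <<'EOF'
#!/bin/sh
set -u
[ "${standalone:-0}" = 1 ] && echo "standalone mode"
exit 0
EOF

# config_get in the init script only assigns a shell variable; it does not export it.
run_hook_without_export() {
    unset standalone
    standalone=1
    sh "$HOOK"                  # non-zero exit: the child never sees $standalone
}

# The fix from the thread: export it so the child process inherits it.
run_hook_with_export() {
    unset standalone
    standalone=1
    export standalone
    sh "$HOOK" >/dev/null       # zero exit: "$standalone" expands to 1 in the child
}

# The hardened hook tolerates the missing export and still runs under set -u.
run_safe_hook_without_export() {
    unset standalone
    standalone=1
    sh "$HOOK_SAFE" >/dev/null
}

run_hook_without_export; echo "without export: exit $?"
run_hook_with_export;    echo "with export:    exit $?"
```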

The hook doesn't use the $standalone var anymore, but it seems that you have an old version of the acme-acmesh package. So you upgraded only acme-common but not the complementary acme-acmesh package.

Try to execute opkg update; opkg upgrade acme-acmesh acme-common.

Please tell me if that helped.

You may also check the PR.

For me, I get:

acme: Option 'keylength' is deprecated, please use key_type (e.g., ec256, rsa2048) instead.
/usr/lib/acme/hook: line 47: keylength: parameter not set

/etc/config/acme has both option keylength '2048' and option key_type 'rsa2048'.
I have tried with either and both.

acme 4.0.0
acme-acmesh 3.0.7-1
acme-acmesh-dnsapi 3.0.7-1
acme-common 1.0.4
luci-app-acme git-23.074.38708-acf40dc

I'm on the same versions and --keylength 2048 works as expected for me:

/usr/lib/acme/client/acme.sh -d *.mydomain.com --keylength 2048 --accountemail myuser@mydomain.com --server letsencrypt_test --dns dns_cf --dnssleep 60 --issue --home "/etc/acme"

What is your CLI command?

@account4538 you are running acme.sh directly, while @hedzwillroll has a problem with the UCI config.
@hedzwillroll please try to upgrade acme packages:

opkg update
opkg upgrade acme-acmesh acme-acmesh-dnsapi acme-common

The fix for the problem was backported to openwrt-23.05, so the new package should be built within a day.
Please upgrade the packages.
Sorry for the inconvenience, and thanks for reporting.
Here I created a support topic: Let'sEncrypt, ACME.sh and LUCI App Acme support topic