Certificate generation error

bksales · August 3, 2016, 2:51pm

anyone seen something like this before - was trying to generate a Let’s Encrypt certificate

There was an error updating the certificate: array_reduce() expects parameter 1 to be array, null given

tm1000 · August 5, 2016, 6:48am

Need the full error on this.

bksales · August 5, 2016, 2:28pm

i am happy to provide more detail - just let me know what you need. the error i reported was what is displayed in the GUI when attempting to make a Let’s Encrypt certificate request. the appropriate entries have been made in the firewall.

here is what is in the certificate request - i have blanked out the host name but it is a valid host name.

and here is what comes back

tm1000 · August 5, 2016, 3:47pm

Take the apostrophe out of the description

bksales · August 5, 2016, 4:06pm

two things:

removing the apostrophe did not change the error - i still get the same error
i have used the apostrophe in many other certificate descriptions without a problem.

are there some log files or some traces i can do to get to the bottom of this?

bksales · August 5, 2016, 4:27pm

i have figured out what causes it, now i just need a bit of help in fixing it.

if you attempt to request a certificate without updating the firewall first to include the additional url’s, the certificate request reports the error Cannot connect. if you then update the firewall and attempt to generate the certificate you get the error i reported.

tm1000 · August 6, 2016, 6:10am

The error comes from the upstream library we are using. It seems as though the Let’s Encrypt servers do not like your configuration. Basically the response from Let’s Encrypt has no challenges, or is invalid as if there is some device mangling the returned response on your network.

github.com

FreePBX/certman/blob/48b486ca2b024482a6ee844131db009b3ff89a89/vendor/analogic/lescript/Lescript.php#L72


// -------------------------------------------


$this->log("Requesting challenge for $domain");


$response = $this->signedRequest(
    "/acme/new-authz",
    array("resource" => "new-authz", "identifier" => array("type" => "dns", "value" => $domain))
);


// choose http-01 challange only
$challenge = array_reduce($response['challenges'], function($v, $w) { return $v ? $v : ($w['type'] == 'http-01' ? $w : false); });
if(!$challenge) throw new \RuntimeException("HTTP Challenge for $domain is not available. Whole response: ".json_encode($response));


$this->log("Got challenge token for $domain");
$location = $this->client->getLastLocation();




// 2. saving authentication token for web verification
// ---------------------------------------------------


$directory = $this->webRootDir.'/.well-known/acme-challenge';

bksales · August 6, 2016, 3:33pm

a bit more data. it appears that if the pbx is on the same public subnet as another pbx that has successfully pulled a certificate then i get the error. is there a different kind of certificate we need that we can load into all the systems on the same subnet?

tm1000 · August 6, 2016, 5:43pm

Wait so you are trying to put the same domain base certificate on two servers?

That won’t fly with lets encrypt.

bksales · August 6, 2016, 6:17pm

it works as long as the ip address resolves to a different subnet. so i assume what we should do is get some sort of san certificate and upload it into each pbx?

tm1000 · August 6, 2016, 8:18pm

Yes that’s what you should probably do. They are free from start ssl

bksales · August 7, 2016, 2:09pm

here are two answers i got from let’s encrypt

The error message you describe “There was an error updating the certificate: array_reduce() expects parameter 1 to be array, null given” seems to come from FreePBX, not Let’s Encrypt, and so they’re best placed to help directly, but volunteers like me would be happy to try to help their development team if they bring questions here too of course.

In regards to using one certificate on multiple servers in essence there’s no difference between Let’s Encrypt or StartSSL (when not a wildcard certificate). Just make sure all the required hostnames are in the SubjectAltNames field of the certificate.

tm1000 · August 7, 2016, 3:31pm

Actually not. As I said before the error comes from upstream but not freepbx. I also did not say it came from let’s encrypt. What I did say was that let’s encrypt was returning a null response. Eg there is no challenge. I also pointed you to the code in our repo from upstream above. I suggest you take a look at it.

Yes there is a difference. There is a rate limit of requesting certificates. Once you reach that limit then you’ll get errors. Unfortunately we do not support multiple domains at this time. What you want is the same certificate on multiple machines. Our implementation of let’s encrypt does not allow that. Sorry. You’d be better going with startssl

tm1000 · August 7, 2016, 3:49pm

I read your post over at https://community.letsencrypt.org/t/certificate-requests-for-systems-on-the-same-subnet-fail/18685

I wish that you had clarified your network topology here like you did over there. Our implementation of Let’s Encrypt should have no problems with this. However, Let’s Encrypt is returning a null response. If you like you can open a ticket with support (OUR support). Reference me. They will assign it to me and it will be free. I will figure the issue out for you.

bksales · August 7, 2016, 4:05pm

will do, i thought i did explain the network topology (same subnet) but perhaps i was more verbose on their site. i will open a ticket shortly. thanks

bksales · August 7, 2016, 4:23pm

I just created the issue - 12891 - i appreciate the help

tm1000 · August 7, 2016, 4:27pm

Please open a ticket through support. Issues is not support and I have no way to get onto your system through issues.

bksales · August 7, 2016, 4:55pm

done, ticket number 590463. i updated the pbx info in the portal. i think all i need is the ip address(es) where you will be coming in from so i can white list them.