Autocert unable to authorize

Hello, I’m trying to start a new copy of Drone, but I’m getting this:

drone-server_1  | http: TLS handshake error from 191.32.201.89:63582: acme/autocert: unable to authorize "drone.exemple.com"; tried ["tls-sni-02" "tls-sni-01"]
drone-server_1  | http: TLS handshake error from 191.32.201.89:63646: acme/autocert: missing certificate

What is wrong?

Obs: I have change the url because of privacy

Lets encrypt found a security vulnerability last week with the tls-sni-01 and tls-sni-02 challenge protocols [1] and disabled their use for authoring new certificates. The autocert package used these protocols, and is therefore no longer working in older versions of drone.

We merged a patched version of the autocert package that uses http-01 challenge protocol last week [2]. You will need to use the drone/drone:latest image to take advantage of these changes.

[1] https://github.com/golang/go/issues/21890
[2] https://github.com/drone/drone/issues/2300

Hi bradrydzewski, I follow the discussion on GitHub. I have erased all my images and got the latest drone image from Docker Hub. I even tried the alpine version, but I’m still getting the error.

The docker-compose.yml configuration has changed for the http-01 challenge protocol?

The docker-compose.yml configuration has changed for the http-01 challenge protocol?

No, there are no configuration changes required

There is something that I can provide to make easier to fix it?

unable to authorize “drone.exemple.com”; tried [“tls-sni-02” “tls-sni-01”]

Your error messages shows that tls-sni-01 and tls-sni-02 challenge protocols are still being used which could indicate you still do not have the latest image. Or it could indicate an issue with the current implementation. I’m not sure.

My certificates do not expire until march, and I am busy with some other work, so this is not something I can work on right now. If you continue to experience issues, please consider sending a pull request to improve the current implementation, and I can help expedite getting it merged. Thanks!

@rafaelncarvalho can you post your docker-compose file, I’ve tested the implementation. Be sure that you expose both port 80 and 443 , 80 its mandatory for Let’s encrypt verification.

I’ve found the issue sending a patch now

Sure:

version: '2'

services:
  drone-server:
    image: drone/drone:latest

    ports:
      - 80:80
      - 443:443
      - 9000:9000
    volumes:
      - /var/lib/drone:/var/lib/drone/
    restart: always
    environment:
      - DRONE_OPEN=false
      - DRONE_ADMIN=rafaelncarvalho
      - DRONE_HOST=${DRONE_HOST}
      - DRONE_SECRET=secret
      - DRONE_LETS_ENCRYPT=true
      - DRONE_GITHUB=true
      - DRONE_GITHUB_CLIENT=xxxxxxxx
      - DRONE_GITHUB_SECRET=xxxxxxxx

  drone-agent:
    image: drone/agent:latest

    command: agent
    restart: always
    depends_on:
      - drone-server
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DRONE_SERVER=drone-server:9000
      - DRONE_SECRET=secret

And the ports are open

PR sent

ls -ltrah ~/.cache/golang-autocert/
total 16K
drwx------ 4 root root 4.0K Jan 18 11:31 ..
-rw------- 1 root root  227 Jan 18 11:31 acme_account.key
-rw------- 1 root root 3.4K Jan 18 11:31 drone.jhernandez.me
drwx------ 2 root root 4.0K Jan 18 11:31 .

Thank you

I got the last image, but I still have the same error

the image from docker is built based on a different repo drone-enterprise which I assume doesn’t have that change yet.

Oh thanks! I will wait. Thank you for all the help

Seems like you can pull now

Perfect! It works! Thank you again