Bad record mac

[Nikatik]

Hello.

I have installed step (cli.0.16.1+ca.0.16.0), initialized pki, added acme, configured for myself (mysql, claims, e.g.).
Then i have replaced root cert and issued intermediate one with initialized intermediate key.

Lets start.
Health is ok. Account registration works. But then acme.sh and certbot is dying...

• Certbot: Requesting a certificate for yggnode.ygg and 4 more domains An unexpected error occurred: requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=18534): Max retries exceeded with url: /acme/acme/new-order (Caused by SSLError(SSLError("read error: Error([('SSL routines', 'ssl3_get_record', 'decryption failed or bad record mac')])")))
• Acme.sh: Getting domain auth token for each domain Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92 Create new order error. Le_OrderFinalize not found.

At the same time step-ca print info with POST block without any errors...

That trouble repeated with two different servers.

It's not my firewall, not my proxy and not my port, because i turned off firewall and connected to localhost:443.

Please, explain me, what can it be.

[maraino]

Hi @Nikatik, I've been able to reproduce the problem with Certbot, and I think the error in acme.sh is caused for the same reason. Certbot (and acme.sh) are not configured to trust the Root CA of step-ca.

To configure certbot you need to export the environment variable REQUESTS_CA_BUNDLE and it needs to point to the root certificate, for example:

export REQUESTS_CA_BUNDLE=$(step path)/certs/root_ca.crt
certbot ....

For acme.sh is I think is just adding the flag --ca-bundle $(step path)/certs/root_ca.crt

[Nikatik]

I'm so sorry, but this problem has been solved by magic incident, i guess... Now it is all right.

About your answer, no, root cert installed into system trust store. But i tried suggested ways too.