Open
Description
It seems that Let's Encrypt recently stopped providing an alternative chain for certificates, which you could previously use with this option:
```
--use_alt_chain CHAIN_NO
If non-zero, then use nth alternative certificate chain. For example using
"1" with Let's Encrypt may be required to work-around a bug in clients with
OpenSSL-1.0.2:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
(default: 0)
```
So now, when you use `--use_alt_chain=1`, you'll get this error:
```
2024-07-15 13:37:07,115:INFO:simp_le:1468: Generating new certificate private key
2024-07-15 13:37:10,345:ERROR:simp_le:1134: Could not remove validation file at
+/var/www/mail…-le/.well-known/acme-challenge/HVhm… : [Errno 2] No such file or directory:
+'/var/www/mail…-le/.well-known/acme-challenge/HVhm…'
Traceback (most recent call last):
File "/home/le/.local/lib/python3.12/site-packages/simp_le.py", line 1618, in main
return main_with_exceptions(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/le/.local/lib/python3.12/site-packages/simp_le.py", line 1602, in main_with_exceptions
persist_new_data(args, existing_data)
File "/home/le/.local/lib/python3.12/site-packages/simp_le.py", line 1497, in persist_new_data
pems = list(split_pems(fullchain_pems[args.use_alt_chain]))
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
IndexError: list index out of range
Unhandled error has happened, traceback is above
Debugging tips: -v improves output verbosity. Help is available under --help.
```
After trying several times (for example with daily cron):
```
2024-07-15 17:16:26,868:INFO:simp_le:1468: Generating new certificate private key
ACME server returned an error: urn:ietf:params:acme:error:rateLimited
:: There were too many requests of a given type :: Error creating new order
:: too many certificates (5) already issued for this exact set of domains in the last 168 hours:
…, retry after 2024-07-16T22:23:07Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
```
Unfortunately, I noticed the error only after my cert expired, and I can't refresh it now for the next 29h :-( It's not too important, so there's not much pain involved, but still.
Maybe simp_le should check the pem length, and if there are not enough of them, then issue a warning and use chain 0. This should be very easy to implement.
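
A sketch of the fallback suggested above, added as an example and not taken from simp_le's code. It assumes `fullchain_pems` is a list of full-chain PEM strings with the default chain first, as the indexing in the traceback suggests; the function names and sample data are hypothetical.

```python
import logging
import re

logger = logging.getLogger("alt_chain_example")

# Matches one PEM-armoured certificate block.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_cert_pems(fullchain_pem):
    """Return the individual certificate PEM blocks of one chain, in order."""
    return _PEM_CERT_RE.findall(fullchain_pem)


def select_fullchain(fullchain_pems, use_alt_chain):
    """Pick the requested chain; fall back to chain 0 if it is not offered.

    Assumption: fullchain_pems holds one PEM string per chain, default first.
    Returns (index actually used, list of certificate PEM blocks).
    """
    if not fullchain_pems:
        raise ValueError("ACME server returned no certificate chain")
    index = use_alt_chain
    # Reject negatives explicitly: Python would silently index from the end.
    if not 0 <= index < len(fullchain_pems):
        logger.warning(
            "alternative chain %d requested but server offered %d chain(s); "
            "using default chain 0", use_alt_chain, len(fullchain_pems))
        index = 0
    pems = split_cert_pems(fullchain_pems[index])
    if not pems:
        raise ValueError("selected chain contains no certificate")
    return index, pems


def _fake_cert(label):
    # Constructed placeholder body, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


# Constructed server responses: default chain only, then default plus one alternate.
ONE_CHAIN = [_fake_cert("bGVhZg==") + _fake_cert("aW50ZXJtZWRpYXRl")]
TWO_CHAINS = ONE_CHAIN + [_fake_cert("bGVhZg==") + _fake_cert("YWx0")]
```

With this check, a request for a chain the server no longer offers still persists the certificate that was just issued, instead of discarding it and consuming another slot of the duplicate-certificate limit on the next run.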