Got this error trying to issue a new certificate:
{“type”:”urn:ietf:params:acme:error:badCSR”,”detail”:”ClientAuth certificates are being deprecated by Q2 2026, please see https://pki.goog/updates/may2025-clientauth.html for the phased rollout schedule. Requests for clientAuth certificates must set the `?client_auth=true` query parameter in the ACME directory URL.”,”requestID”:”pn1B3IfzwR8Di0WuFK2UVg”}
FIX:
Upgrade asme.sh to the latest dev version:
acme.sh --upgrade -b dev因为这个app(v26.2)没有内置acme 的中间证书,所以服务器端需要配置成使用fullchain.cer,
否则mobile app 的url测试失败。
# Install acme.sh tool
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install
#install cert
cd ~/.acme.sh
# issue a RSA cert
sudo ./acme.sh --issue --d blog.zhenglei.net -w /var/www/html/wordpress
# issue a ECC cert
./acme.sh --issue -d blog.zhenglei.net -w /var/www/html/wordpress --keylength ec-256
# Copy the cert into target directory
sudo mkdir -p /etc/nginx/ssl
sudo ./acme.sh --installcert -d blog.zhenglei.net --key-file /etc/nginx/ssl/blog.zhenglei.net.ecc.key --fullchain-file /etc/nginx/ssl/blog.zhenglei.net.ecc.bundle --ecc
sudo ./acme.sh --installcert -d blog.zhenglei.net --key-file /etc/nginx/ssl/blog.zhenglei.net.key --fullchain-file /etc/nginx/ssl/blog.zhenglei.net.bundle# Update nginx config
server {
#listen 80;
listen 443;
ssl on;
ssl_certificate ssl/blog.zhenglei.net.bundle;
ssl_certificate_key ssl/blog.zhenglei.net.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
...
}
server {
listen 80 default_server;
server_name blog.zhenglei.net;
# Let's Encrypt, http method
location ~ \.well-known
{
root /var/www/html/wordpress/;
allow all;
access_log on;
log_not_found on;
}
return 301 https://$server_name$request_uri;
}