DaemonForums  

15th February 2018
toprank
acme-client fail

I am having some difficulty getting acme-client to work.

Code:
# uname -a
OpenBSD bsd420 6.2 GENERIC.MP#134 amd64

The command fails with a bad exit: netproc(): 1, as you can see:

Code:
# acme-client -DAvv www.domain.tld                                                                                                                                    
acme-client: /etc/ssl/private/domain.tld.key: generated RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.116.104.206
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "w6htaga31TU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (562 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "id": 29501689, "key": { "kty": "RSA", "n": "zjLhAW454vdleLnhDglheydIDKTYkTz8OU8r3bPWw_I0kPxDRmkbq1EDoUg1_37R_9wuMfFuP1xmr2Ohq1lMgB9HsQEpdqCwbagQTSaF0fgd4haH4-LN6gV4nVzoWmZ7d2JdYNC3QLsfwyClrw9aK_qwU5kamgPc9F9ZklmjGL-zEjlts8-vDquZ4kwq9V2QQleF7ifdEGsn9pZ8pzp-Ap0ddGOJJoI3u_s7KSlGuy_oaYhN0q6v2mSVJZrqEdIiNGw9VUhpJCTFGqB3XMP2oVuJR-IcJdPBFBGAgznDlbT5k7FuZpSaSUPqHxQ3tlX-DRAsLtzoisfwGM57GHPKSffhZX8XdUere4cS0KXo34i6JK6t93Lf0MfInEfZrzGeXgd3idsNwqDRvs4Z8_o6S1dj0-BjAtkiWthEuQ8I7oub8zLbOVh-IK69-QR0-2tocYKfwiDwX_kngpGaYA827NPeRhCPy_z5QyMKmpLV48VpMU41t7p7oPVnNah3EwWFVhC3_vLc4V9h2aveG8ZI_JBVVq_kVYaxtAY-mLixKwJiSySfZeAXsHyK8QcCZySQ93QFgpl8Owe6JALZL0dbumazR-jvAndkb_7ctoXlUGoY3inneBKg-L9JrVyH2_GoSRc-bk9WThQUGdhS_EoCJiE1wfsXK6HJepmWhR11C0U", "e": "AQAB" }, "contact": [], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "initialIp": "101.161.18.12", "createdAt": "2018-02-15T04:05:00.790207171Z", "status": "valid" }] (969 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.domain.tld
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "www.domain.tld" }, "status": "pending", "expires": "2018-02-22T04:05:02.621001171Z", "challenges": [ { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652", "token": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411654", "token": "YBSFrkUpPVPyRFrKphTT8pEVbgUPTGyaHj6XNwJEP2E" } ], "combinations": [ [ 1 ], [ 0 ] ] }] (729 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: domain.tld
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "domain.tld" }, "status": "pending", "expires": "2018-02-22T04:05:06.210188187Z", "challenges": [ { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412431", "token": "6ITrOq3m4hmHSIjbmvtx7s0YuzS3E5DXYV7axkYGgBI" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412432", "token": "1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q" } ], "combinations": [ [ 1 ], [ 0 ] ] }] (725 bytes)
acme-client: /var/www/acme/.well-known/acme-challenge/Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652", "token": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk", "keyAuthorization": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk.gFr7yk8NHaNsYQUJfqeJyR5qgM7F9poM2vQDmOL4kyo" }] (336 bytes)
acme-client: /var/www/acme/.well-known/acme-challenge/1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412432: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412432", "token": "1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q", "keyAuthorization": "1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q.gFr7yk8NHaNsYQUJfqeJyR5qgM7F9poM2vQDmOL4kyo" }] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://www.domain.tld/.well-known/acme-challenge/Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652", "token": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk", "keyAuthorization": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk.gFr7yk8NHaNsYQUJfqeJyR5qgM7F9poM2vQDmOL4kyo", "validationRecord": [ { "url": "http://www.domain.tld/.well-known/acme-challenge/Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk", "hostname": "www.domain.tld", "port": "80", "addressesResolved": [ "101.161.18.12" ], "addressUsed": "101.161.18.12" } ] }] (1055 bytes)
acme-client: bad exit: netproc(22696): 1
#

I suspect the emphasised output above is informative, but I'm not sure exactly what it means or how it can be corrected.

httpd.conf is stripped of everything but essential acme config:

Code:
# cat /etc/httpd.conf                                                                                                                                                 
ext_addr="*"

server "domain.tld" {
    listen on $ext_addr port 80


location "/.well-known/acme-challenge/*" { 
        root "/var/www/acme" 
        root strip 2 
    }
}
#

acme-client.conf is configured as follows:

Code:
# cat /etc/acme-client.conf                                                                                                                                                                          
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
        agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
        api url "https://acme-staging.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.domain.tld {
    alternative names { domain.tld }
    domain key "/etc/ssl/private/domain.tld.key"
    domain certificate "/etc/ssl/domain.tld.crt"
    domain full chain certificate "/etc/ssl/domain.tld.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme/.well-known/acme-challenge"
}


httpd server directories are set up as follows:

Code:
# ls -al /var/www/                                                                                                                                                                                   
total 56
drwxr-xr-x  14 root  daemon  512 Feb 15 05:09 .
drwxr-xr-x  24 root  wheel   512 Feb 15 02:36 ..
drwxr-xr-x   3 root  daemon  512 Feb 15 15:01 acme
drwxr-xr-x   2 root  daemon  512 Feb 15 02:39 bin
drwx-----T   2 www   daemon  512 Oct  4 14:13 cache
drwxr-xr-x   2 root  daemon  512 Oct  4 14:13 cgi-bin
drwxr-xr-x   3 root  daemon  512 Feb 15 04:00 conf
drwxr-xr-x   2 root  daemon  512 Feb 15 05:10 etc
drwxr-xr-x   5 root  daemon  512 Feb 15 04:00 htdocs
drwxr-xr-x   2 root  daemon  512 Feb 15 01:09 logs
drwxr-xr-x   2 root  daemon  512 Feb 15 05:02 run
drwx-----T   2 www   www     512 Feb 15 05:11 tmp
drwxr-xr-x   4 root  daemon  512 Feb 15 02:58 usr
# ls -al /var/www/acme/                                                                                                                                                                              
total 16
drwxr-xr-x   3 root  daemon  512 Feb 15 15:01 .
drwxr-xr-x  14 root  daemon  512 Feb 15 05:09 ..
drwxr-xr-x   3 root  daemon  512 Feb 15 14:56 .well-known
# ls -al /var/www/acme/.well-known/                                                                                                                                                                  
total 12
drwxr-xr-x  3 root  daemon  512 Feb 15 14:56 .
drwxr-xr-x  3 root  daemon  512 Feb 15 15:01 ..
drwxr-xr-x  2 root  daemon  512 Feb 15 15:05 acme-challenge
# ls -al /var/www/acme/.well-known/acme-challenge/                                                                                                                                                   
total 8
drwxr-xr-x  2 root  daemon  512 Feb 15 15:05 .
drwxr-xr-x  3 root  daemon  512 Feb 15 14:56 ..
#

I've spent the last day and night trying different configurations and searching for a fix but am officially at a loss.

What do I need to do? Thank you.

Last edited by toprank; 15th February 2018 at 11:59 AM. Reason: system info
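
The following is an added example, not part of the original post: a simplified model of how httpd maps the http-01 request path to a file, compared with where acme-client writes the token. It assumes httpd runs with its default chroot of /var/www (not stated in the post); the "adjusted" values are constructed for comparison, and the function names are hypothetical.

```python
import posixpath
from fnmatch import fnmatchcase

CHROOT = "/var/www"  # assumption: httpd(8) default chroot, not stated in the post

def httpd_lookup_path(request_path, location_glob, root, strip, chroot=CHROOT):
    """Model of httpd's lookup: strip N leading components of the request
    path, then append the rest to `root`, which is relative to the chroot."""
    if not fnmatchcase(request_path, location_glob):
        return None  # this location block does not handle the request
    parts = [p for p in request_path.split("/") if p]
    stripped = "/".join(parts[strip:])
    return posixpath.normpath(posixpath.join(chroot, root.lstrip("/"), stripped))

def acme_token_path(challengedir, token):
    """acme-client creates the token file directly inside challengedir."""
    return posixpath.normpath(posixpath.join(challengedir, token))

def check(root, strip, challengedir, token):
    """Compare the file httpd would serve with the file acme-client wrote."""
    url_path = "/.well-known/acme-challenge/" + token
    served = httpd_lookup_path(url_path, "/.well-known/acme-challenge/*", root, strip)
    written = acme_token_path(challengedir, token)
    return {"served": served, "written": written, "match": served == written}

TOKEN = "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk"  # token from the log above

# Values as posted in httpd.conf and acme-client.conf
posted = check("/var/www/acme", 2, "/var/www/acme/.well-known/acme-challenge", TOKEN)
# Constructed comparison: root relative to the chroot, challengedir at its top level
adjusted = check("/acme", 2, "/var/www/acme", TOKEN)

if __name__ == "__main__":
    for name, r in (("posted", posted), ("adjusted", adjusted)):
        print(name, "MATCH" if r["match"] else "MISMATCH")
        print("  httpd looks in:", r["served"])
        print("  token written :", r["written"])
```
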
Tags
acme, acme-client, openbsd 6.2, ssl, tls
