Letsencrypt not working

[ed.n1n2]

There has been a couple of guides on how to do this recently (5.9,6.0)

https://spin.atomicobject.com/2016/0...-lets-encrypt/
https://lab.rickauer.com/post/2016/0...ypt-on-OpenBSD

Both are using https://kristaps.bsd.lv/acme-client/ which has supposedly been included in the -current branch for 6.0

None of that crap works. None of it. Which really surprises me since they make it sound like ABC123.

I've followed both guides verbatim on relatively fresh installs of 6.0 and receive the following error:

Code:

acme-client: /etc/acme/privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/privkey.pem: domain key exists (not creating)
acme-client: /etc/ssl/acme/private/privkey.pem: PEM_read_PrivateKey
2256225808:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY
acme-client: bad exit: keyproc(33902): 1

Under no circumstances does it *just work*. I have absolutely no idea why.

Code:

acme-client \
        -C /var/www/letsencrypt/.well-known/acme-challenge \
        -c /etc/ssl/acme \
        -k /etc/ssl/acme/private/privkey.pem \
        -f /etc/acme/privkey.pem \
        -vNn my.domain

The acme-challenge should work just fine. I tested the webserver itself and I can pull files out of that directory without issue. All of the other directories were created as the guide(s) indicated (I used their different respective paths)

I'm used to the letsencrypt-auto that I download via git. I use it all the time in various Linux boxes without issue. In 5.8, IIRC, I was able to download the source and did indeed get it working. None of that works now in 6.0, and you cannot get what was downloaded with git to work in it.

How are other people getting LE to work on OpenBSD? Are there any success stories out there? Any guides I can find online are just too out of date, and I'm looking for updated information.

[ocicat]

Quote:

Originally Posted by ed.n1n2

How are other people getting LE to work on OpenBSD? Are there any success stories out there? Any guides I can find online are just too out of date, and I'm looking for updated information.

While someone may step up with salient information, I suspect none in this community will be able to answer your question(s). My recommendation would be to contact the original authors of the how-to's/tutorials used.

[ed.n1n2]

You mean that nobody in this community has any interest, at all, in free certificates from LetsEncrypt?

I guess everyone here is worth billions or something and doesn't mind paying the SSL mafiaa for their stuff to work

With all due respect, LE is now a basic requirement. Almost every piece of vendor hardware that I know is for all intents and purposes crippled with anything less than CA verified SSL certs. Nothing self-signed works anymore.

Forgive me, but I'm astounded that there would be no interest in making this happen.

I'm super pissed at the lack of LE support in OpenBSD, which makes it look like an inferior operating system. I hope somebody here can help, but an LE tutorial should be a sticky for OpenBSD when we have one that works.

[jggimi]

It has been just about an hour, Ed, since your first post in this thread.

I use acme-client with Letsencrypt. Successfully.

I began using it with OpenBSD 6.0, and used Kristaps Dzonsons's acme-client-0.1.16 with that release.

When I upgraded the server to 6.1 last month, I transitioned to using the built-in acme-client(1), which is an updated version of Kristaps' application.

[ed.n1n2]

Would you be interested in making a tutorial?

I'm doing this on two different 6.0 boxes that I created. Nothing has been done to them in terms of SSL/HTTP from that basic install.

Nginx is easy enough to get working and the acme-challenge is served up in my web browser without incident.

Absolutely none of the tutorials anywhere will work. So either my two fresh boxes are wholly broken (although working otherwise).... or.... the tutorials are all out of date. Which they all seem to be over 6 months, and there has been a lot of movement and change from letskencrypt and acme-client.

I *NEED* https working on my boxes to go forward at all, and this is disheartening to say the least.

Code:

acme-client: /etc/ssl/acme/private/privkey.pem: PEM_read_PrivateKey
2173063696:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY

Multiple boxes and the only thing I ever receive are SSL errors that make no sense. These are fresh installs and the tutorials maddeningly indicate the commands should 'just work'.

On another note, I'm trying to get the letsencrypt-auto source to work from git, but there is nothing in it that understands OpenBSD as an OS. However, I swear that I got it to work under 5.8 or 5.9. Got it done in 30 minutes in an afternoon, and here 6 months later, can't be done at all.

Extremely frustrating.

[TronDD]

I was using acme-client 0.1.11 built from github with 6.0 as well and transitioned to the base acme-client with 6.1.

Which version are you using? Did you try following the example in the manpage?

[jggimi]

I would recommend upgrading to 6.1, and using the built-in acme-client. Both Trondd and I have done this, so you would not be breaking any new ground.

The acme-client.conf(5) and acme-client(8) man pages that come with 6.1 have clear examples.

[ed.n1n2]

I'm aware that there are clear examples. It's the fact that they are so clear, and not working, that has driven me insane.

In 6.0 acme-client is not available from pkg_add, only letskencrypt is. That is letskencrypt-0.1.7. I downloaded acme-client-0.1.16 and its portable version.

Following the man pages is one of the first things that I did, sans Apache. I used nginx instead to serve the acme-challenge which should not be an issue. The webserver does serve pages so....

Everything runs right as expected right up to the point where it complains about the private key, even though it is fully responsible for generating it in the first place.

I guess I can try upgrading these to 6.1 since LE support in 6.0 seems to be lacking.

[jggimi]

Quote:

I guess I can try upgrading these to 6.1 since LE support in 6.0 seems to be lacking.

If you have not upgraded, I can pull my 6.0-stable configuration from an old backup.

Just let me know.

[scottro]

There are commercial solutions like a Comodo for $5.00 USD a year.

https://www.ssls.com/brand/comodo-ssl-certificates

(That's apparently a reseller, I just vaguely remembered there were cheap ones and googled comodo cheap SSL and that was the first hit).

[ed.n1n2]

@scottro

Comodo is okay, but what I'm creating is a specialized server that can be installed via a script. Since it is all automated I really need to use LE for that reason. It's the only method that I'm aware of, that's also free, in which you can automatically receive and renew a "commercial" SSL certificate. As I understand it, one of the reasons why there was a push for acme in the first place was to have a standardized method for administrating SSL. So even if I did use Comodo instead of LE, I still need it work with an acme-like installer.

@jggmi

The configuration would be appreciated. I've not upgraded yet.

[jggimi]

noted. I will be able to run a restore and post provisioning information in about 4 or 5 hours.

[jggimi]

My 6.0-stable Letsencrypt provisioning

I installed acme-client-0.1.16, and then followed the guidance in the acme-client(1) man page, except that my webserver was httpd(8), rather than www/nginx.

httpd.conf(5):

Code:

server "default" {
        listen on * port www
        listen on * tls port https
        listen on :: port www
        listen on :: tls port https
        tls certificate "/etc/ssl/acme/fullchain.pem"
        tls key "/etc/ssl/acme/private/privkey.pem"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
           }
}

Following the man page, I set up the /var/www/acme directory used for challenges, and the directories for certificates and keys:

Code:

# mkdir /var/www/acme
# mkdir /etc/ssl/acme
# mkdir /etc/ssl/acme/private /etc/acme
# chmod 0700 /etc/ssl/acme/private /etc/acme

I then established the first keys, testing with the staging server first, before removing the -s option to create production keys. I'm showing jggimi.net in this example, but I included several altnames.

# acme-client -vNns jggimi.net

Then, later...

# acme-client -vNn jggimi.net

I added a short script based on the one in the man page, which I called from daily.local(8). This ran the daily challenge and then restarted the webserver whenever new keys were established.

Certificates and Keys:

Running acme-client(1) with -n will create a new account key if needed, and store it in /etc/acme/privkey.pem.

Running acme-client(1) with -N will create a new domain key if needed. The key and certificates are stored in /etc/ssl/acme.

Transition to acme-client 1.0 in OpenBSD-6.1

The big operational change is the transition to an acme-client.conf(5) configuration file. The recommended update script was simplified.