OpenBSD General
acme-client fail
I am having some difficulty getting acme-client to work.
Code:
# uname -a
OpenBSD bsd420 6.2 GENERIC.MP#134 amd64

Code:
# acme-client -DAvv www.domain.tld
acme-client: /etc/ssl/private/domain.tld.key: generated RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.116.104.206
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "w6htaga31TU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (562 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "id": 29501689, "key": { "kty": "RSA", "n": "zjLhAW454vdleLnhDglheydIDKTYkTz8OU8r3bPWw_I0kPxDRmkbq1EDoUg1_37R_9wuMfFuP1xmr2Ohq1lMgB9HsQEpdqCwbagQTSaF0fgd4haH4-LN6gV4nVzoWmZ7d2JdYNC3QLsfwyClrw9aK_qwU5kamgPc9F9ZklmjGL-zEjlts8-vDquZ4kwq9V2QQleF7ifdEGsn9pZ8pzp-Ap0ddGOJJoI3u_s7KSlGuy_oaYhN0q6v2mSVJZrqEdIiNGw9VUhpJCTFGqB3XMP2oVuJR-IcJdPBFBGAgznDlbT5k7FuZpSaSUPqHxQ3tlX-DRAsLtzoisfwGM57GHPKSffhZX8XdUere4cS0KXo34i6JK6t93Lf0MfInEfZrzGeXgd3idsNwqDRvs4Z8_o6S1dj0-BjAtkiWthEuQ8I7oub8zLbOVh-IK69-QR0-2tocYKfwiDwX_kngpGaYA827NPeRhCPy_z5QyMKmpLV48VpMU41t7p7oPVnNah3EwWFVhC3_vLc4V9h2aveG8ZI_JBVVq_kVYaxtAY-mLixKwJiSySfZeAXsHyK8QcCZySQ93QFgpl8Owe6JALZL0dbumazR-jvAndkb_7ctoXlUGoY3inneBKg-L9JrVyH2_GoSRc-bk9WThQUGdhS_EoCJiE1wfsXK6HJepmWhR11C0U", "e": "AQAB" }, "contact": [], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "initialIp": "101.161.18.12", "createdAt": "2018-02-15T04:05:00.790207171Z", "status": "valid" }] (969 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.domain.tld
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "www.domain.tld" }, "status": "pending", "expires": "2018-02-22T04:05:02.621001171Z", "challenges": [ { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652", "token": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411654", "token": "YBSFrkUpPVPyRFrKphTT8pEVbgUPTGyaHj6XNwJEP2E" } ], "combinations": [ [ 1 ], [ 0 ] ] }] (729 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: domain.tld
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "domain.tld" }, "status": "pending", "expires": "2018-02-22T04:05:06.210188187Z", "challenges": [ { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412431", "token": "6ITrOq3m4hmHSIjbmvtx7s0YuzS3E5DXYV7axkYGgBI" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412432", "token": "1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q" } ], "combinations": [ [ 1 ], [ 0 ] ] }] (725 bytes)
acme-client: /var/www/acme/.well-known/acme-challenge/Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652", "token": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk", "keyAuthorization": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk.gFr7yk8NHaNsYQUJfqeJyR5qgM7F9poM2vQDmOL4kyo" }] (336 bytes)
acme-client: /var/www/acme/.well-known/acme-challenge/1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412432: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CasCvjhS7BL2DombvQ76R60jIHbBdWCtgIWFPbVbz80/3465412432", "token": "1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q", "keyAuthorization": "1rxYyVIj4cDNK-jgRnTeGJQGtwjPkin_3TKqkLAXP5Q.gFr7yk8NHaNsYQUJfqeJyR5qgM7F9poM2vQDmOL4kyo" }] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://www.domain.tld/.well-known/acme-challenge/Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6_vnkXGE_2RQhlciPcdlOOd-8WhV0edebGdynaM1H6c/3465411652", "token": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk", "keyAuthorization": "Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk.gFr7yk8NHaNsYQUJfqeJyR5qgM7F9poM2vQDmOL4kyo", "validationRecord": [ { "url": "http://www.domain.tld/.well-known/acme-challenge/Ttc8wLleRopUqvAK9hdrJVjI85Dldn4uwEUIyb2cFfk", "hostname": "www.domain.tld", "port": "80", "addressesResolved": [ "101.161.18.12" ], "addressUsed": "101.161.18.12" } ] }] (1055 bytes)
acme-client: bad exit: netproc(22696): 1
#

httpd.conf is stripped of everything but essential acme config:
Code:
# cat /etc/httpd.conf
ext_addr="*"

server "domain.tld" {
	listen on $ext_addr port 80
	location "/.well-known/acme-challenge/*" {
		root "/var/www/acme"
		root strip 2
	}
}

acme-client.conf is configured as follows:
Code:
# cat /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
	api url "https://acme-staging.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.domain.tld {
	alternative names { domain.tld }
	domain key "/etc/ssl/private/domain.tld.key"
	domain certificate "/etc/ssl/domain.tld.crt"
	domain full chain certificate "/etc/ssl/domain.tld.fullchain.pem"
	sign with letsencrypt
	challengedir "/var/www/acme/.well-known/acme-challenge"
}

httpd server directories are set up as follows:
Code:
# ls -al /var/www/
total 56
drwxr-xr-x  14 root  daemon  512 Feb 15 05:09 .
drwxr-xr-x  24 root  wheel   512 Feb 15 02:36 ..
drwxr-xr-x   3 root  daemon  512 Feb 15 15:01 acme
drwxr-xr-x   2 root  daemon  512 Feb 15 02:39 bin
drwx-----T   2 www   daemon  512 Oct  4 14:13 cache
drwxr-xr-x   2 root  daemon  512 Oct  4 14:13 cgi-bin
drwxr-xr-x   3 root  daemon  512 Feb 15 04:00 conf
drwxr-xr-x   2 root  daemon  512 Feb 15 05:10 etc
drwxr-xr-x   5 root  daemon  512 Feb 15 04:00 htdocs
drwxr-xr-x   2 root  daemon  512 Feb 15 01:09 logs
drwxr-xr-x   2 root  daemon  512 Feb 15 05:02 run
drwx-----T   2 www   www     512 Feb 15 05:11 tmp
drwxr-xr-x   4 root  daemon  512 Feb 15 02:58 usr
# ls -al /var/www/acme/
total 16
drwxr-xr-x   3 root  daemon  512 Feb 15 15:01 .
drwxr-xr-x  14 root  daemon  512 Feb 15 05:09 ..
drwxr-xr-x   3 root  daemon  512 Feb 15 14:56 .well-known
# ls -al /var/www/acme/.well-known/
total 12
drwxr-xr-x   3 root  daemon  512 Feb 15 14:56 .
drwxr-xr-x   3 root  daemon  512 Feb 15 15:01 ..
drwxr-xr-x   2 root  daemon  512 Feb 15 15:05 acme-challenge
# ls -al /var/www/acme/.well-known/acme-challenge/
total 8
drwxr-xr-x   2 root  daemon  512 Feb 15 15:05 .
drwxr-xr-x   3 root  daemon  512 Feb 15 14:56 ..
#

I've spent the last day and night trying different configurations and searching for a fix but am officially at a loss. What do I need to do? Thank you.
Last edited by toprank; 15th February 2018 at 11:59 AM. Reason: system info

Check the example httpd.conf config in the acme-client man page again. "root" within a location block is relative to the chroot of the server.

Code:
# cat /etc/httpd.conf
ext_addr="*"

server "domain.tld" {
	listen on $ext_addr port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
}
# /etc/rc.d/httpd restart
httpd(ok)
httpd(ok)
# httpd -f /etc/httpd.conf
# acme-client -DAvv www.domain.tld
acme-client: /etc/ssl/private/domain.tld.key: generated RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.116.104.206
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "oxn-Dj-ipKg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (562 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "id": 29529464, "key": { "kty": "RSA", "n": "vhwZ9lexJbtG8FzfYRC5EXQ9pCMXZ8ZKOomsnixhgaDC7DvS-rXKFUWzoSnHkpiSbfDEBLA__6x_MOKmSg8KW_QC0gtGPJq3izlNF42ksyZuX_YZjSXEugBe1TInektmEB3kLS9gvVEz1epWbdMZhiQ0frVaKiMwqnlQ7jnwQ515PJmCEI_CzGNMJnJwQkgoLFgnZyNod9NHHw1LqZzK9u6worgPnp__xoS6MNhjpFj5IcM9Aqa09St_YFDmEOx7Hrk758Hl319vH05bwgyOhSqZ2Th5E69j7g_DJMSHOUQKO_8Z1W32MZk35nxDDi66KQ7VSVjeZJgvxR1cVsWegB6L4diI76CAg__D-06_hiVAtq2OtZewoO4Ga2HEJcox1nL9Djvo4mjZazel8SFvw2N76qsH2oBWFpY-pzRJMz2TN8ZKFkTE1yUIDAnVmdKLJSkGoyfSmy34K3exaAtbddtv_tmAoFhRjsA5n5r7Bmc6bksvR322WMcHwdnbRwby_i3mZso490sqyFwhcDapQQbp4xK_i8477dCxZrT1_2-J4IScryUn86ALRkqTSKHRGNA-NBKkBAfMOVMqJkgoWvAAcE3IFUcl2fRKSMstyeQo5Krj3WjxGxo8Ad3MskwBcd7qZmxxVmztOB0MGcFT-4dlCUlDs1BbbpmFi0SSl-M", "e": "AQAB" }, "contact": [], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "initialIp": "101.161.18.12", "createdAt": "2018-02-15T15:51:08.053191059Z", "status": "valid" }] (969 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth:
< snip >
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/59nXX7IzvBAtcDM3qhypx9hYOc6Ohj0ZKdfiOg-jshQ/3471455313: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://domain.tld/.well-known/acme-challenge/N7-U9RBiMaq93mLpb5B8RUiYV-6C8ChyZ8UE79Gxllg: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/59nXX7IzvBAtcDM3qhypx9hYOc6Ohj0ZKdfiOg-jshQ/3471455313", "token": "N7-U9RBiMaq93mLpb5B8RUiYV-6C8ChyZ8UE79Gxllg", "keyAuthorization": "N7-U9RBiMaq93mLpb5B8RUiYV-6C8ChyZ8UE79Gxllg.PS2AzgPLXmuBMFt3sF5INiI_FAT47DSspN_5mFO0wkE", "validationRecord": [ { "url": "http://www.domain.tld/.well-known/acme-challenge/N7-U9RBiMaq93mLpb5B8RUiYV-6C8ChyZ8UE79Gxllg", "hostname": "domain.tld", "port": "80", "addressesResolved": [ "101.161.18.12" ], "addressUsed": "101.161.18.12" } ] }] (1055 bytes)
acme-client: bad exit: netproc(36359): 1
#

Last edited by toprank; 15th February 2018 at 04:09 PM.

It's getting a 404 file not found from your server when trying to look for the challenge.
Drop an index.html file or something in /acme and make sure you can reach it externally. Could be permissions, could be firewall rules. Make sure paths in httpd.conf and acme-client.conf match. Also alias your server to www.domain.tld.

index.html located at /var/www/htdocs/acme/index.html is reachable at www.domain.tld/acme/

I finally found a sane configuration that processed it!!!
Thank you, Tron. I must've spent several hours trying to make this work. I will edit this post to provide the working config in the hope it helps someone else and saves them from spending so much time testing.

Ok, great!
I'd be interested to know what the actual problem was. I just did this on a server a couple of days ago but don't have access to the configs from where I am. I was going to compare later today and try to update. You beat me to it.

Okay, here is the working configuration:

/etc/httpd.conf
Code:
ext_addr="*"

server "domain.tld" {
	alias www.domain.tld
	listen on $ext_addr port 80
	location "/.well-known/acme-challenge/*" {
		root "/htdocs/acme"
		root strip 2
	}
}

Code:
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
	api url "https://acme-staging.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.domain.tld {
	alternative names { domain.tld sub1.domain.tld sub2.domain.tld sub3.domain.tld }
	domain key "/etc/ssl/private/domain.tld.key"
	domain certificate "/etc/ssl/domain.tld.crt"
	domain full chain certificate "/etc/ssl/domain.tld.fullchain.pem"
	sign with letsencrypt
	challengedir "/var/www/htdocs/acme"
}

Code:
total 12
drwxr-xr-x  2 www  www  512 Feb 23 22:42 acme

NB. It DOES NOT work with httpd serving root "/var/www/acme" or root "/acme" for location "/.well-known/acme-challenge/*" for some reason. You MUST mkdir /var/www/htdocs/acme and chown -R www:www /var/www/htdocs/acme. This was tested on two different servers and both returned error 1 when using the default /acme location of /var/www/acme. I don't know why, but that's how it is.
Last edited by toprank; 23rd February 2018 at 12:00 PM.
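The three httpd location root / acme-client challengedir pairs posted in this thread put the challenge file in different places, and comparing where httpd looks with where acme-client writes makes the match or mismatch visible before any request hits Let's Encrypt. The check below is an added example, not code from the thread or from OpenBSD; it assumes httpd's default chroot of /var/www, that a location's `root` resolves inside that chroot and `root strip 2` drops the two leading request-path components (httpd.conf(5)), that acme-client writes `<challengedir>/<token>`, and that acme-client.conf was unchanged between the first two attempts.

```python
import posixpath

# httpd(8) on OpenBSD chroots to /var/www by default (assumed here).
CHROOT = "/var/www"

# (httpd location root, acme-client challengedir) pairs posted in the thread.
# The first two attempts are assumed to share the original challengedir.
THREAD_CONFIGS = {
    "attempt 1": ("/var/www/acme", "/var/www/acme/.well-known/acme-challenge"),
    "attempt 2": ("/acme", "/var/www/acme/.well-known/acme-challenge"),
    "working": ("/htdocs/acme", "/var/www/htdocs/acme"),
}


def httpd_served_path(root, strip, request_path, chroot=CHROOT):
    """Real filesystem path httpd opens for request_path.

    The location's "root" is resolved inside the chroot, and
    "root strip N" drops N leading components of the request path
    before the lookup under that root.
    """
    components = [c for c in request_path.split("/") if c]
    remaining = components[strip:]
    return posixpath.join(chroot, root.lstrip("/"), *remaining)


def acme_client_written_path(challengedir, token):
    """acme-client creates the challenge file as <challengedir>/<token>."""
    return posixpath.join(challengedir, token)


def challenge_paths_match(root, strip, challengedir, token="TOKEN"):
    """True when the file acme-client writes is the one httpd would serve."""
    request = "/.well-known/acme-challenge/" + token
    served = httpd_served_path(root, strip, request)
    written = acme_client_written_path(challengedir, token)
    return served == written


def check_thread_configs():
    """Evaluate each configuration posted in the thread (all use root strip 2)."""
    return {name: challenge_paths_match(root, 2, cdir)
            for name, (root, cdir) in THREAD_CONFIGS.items()}


if __name__ == "__main__":
    for name, (root, cdir) in THREAD_CONFIGS.items():
        served = httpd_served_path(root, 2, "/.well-known/acme-challenge/TOKEN")
        written = acme_client_written_path(cdir, "TOKEN")
        print(f"{name}: httpd serves {served}, acme-client writes {written}")
```

With `root strip 2` the request path loses `/.well-known/acme-challenge` before the document-root lookup, so a challengedir that repeats those two components can never line up with the path httpd serves.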