Re: acme-client fails to renew certificate

misc Wed, 12 Apr 2023 07:01:10 -0700


I do not know about acme-client, but certbot works pretty well:

mwavetorture# rcctl stop httpd ; certbot certonly --agree-tos--standalone -d web.XXX.com.br



On 2023-04-12 10:36, rea...@catastrophe.net wrote:

I started having some problems with cert renewal using acme-clientafterupgrading to 7.3 (not really sure 7.3 has anything to do with thefollowing,however). I've verified that nothing has changed and that httpd islistening
correctly, etc.

When I run acme-client and watch for any changes to
/var/www/htdocs/example.org/.well-known/acme-client I never see anyfilesbeing written to that directory (which is likely leading to the 404).Is
the client supposed to write a temporary file for remote validation?
Does anyone see any issues with the configurations that follow theoutput
which may have any errors?

Thanks in advance.


# acme-client -v www.example.com
acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificaterenewable: 29 days leftacme-client: https://acme-v02.api.letsencrypt.org/directory:directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS:2606:4700:60:0:f53d:5624:85c7:3a2cacme-client: dochngreq:https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127acme-client: challenge, token:2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri:https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg,status: 0acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:createdacme-client: dochngreq:https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137acme-client: challenge, token:8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri:https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw,status: 0acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:createdacme-client:https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg:challengeacme-client:https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw:challenge
acme-client: order.status 0
acme-client: dochngreq:https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127acme-client: challenge, token:2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri:https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg,status: -1acme-client: dochngreq:https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137acme-client: challenge, token:8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri:https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw,status: -1
acme-client: order.status -1
acme-client: dochngreq:https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127acme-client: 2600:fee:bee::e:8:0: Invalid response fromhttps://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:404acme-client: dochngreq:https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137acme-client: 2600:fee:bee::e:8:0: Invalid response fromhttps://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:404
acme-client: bad exit: netproc(16493): 1


### The www directory exists for the acme-challenge exists:

# ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
drwxr-xr-x 2 username staff 512 Apr 12 08:08/var/www/htdocs/example.com/.well-known/acme-challenge/
### Relevant portions of my httpd.conf

www_v4="x.y.10.10"
www_v6_a="2600:fee:bee::e:8:0"

server "www.example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
    protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
    log { access "access.log", error "error.log" }
  root "/htdocs/example.com"
  directory auto index
}

server "example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
    protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
    log { access "access.log", error "error.log" }
  root "/htdocs/example.com"
  directory auto index
}

server "www.example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI";
}

server "example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI";
}


### ACME client config

# acme-client.conf
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
api url"https://acme-staging-v02.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.example.com {
 alternative names { example.com }
 domain key "/etc/ssl/private/www.example.com.key.pem"
domain full chain certificate"/etc/ssl/certs/www.example.com.chain.pem"
        sign with letsencrypt
}

Re: acme-client fails to renew certificate

Reply via email to