I do not know about acme-client, but certbot works pretty well:
mwavetorture# rcctl stop httpd ; certbot certonly --agree-tos
--standalone -d web.XXX.com.br
On 2023-04-12 10:36, rea...@catastrophe.net wrote:
I started having some problems with cert renewal using acme-client after upgrading to 7.3 (not really sure 7.3 has anything to do with the following, however). I've verified that nothing has changed and that httpd is listening correctly, etc.
When I run acme-client and watch for any changes to /var/www/htdocs/example.org/.well-known/acme-client, I never see any files being written to that directory (which is likely what leads to the 404). Is the client supposed to write a temporary file there for remote validation?
Does anyone see any errors in the configurations that follow the output below?
Thanks in advance.
# acme-client -v www.example.com
acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate
renewable: 29 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory:
directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS:
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-client: dochngreq:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token:
2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg,
status: 0
acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:
created
acme-client: dochngreq:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token:
8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw,
status: 0
acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:
created
acme-client:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg:
challenge
acme-client:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw:
challenge
acme-client: order.status 0
acme-client: dochngreq:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token:
2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg,
status: -1
acme-client: dochngreq:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token:
8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri:
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw,
status: -1
acme-client: order.status -1
acme-client: dochngreq:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: 2600:fee:bee::e:8:0: Invalid response from
https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:
404
acme-client: dochngreq:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: 2600:fee:bee::e:8:0: Invalid response from
https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:
404
acme-client: bad exit: netproc(16493): 1
### The www directory for the acme-challenge exists:
# ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
drwxr-xr-x 2 username staff 512 Apr 12 08:08
/var/www/htdocs/example.com/.well-known/acme-challenge/
### Relevant portions of my httpd.conf
# Listen-address macros shared by all four server blocks below.
# The acme-client output above reports the failed validation against
# 2600:fee:bee::e:8:0, which is this $www_v6_a address, so the IPv6
# listeners appear to be the ones the validator actually reached.
www_v4="x.y.10.10"
www_v6_a="2600:fee:bee::e:8:0"
# HTTPS virtual host for www.example.com.
server "www.example.com" {
listen on $www_v4 tls port 443
listen on $www_v6_a tls port 443
tls {
# Same certificate/key pair that the acme-client.conf domain block below
# writes, so a successful renewal is picked up on the next httpd reload.
certificate "/etc/ssl/certs/www.example.com.chain.pem"
key "/etc/ssl/private/www.example.com.key.pem"
protocols "TLSv1.2,TLSv1.3"
}
# NOTE(review): preload + subdomains with a one-year max-age is a long-lived
# commitment for the whole domain tree; while renewal is broken, an expired
# certificate means an outage rather than a fallback to HTTP.
hsts {
max-age 31536000
preload
subdomains
}
log style combined
log { access "access.log", error "error.log" }
root "/htdocs/example.com"
# "directory auto index" generates listings for any directory under the root
# that has no index file - confirm nothing there is meant to stay unlisted.
directory auto index
# NOTE(review): there is no "/.well-known/acme-challenge/*" location in this
# TLS server. A validation request that arrives over HTTPS (for instance
# after following the 301 from the port-80 server) is resolved under
# /htdocs/example.com and answered with 404 - which is exactly what the
# "Invalid response from https://www.example.com/.well-known/acme-challenge/
# <token>: 404" lines in the acme-client output show. Adding the same
# location block used on port 80 (root "/acme", request strip 2) here makes
# the challenge reachable whichever scheme the validator ends up on.
}
# HTTPS virtual host for the apex name; mirrors the www.example.com TLS
# server, and is covered by the same certificate (example.com is listed as an
# alternative name in acme-client.conf).
server "example.com" {
listen on $www_v4 tls port 443
listen on $www_v6_a tls port 443
tls {
certificate "/etc/ssl/certs/www.example.com.chain.pem"
key "/etc/ssl/private/www.example.com.key.pem"
protocols "TLSv1.2,TLSv1.3"
}
# NOTE(review): preload + subdomains, one-year max-age - see the note on the
# www.example.com TLS server; the same outage-on-expiry consideration applies.
hsts {
max-age 31536000
preload
subdomains
}
log style combined
log { access "access.log", error "error.log" }
root "/htdocs/example.com"
# Directory listings are enabled for any directory without an index file.
directory auto index
# NOTE(review): no "/.well-known/acme-challenge/*" location on this TLS
# server either, so an HTTPS validation request for the apex token 404s under
# /htdocs/example.com, matching the second "Invalid response ... 404" line
# in the acme-client output. The port-80 location block (root "/acme",
# request strip 2) can be repeated here.
}
# Plain-HTTP virtual host: serves ACME HTTP-01 challenges and redirects
# everything else to HTTPS.
server "www.example.com" {
listen on $www_v4 port 80
listen on $www_v6_a port 80
# /.well-known/acme-challenge/<token> -> <chroot>/acme/<token>: the first two
# path components are stripped and the root is taken relative to httpd's
# chroot (/var/www by default). That is the directory the verbose acme-client
# output shows the tokens being "created" in, so watching
# /var/www/htdocs/.../.well-known/acme-challenge will never show them.
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
# NOTE(review): the validator's 404 came back from the https:// URL, which
# means the challenge request was redirected instead of being served by the
# location above. A server-level block is inherited by locations that do not
# override it, so this redirect most likely applies to the challenge path
# too. Either add `pass` inside the acme-challenge location, or move the
# redirect into `location * { block return 301 "..." }` as the stock
# /etc/examples/httpd.conf does, so only non-challenge requests are
# redirected.
block return 301 "https://www.example.com$REQUEST_URI"
}
# Plain-HTTP virtual host for the apex name; same challenge/redirect layout
# as the www.example.com port-80 server.
server "example.com" {
listen on $www_v4 port 80
listen on $www_v6_a port 80
# Challenge tokens are served from <chroot>/acme (/var/www/acme, the path the
# acme-client output reports), not from the htdocs tree.
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
# NOTE(review): same issue as the www.example.com port-80 server - the 404 for
# the apex token was returned from the https:// URL, so this server-level
# redirect appears to be applied to the challenge path as well. Put `pass` in
# the acme-challenge location, or scope the redirect with
# `location * { block return 301 "..." }`.
block return 301 "https://www.example.com$REQUEST_URI"
}
### ACME client config
# acme-client.conf
# Production Let's Encrypt ACME v2 endpoint. This is the authority the
# www.example.com domain block signs with, so each failed validation run
# above is made against the production service (and its rate limits).
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
# Staging endpoint with its own account key. No domain block on this page
# references it; temporarily changing the domain's "sign with" to
# letsencrypt-staging reproduces the validation failure without touching the
# production rate limits, which is useful while debugging the 404.
authority letsencrypt-staging {
api url
"https://acme-staging-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
# Certificate for www.example.com plus the apex name. Both names must pass
# HTTP-01 validation; the output above shows both tokens failing the same way.
domain www.example.com {
alternative names { example.com }
# These paths match the tls { certificate / key } entries in httpd.conf.
domain key "/etc/ssl/private/www.example.com.key.pem"
domain full chain certificate
"/etc/ssl/certs/www.example.com.chain.pem"
# No explicit "challengedir", so tokens go to the default /var/www/acme - the
# path the verbose output reports as "created" - and httpd's
# root "/acme" location is what serves them, not the htdocs .well-known tree.
sign with letsencrypt
}