The location { … } block in the port 80 server is non-functional because all requests are redirected to HTTPS. Add a `pass` to make it functional. Note: If you do then you don’t need the corresponding location { … } block in the port 443 server any more.
Also, instead of:

> block return 301 "https://www-server.example.com$REQUEST_URI"

you could write:

block return 301 "https://$HTTP_HOST$REQUEST_URI"

server "www-server.example.com" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
		pass
	}
	block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

But those are just optimisations that don’t address your issue.

To start debugging the issue, put a small test file into your /var/www/acme directory and test access using e.g. curl:

# echo 'test' >/var/www/acme/test

Preferably from a different host:

$ curl --url 'http://www-server.example.com/.well-known/acme-challenge/test'

HTH
Mike

PS. see more comments below…

> On 15.04.2024 at 15:02, rea...@catastrophe.net wrote:
>
> I started seeing an error where acme-client is not able to renew
> Lets Encrypt certificates. I've tried on several different servers
> but they all display the same error: "Error getting validation data"
>
> Is anyone else seeing the same behavior?
>
> Here are my configurations; these have been working for a couple years
> now. Thanks in advance for any assistance.
>
> $ uname -a
> OpenBSD www-server 7.5 GENERIC#79 amd64
>
> acme-client configuration
> -------------------------
>
> authority letsencrypt {
>         api url "https://acme-v02.api.letsencrypt.org/directory"
>         account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
>         api url "https://acme-staging-v02.api.letsencrypt.org/directory"
>         account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain www-server.example.com {
>         domain key "/etc/ssl/private/www-server.example.com.key.pem"
>         domain full chain certificate
>                 "/etc/ssl/certs/www-server.example.com.chain.pem"
>         sign with letsencrypt
> }
>
>
> httpd configuration
> -------------------
>
> server "www-server.example.com" {
>         listen on * tls port 443
>         tls {
>                 certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
>                 key "/etc/ssl/private/www-server.example.com.key.pem"
>                 protocols "TLSv1.3,TLSv1.2"
>         }
>         hsts {
>                 max-age 31536000
>                 preload
>                 subdomains
>         }
>         log style combined
>         log { access "access.log", error "error.log" }
>         directory auto index
>         root "/htdocs/www"
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 request strip 2
>         }
> }
>
> server "www-server.example.com" {
>         listen on * port 80
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 request strip 2
>         }
>         block return 301 "https://www-server.example.com$REQUEST_URI"
> }
>
>
> directory permissions for acme-client verification
> --------------------------------------------------
>
> # find /var/www/htdocs/www/.well-known/ -ls
> 51875    4 drwxr-xr-x  3 w3admin  staff    512 Mar 16  2022
> /var/www/htdocs/www/.well-known/
> 51876    4 drwxr-xr-x  2 w3admin  staff    512 Mar 16  2022
> /var/www/htdocs/www/.well-known/acme-challenge

These directories are irrelevant. You want to look at:

/var/www/acme

as your location { … } block reroutes /.well-known/acme-challenge to /acme (in the /var/www chroot(2) environment). /var/www/acme is there by default and it should have 755 root:daemon permissions.
>
> output of running the client manually
> -------------------------------------
>
> # acme-client -v www-server.example.com
> acme-client: /etc/ssl/certs/www-server.example.com.chain.pem: certificate
> renewable: 29 days left
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: acme-v02.api.letsencrypt.org: DNS:
> 2606:4700:60:0:f53d:5624:85c7:3a2c
> acme-client: dochngreq:
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE,
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg,
> status: 0
> acme-client: /var/www/acme/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE:
> created
> acme-client:
> https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg:
> challenge
> acme-client: order.status 0
> acme-client: dochngreq:
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE,
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg,
> status: -1
> acme-client: order.status -1
> acme-client: dochngreq:
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: 203.0.113.51: Fetching
> https://www-server.example.com/.well-known/acme-challenge/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE:
> Error getting validation data
> acme-client: bad exit: netproc(20490): 1
>