The location { … } block in the port 80 server is non-functional because all 
requests are redirected to HTTPS. Add a `pass` to make it functional. Note: If 
you do then you don’t need the corresponding location { … } block in the port 
443 server any more.

Also, instead of:
>  block return 301 "https://www-server.example.com$REQUEST_URI"
you could write:
  block return 301 "https://$HTTP_HOST$REQUEST_URI";

server "www-server.example.com" {
 listen on * port 80
 location "/.well-known/acme-challenge/*" {
   root "/acme"
   request strip 2
   pass
 }
 block return 301 "https://$HTTP_HOST$REQUEST_URI";
}

But those are just optimisations that don’t address your issue.

To start debugging the issue, put a small test file into your /var/www/acme 
directory and test access using e.g. curl:

# echo 'test'>/var/www/acme/test

Preferably from a different host:
$ curl --url 'http://www-server.example.com/.well-known/acme-challenge/test' 


HTH
Mike

PS. see more comments below…

> On 15.04.2024 at 15:02, rea...@catastrophe.net wrote:
> 
> I started seeing an error where acme-client is not able to renew 
> Let's Encrypt certificates. I've tried on several different servers
> but they all display the same error: "Error getting validation data"
> 
> Is anyone else seeing the same behavior?
> 
> Here are my configurations; these have been working for a couple years
> now. Thanks in advance for any assistance.
> 
> 
> $ uname -a
> OpenBSD www-server 7.5 GENERIC#79 amd64
> 
> acme-client configuration
> -------------------------
> 
> authority letsencrypt {
>        api url "https://acme-v02.api.letsencrypt.org/directory";
>        account key "/etc/acme/letsencrypt-privkey.pem"
> }
> 
> authority letsencrypt-staging {
>        api url "https://acme-staging-v02.api.letsencrypt.org/directory";
>        account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
> 
> domain www-server.example.com {
>        domain key "/etc/ssl/private/www-server.example.com.key.pem"
>        domain full chain certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
>        sign with letsencrypt
> }
> 
> 
> httpd configuration
> -------------------
> 
> server "www-server.example.com" {
>  listen on * tls port 443
>  tls {
>    certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
>    key "/etc/ssl/private/www-server.example.com.key.pem"
>    protocols "TLSv1.3,TLSv1.2"
>  }
>  hsts {
>    max-age 31536000
>    preload
>    subdomains
>  }
>  log style combined
>  log { access "access.log", error "error.log" } 
>  directory auto index
>  root "/htdocs/www"
>  location "/.well-known/acme-challenge/*" {
>    root "/acme"
>    request strip 2
>  }
> }
> 
> server "www-server.example.com" {
>  listen on * port 80
>  location "/.well-known/acme-challenge/*" {
>    root "/acme"
>    request strip 2
>  }
>  block return 301 "https://www-server.example.com$REQUEST_URI";
> }
> 
> 
> directory permissions for acme-client verification
> --------------------------------------------------
> 
> # find /var/www/htdocs/www/.well-known/ -ls
> 51875    4 drwxr-xr-x    3 w3admin     staff         512 Mar 16  2022 /var/www/htdocs/www/.well-known/
> 51876    4 drwxr-xr-x    2 w3admin     staff         512 Mar 16  2022 /var/www/htdocs/www/.well-known/acme-challenge

These directories are irrelevant. You want to look at /var/www/acme, as your 
location { … } block reroutes /.well-known/acme-challenge to /acme (in the 
/var/www chroot(2) environment).

/var/www/acme is there by default and it should have 755 root:daemon 
permissions.


> 
> 
> output of running the client manually
> -------------------------------------
> 
> # acme-client -v www-server.example.com
> acme-client: /etc/ssl/certs/www-server.example.com.chain.pem: certificate renewable: 29 days left
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: acme-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f53d:5624:85c7:3a2c
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg, status: 0
> acme-client: /var/www/acme/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE: created
> acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg: challenge
> acme-client: order.status 0
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg, status: -1
> acme-client: order.status -1
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
> acme-client: 203.0.113.51: Fetching https://www-server.example.com/.well-known/acme-challenge/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE: Error getting validation data
> acme-client: bad exit: netproc(20490): 1
> 
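As an added example (not part of Mike's reply or the original poster's configuration), the following POSIX sh probe performs the test Mike suggests: it drops a constructed token into /var/www/acme, fetches it over plain HTTP with curl the way the validator would, and maps the response to the httpd.conf problem it most likely indicates (for instance a 301 to HTTPS when the location block has no `pass`). The host argument, the `probe` and `classify_response` names and the message strings are this example's own; it assumes the thread's layout of a /var/www chroot with the challenge root at /var/www/acme.

```shell
#!/bin/sh
# Added example, not from the thread: probe the HTTP-01 challenge path that
# httpd serves for acme-client and explain what the response most likely means.

# classify_response STATUS REDIRECT_URL BODY EXPECTED
# Pure mapping from what curl saw to the likely httpd.conf problem, so it can be
# exercised without network access.
classify_response() {
  status=$1; redirect=$2; body=$3; expected=$4
  case "$status" in
    200)
      if [ "$body" = "$expected" ]; then
        echo "ok: challenge file served from /var/www/acme"
      else
        echo "wrong-root: 200 but body differs; root or 'request strip' points elsewhere"
      fi ;;
    301|302|307|308)
      case "$redirect" in
        https://*) echo "redirected: location block lacks 'pass', the 301 to HTTPS wins" ;;
        *)         echo "redirected: unexpected target $redirect" ;;
      esac ;;
    403) echo "forbidden: check permissions, /var/www/acme should be 755 root:daemon" ;;
    404) echo "not-found: token file missing or 'request strip 2' does not match the path" ;;
    000) echo "unreachable: no HTTP answer on port 80 (DNS, firewall, httpd not listening)" ;;
    *)   echo "unexpected: HTTP $status" ;;
  esac
}

# probe HOST: run as root on the server. Drops a constructed token into the
# challenge directory, fetches it over plain HTTP, cleans up and classifies.
probe() {
  host=$1
  token="probe-$(date +%s)"            # constructed marker, not a real ACME token
  acme_dir=/var/www/acme               # httpd chroot /var/www + location root /acme
  printf '%s\n' "$token" > "$acme_dir/$token" || return 1
  url="http://$host/.well-known/acme-challenge/$token"
  body_file=$(mktemp)
  # -w appends status code and redirect target; the body itself goes to a file
  out=$(curl -s -o "$body_file" -w '%{http_code} %{redirect_url}' "$url")
  body=$(cat "$body_file")
  rm -f "$body_file" "$acme_dir/$token"
  classify_response "${out%% *}" "${out#* }" "$body" "$token"
}

if [ "$#" -eq 1 ]; then
  probe "$1"
fi
```

Run it as `sh probe.sh www-server.example.com` on the web server itself, or adapt `acme_dir` if you invoke the fetch from another host and copy the token over.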

