It seems Let's Encrypt have changed the address of the full chain
certificate, so it's now a 301 redirect that acme-client can't follow:
$ doas acme-client -vv walcyrge.org
[...]
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 104.116.134.206
acme-client: http://cert.int-x3.letsencrypt.org/: bad HTTP: 301
acme-client: short read: chain length
$ nc cert.int-x3.letsencrypt.org 80
GET / HTTP/1.1
Host: cert.int-x3.letsencrypt.org
HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://cert.int-x3.letsencrypt.org/
Cache-Control: max-age=0
Expires: Sun, 11 Mar 2018 12:51:16 GMT
Date: Sun, 11 Mar 2018 12:51:16 GMT
Connection: keep-alive
My certs last renewed on January 10 with no problems, so this must have
changed since then.
This is on:
OpenBSD 6.2 (GENERIC) #6: Wed Feb 28 20:36:37 CET 2018
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
--
Carlin
