>Synopsis:      acme-client: renewal fails
>Category:      system
>Environment:
        System      : OpenBSD 6.4
        Details     : OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
                         [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
Renewal fails:
# acme-client -vv lists.dl6tom.de
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
acme-client: transfer buffer: [{ "0wdNjYxn8kA": 
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
 "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta":
{ "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website":
"https://letsencrypt.org" }, "new-authz":
"https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
"https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
"https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
"https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
"lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:19:20Z", 
"challenges": [ { "type": "tls-alpn-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882442",
 "token": "v8oZc_-YhBHNLCaALLEBZ03hEl--KM63pMdqixg_9Io" }, { "type": "http-01", 
"status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443",
 "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs" }, { "type": 
"tls-sni-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882444",
 "token": "yfhU9kYZg5wHaRlxLmg6m_DWgzzEdwUnztXAKBmhE6w" }, { "type": "dns-01", 
"status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882445",
 "token": "iDBP2CeNpp0r5NCWTbpKUoiBOSZz8cJN8HphHRVXULk" } ], "combinations": [ 
[ 2 ], [ 0 ], [ 1 ], [ 3 ] ] }] (1271 bytes)
acme-client: /var/www/acme/yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443",
 "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs", "keyAuthorization": 
"yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs"
 }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
"detail": "Error creating new cert :: authorizations for these names not found 
or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
acme-client: bad exit: netproc(61794): 1

/var/www/logs/access.log says:
default 66.133.109.36 - - [22/Jan/2019:19:19:31 +0100] "GET /.well-known/acme-challenge/yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs HTTP/1.1" 404 0

I fetched the acme-client source and modified it to not delete the token (sorry, I
did not find the post pointing to the "status: pending" problem); now I get:
# acme-client -vv lists.dl6tom.de
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
acme-client: transfer buffer: [{ "K7_kgkaQbu0": 
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
 "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta":
{ "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website":
"https://letsencrypt.org" }, "new-authz":
"https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
"https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
"https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
"https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
"lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:21:10Z", 
"challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932856",
 "token": "pedbWPKfQ3SS_6EB1nZUz8vMOjLXyVsq_W7aALRaVbE" }, { "type": "http-01", 
"status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858",
 "token": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s" }, { "type": "dns-01", 
"status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932860",
 "token": "Fc-aeqzccqH82AKNN2vJ3KY6u_jBV0yzXEpVd3yFuCo" }, { "type": 
"tls-alpn-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932862",
 "token": "NuPrsMpxl05_qBBWjog2_ogK1w-VptNsECjwSatGfAE" } ], "combinations": [ 
[ 2 ], [ 1 ], [ 0 ], [ 3 ] ] }] (1271 bytes)
acme-client: /var/www/acme/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": 
"https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858",
 "token": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s", "keyAuthorization": 
"FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs"
 }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
"detail": "Error creating new cert :: authorizations for these names not found 
or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
acme-client: bad exit: netproc(64946): 1

/var/www/logs/access.log says:
default 66.133.109.36 - - [22/Jan/2019:19:21:22 +0100] "GET /.well-known/acme-challenge/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s HTTP/1.1" 200 87

Token seems ok:
# cat /var/www/acme/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s
FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs
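
An added check, not part of this report or of acme-client: a CA validating http-01 fetches /.well-known/acme-challenge/<token> and expects the body to be exactly <token>.<base64url(SHA-256(JWK thumbprint of the account key))> (RFC 8555 section 8.1, RFC 7638), which is why the 200 response above is 87 bytes (43 + 1 + 43) while the earlier 404 with an empty body cannot pass. The reporter's account key is not available, so DEMO_N/DEMO_E are constructed placeholders and the report's own body is checked for shape only.

```python
import base64
import hashlib
import json
import re

# base64url without padding, as used for JWK members and ACME tokens (RFC 7515, RFC 8555)
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def uint_to_b64url(value: int) -> str:
    # Base64urlUInt (RFC 7518): minimal big-endian octet string, no leading zero bytes
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def rsa_jwk_thumbprint(n: int, e: int) -> str:
    # RFC 7638: required RSA members only (e, kty, n), sorted, no whitespace, SHA-256,
    # base64url. This is the part after the '.' in a key authorization (RFC 8555 s. 8.1).
    jwk = {"e": uint_to_b64url(e), "kty": "RSA", "n": uint_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def split_key_authorization(body: str):
    # (token, thumbprint) from a served challenge body, or None when it is not
    # "<token>.<43-char thumbprint>"; the empty body of a 404 fails here.
    parts = body.strip().split(".")
    if len(parts) != 2 or not all(B64URL_RE.match(p) for p in parts):
        return None
    token, thumb = parts
    if len(token) < 22 or len(thumb) != 43:  # token >= 128 bits, thumb = SHA-256
        return None
    return token, thumb

def check_challenge_response(body: str, expected_token: str, n: int, e: int) -> bool:
    # Defender-side replay of what the CA compares after GET /.well-known/acme-challenge/<token>
    parsed = split_key_authorization(body)
    if parsed is None:
        return False
    token, thumb = parsed
    return token == expected_token and thumb == rsa_jwk_thumbprint(n, e)

# Values copied from the report's second run: the 87-byte body httpd served (43 + 1 + 43).
PAGE_TOKEN = "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s"
PAGE_BODY = PAGE_TOKEN + ".YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs"

# Constructed demo key material: NOT a real key and not the reporter's account key,
# so PAGE_BODY cannot verify against it; a body built with rsa_jwk_thumbprint(DEMO_N, DEMO_E) does.
DEMO_N = 0xC3A7F2E1D0B9A8F7E6D5C4B3A2918F7E6D5C4B3A2918F7E6D5C4B3A2918F7E6D
DEMO_E = 65537
```

To check a live deployment, fetch the challenge URL from outside the host and pass the body, the token from the acme-client output and the account key's n/e to check_challenge_response.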

>How-To-Repeat:
Renew a cert with acme-client.
>Fix:


dmesg:
OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
    [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130558976 (2031MB)
avail mem = 2056777728 (1961MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf68c0 (9 entries)
bios0: vendor SeaBIOS version "1.10.2" date 04/01/2014
bios0: Hetzner vServer
acpi0 at bios0: rev 0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Sandy Bridge, IBRS), 2100.50 MHz, 06-2a-01
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,HV,NXE,RDTSCP,LONG,LAHF,IBRS,IBPB,ARAT,XSAVEOPT,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Xeon Processor (Sandy Bridge, IBRS), 2100.01 MHz, 06-2a-01
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,HV,NXE,RDTSCP,LONG,LAHF,IBRS,IBPB,ARAT,XSAVEOPT,MELTDOWN
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 52:54:a2:01:d8:d2
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio1: qsize 128
scsibus2 at vioscsi0: 255 targets
sd0 at scsibus2 targ 0 lun 0: <QEMU, QEMU HARDDISK, 2.5+> SCSI3 0/direct fixed
sd0: 48828MB, 512 bytes/sector, 99999744 sectors, thin
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (f0688e0dff2127a5.a) swap on sd0b dump on sd0b
fd0 at fdc0 drive 1: density unknown

usbdevs:
Controller /dev/usb0:
addr 01: 8086:0000 Intel, UHCI root hub
         full speed, self powered, config 1, rev 1.00
         driver: uhub0
addr 02: 0627:0001 QEMU, QEMU USB Tablet
         full speed, power 100 mA, config 1, rev 0.00, iSerialNumber 42
         driver: uhidev0
