Hi,

possibly there is a problem with your account key.

Can you move it to the side

  mv /etc/acme/letsencrypt-privkey.pem /etc/acme/letsencrypt-privkey.pem.OLD

and then create a new one with

  acme-client -AD -vv lists.dl6tom.de

/Benno

[email protected]([email protected]) on 2019.01.28 21:40:42 +0100:
> >Synopsis:    acme-client: renewal fails
> >Category:    system
> >Environment:
>       System      : OpenBSD 6.4
>       Details     : OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
>                        [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
>       Architecture: OpenBSD.amd64
>       Machine     : amd64
> >Description:
> Renewal fails:
> # acme-client -vv lists.dl6tom.de
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
> acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
> acme-client: transfer buffer: [{ "0wdNjYxn8kA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:19:20Z", "challenges": [ { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882442", "token": "v8oZc_-YhBHNLCaALLEBZ03hEl--KM63pMdqixg_9Io" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs" }, { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882444", "token": "yfhU9kYZg5wHaRlxLmg6m_DWgzzEdwUnztXAKBmhE6w" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882445", "token": "iDBP2CeNpp0r5NCWTbpKUoiBOSZz8cJN8HphHRVXULk" } ], "combinations": [ [ 2 ], [ 0 ], [ 1 ], [ 3 ] ] }] (1271 bytes)
> acme-client: /var/www/acme/yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs", "keyAuthorization": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs" }] (337 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
> acme-client: bad exit: netproc(61794): 1
>
> /var/www/logs/access.log says:
> default 66.133.109.36 - - [22/Jan/2019:19:19:31 +0100] "GET /.well-known/acme-challenge/yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs HTTP/1.1" 404 0
>
> I fetched the acme-client source and modified it to not delete the token (sry, did not find the post pointing to the "status: pending" problem), now I get:
> # acme-client -vv lists.dl6tom.de
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
> acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
> acme-client: transfer buffer: [{ "K7_kgkaQbu0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:21:10Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932856", "token": "pedbWPKfQ3SS_6EB1nZUz8vMOjLXyVsq_W7aALRaVbE" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858", "token": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932860", "token": "Fc-aeqzccqH82AKNN2vJ3KY6u_jBV0yzXEpVd3yFuCo" }, { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932862", "token": "NuPrsMpxl05_qBBWjog2_ogK1w-VptNsECjwSatGfAE" } ], "combinations": [ [ 2 ], [ 1 ], [ 0 ], [ 3 ] ] }] (1271 bytes)
> acme-client: /var/www/acme/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858: challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858", "token": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s", "keyAuthorization": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs" }] (337 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858: status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
> acme-client: bad exit: netproc(64946): 1
>
> /var/www/logs/access.log says:
> default 66.133.109.36 - - [22/Jan/2019:19:21:22 +0100] "GET /.well-known/acme-challenge/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s HTTP/1.1" 200 87
>
> Token seems ok:
> # cat /var/www/acme/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s
> FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs
>
> >How-To-Repeat:
> Renew a cert with acme-client.
> >Fix:
>
>
> dmesg:
>
> usbdevs:
> Controller /dev/usb0:
> addr 01: 8086:0000 Intel, UHCI root hub
>        full speed, self powered, config 1, rev 1.00
>        driver: uhub0
> addr 02: 0627:0001 QEMU, QEMU USB Tablet
>        full speed, power 100 mA, config 1, rev 0.00, iSerialNumber 42
>        driver: uhidev0
>
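
The two runs quoted above differ in what the validator was served (404, then 200), yet both end in the same 403 with the challenge last reported as "pending". As an added example (not part of the original thread and not acme-client code), this Python script pulls those three facts out of `acme-client -vv` output and the httpd access log; the sample lines are constructed and shortened, and `triage` is a hypothetical helper name.

```python
import json
import re

# Constructed sample: shortened lines in the format of the `acme-client -vv`
# output and httpd access log quoted above (tokens, hosts and URLs are placeholders).
SAMPLE_LOG = """\
acme-client: https://ca.example/acme/new-authz: req-auth: www.example.org
acme-client: transfer buffer: [{ "status": "pending", "challenges": [ { "type": "http-01", "status": "pending", "token": "TOKEN-A" } ] }] (120 bytes)
acme-client: /var/www/acme/TOKEN-A: created
acme-client: https://ca.example/acme/challenge/1: challenge
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "token": "TOKEN-A", "keyAuthorization": "TOKEN-A.THUMBPRINT" }] (90 bytes)
acme-client: https://ca.example/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "authorizations for these names not found or expired: www.example.org", "status": 403 }] (110 bytes)
"""
SAMPLE_ACCESS = 'default 192.0.2.10 - - [22/Jan/2019:19:19:31 +0100] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 404 0\n'

BUF = re.compile(r"transfer buffer: \[(\{.*\})\] \(\d+ bytes\)")
HIT = re.compile(r'"GET /\.well-known/acme-challenge/(\S+) HTTP/[\d.]+" (\d{3}) ')

def triage(client_log, access_log):
    """Summarise one renewal attempt: challenge state, validation fetch, CA error."""
    report = {"token": None, "challenge_status": None, "fetch_status": None, "error": None}
    for line in client_log.splitlines():
        m = BUF.search(line)
        if not m:
            continue
        obj = json.loads(m.group(1))
        if "keyAuthorization" in obj:            # reply to the challenge POST
            report["token"] = obj["token"]
            report["challenge_status"] = obj["status"]
        elif str(obj.get("type", "")).startswith("urn:acme:error:"):
            report["error"] = obj["type"].rsplit(":", 1)[1]
    for m in HIT.finditer(access_log):           # what the validator was served
        if m.group(1) == report["token"]:
            report["fetch_status"] = int(m.group(2))
    findings = []
    if report["fetch_status"] is None:
        findings.append("validator never requested the token")
    elif report["fetch_status"] != 200:
        findings.append("token was not served (HTTP %d)" % report["fetch_status"])
    if report["error"] and report["challenge_status"] != "valid":
        findings.append("new-cert failed while challenge was last reported %s" % report["challenge_status"])
    report["findings"] = findings
    return report
```

With a 200 in the access log, as in the second quoted run, only the pending-challenge finding remains.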
