On Wed, 30 Jan 2019 10:08:30 +0100
Sebastian Benoit <[email protected]> wrote:
> http://feuf.eu/.well-known/acme-challenge/
> reports a 404 not found. I would expect a 403 Permission Denied there
> if you have DirectoryIndex turned off.
>
> Also feuf.eu claims it is "Apache/2.4.10 (Debian) Server at feuf.eu
> Port 80". What does your setup look like? What does the log of that
> Apache Server show?
>
> Is acme-client really writing the challenge into the correct dir?
> Is an NFS share involved?
>
> /Benno

Ah, sorry, my failure. feuf.eu no longer points to my server.
However, I removed account and domain key of a domain I actually control to reproduce:
# /usr/sbin/acme-client -AD -vv git.dl6tom.de
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: /etc/ssl/private/git.dl6tom.de.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
acme-client: transfer buffer: [{ "YIdc87IVfIg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "id": 50553897, "key": { "kty": "RSA", "n": "zciLVEpq5dhhvGX6r1IocvGioS5i0Kaga-QMGwwR0MzcxScNgNJW8Qz4eTjiB50gkfYi7Nne3Wmfudmk-xKersV1RnWRPd5vaQtoZOdCAIPwHIgySgwrK2li5UDEuPvfBlGKr0kM_f8LP_TiKYZt2-kgLWeTqwj_eyrVnwzamiHYoffpvBcyrdp4bnXsS9RTJLzYpPu8uYykKwwFon1OylC0H_tVE0ipOmW77nw6I3d1VJo9vKOWHtcCFG1ANk_SHtCB16bsuHaAdGllsu3XV4Usjga80k36J-UaUz_J4x_OyqZtaFZD3S2_oLrmqs_251hE6GN-UZGF-JIn-QGrkdr5JsB6fRlyO6r0Emy0seqrUpgfrXtvbC1Vh5NJ_5CXfBPv-Gqr24trUXkGM72oNdugWvKd2KKI0qVdA3WQsBd56Sig6pjR53ERLcr6c8sMeB2ihNX-m2j1AVmgtqzzAyzlamkLx8VUX4DxLr16ePsTHXeOCx1x7BCyEa9dqGs3CV1MemBOHU6K8do58dbHRwMhZ9g1cqMw9H-ahbqIQeJddtZMwZKhzRXhTT026gmnweaGlY4KAAciV_UNhXvXA5KWOl4npQmRjFRZ7d5O28CD1fIE5PSh4I9rDamvxx7TeJlprxhWrPgZpBaQLHHebR9oIUuJSTjIDmO0QUlTszU", "e": "AQAB" }, "contact": [], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "initialIp": "88.99.190.88", "createdAt": "2019-01-30T19:07:03.979206299Z", "status": "valid" }] (968 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: git.dl6tom.de
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "git.dl6tom.de" }, "status": "pending", "expires": "2019-02-06T19:07:04Z", "challenges": [ { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/RPrDl_yEEcwfO9h81Ds73VO_KY3T0YGpaOE-o3P88Lg/12061394976", "token": "GIEFsxcTDwuCyH-11E_uDvcGCo-nMY5NFa240Ts61VM" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/RPrDl_yEEcwfO9h81Ds73VO_KY3T0YGpaOE-o3P88Lg/12061394978", "token": "ssbrru-U9JHaV3JjUN4bgf53nZcCV7pHC7UVmBsIVBo" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/RPrDl_yEEcwfO9h81Ds73VO_KY3T0YGpaOE-o3P88Lg/12061394979", "token": "y8AwuKyt58Drb3QkwTk7lbTPCNPAaMkTIF1gfeFAU90" } ], "combinations": [ [ 0 ], [ 1 ], [ 2 ] ] }] (995 bytes)
acme-client: /var/www/acme/ssbrru-U9JHaV3JjUN4bgf53nZcCV7pHC7UVmBsIVBo: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/RPrDl_yEEcwfO9h81Ds73VO_KY3T0YGpaOE-o3P88Lg/12061394978: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/RPrDl_yEEcwfO9h81Ds73VO_KY3T0YGpaOE-o3P88Lg/12061394978", "token": "ssbrru-U9JHaV3JjUN4bgf53nZcCV7pHC7UVmBsIVBo", "keyAuthorization": "ssbrru-U9JHaV3JjUN4bgf53nZcCV7pHC7UVmBsIVBo.o3Ws_wJ8W2-_phVmKFKOd8gvouWSmIj7luYaMGzJYKg" }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/RPrDl_yEEcwfO9h81Ds73VO_KY3T0YGpaOE-o3P88Lg/12061394978: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: git.dl6tom.de", "status": 403 }] (169 bytes)
acme-client: bad exit: netproc(60953): 1

The line ending in ": status" is from dochngcheck in netproc.c. Since the dump of the transfer buffer before shows "status": "pending", it should wait and loop, but doesn't. With the patch below it works:
# /usr/sbin/acme-client -AD -vv git.dl6tom.de
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: /etc/ssl/private/git.dl6tom.de.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.86.56.76
acme-client: transfer buffer: [{ "DhoYhCNn9jA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "id": 50555563, "key": { "kty": "RSA", "n": "wBJ3zfJEHrJ4Di4PUzmfzmEW8J6oaK90oNXn0hXKnyQ7X1gx_rbq7aUpm2hxqyCOTzfZrP9wfsgINWlJwtm6HhInuO2XHGPkgQP-KVi4yL3CX989v8o3PbdmsXrQNLb9HR5Cx1Z55cE8kesGXVZA9of6IP9ZOv-FDBg4cYV40yKNl9xPWT4-tpe-WW2iqLYI9a_DUL_Np7_bCs6ZjU7oxLqeWOghnwxJVXVZ9VMe6LKyv3s3pAyTbTMIaNzn8dncxUK-qJrbVG6W2VENmF0JaaF8kxxJrJkaNbaSAWcV79Qd0igic-YMba3Fvu0T0XKtoO15v5KehZn1oPcwJSttgOD6nAAoORAd5j_lldD4WGg8GKr7EU3gXk6pM8t1YKCAs91GxXYSQ_07OSGV5MNY0OLIg31vt0Z8oYwrWV1T1TPcJHNlKyZvDQxCuKQAxBbkhX7Y-dRH96EPI9rXxNfcnGzgJM9DkJM9dLlsHyCntt6ZEBTUmy_5f1_tOa_A9wFcfo7vGOwfmox5KJZSsDzKKV8VaGN51UZcvCOvSqQn4o1NRALWkKGbvYEtiE6E5zrVbNoSc_YDRRj9kTXx1PLPHx3C5p9YCgTL2KSuS9dokdesixd415IxoNQg6Xb79wgDLoP3_hYT24I8U25kM0h1OQwki9xGyhzKL_zQcoVjrDc", "e": "AQAB" }, "contact": [], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "initialIp": "88.99.190.88", "createdAt": "2019-01-30T19:40:36.912066432Z", "status": "valid" }] (968 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: git.dl6tom.de
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "git.dl6tom.de" }, "status": "pending", "expires": "2019-02-06T19:40:37Z", "challenges": [ { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194525", "token": "4BI7woLNoup99HAhDVZkqzTTEZRcX2ndqh8MzcndFXk" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194526", "token": "t5vXWDb_oZDWYR-EpfFkdwrT0Iwf0qFoaeAbcsG0IRc" }, { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194527", "token": "OsLgX7m8cmXmVVEMWIOjMlkqA0mERjZ4NLo4GXIFKQQ" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (995 bytes)
acme-client: /var/www/acme/4BI7woLNoup99HAhDVZkqzTTEZRcX2ndqh8MzcndFXk: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194525: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194525", "token": "4BI7woLNoup99HAhDVZkqzTTEZRcX2ndqh8MzcndFXk", "keyAuthorization": "4BI7woLNoup99HAhDVZkqzTTEZRcX2ndqh8MzcndFXk.yKtkztq1yFjFghUeQoJNzj_rG9tuTtshWl3UWy8nbJQ" }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194525: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194525: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IIaO4MKgcyXYlnOSX_Dm3L7uMmNJZ1hPnbMjsnsn-tg/12062194525: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 104.86.32.126
acme-client: /etc/ssl/git.dl6tom.de.crt: created
acme-client: /etc/ssl/git.dl6tom.de.fullchain.pem: created

diff --git netproc.c netproc.c
index e5845401862..12a1a1bb81a 100644
=2D-- netproc.c
+++ netproc.c
@@ -759,19 +759,26 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd,=
 int rfd,
         * every five seconds.
         */

-       for (i =3D 0; i < altsz; i++) {
-               if (chngs[i].status =3D=3D 1)
-                       continue;
+       for (;;) {
+               for (i =3D 0; i < altsz; i++) {
+                       if (chngs[i].status =3D=3D 1)
+                               continue;

-               if (chngs[i].retry++ >=3D RETRY_MAX) {
-                       warnx("%s: too many tries", chngs[i].uri);
-                       goto out;
-               }
+                       if (chngs[i].retry++ >=3D RETRY_MAX) {
+                               warnx("%s: too many tries", chngs[i].uri);
+                               goto out;
+                       }

-               /* Sleep before every attempt. */
-               sleep(RETRY_DELAY);
-               if (!dochngcheck(&c, &chngs[i]))
-                       goto out;
+                       /* Sleep before every attempt. */
+                       sleep(RETRY_DELAY);
+                       if (!dochngcheck(&c, &chngs[i]))
+                               goto out;
+               }
+               for (i =3D 0; i < altsz; i++)
+                       if (chngs[i].status < 1)
+                               break;
+               if (i =3D=3D altsz)
+                       break;
        }

        /*
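Review bot: the exit test in the added second scan, `if (chngs[i].status < 1)`, does not use the same predicate as the skip in the polling loop above it, `if (chngs[i].status == 1)`. If a status value above 1 can occur, such an entry is polled again and yet counted as finished; one comparison, ideally against a named constant rather than the bare 1, in both places would remove the ambiguity. The new `for (;;)` can only end on the failure side through the per-entry `chngs[i].retry++ >= RETRY_MAX` check, which deserves a word in the comment above the loop. That comment's "every five seconds" also needs updating, since `sleep(RETRY_DELAY)` runs once per unfinished entry per pass and the interval between checks of one challenge grows with the number of names. The second scan has no braces around its multi-line body and could be replaced by a flag set in the first loop.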

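The behaviour described in the message above (a challenge that still reports "pending" has to be re-checked before the certificate is requested), as an added example that is not part of the original post and not acme-client's code. All names, the status values and the simulated server are assumptions made for the illustration.

```c
#include <stdio.h>
/* Hypothetical names and constructed values; not acme-client's own code. */
enum st { ST_INVALID = -1, ST_PENDING = 0, ST_VALID = 1 };
#define RETRY_MAX 10
struct chal {
	enum st status;  /* last status the server reported */
	int retry;       /* status requests sent so far */
	int ready_after; /* constructed: valid from this request on, <0 = rejected */
};

/* Simulated status request against a constructed server. */
static void poll_status(struct chal *c) {
	c->status = c->ready_after < 0 ? ST_INVALID :
	    c->retry >= c->ready_after ? ST_VALID : ST_PENDING;
}
/* One status request per challenge, then move on regardless of the answer. */
static int single_pass(struct chal *c, int n) {
	int i, ok = 1;
	for (i = 0; i < n; i++) {
		c[i].retry++;
		poll_status(&c[i]);
		ok &= (c[i].status == ST_VALID);
	}
	return ok; /* 0: a certificate request now would be refused */
}

/* Re-poll unsettled challenges pass after pass until all are valid. */
static int poll_until_settled(struct chal *c, int n) {
	int i, pending;
	do {
		pending = 0;
		for (i = 0; i < n; i++) {
			if (c[i].status == ST_VALID)
				continue;
			if (c[i].retry++ >= RETRY_MAX)
				return 0; /* too many tries */
			poll_status(&c[i]); /* a real client sleeps before this */
			if (c[i].status == ST_INVALID)
				return 0; /* server rejected the challenge */
			pending |= (c[i].status == ST_PENDING);
		}
	} while (pending);
	return 1;
}

int main(void) {
	struct chal a[] = {{ST_PENDING, 0, 3}}, b[] = {{ST_PENDING, 0, 3}};
	int r = poll_until_settled(b, 1);
	printf("single pass ok=%d, polling ok=%d after %d requests\n",
	    single_pass(a, 1), r, b[0].retry);
}
```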