Well, as long as you always use the sane challenge directory /var/www/acme/, 
I would first simplify this by only defining one server block for all port 80 
access:

server "www.example.com" {
   listen on $www_v4 port 80
   listen on $www_v6_a port 80

   alias "example.com"

   block return 301 "https://$HTTP_HOST$REQUEST_URI";

   location "/.well-known/acme-challenge/*" {
       pass
       # /var/www/acme
       root "/acme"
       request strip 2
   }
}

You can do the same for the port 443 servers unless you want there to be some 
difference between https://www.example.com and https://example.com. Less typing 
and fewer places to make mistakes.

As you are getting 404 errors you were probably missing the pass in the 
challenge location.

Did you actually test the challenge?
Place a small text file into the challenge dir:
# echo 'Test' > /var/www/acme/test

Then use something like curl to see what happens when you try to access this 
file:
curl --head --url 'http://www.example.com/.well-known/acme-challenge/test'
and 
curl --head --url 'http://example.com/.well-known/acme-challenge/test'


You may also need to specify the challenge dir in /etc/acme-client.conf but 
/var/www/acme seems to be the default so you are probably good:
domain www.example.com {
   alternative names { example.com }
   domain key "/etc/ssl/private/www.example.com.key.pem"
   domain full chain certificate "/etc/ssl/certs/www.example.com.chain.pem"
   sign with letsencrypt
   challengedir "/var/www/acme"
}


HTH
Mike
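The difference Mike points at (a location inherits the server's block return 301 unless it says pass, root is relative to the /var/www chroot, and request strip 2 drops the two leading path components) modelled as a small Python routing simulation. This is an added illustration, not httpd's code and not from either mail; it assumes httpd's default root of /htdocs, collapses the two identical tls servers into one entry, and follows one redirect the way the Let's Encrypt validator does.

```python
from dataclasses import dataclass, field

CHROOT = "/var/www"  # httpd's chroot; every "root" below is relative to it
TOKEN = "2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk"  # token from the log above
CHALLENGE = f"/.well-known/acme-challenge/{TOKEN}"
FILES = {f"{CHROOT}/acme/{TOKEN}"}  # the only file acme-client wrote (constructed)

@dataclass
class Location:
    pattern: str            # glob ending in "*", as in httpd's location
    root: str
    strip: int = 0          # "request strip N": drop N leading path components
    passes: bool = False    # "pass": cancel the block inherited from the server
@dataclass
class Server:
    names: tuple            # server name plus any alias
    port: int
    root: str = "/htdocs"   # httpd's default document root
    redirect: str = ""      # uri of "block return 301", empty when there is no block
    locations: list = field(default_factory=list)

def resolve(servers, host, port, path, files=FILES):
    # Route one request as httpd would, following a 301 like the ACME validator
    # does; returns (status, filesystem path httpd looked up).
    for _ in range(3):
        srv = next((s for s in servers if host in s.names and s.port == port), None)
        if srv is None:
            return 0, f"nothing listening for {host}:{port}"
        loc = next((lc for lc in srv.locations if path.startswith(lc.pattern.rstrip("*"))), None)
        if srv.redirect and not (loc and loc.passes):   # inherited block still in force
            target = srv.redirect.replace("$HTTP_HOST", host).replace("$REQUEST_URI", path)
            scheme, _, rest = target.partition("://")
            host, _, tail = rest.partition("/")
            port, path = (443 if scheme == "https" else 80), "/" + tail
            continue
        root, strip = (loc.root, loc.strip) if loc else (srv.root, 0)
        fs_path = f"{CHROOT}{root}/" + "/".join(path.lstrip("/").split("/")[strip:])
        return (200 if fs_path in files else 404), fs_path
    return 508, "redirect loop"

def posters_config():
    # port-80 location has no "pass", so the server's block return 301 still applies to it
    loc = Location("/.well-known/acme-challenge/*", "/acme", strip=2)
    return [Server(("www.example.com",), 80, redirect="https://www.example.com$REQUEST_URI", locations=[loc]),
            Server(("example.com",), 80, redirect="https://www.example.com$REQUEST_URI", locations=[loc]),
            Server(("www.example.com", "example.com"), 443, "/htdocs/example.com")]

def mikes_config():
    loc = Location("/.well-known/acme-challenge/*", "/acme", strip=2, passes=True)
    return [Server(("www.example.com", "example.com"), 80, redirect="https://$HTTP_HOST$REQUEST_URI", locations=[loc]),
            Server(("www.example.com", "example.com"), 443, "/htdocs/example.com")]
```

With the poster's config the challenge is redirected to the tls server, which looks for the token under /htdocs/example.com and answers 404, exactly what the log shows; with pass in place the token is read from /var/www/acme while ordinary requests are still redirected to https.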

> On 12.04.2023 at 15:36, rea...@catastrophe.net wrote:
> 
> I started having some problems with cert renewal using acme-client after
> upgrading to 7.3 (not really sure 7.3 has anything to do with the following,
> however). I've verified that nothing has changed and that httpd is listening
> correctly, etc.
> 
> When I run acme-client and watch for any changes to 
> /var/www/htdocs/example.org/.well-known/acme-client I never see any files
> being written to that directory (which is likely leading to the 404). Is
> the client supposed to write a temporary file for remote validation?
> 
> Does anyone see any issues with the configurations that follow the output
> which may have any errors?
> 
> Thanks in advance.
> 
> 
> # acme-client -v www.example.com
> acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate renewable: 
> 29 days left
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: acme-v02.api.letsencrypt.org: DNS: 
> 2606:4700:60:0:f53d:5624:85c7:3a2c
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, 
> status: 0
> acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: 
> created
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, 
> status: 0
> acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: 
> created
> acme-client: 
> https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg: 
> challenge
> acme-client: 
> https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw: 
> challenge
> acme-client: order.status 0
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, 
> status: -1
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, 
> status: -1
> acme-client: order.status -1
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: 2600:fee:bee::e:8:0: Invalid response from 
> https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:
>  404
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: 2600:fee:bee::e:8:0: Invalid response from 
> https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:
>  404
> acme-client: bad exit: netproc(16493): 1
> 
> 
> ### The www directory for the acme-challenge exists:
> 
> # ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
> drwxr-xr-x  2 username  staff  512 Apr 12 08:08 
> /var/www/htdocs/example.com/.well-known/acme-challenge/
> 
> 
> ### Relevant portions of my httpd.conf 
> 
> www_v4="x.y.10.10"
> www_v6_a="2600:fee:bee::e:8:0"
> 
> server "www.example.com" {
> listen on $www_v4 tls port 443
> listen on $www_v6_a tls port 443
> tls {
>   certificate "/etc/ssl/certs/www.example.com.chain.pem"
>   key "/etc/ssl/private/www.example.com.key.pem"
>   protocols "TLSv1.2,TLSv1.3"
> }
> hsts {
>   max-age 31536000
>   preload
>   subdomains
> }
> log style combined
>   log { access "access.log", error "error.log" } 
> root "/htdocs/example.com"
> directory auto index
> }
> 
> server "example.com" {
> listen on $www_v4 tls port 443
> listen on $www_v6_a tls port 443
> tls {
>   certificate "/etc/ssl/certs/www.example.com.chain.pem"
>   key "/etc/ssl/private/www.example.com.key.pem"
>   protocols "TLSv1.2,TLSv1.3"
> }
> hsts {
>   max-age 31536000
>   preload
>   subdomains
> }
> log style combined
>   log { access "access.log", error "error.log" } 
> root "/htdocs/example.com"
> directory auto index
> }
> 
> server "www.example.com" {
> listen on $www_v4   port 80
> listen on $www_v6_a port 80
> location "/.well-known/acme-challenge/*" {
>   root "/acme"
>   request strip 2
> }
> block return 301 "https://www.example.com$REQUEST_URI";
> }
> 
> server "example.com" {
> listen on $www_v4   port 80
> listen on $www_v6_a port 80
> location "/.well-known/acme-challenge/*" {
>   root "/acme"
>   request strip 2
> }
> block return 301 "https://www.example.com$REQUEST_URI";
> }
> 
> 
> ### ACME client config
> 
> # acme-client.conf
> authority letsencrypt {
>       api url "https://acme-v02.api.letsencrypt.org/directory";
>       account key "/etc/acme/letsencrypt-privkey.pem"
> }
> 
> authority letsencrypt-staging {
>       api url "https://acme-staging-v02.api.letsencrypt.org/directory";
>       account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
> 
> domain www.example.com {
> alternative names { example.com }
> domain key "/etc/ssl/private/www.example.com.key.pem"
> domain full chain certificate "/etc/ssl/certs/www.example.com.chain.pem"
>       sign with letsencrypt
> }