Re: [OpenBSD 6.1] acme-client + nginx
On 07/06/17 at 12:03, Stuart Henderson wrote:
(...)
> /usr/local/www seems unlikely on OpenBSD.
>
> I just have
>
> location /.well-known/acme-challenge { root /var/www/letsencrypt/; }
>
> and
>
> challengedir "/var/www/letsencrypt/.well-known/acme-challenge"
>
> but there are several ways you can configure this. (e.g. you might want
> to use a different directory layout if you have anything else that uses
> the RFC5785 .well-known URIs). It doesn't matter what you use as long as
> letsencrypt can fetch the file that acme-client wrote.

OK, it runs correctly as you wrote.

I changed nginx:

location ^~ /.well-known/acme-challenge {
    allow all;
    #default_type "text/plain";
    root /var/www/acme/test.obsd4a.net/;
}

I changed acme-client.conf:

challengedir "/var/www/acme/test.obsd4a.net/.well-known/acme-challenge"

And the result is:

$ doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 184.87.72.109
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: test.obsd4a.net
acme-client: /var/www/acme/test.obsd4a.net/.well-known/acme-challenge/cugIljWXyalHSHnsOa51W4BoBEW5n0_JctHP8Y59l8U: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 88.221.234.34
acme-client: /etc/ssl/acme//test.obsd4a.net-chain.pem: created
acme-client: /etc/ssl/acme/test.obsd4a.net-cert.pem: created
acme-client: /etc/ssl/acme//test.obsd4a.net-fullchain.pem: created

Thank you! :D

-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net
Re: [OpenBSD 6.1] acme-client + nginx
On 2017-07-06, Stephane HUC "PengouinBSD" wrote:
> Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.
>
> But it fails with a bad response.
...
> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
> \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
> Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody ...

LE fetches from http://test.obsd4a.net/.well-known/acme-challenge/(filename)
but gets 404 Not Found.

> I try with this nginx config:
>
> location ^~ /.well-known/acme-challenge {
>     #alias /var/www/acme;
>     #try_files $uri =404;
>     allow all;
>     default_type "text/plain";
>     proxy_redirect off;
>     root /var/www/acme;
> }

With "root" it will look in /var/www/acme/.well-known/acme-challenge.
Either adjust acme-client config to place the files there, or adjust
nginx config to serve files from the actual location.

Test by writing a file to the directory acme-client uses and make sure
you can fetch it yourself. Only reattempt acme-client when this works,
they have a rate-limit for bad auths and will blacklist you for a while
if you exceed it.

> or this:
>
> location ^~ /.well-known/acme-challenge {
>     alias /usr/local/www/acme;
>     try_files $uri =404;
> }

/usr/local/www seems unlikely on OpenBSD.

I just have

location /.well-known/acme-challenge { root /var/www/letsencrypt/; }

and

challengedir "/var/www/letsencrypt/.well-known/acme-challenge"

but there are several ways you can configure this. (e.g. you might want
to use a different directory layout if you have anything else that uses
the RFC5785 .well-known URIs). It doesn't matter what you use as long as
letsencrypt can fetch the file that acme-client wrote.
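The advice in the reply above (make the nginx location and acme-client's challengedir resolve to the same directory, then fetch a probe file yourself before re-running acme-client, because Let's Encrypt rate-limits failed authorizations) as a pre-flight script. This is an added example, not code from the thread, from acme-client or from nginx. The host name test.obsd4a.net and the paths come from the thread; the probe token name and the use of ftp(1) for the fetch are my choices. The lookup rule it encodes is nginx's documented one: `root PATH` serves PATH plus the full request URI, while `alias PATH` serves PATH plus the part of the URI after the matched location.

```shell
#!/bin/sh
# Pre-flight for acme-client + nginx http-01 on OpenBSD (added example).
# Checks that the directory nginx serves for /.well-known/acme-challenge/
# is the directory acme-client writes into, then lets you drop a probe file
# there and fetch it through nginx before touching the ACME endpoint.

# Collapse repeated slashes and drop a trailing one: "/var/www/acme//" -> "/var/www/acme".
norm_path() {
    printf '%s\n' "$1" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#'
}

# Directory nginx reads for requests under LOCATION, given the directive in
# that location block:
#   root  PATH -> PATH + full URI               (PATH/.well-known/acme-challenge/<token>)
#   alias PATH -> PATH + URI minus LOCATION     (PATH/<token>)
nginx_served_dir() {
    directive=$1; path=$2; location=$3
    case $directive in
        root)  norm_path "$path/$location" ;;
        alias) norm_path "$path" ;;
        *)     echo "unknown directive: $directive" >&2; return 2 ;;
    esac
}

# 0 when acme-client's challengedir is exactly what nginx serves, 1 on a
# mismatch (printed to stderr so the two paths can be compared by eye).
check_layout() {
    directive=$1; path=$2; location=$3; challengedir=$4
    served=$(nginx_served_dir "$directive" "$path" "$location") || return 2
    want=$(norm_path "$challengedir")
    if [ "$served" = "$want" ]; then
        return 0
    fi
    printf 'mismatch: nginx serves %s but acme-client writes to %s\n' \
        "$served" "$want" >&2
    return 1
}

# URL Let's Encrypt will fetch for a given token (always plain http, port 80).
probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a throwaway probe file into CHALLENGEDIR with known contents.
write_probe() {
    dir=$1; token=$2
    mkdir -p "$dir" && printf 'probe %s\n' "$token" > "$dir/$token"
}

# Fetch the probe through nginx with ftp(1) from OpenBSD base and compare.
# Network-dependent: run on the real host with nginx up, not in a test.
fetch_probe() {
    url=$1; expect=$2
    got=$(ftp -o - "$url" 2>/dev/null) && [ "$got" = "$expect" ]
}

# Usage on the real host (not executed here): verify the layout, drop a
# probe, fetch it, and only then run acme-client.
#   check_layout root /var/www/acme/test.obsd4a.net/ /.well-known/acme-challenge \
#       /var/www/acme/test.obsd4a.net/.well-known/acme-challenge &&
#   write_probe /var/www/acme/test.obsd4a.net/.well-known/acme-challenge probe-$$ &&
#   fetch_probe "$(probe_url test.obsd4a.net probe-$$)" "probe probe-$$" &&
#   doas acme-client -vAD test.obsd4a.net
```

check_layout rejects the original post's layout (nginx `root /var/www/acme` against acme-client writing under /var/www/htdocs/test.obsd4a.net/www) and accepts the fixed one, trailing slash on the nginx root included; with `alias` the challengedir has to equal the alias path itself, which is why the OP's commented-out `alias /var/www/acme` would have needed `challengedir "/var/www/acme"`.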
[OpenBSD 6.1] acme-client + nginx
Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.

But it fails with a bad response.

doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.206.21.80
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: test.obsd4a.net
acme-client: /var/www/htdocs/test.obsd4a.net/www/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367: bad response
acme-client: transfer buffer: [{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
    "status": 403
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367",
  "token": "L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU",
  "keyAuthorization": "L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU.btIkQ8owertOE1LvXr1mezl9i5h6KptZrzIehfgwdcg",
  "validationRecord": [ {
    "url": "http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU",
    "hostname": "test.obsd4a.net",
    "port": "80",
    "addressesResolved": [ "213.246.39.160" ],
    "addressUsed": "213.246.39.160",
    "addressesTried": []
  } ]
}] (1149 bytes)
acme-client: bad exit: netproc(32816): 1

I try with this nginx config:

location ^~ /.well-known/acme-challenge {
    #alias /var/www/acme;
    #try_files $uri =404;
    allow all;
    default_type "text/plain";
    proxy_redirect off;
    root /var/www/acme;
}

or this:

location ^~ /.well-known/acme-challenge {
    alias /usr/local/www/acme;
    try_files $uri =404;
}

But, same result, bad status.

FYI, I can obtain certs - in test mode - with certbot ;) (and the first location setting).

-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net