Re: acme-client new cert error

2018-05-27 Thread justina colmena
On May 27, 2018 2:21:13 PM AKDT, Stuart Henderson  wrote:
>certbot used to just be called "letsencrypt" and was some kind of joint
>EFF/letsencrypt development, hence the close relationship.

That's fine. If certbot may be used with other CAs, and if letsencrypt is
willing to issue certs on request from other clients, and they are O.K. with
that, so much the better. Otherwise we've got something a little bit too
proprietary-ish going on, but in any case, letsencrypt is the default or example
CA for OpenBSD's native acme-client.

Plenty of folks are no doubt a bit concerned about the commercial viability of 
their business model of charging money for "commercial" certs accepted by
major browsers. Maybe it's actually illegal to use a non-commercial cert on a 
.biz domain and I just haven't been made officially aware of that fact.


--
https://www.colmena.biz/~justina/contacto.php



Re: acme-client new cert error

2018-05-27 Thread Stuart Henderson
On 2018-05-27, Florian Obser  wrote:
> On Sat, May 26, 2018 at 09:14:35AM -0700, Scott Vanderbilt wrote:
>> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>> 
>> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
>> > fetch it, letsencrypt's checkers are also unlikely to be able to).
>> > 
>> > Firewall issue?
>> 
>> Oh, FFS.
>> 
>> Yes. A silly pf rule blocking incoming traffic from outside my LAN that I
>> overlooked when I first considered that idea, but then discarded on account
>> of the error message. Which, to me, at least, does not in any reasonable way
>> point to a connection problem.
>> 
>> So, thanks very much for applying the clue stick. And, to whom may I suggest
>> that the misleading error message from acme-client be changed to something
>> actually resembling the problem it has encountered?
>
> The error message is coming from letsencrypt, from your original mail:
>
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
> "detail": "Error creating new cert :: authorizations for these names not 
> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes) 
>
> transfer buffer is the json we got back from letsencrypt. I seem to
> recall that this used to be different and they did tell us that the

acme-client is reporting the error received, I don't think there's a
lot more that it can do in this case.

> connection was refused. Oh but that might be if they are getting an
> icmp port unreachable, I guess you were just dropping the request in
> pf?
>

Yes it was just dropping when I tested (no response rather than a quick
"connection failed").




Re: acme-client new cert error

2018-05-27 Thread Stuart Henderson
On 2018-05-26, justina colmena  wrote:
> On Sat, 26 May 2018 09:14:35 -0700
> Scott Vanderbilt  wrote:
>
>> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>> 
>> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
>> > fetch it, letsencrypt's checkers are also unlikely to be able to).
>> > 
>> > Firewall issue?  
>> 
>> Oh, FFS.
>> 
>> Yes. A silly pf rule blocking incoming traffic from outside my LAN
>> that I overlooked when I first considered that idea, but then
>> discarded on account of the error message. Which, to me, at least,
>> does not in any reasonable way point to a connection problem.
>> 
>> So, thanks very much for applying the clue stick. And, to whom may I 
>> suggest that the misleading error message from acme-client be changed
>> to something actually resembling the problem it has encountered?
>> 
>
> I had a little trouble with acme-client and was discussing it over here
>
> https://community.letsencrypt.org/t/acme-client-on-openbsd-6-3/61785
>
> My solution involved putting in a CAA ("Certificate Authority
> Authorization") record for the domain for which I was requesting the
> certificate.

That's a dnssec-related problem. Setting a CAA for letsencrypt should
make no difference to a validation via letsencrypt (all that would
be expected to do is prevent *other* CAs from issuing). But in this
case it seems it was working around some broken dnssec handling.

> Of course letsencrypt is supportive of open standards and
> working with other clients, etc., but they do seem to have their own
> client, "certbot", which is available in ports and packages on OpenBSD.
>
>  * https://letsencrypt.org/
>  * https://certbot.eff.org/
>
> Yes, it would be unreasonable to expect too much support from the
> "certbot" folks on OpenBSD's acme-client, because they aren't the ones
> who are responsible for developing acme-client, although it is a little
> curious to me that "certbot" has such a close relationship with
> "letsencrypt".

certbot used to just be called "letsencrypt" and was some kind of joint
EFF/letsencrypt development, hence the close relationship.
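Stuart's point above, that a CAA record naming letsencrypt.org only restricts *other* CAs and does nothing for a Let's Encrypt validation, can be checked against the evaluation rules a CA applies before issuing (RFC 8659). This is an added example, not code from the thread, from acme-client or from Let's Encrypt; the sample zone is constructed from the dig output quoted later in this thread.

```python
"""CAA evaluation as a CA performs it before issuing (RFC 8659).

Added example. The zone below is a constructed stand-in for DNS: a mapping from
owner name to CAA rdata in presentation format, taken from the dig output
quoted in this thread."""
import re

CAA_RDATA = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')
FLAG_CRITICAL = 128
KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed sample zone (from the thread's dig output).
ZONE = {
    "amarillo.colmena.biz": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}


def parse_caa(rdata):
    """'0 issue "letsencrypt.org"' -> (0, 'issue', 'letsencrypt.org')."""
    m = CAA_RDATA.match(rdata.strip())
    if m is None:
        raise ValueError("not a CAA record: %r" % rdata)
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def relevant_rrset(zone, name):
    """RFC 8659 section 3: walk from the name towards the root and use the
    first CAA RRset found, so subdomains inherit their parent's policy."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]          # wildcard label never carries CAA itself
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=http-01' -> 'letsencrypt.org'.
    A bare ';' yields '' which matches no CA, i.e. nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, ca_domain, wildcard=False):
    """Would a CA identifying itself as ca_domain be allowed to issue for name?"""
    wildcard = wildcard or name.startswith("*.")
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                  # no CAA anywhere up the tree: any CA may issue
    if any(f & FLAG_CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False                 # unknown critical property: must refuse
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcard names when present, otherwise issue does
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                  # only non-restricting tags (e.g. iodef)
    return any(issuer_domain(v) == ca_domain.lower() for v in governing)
```

With these records Let's Encrypt is still allowed and any other CA is refused, which is the only effect the record has; the validation failure in the thread is unrelated to it.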




Re: acme-client new cert error

2018-05-27 Thread Florian Obser
On Sat, May 26, 2018 at 09:14:35AM -0700, Scott Vanderbilt wrote:
> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
> 
> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> > fetch it, letsencrypt's checkers are also unlikely to be able to).
> > 
> > Firewall issue?
> 
> Oh, FFS.
> 
> Yes. A silly pf rule blocking incoming traffic from outside my LAN that I
> overlooked when I first considered that idea, but then discarded on account
> of the error message. Which, to me, at least, does not in any reasonable way
> point to a connection problem.
> 
> So, thanks very much for applying the clue stick. And, to whom may I suggest
> that the misleading error message from acme-client be changed to something
> actually resembling the problem it has encountered?

The error message is coming from letsencrypt, from your original mail:

acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
"detail": "Error creating new cert :: authorizations for these names not found 
or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes) 

transfer buffer is the json we got back from letsencrypt. I seem to
recall that this used to be different and they did tell us that the
connection was refused. Oh but that might be if they are getting an
icmp port unreachable, I guess you were just dropping the request in
pf?

-- 
I'm not entirely sure you are real.



Re: acme-client new cert error

2018-05-26 Thread justina colmena
On Sat, 26 May 2018 09:14:35 -0700
Scott Vanderbilt  wrote:

> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
> 
> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> > fetch it, letsencrypt's checkers are also unlikely to be able to).
> > 
> > Firewall issue?  
> 
> Oh, FFS.
> 
> Yes. A silly pf rule blocking incoming traffic from outside my LAN
> that I overlooked when I first considered that idea, but then
> discarded on account of the error message. Which, to me, at least,
> does not in any reasonable way point to a connection problem.
> 
> So, thanks very much for applying the clue stick. And, to whom may I 
> suggest that the misleading error message from acme-client be changed
> to something actually resembling the problem it has encountered?
> 

I had a little trouble with acme-client and was discussing it over here

https://community.letsencrypt.org/t/acme-client-on-openbsd-6-3/61785

My solution involved putting in a CAA ("Certificate Authority
Authorization") record for the domain for which I was requesting the
certificate. Of course letsencrypt is supportive of open standards and
working with other clients, etc., but they do seem to have their own
client, "certbot", which is available in ports and packages on OpenBSD.

 * https://letsencrypt.org/
 * https://certbot.eff.org/

Yes, it would be unreasonable to expect too much support from the
"certbot" folks on OpenBSD's acme-client, because they aren't the ones
who are responsible for developing acme-client, although it is a little
curious to me that "certbot" has such a close relationship with
"letsencrypt".

[justina@blanco ~]$ dig amarillo.colmena.biz caa

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> amarillo.colmena.biz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55341
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;amarillo.colmena.biz.          IN      CAA

;; ANSWER SECTION:
amarillo.colmena.biz.  38362  IN  CAA  0 issue "letsencrypt.org"
amarillo.colmena.biz.  38362  IN  CAA  0 issuewild ";"

;; Query time: 570 msec
;; SERVER: 192.168.44.1#53(192.168.44.1)
;; WHEN: Sat May 26 18:25:19 GMT 2018
;; MSG SIZE  rcvd: 107

[justina@blanco ~]$



Re: acme-client new cert error

2018-05-26 Thread Scott Vanderbilt

On 5/26/2018 4:54 AM, Stuart Henderson wrote:

> aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> fetch it, letsencrypt's checkers are also unlikely to be able to).
>
> Firewall issue?


Oh, FFS.

Yes. A silly pf rule blocking incoming traffic from outside my LAN that 
I overlooked when I first considered that idea, but then discarded on 
account of the error message. Which, to me, at least, does not in any 
reasonable way point to a connection problem.


So, thanks very much for applying the clue stick. And, to whom may I 
suggest that the misleading error message from acme-client be changed to 
something actually resembling the problem it has encountered?






Re: acme-client new cert error

2018-05-26 Thread Stuart Henderson
On 2018-05-25, Scott Vanderbilt  wrote:
> I'm having difficulty creating a new SSL cert for a virtual host I'm 
> just standing up for the first time. I get the following error on 
> successive attempts:
>
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or 
> expired: aeneas.datagenic.com
>
> I've verified it's not a web server access issue, as I am able to 
> successfully retrieve a static HTML file from the challenge directory
>
>     aeneas$ curl 
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>     Foo
>     aeneas$

I'm not able to successfully retrieve one from that address,
aeneas.datagenic.com doesn't respond on port 80. (And if I can't
fetch it, letsencrypt's checkers are also unlikely to be able to).

Firewall issue?




Re: acme-client new cert error

2018-05-25 Thread Bryan Harris
Ah okay. In my different situation I did

mv /etc/ssl/cert /tmp

Then ran command again.

I will try -D next time instead.

V/r,
Bryan 



> On May 25, 2018, at 5:51 PM, Scott Vanderbilt  wrote:
> 
>> On 5/25/2018 2:41 PM, Bryan Harris wrote:
>> Did you already have a cert for datagenic.com but which didn’t include the 
>> new name?
>> I think the -A argument only makes a new cert when old one doesn’t exist. 
>> Otherwise tries to use found cert and failed because old cert doesn’t have 
>> new name. At least that’s my understanding.
>> Or maybe I misunderstood the error message.
>> V/r,
>> Bryan
> 
> Thanks for chipping in.
> 
> Regrettably, I get the same error with -D flag only (i.e., no -A).
> 
> 
>>> On May 25, 2018, at 4:10 PM, Scott Vanderbilt  wrote:
>>> 
>>> I'm having difficulty creating a new SSL cert for a virtual host I'm just 
>>> standing up for the first time. I get the following error on successive 
>>> attempts:
>>> 
>>> urn:acme:error:unauthorized
>>> Error creating new cert :: authorizations for these names not found or 
>>> expired: aeneas.datagenic.com
>>> 
>>> I've verified it's not a web server access issue, as I am able to 
>>> successfully retrieve a static HTML file from the challenge directory
>>> 
>>>aeneas$ curl 
>>> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>>>Foo
>>>aeneas$
>>> 
>>> Complete verbose error message, config file, and dmesg follow.
>>> 
>>> Thanks in advance for any assistance you can lend.
>>> 
>>> 
>>> 
>>> aeneas# acme-client -vvAD aeneas.datagenic.com
>>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain 
>>> key exists (not creating)
>>> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
>>> creating)
>>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded 
>>> RSA domain key
>>> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
>>> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
>>> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
>>> acme-client: transfer buffer: [{ "key-change":
>>> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": {
>>> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
>>> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
>>> "website": "https://letsencrypt.org" }, "new-authz":
>>> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
>>> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
>>> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
>>> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0":
>>> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
>>> }] (658 bytes)
>>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth:
>>> aeneas.datagenic.com
>>> acme-client: acme-v01.api.letsencrypt.org: cached
>>> acme-client: acme-v01.api.letsencrypt.org: cached
>>> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value":
>>> "aeneas.datagenic.com" }, "status": "pending", "expires":
>>> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status":
>>> "pending", "uri":
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624",
>>> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
>>> "dns-01", "status": "pending", "uri":
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625",
>>> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
>>> "http-01", "status": "pending", "uri":
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ],
>>> "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
>>> acme-client:
>>> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
>>> created
>>> acme-client:
>>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>>> challenge
>>> acme-client: acme-v01.api.letsencrypt.org: cached
>>> acme-client: acme-v01.api.letsencrypt.org: cached
>>> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending",
>>> "uri":
>>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co",
>>> "keyAuthorization":
>>> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
>>> }] (336 bytes)
>>> acme-client: 
>>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>>>  status
>>> 

Re: acme-client new cert error

2018-05-25 Thread Scott Vanderbilt

On 5/25/2018 2:41 PM, Bryan Harris wrote:

> Did you already have a cert for datagenic.com but which didn’t include the new
> name?
>
> I think the -A argument only makes a new cert when old one doesn’t exist.
> Otherwise tries to use found cert and failed because old cert doesn’t have new
> name. At least that’s my understanding.
>
> Or maybe I misunderstood the error message.
>
> V/r,
> Bryan


Thanks for chipping in.

Regrettably, I get the same error with -D flag only (i.e., no -A).



> On May 25, 2018, at 4:10 PM, Scott Vanderbilt  wrote:
>
>> I'm having difficulty creating a new SSL cert for a virtual host I'm just
>> standing up for the first time. I get the following error on successive
>> attempts:
>>
>> urn:acme:error:unauthorized
>> Error creating new cert :: authorizations for these names not found or expired:
>> aeneas.datagenic.com
>>
>> I've verified it's not a web server access issue, as I am able to successfully
>> retrieve a static HTML file from the challenge directory
>>
>>     aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>>     Foo
>>     aeneas$
>>
>> Complete verbose error message, config file, and dmesg follow.
>>
>> Thanks in advance for any assistance you can lend.
>>
>>
>>
>> aeneas# acme-client -vvAD aeneas.datagenic.com
>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain key
>> exists (not creating)
>> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
>> creating)
>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded RSA
>> domain key
>> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
>> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
>> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
>> acme-client: transfer buffer: [{ "key-change":
>> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": {
>> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
>> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
>> "website": "https://letsencrypt.org" }, "new-authz":
>> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
>> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
>> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
>> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0":
>> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
>> }] (658 bytes)
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth:
>> aeneas.datagenic.com
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value":
>> "aeneas.datagenic.com" }, "status": "pending", "expires":
>> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status":
>> "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624",
>> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
>> "dns-01", "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625",
>> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
>> "http-01", "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations":
>> [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
>> acme-client:
>> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
>> created
>> acme-client:
>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>> challenge
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending",
>> "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization":
>> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
>> }] (336 bytes)
>> acme-client:
>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>> status
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
>> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
>> "detail": "Error creating new cert :: authorizations for these names not
>> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
>> acme-client: bad exit: netproc(38047): 1



Re: acme-client new cert error

2018-05-25 Thread Bryan Harris
Did you already have a cert for datagenic.com but which didn’t include the new 
name?

I think the -A argument only makes a new cert when old one doesn’t exist. 
Otherwise tries to use found cert and failed because old cert doesn’t have new 
name. At least that’s my understanding. 

Or maybe I misunderstood the error message.

V/r,
Bryan

> On May 25, 2018, at 4:10 PM, Scott Vanderbilt  wrote:
> 
> I'm having difficulty creating a new SSL cert for a virtual host I'm just 
> standing up for the first time. I get the following error on successive 
> attempts:
> 
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or 
> expired: aeneas.datagenic.com
> 
> I've verified it's not a web server access issue, as I am able to 
> successfully retrieve a static HTML file from the challenge directory
> 
>aeneas$ curl 
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>Foo
>aeneas$
> 
> Complete verbose error message, config file, and dmesg follow.
> 
> Thanks in advance for any assistance you can lend.
> 
> 
> 
> aeneas# acme-client -vvAD aeneas.datagenic.com
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain 
> key exists (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
> creating)
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded 
> RSA domain key
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
> acme-client: transfer buffer: [{ "key-change":
> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": {
> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
> "website": "https://letsencrypt.org" }, "new-authz":
> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0":
> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
> }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth:
> aeneas.datagenic.com
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value":
> "aeneas.datagenic.com" }, "status": "pending", "expires":
> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status":
> "pending", "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624",
> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
> "dns-01", "status": "pending", "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625",
> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
> "http-01", "status": "pending", "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations":
> [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
> acme-client:
> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
> created
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
> challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending",
> "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization":
> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
> }] (336 bytes)
> acme-client: 
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>  status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
> "detail": "Error creating new cert :: authorizations for these names not 
> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
> acme-client: bad 

Re: acme-client new cert error

2018-05-25 Thread Scott Vanderbilt

On 5/25/2018 2:20 PM, Fred wrote:

> On 05/25/18 21:10, Scott Vanderbilt wrote:
>> I'm having difficulty creating a new SSL cert for a virtual host I'm
>> just standing up for the first time. I get the following error on
>> successive attempts:
>>
>> urn:acme:error:unauthorized
>> Error creating new cert :: authorizations for these names not found or
>> expired: aeneas.datagenic.com
>>
>> I've verified it's not a web server access issue, as I am able to
>> successfully retrieve a static HTML file from the challenge directory
>>
>>     aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>>     Foo
>>     aeneas$
>>
>> Complete verbose error message, config file, and dmesg follow.
>>
>> Thanks in advance for any assistance you can lend.
>>
>>
>>
>> aeneas# acme-client -vvAD aeneas.datagenic.com
>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem:
>> domain key exists (not creating)
>> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists
>> (not creating)
>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem:
>> loaded RSA domain key
>> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
>> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
>> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
>> acme-client: transfer buffer: [{ "key-change":
>> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": {
>> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
>> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
>> "website": "https://letsencrypt.org" }, "new-authz":
>> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
>> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
>> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
>> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
>> "sw0ePngTU-0":
>> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
>> }] (658 bytes)
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
>> req-auth: aeneas.datagenic.com
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: transfer buffer: [{ "identifier": { "type": "dns",
>> "value": "aeneas.datagenic.com" }, "status": "pending", "expires":
>> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01",
>> "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624",
>> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
>> "dns-01", "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625",
>> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
>> "http-01", "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ],
>> "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
>> acme-client:
>> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
>> created
>> acme-client:
>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>> challenge
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: transfer buffer: [{ "type": "http-01", "status":
>> "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co",
>> "keyAuthorization":
>> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
>> }] (336 bytes)
>> acme-client:
>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>> status
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert:
>> certificate
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad
>> HTTP: 403
>> acme-client: transfer buffer: [{ "type":
>> "urn:acme:error:unauthorized", "detail": "Error creating new cert ::
>> authorizations for these names not found or expired:
>> aeneas.datagenic.com", "status": 403 }] (176 bytes)
>> acme-client: bad exit: netproc(38047): 1
>>
>>
>> -
>> aeneas$ cat /etc/acme-client.conf
>> #
>> # $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
>> #
>> authority letsencrypt {
>>  api url "https://acme-v01.api.letsencrypt.org/directory"
>>  account key "/etc/acme/letsencrypt-privkey.pem"
>> }
>>
>> authority letsencrypt-staging {
>>  api url "https://acme-staging.api.letsencrypt.org/directory"
>>  account key 

Re: acme-client new cert error

2018-05-25 Thread Tim van der Molen
I have run into a problem that seems similar to yours. I'm still
debugging it (or rather trying to find the time to do so), but I believe
the problem is that acme-client does not correctly handle the "pending"
status: it is handled as "valid". As a result, the challenge file is
removed before the acme server could verify it.

In my case, disabling the code that removes the challenge file (see diff
below) improves the chance of success. Perhaps that's helpful to you too
as a temporary workaround.

Index: chngproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/chngproc.c,v
retrieving revision 1.12
diff -p -u -r1.12 chngproc.c
--- chngproc.c  24 Jan 2017 13:32:55 -  1.12
+++ chngproc.c  25 May 2018 21:10:39 -
@@ -139,8 +139,10 @@ out:
if (fd != -1)
close(fd);
for (i = 0; i < fsz; i++) {
+#if 0
if (unlink(fs[i]) == -1 && errno != ENOENT)
warn("%s", fs[i]);
+#endif
free(fs[i]);
}
free(fs);
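Review bot: the `#if 0` around `unlink(fs[i])` disables cleanup outright, so every challenge file acme-client writes (the /var/www/htdocs/default/acme/<token> path in the quoted log) stays in the web root after each run; as a stopgap that is acceptable, but the fix described in the message, not treating "pending" as "valid" and waiting for a terminal challenge status before this cleanup loop runs, belongs in the status handling rather than here, with the unlink left in place. Also, the hunk's context lines (`if (fd != -1)`, `close(fd);`, `free(fs[i]);`) have lost their leading space as pasted, so patch(1) will not apply it as-is; readers will have to apply the two `#if 0`/`#endif` lines by hand.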

Scott Vanderbilt (2018-05-25 22:10 +0200):
> I'm having difficulty creating a new SSL cert for a virtual host I'm just
> standing up for the first time. I get the following error on successive
> attempts:
> 
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or
> expired: aeneas.datagenic.com
> 
> I've verified it's not a web server access issue, as I am able to
> successfully retrieve a static HTML file from the challenge directory
> 
>    aeneas$ curl
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>    Foo
>    aeneas$
> 
> Complete verbose error message, config file, and dmesg follow.
> 
> Thanks in advance for any assistance you can lend.
> 
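A minimal model of the ordering the reply above describes, as an added example rather than acme-client's own code: write the token file, poll the challenge status, and remove the file only after the CA reports a final status. The authorization object, the `poll` callback, the thumbprint and the host name are constructed placeholders, not values from this thread.

```python
import json
import os
import time
from typing import Callable

# Authorization object shaped like the one in the acme-client log above
# (constructed sample: the tokens, URIs and host name are placeholders).
AUTHZ = json.loads("""{"identifier": {"type": "dns", "value": "host.example.test"},
 "status": "pending", "challenges": [
  {"type": "tls-sni-01", "status": "pending", "uri": "https://ca.example.test/c/1", "token": "TOKEN-TLS"},
  {"type": "dns-01", "status": "pending", "uri": "https://ca.example.test/c/2", "token": "TOKEN-DNS"},
  {"type": "http-01", "status": "pending", "uri": "https://ca.example.test/c/3", "token": "TOKEN-HTTP"}]}""")

FINAL = ("valid", "invalid")  # statuses after which the CA will not look again


def pick_http01(authz: dict) -> dict:
    """Select the http-01 challenge from an authorization object."""
    for ch in authz["challenges"]:
        if ch["type"] == "http-01":
            return ch
    raise LookupError("no http-01 challenge offered")


def run_http01(authz: dict, webroot: str, thumbprint: str,
               poll: Callable[[str], str], max_polls: int = 10,
               interval: float = 1.0) -> str:
    """Serve the key authorization, then clean up only once the CA is done.

    poll(uri) returns the challenge status the CA currently reports.
    The token file stays in place while the status is still "pending",
    which is the ordering the thread says acme-client got wrong; it is
    unlinked only after a final status, and kept if the poll budget runs
    out so a later retry can still be verified.
    """
    ch = pick_http01(authz)
    path = os.path.join(webroot, ch["token"])
    with open(path, "w") as f:
        f.write(ch["token"] + "." + thumbprint)  # keyAuthorization body
    status = "pending"
    for _ in range(max_polls):
        status = poll(ch["uri"])
        if status in FINAL:
            break
        time.sleep(interval)
    if status in FINAL:
        os.unlink(path)
    return status
```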

Re: acme-client new cert error

2018-05-25 Thread Fred

On 05/25/18 21:10, Scott Vanderbilt wrote:
I'm having difficulty creating a new SSL cert for a virtual host I'm 
just standing up for the first time. I get the following error on 
successive attempts:


urn:acme:error:unauthorized
Error creating new cert :: authorizations for these names not found or 
expired: aeneas.datagenic.com


I've verified it's not a web server access issue, as I am able to 
successfully retrieve a static HTML file from the challenge directory


    aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
    Foo
    aeneas$

Complete verbose error message, config file, and dmesg follow.

Thanks in advance for any assistance you can lend.

acme-client new cert error

2018-05-25 Thread Scott Vanderbilt
I'm having difficulty creating a new SSL cert for a virtual host I'm 
just standing up for the first time. I get the following error on 
successive attempts:


urn:acme:error:unauthorized
Error creating new cert :: authorizations for these names not found or 
expired: aeneas.datagenic.com


I've verified it's not a web server access issue, as I am able to 
successfully retrieve a static HTML file from the challenge directory


   aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
   Foo
   aeneas$

Complete verbose error message, config file, and dmesg follow.

Thanks in advance for any assistance you can lend.



aeneas# acme-client -vvAD aeneas.datagenic.com
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: aeneas.datagenic.com
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" }] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)

acme-client: bad exit: netproc(38047): 1


-
aeneas$ cat /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
#
authority letsencrypt {
    api url "https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain aeneas.datagenic.com {
#   alternative names {