Re: acme-client new cert error
On May 27, 2018 2:21:13 PM AKDT, Stuart Henderson wrote:
> certbot used to just be called "letsencrypt" and was some kind of joint
> EFF/letsencrypt development, hence the close relationship.

That's fine. If certbot may be used with other CAs, and if letsencrypt is willing to issue certs on request from other clients, and they are O.K. with that, so much the better. Otherwise we've got something a little bit too proprietary-ish going on, but in any case, letsencrypt is the default or example CA for OpenBSD's native acme-client.

Plenty of folks are no doubt a bit concerned about the commercial viability of their business model of charging money for "commercial" certs accepted by major browsers. Maybe it's actually illegal to use a non-commercial cert on a .biz domain and I just haven't been made officially aware of that fact.

-- 
https://www.colmena.biz/~justina/contacto.php
Re: acme-client new cert error
On 2018-05-27, Florian Obser wrote:
> On Sat, May 26, 2018 at 09:14:35AM -0700, Scott Vanderbilt wrote:
>> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>>
>> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
>> > fetch it, letsencrypt's checkers are also unlikely to be able to).
>> >
>> > Firewall issue?
>>
>> Oh, FFS.
>>
>> Yes. A silly pf rule blocking incoming traffic from outside my LAN that I
>> overlooked when I first considered that idea, but then discarded on account
>> of the error message. Which, to me, at least, does not in any reasonable way
>> point to a connection problem.
>>
>> So, thanks very much for applying the clue stick. And, to whom may I suggest
>> that the misleading error message from acme-client be changed to something
>> actually resembling the problem it has encountered?
>
> The error message is coming from letsencrypt, from your original mail:
>
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
> "detail": "Error creating new cert :: authorizations for these names not
> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
>
> transfer buffer is the json we got back from letsencrypt.

acme-client is reporting the error received, I don't think there's a lot more that it can do in this case.

> I seem to recall that this used to be different and they did tell us that the
> connection was refused. Oh but that might be if they are getting an
> icmp port unreachable, I guess you were just dropping the request in
> pf?

Yes it was just dropping when I tested (no response rather than a quick "connection failed").
Re: acme-client new cert error
On 2018-05-26, justina colmena wrote:
> On Sat, 26 May 2018 09:14:35 -0700
> Scott Vanderbilt wrote:
>
>> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>>
>> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
>> > fetch it, letsencrypt's checkers are also unlikely to be able to).
>> >
>> > Firewall issue?
>>
>> Oh, FFS.
>>
>> Yes. A silly pf rule blocking incoming traffic from outside my LAN
>> that I overlooked when I first considered that idea, but then
>> discarded on account of the error message. Which, to me, at least,
>> does not in any reasonable way point to a connection problem.
>>
>> So, thanks very much for applying the clue stick. And, to whom may I
>> suggest that the misleading error message from acme-client be changed
>> to something actually resembling the problem it has encountered?
>>
>
> I had a little trouble with acme-client and was discussing it over here
>
> https://community.letsencrypt.org/t/acme-client-on-openbsd-6-3/61785
>
> My solution involved putting in a CAA ("Certificate Authority
> Authorization") record for the domain for which I was requesting the
> certificate.

That's a dnssec-related problem. Setting a CAA for letsencrypt should make no difference to a validation via letsencrypt (all that would be expected to do is prevent *other* CAs from issuing). But in this case it seems it was working around some broken dnssec handling.

> Of course letsencrypt is supportive of open standards and
> working with other clients, etc., but they do seem to have their own
> client, "certbot", which is available in ports and packages on OpenBSD.
>
> * https://letsencrypt.org/
> * https://certbot.eff.org/
>
> Yes, it would be unreasonable to expect too much support from the
> "certbot" folks on OpenBSD's acme-client, because they aren't the ones
> who are responsible for developing acme-client, although it is a little
> curious to me that "certbot" has such a close relationship with
> "letsencrypt".
certbot used to just be called "letsencrypt" and was some kind of joint EFF/letsencrypt development, hence the close relationship.
Re: acme-client new cert error
On Sat, May 26, 2018 at 09:14:35AM -0700, Scott Vanderbilt wrote:
> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>
> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> > fetch it, letsencrypt's checkers are also unlikely to be able to).
> >
> > Firewall issue?
>
> Oh, FFS.
>
> Yes. A silly pf rule blocking incoming traffic from outside my LAN that I
> overlooked when I first considered that idea, but then discarded on account
> of the error message. Which, to me, at least, does not in any reasonable way
> point to a connection problem.
>
> So, thanks very much for applying the clue stick. And, to whom may I suggest
> that the misleading error message from acme-client be changed to something
> actually resembling the problem it has encountered?

The error message is coming from letsencrypt, from your original mail:

acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
"detail": "Error creating new cert :: authorizations for these names not
found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)

transfer buffer is the json we got back from letsencrypt. I seem to recall that this used to be different and they did tell us that the connection was refused. Oh but that might be if they are getting an icmp port unreachable, I guess you were just dropping the request in pf?

-- 
I'm not entirely sure you are real.
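The "transfer buffer" line is the CA's own problem document, so the natural place to make the 403 less opaque is in whatever reads acme-client's verbose output. The script below is an added example (not part of this thread and not acme-client code): it pulls the JSON out of such lines, tells authorization documents from ACME error documents, and maps the error type to the check a defender would make next. The log lines it runs on are constructed from the output quoted in this thread with the long challenge URIs trimmed (so the byte counts are nominal); the `HINTS` wording is mine, and the set of error codes it recognises is an assumption about common CA responses, not something taken from acme-client.

```python
"""Decode acme-client's verbose "transfer buffer" lines.

Added example, not acme-client code. SAMPLE_LOG is constructed from the
output quoted in this thread (challenge URIs trimmed, byte counts nominal).
"""
import json
import re

SAMPLE_LOG = r'''
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: aeneas.datagenic.com
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
'''

# acme-client wraps the CA's reply in [...] and appends its length.
TRANSFER_RE = re.compile(
    r'acme-client: transfer buffer: \[(?P<body>.*)\] \((?P<size>\d+) bytes\)$')

ERROR_PREFIXES = ('urn:acme:error:', 'urn:ietf:params:acme:error:')

# Defender-side next check per short error code (assumed common codes; wording is mine).
HINTS = {
    'unauthorized': 'The CA holds no valid authorization for the name: the challenge was '
                    'never fetched successfully, or was torn down while still "pending". '
                    'Confirm the challenge path is reachable on port 80 from outside your '
                    'network, not just from the LAN.',
    'connection': 'The CA could not reach the host at all: check DNS, the firewall and '
                  'that the web server listens on the public address.',
    'caa': 'A CAA record on the name (or a parent) does not list this CA.',
    'dns': 'The CA could not resolve the name or hit a DNSSEC failure.',
    'rateLimited': 'Too many requests for this name/account; test against the staging authority.',
    'malformed': 'The request the client sent was rejected; compare client and API versions.',
}


def extract_documents(log_text):
    """Return the parsed JSON of every transfer-buffer line, skipping truncated ones."""
    docs = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.search(line)
        if not m:
            continue
        try:
            docs.append(json.loads(m.group('body')))
        except json.JSONDecodeError:
            continue   # cut-off line: do not guess at its content
    return docs


def classify(doc):
    """Tell the document types acme-client logs apart."""
    if 'identifier' in doc and 'challenges' in doc:
        return 'authorization'
    if doc.get('type', '').startswith(ERROR_PREFIXES):
        return 'error'
    if 'new-authz' in doc or 'newOrder' in doc:
        return 'directory'
    if 'token' in doc:
        return 'challenge'
    return 'unknown'


def diagnose(doc):
    """Return (short code, CA detail, next check) for an ACME problem document."""
    code = doc['type'].rsplit(':', 1)[-1]
    hint = HINTS.get(code, 'Unrecognised error type; read the CA\'s "detail" field.')
    return code, doc.get('detail', ''), hint


def summarize(log_text):
    """Walk a verbose acme-client log and return human-readable findings."""
    findings = []
    for doc in extract_documents(log_text):
        kind = classify(doc)
        if kind == 'authorization':
            name = doc['identifier']['value']
            open_challenges = [c['type'] for c in doc['challenges'] if c['status'] != 'valid']
            findings.append(f'authz {name}: status={doc["status"]}, '
                            f'not-yet-valid challenges: {open_challenges}')
        elif kind == 'error':
            code, detail, hint = diagnose(doc)
            findings.append(f'CA error {code} (HTTP {doc.get("status")}): {detail}\n  hint: {hint}')
    return findings


if __name__ == '__main__':
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Run it on a real `acme-client -vv` transcript piped to stdin in place of `SAMPLE_LOG`; the authorization summary shows which challenge types the CA offered and that none had reached "valid" when the certificate was requested, which is the same fact the 403 states in its own terms.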
Re: acme-client new cert error
On Sat, 26 May 2018 09:14:35 -0700
Scott Vanderbilt wrote:

> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>
> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> > fetch it, letsencrypt's checkers are also unlikely to be able to).
> >
> > Firewall issue?
>
> Oh, FFS.
>
> Yes. A silly pf rule blocking incoming traffic from outside my LAN
> that I overlooked when I first considered that idea, but then
> discarded on account of the error message. Which, to me, at least,
> does not in any reasonable way point to a connection problem.
>
> So, thanks very much for applying the clue stick. And, to whom may I
> suggest that the misleading error message from acme-client be changed
> to something actually resembling the problem it has encountered?
>

I had a little trouble with acme-client and was discussing it over here

https://community.letsencrypt.org/t/acme-client-on-openbsd-6-3/61785

My solution involved putting in a CAA ("Certificate Authority Authorization") record for the domain for which I was requesting the certificate.

Of course letsencrypt is supportive of open standards and working with other clients, etc., but they do seem to have their own client, "certbot", which is available in ports and packages on OpenBSD.

* https://letsencrypt.org/
* https://certbot.eff.org/

Yes, it would be unreasonable to expect too much support from the "certbot" folks on OpenBSD's acme-client, because they aren't the ones who are responsible for developing acme-client, although it is a little curious to me that "certbot" has such a close relationship with "letsencrypt".
[justina@blanco ~]$ dig amarillo.colmena.biz caa

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> amarillo.colmena.biz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55341
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;amarillo.colmena.biz.		IN	CAA

;; ANSWER SECTION:
amarillo.colmena.biz.	38362	IN	CAA	0 issue "letsencrypt.org"
amarillo.colmena.biz.	38362	IN	CAA	0 issuewild ";"

;; Query time: 570 msec
;; SERVER: 192.168.44.1#53(192.168.44.1)
;; WHEN: Sat May 26 18:25:19 GMT 2018
;; MSG SIZE  rcvd: 107

[justina@blanco ~]$
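The two CAA records in that dig output constrain which CAs may issue for the name; they do not make letsencrypt's own validation any more likely to succeed. The Python below is an added example (not from this thread and not any CA's code) that evaluates a CAA RRset the way an issuing CA does, following my reading of RFC 8659: climb from the requested name to the nearest name that has CAA records, apply `issue` to ordinary names and `issuewild` (when present) to wildcard names, treat the empty issuer `";"` as "nobody", and refuse when a critical flag marks a tag the CA does not implement. The `ZONE` table is constructed: the amarillo.colmena.biz entries are the two records shown above, the other names are made up to exercise the parent-climbing, iodef-only and critical-flag cases.

```python
"""Evaluate CAA records for a given CA identity (RFC 8659 semantics, as I read them).

Added example, not from the thread. ZONE is constructed: the amarillo.colmena.biz
records are the ones shown in the dig output; the others are made up for coverage.
"""
from collections import namedtuple

CAA = namedtuple('CAA', 'flags tag value')
CRITICAL = 128            # "issuer critical" flag bit
KNOWN_TAGS = {'issue', 'issuewild', 'iodef'}

ZONE = {
    'amarillo.colmena.biz': [CAA(0, 'issue', 'letsencrypt.org'),
                             CAA(0, 'issuewild', ';')],
    'example.net': [CAA(0, 'iodef', 'mailto:hostmaster@example.net')],   # no issue tags at all
    'locked.example.org': [CAA(CRITICAL, 'tbs', 'Unknown')],              # critical, unknown tag
}


def relevant_rrset(zone, name):
    """Climb toward the root until a CAA RRset is found; stop short of the TLD."""
    labels = name.rstrip('.').split('.')
    while len(labels) >= 2:
        rrset = zone.get('.'.join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def _issuer(value):
    """'letsencrypt.org; validationmethods=http-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(';', 1)[0].strip().lower()


def may_issue(zone, name, ca_identity):
    """Return (allowed, reason) for ca_identity issuing a certificate for name."""
    wildcard = name.startswith('*.')
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)

    # A critical flag on a tag we do not implement forbids issuance outright.
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag not in KNOWN_TAGS:
            return False, f'critical unknown tag {rec.tag!r}'

    # issuewild governs wildcard requests only, and only when such records exist.
    tag = 'issuewild' if wildcard and any(r.tag == 'issuewild' for r in rrset) else 'issue'
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True, f'no {tag} records in the relevant RRset; unconstrained'
    issuers = {_issuer(r.value) for r in applicable}
    if ca_identity.lower() in issuers:
        return True, f'{tag} permits {ca_identity}'
    return False, f'{tag} permits only {sorted(i or "<nobody>" for i in issuers)}'


if __name__ == '__main__':
    for name, ca in [('amarillo.colmena.biz', 'letsencrypt.org'),
                     ('amarillo.colmena.biz', 'digicert.com'),
                     ('*.amarillo.colmena.biz', 'letsencrypt.org'),
                     ('www.amarillo.colmena.biz', 'letsencrypt.org'),
                     ('www.example.net', 'letsencrypt.org'),
                     ('locked.example.org', 'letsencrypt.org')]:
        print(f'{name:28} {ca:16} -> {may_issue(ZONE, name, ca)}')
```

The interesting outputs are the third and fourth cases: the `issuewild ";"` record blocks every CA, letsencrypt included, from issuing a wildcard for the name, while a host below it with no CAA of its own inherits the parent's `issue "letsencrypt.org"`. Validation itself (whether the CA can fetch the http-01 file) is a separate question that CAA never answers.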
Re: acme-client new cert error
On 5/26/2018 4:54 AM, Stuart Henderson wrote:
> aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> fetch it, letsencrypt's checkers are also unlikely to be able to).
>
> Firewall issue?

Oh, FFS.

Yes. A silly pf rule blocking incoming traffic from outside my LAN that I overlooked when I first considered that idea, but then discarded on account of the error message. Which, to me, at least, does not in any reasonable way point to a connection problem.

So, thanks very much for applying the clue stick. And, to whom may I suggest that the misleading error message from acme-client be changed to something actually resembling the problem it has encountered?
Re: acme-client new cert error
On 2018-05-25, Scott Vanderbilt wrote:
> I'm having difficulty creating a new SSL cert for a virtual host I'm
> just standing up for the first time. I get the following error on
> successive attempts:
>
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or
> expired: aeneas.datagenic.com
>
> I've verified it's not a web server access issue, as I am able to
> successfully retrieve a static HTML file from the challenge directory
>
> aeneas$ curl
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
> Foo
> aeneas$

I'm not able to successfully retrieve one from that address, aeneas.datagenic.com doesn't respond on port 80. (And if I can't fetch it, letsencrypt's checkers are also unlikely to be able to).

Firewall issue?
Re: acme-client new cert error
Ah okay. In my different situation I did

mv /etc/ssl/cert /tmp

Then ran command again. I will try -D next time instead.

V/r,
Bryan

> On May 25, 2018, at 5:51 PM, Scott Vanderbilt wrote:
>
>> On 5/25/2018 2:41 PM, Bryan Harris wrote:
>> Did you already have a cert for datagenic.com but which didn’t include the
>> new name?
>> I think the -A argument only makes a new cert when old one doesn’t exist.
>> Otherwise tries to use found cert and failed because old cert doesn’t have
>> new name. At least that’s my understanding.
>> Or maybe I misunderstood the error message.
>> V/r,
>> Bryan
>
> Thanks for chipping in.
>
> Regrettably, I get the same error with -D flag only (i.e., no -A).
>
>>> On May 25, 2018, at 4:10 PM, Scott Vanderbilt wrote:
>>>
>>> I'm having difficulty creating a new SSL cert for a virtual host I'm just
>>> standing up for the first time. I get the following error on successive
>>> attempts:
>>>
>>> urn:acme:error:unauthorized
>>> Error creating new cert :: authorizations for these names not found or
>>> expired: aeneas.datagenic.com
>>>
>>> I've verified it's not a web server access issue, as I am able to
>>> successfully retrieve a static HTML file from the challenge directory
>>>
>>> aeneas$ curl
>>> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>>> Foo
>>> aeneas$
>>>
>>> Complete verbose error message, config file, and dmesg follow.
>>>
>>> Thanks in advance for any assistance you can lend.
Re: acme-client new cert error
On 5/25/2018 2:41 PM, Bryan Harris wrote:
> Did you already have a cert for datagenic.com but which didn’t include the
> new name?
> I think the -A argument only makes a new cert when old one doesn’t exist.
> Otherwise tries to use found cert and failed because old cert doesn’t have
> new name. At least that’s my understanding.
> Or maybe I misunderstood the error message.
> V/r,
> Bryan

Thanks for chipping in.

Regrettably, I get the same error with -D flag only (i.e., no -A).

On May 25, 2018, at 4:10 PM, Scott Vanderbilt wrote:

I'm having difficulty creating a new SSL cert for a virtual host I'm just standing up for the first time. I get the following error on successive attempts:

urn:acme:error:unauthorized
Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com

I've verified it's not a web server access issue, as I am able to successfully retrieve a static HTML file from the challenge directory

aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
Foo
aeneas$

Complete verbose error message, config file, and dmesg follow.

Thanks in advance for any assistance you can lend.
aeneas# acme-client -vvAD aeneas.datagenic.com
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: aeneas.datagenic.com
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" }] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
acme-client: bad exit: netproc(38047): 1
Re: acme-client new cert error
Did you already have a cert for datagenic.com but which didn’t include the new name?

I think the -A argument only makes a new cert when old one doesn’t exist. Otherwise tries to use found cert and failed because old cert doesn’t have new name. At least that’s my understanding.

Or maybe I misunderstood the error message.

V/r,
Bryan

> On May 25, 2018, at 4:10 PM, Scott Vanderbilt wrote:
>
> I'm having difficulty creating a new SSL cert for a virtual host I'm just
> standing up for the first time. I get the following error on successive
> attempts:
>
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or
> expired: aeneas.datagenic.com
>
> I've verified it's not a web server access issue, as I am able to
> successfully retrieve a static HTML file from the challenge directory
>
> aeneas$ curl
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
> Foo
> aeneas$
>
> Complete verbose error message, config file, and dmesg follow.
>
> Thanks in advance for any assistance you can lend.
Re: acme-client new cert error
On 5/25/2018 2:20 PM, Fred wrote:
> On 05/25/18 21:10, Scott Vanderbilt wrote:
>> I'm having difficulty creating a new SSL cert for a virtual host I'm just
>> standing up for the first time. I get the following error on successive
>> attempts:
>>
>> urn:acme:error:unauthorized
>> Error creating new cert :: authorizations for these names not found or
>> expired: aeneas.datagenic.com
>>
>> I've verified it's not a web server access issue, as I am able to
>> successfully retrieve a static HTML file from the challenge directory
>>
>> aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>> Foo
>> aeneas$
>>
>> Complete verbose error message, config file, and dmesg follow.
>>
>> Thanks in advance for any assistance you can lend.
>>
>> aeneas# acme-client -vvAD aeneas.datagenic.com
>> [verbose acme-client output, identical to the original message]
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
>> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
>> acme-client: bad exit: netproc(38047): 1
>>
>> aeneas$ cat /etc/acme-client.conf
>> #
>> # $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
>> #
>> authority letsencrypt {
>>         api url "https://acme-v01.api.letsencrypt.org/directory"
>>         account key "/etc/acme/letsencrypt-privkey.pem"
>> }
>>
>> authority letsencrypt-staging {
>>         api url "https://acme-staging.api.letsencrypt.org/directory"
>>         account key
Re: acme-client new cert error
I have run into a problem that seems similar to yours. I'm still debugging it (or rather trying to find the time to do so), but I believe the problem is that acme-client does not correctly handle the "pending" status: it is handled as "valid". As a result, the challenge file is removed before the acme server could verify it.

In my case, disabling the code that removes the challenge file (see diff below) improves the chance of success. Perhaps that's helpful to you too as a temporary workaround.

Index: chngproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/chngproc.c,v
retrieving revision 1.12
diff -p -u -r1.12 chngproc.c
--- chngproc.c	24 Jan 2017 13:32:55 -	1.12
+++ chngproc.c	25 May 2018 21:10:39 -
@@ -139,8 +139,10 @@ out: if (fd != -1) close(fd); for (i = 0; i < fsz; i++) { +#if 0 if (unlink(fs[i]) == -1 && errno != ENOENT) warn("%s", fs[i]); +#endif free(fs[i]); } free(fs); Scott Vanderbilt (2018-05-25 22:10 +0200): > I'm having difficulty creating a new SSL cert for a virtual host I'm just > standing up for the first time. I get the following error on successive > attempts: > > urn:acme:error:unauthorized > Error creating new cert :: authorizations for these names not found or > expired: aeneas.datagenic.com > > I've verified it's not a web server access issue, as I am able to > successfully retrieve a static HTML file from the challenge directory > > aeneas$ curl > http://aeneas.datagenic.com/.well-known/acme-challenge/test.html > Foo > aeneas$ > > Complete verbose error message, config file, and dmesg follow. > > Thanks in advance for any assistance you can lend. > > > > aeneas# acme-client -vvAD aeneas.datagenic.com > acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain > key exists (not creating) > acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not > creating) > acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded > RSA domain key > acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key > acme-client: https://acme-v01.api.letsencrypt.org/directory: directories > acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250 > acme-client: transfer buffer: [{ "key-change": > "https://acme-v01.api.letsencrypt.org/acme/key-change;, "meta": { > "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": > "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf;, > "website": "https://letsencrypt.org; }, "new-authz": > "https://acme-v01.api.letsencrypt.org/acme/new-authz;, "new-cert": > "https://acme-v01.api.letsencrypt.org/acme/new-cert;, "new-reg": > "https://acme-v01.api.letsencrypt.org/acme/new-reg;, "revoke-cert": > 
"https://acme-v01.api.letsencrypt.org/acme/revoke-cert;, "sw0ePngTU-0": > "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417; > }] (658 bytes) > acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: > aeneas.datagenic.com > acme-client: acme-v01.api.letsencrypt.org: cached > acme-client: acme-v01.api.letsencrypt.org: cached > acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": > "aeneas.datagenic.com" }, "status": "pending", "expires": > "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": > "pending", "uri": > "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624;, > "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": > "dns-01", "status": "pending", "uri": > "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625;, > "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": > "http-01", "status": "pending", "uri": > "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626;, > "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": > [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes) > acme-client: > /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: > created > acme-client: > https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: > challenge > acme-client: acme-v01.api.letsencrypt.org: cached > acme-client: acme-v01.api.letsencrypt.org: cached > acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", > "uri": > "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626;, > "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": > "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" > }] 
(336 bytes) > acme-client: >
Re: acme-client new cert error
On 05/25/18 21:10, Scott Vanderbilt wrote:
> I'm having difficulty creating a new SSL cert for a virtual host I'm just
> standing up for the first time. I get the following error on successive
> attempts:
>
> urn:acme:error:unauthorized Error creating new cert :: authorizations for
> these names not found or expired: aeneas.datagenic.com
>
> I've verified it's not a web server access issue, as I am able to
> successfully retrieve a static HTML file from the challenge directory
>
> aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
> Foo
> aeneas$
>
> Complete verbose error message, config file, and dmesg follow. Thanks in
> advance for any assistance you can lend.
>
> aeneas# acme-client -vvAD aeneas.datagenic.com
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain key exists (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded RSA domain key
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
> acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: aeneas.datagenic.com
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
> acme-client: /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" }] (336 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
> acme-client: bad exit: netproc(38047): 1
> -
> aeneas$ cat /etc/acme-client.conf
> #
> # $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
> #
> authority letsencrypt {
>         api url "https://acme-v01.api.letsencrypt.org/directory"
>         account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
>         api url "https://acme-staging.api.letsencrypt.org/directory"
>         account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain
acme-client new cert error
I'm having difficulty creating a new SSL cert for a virtual host I'm just standing up for the first time. I get the following error on successive attempts:

urn:acme:error:unauthorized Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com

I've verified it's not a web server access issue, as I am able to successfully retrieve a static HTML file from the challenge directory

aeneas$ curl http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
Foo
aeneas$

Complete verbose error message, config file, and dmesg follow. Thanks in advance for any assistance you can lend.

aeneas# acme-client -vvAD aeneas.datagenic.com
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: aeneas.datagenic.com
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" }] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
acme-client: bad exit: netproc(38047): 1
-
aeneas$ cat /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
#
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url "https://acme-staging.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain aeneas.datagenic.com {
        # alternative names {
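The run above gets as far as writing the challenge file and telling the CA to validate, then fails at new-cert with "authorizations for these names not found or expired". The script below is an added example for this thread, not code from OpenBSD's acme-client or from any poster. It reads the `transfer buffer:` lines that acme-client prints at -vv (the `[`...`]` around the body is acme-client's framing of the CA's raw JSON response, as seen in the log), extracts the http-01 token and keyAuthorization, reconstructs the URL the CA's validators must fetch, checks a served body the way the CA does, and maps the 403 onto the diagnosis the thread reached: the validation fetch from outside the network did not succeed. `SAMPLE_LOG` is trimmed from the post; the function names, the verdict strings and the advice text are this example's own. The token check is an addition too: the CA-supplied token ends up as a filename under the challenge directory, so a client should refuse anything that is not base64url.

```python
"""Triage an acme-client(1) -vv run that ends in urn:acme:error:unauthorized.

Added example for this thread; not part of OpenBSD's acme-client.  At -vv
acme-client prints every CA response body on a line of the form
"acme-client: transfer buffer: [<body>] (<n> bytes)".  The sample below is
trimmed from the post in the thread (constructed input for this example).
"""
import json
import re

BUF_RE = re.compile(r"^acme-client: transfer buffer: \[(.*)\] \(\d+ bytes\)$")
# RFC 8555 section 8.3: tokens are base64url.  The token becomes the file
# name <challengedir>/<token>, so anything else (e.g. "../x") is rejected.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

SAMPLE_LOG = """\
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: aeneas.datagenic.com
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "aeneas.datagenic.com" }, "status": "pending", "expires": "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624", "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625", "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
acme-client: /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co: created
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626", "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4" }] (336 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
"""


def ca_responses(log):
    """Return the JSON documents the CA returned, in order of appearance."""
    docs = []
    for line in log.splitlines():
        m = BUF_RE.match(line)
        if m:
            docs.append(json.loads(m.group(1)))
    return docs


def http01_challenge(log):
    """(domain, token, keyAuthorization) for the http-01 challenge, or None."""
    domain = token = keyauth = None
    for doc in ca_responses(log):
        ident = doc.get("identifier")
        if ident and ident.get("type") == "dns":          # new-authz response
            domain = ident["value"]
            for ch in doc.get("challenges", []):
                if ch.get("type") == "http-01":
                    token = ch["token"]
                    if not TOKEN_RE.match(token):
                        raise ValueError("CA sent a non-base64url token: %r" % token)
        elif doc.get("type") == "http-01" and "keyAuthorization" in doc:
            keyauth = doc["keyAuthorization"]            # challenge response
    if domain is None or token is None:
        return None
    return domain, token, keyauth


def validation_url(domain, token):
    """The URL the CA fetches over plain HTTP (tcp/80) to validate http-01."""
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def keyauth_matches(token, keyauth, served_body):
    """The CA's check: the fetched body must be exactly token.thumbprint
    (trailing whitespace is ignored, RFC 8555 section 8.3)."""
    if served_body.rstrip() != keyauth:
        return False
    tok, _, thumb = keyauth.partition(".")
    return tok == token and len(thumb) == 43   # base64url(SHA-256) is 43 chars


def final_error(log):
    """The last ACME problem document in the log, or None."""
    err = None
    for doc in ca_responses(log):
        if str(doc.get("type", "")).startswith("urn:acme:error:"):
            err = doc
    return err


def diagnose(log):
    """Summarise the run: where validation would have happened and why it failed."""
    found = http01_challenge(log)
    err = final_error(log)
    if found is None:
        return {"verdict": "NO_AUTHZ", "url": None, "error": err,
                "advice": "the run failed before an authorization was issued"}
    domain, token, _ = found
    url = validation_url(domain, token)
    if err is None:
        return {"verdict": "OK", "url": url, "error": None, "advice": ""}
    if err.get("type") == "urn:acme:error:unauthorized":
        advice = ("acme-client wrote the challenge file and answered the challenge, "
                  "but the CA holds no valid authorization for %s; the usual reason is "
                  "that its validators could not fetch %s with the expected body. A curl "
                  "from inside the LAN proves nothing about that: check that inbound "
                  "tcp/80 to the host is allowed by pf (and any NAT in front of it) from "
                  "an address outside your network." % (domain, url))
        return {"verdict": "VALIDATION_FAILED", "url": url, "error": err, "advice": advice}
    return {"verdict": "OTHER_ERROR", "url": url, "error": err,
            "advice": err.get("detail", "")}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report["verdict"])
    print(report["advice"])
```

Run as-is it reports VALIDATION_FAILED for the sample; to triage another host, read the output of `acme-client -vv` into a string and pass it to `diagnose()`. `keyauth_matches()` is there so the same script can be pointed at whatever a fetch of the validation URL actually returned: the "Foo" that the post's curl test got back would fail it, which is the difference between "port 80 serves something" and "port 80 serves the key authorization".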