Hello,

I run OpenBSD 6.4 and recently noted that renewals with acme-client fail:
# acme-client -vv lists.dl6tom.de
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
acme-client: transfer buffer: [{ "0wdNjYxn8kA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:19:20Z", "challenges": [ { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882442", "token": "v8oZc_-YhBHNLCaALLEBZ03hEl--KM63pMdqixg_9Io" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs" }, { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882444", "token": "yfhU9kYZg5wHaRlxLmg6m_DWgzzEdwUnztXAKBmhE6w" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882445", "token": "iDBP2CeNpp0r5NCWTbpKUoiBOSZz8cJN8HphHRVXULk" } ], "combinations": [ [ 2 ], [ 0 ], [ 1 ], [ 3 ] ] }] (1271 bytes)
acme-client: /var/www/acme/yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs", "keyAuthorization": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs" }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
acme-client: bad exit: netproc(61794): 1

The access.log shows a 404. I searched and found a post on this list indicating that acme-client handles "status: pending" incorrectly, so I fetched the source, removed the unlink of the token and recompiled acme-client. Now access.log shows a 200, but renewal still fails:
# acme-client -vv lists.dl6tom.de
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
acme-client: transfer buffer: [{ "K7_kgkaQbu0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:21:10Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932856", "token": "pedbWPKfQ3SS_6EB1nZUz8vMOjLXyVsq_W7aALRaVbE" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858", "token": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932860", "token": "Fc-aeqzccqH82AKNN2vJ3KY6u_jBV0yzXEpVd3yFuCo" }, { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932862", "token": "NuPrsMpxl05_qBBWjog2_ogK1w-VptNsECjwSatGfAE" } ], "combinations": [ [ 2 ], [ 1 ], [ 0 ], [ 3 ] ] }] (1271 bytes)
acme-client: /var/www/acme/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858: challenge
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858", "token": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s", "keyAuthorization": "FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs" }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/x1Rh_VhMUuYxk_v22zHe32fL2zh7sRNh2LSKFNwkqxA/11749932858: status
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: acme-v01.api.letsencrypt.org: cached
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
acme-client: bad exit: netproc(64946): 1

The token in /var/www/acme seems fine as far as I am able to judge:
# cat /var/www/acme/FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s
FF1lMKPyjmEeEURPWUyLwBe8ZRj3ozkdUGkyfOmGT5s.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs

Kind regards

Thomas Lindner
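Added example, not part of Thomas's mail or of acme-client's source: a stdlib-only Python check of what the log above shows, namely that the http-01 token file holds token.thumbprint for the account key (RFC 7638 JWK thumbprint) and that new-cert is pointless while the CA still reports the challenge as "pending". The RSA modulus and exponent and the challenge object are constructed placeholders; against a real setup n and e would come from /etc/acme/letsencrypt-privkey.pem and the challenge from the "transfer buffer" line.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Minimal-length big-endian encoding of a JWK integer member (n, e)."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8 or 1, "big"))


def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint: SHA-256 over the JWK reduced to its required
    members, keys sorted, no whitespace. This is the part after the '.'
    in the keyAuthorization that acme-client writes to /var/www/acme/<token>."""
    jwk = {"e": int_to_b64url(e), "kty": "RSA", "n": int_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, n: int, e: int) -> str:
    """Body the CA expects to fetch at /.well-known/acme-challenge/<token>."""
    return token + "." + rsa_jwk_thumbprint(n, e)


def check_http01(challenge: dict, file_body: str, n: int, e: int) -> list:
    """Return the reasons a new-cert request would still be refused (empty = ok).

    `challenge` is the http-01 object the CA returned; `file_body` is the
    content of the token file served by httpd; n, e describe the account key."""
    expected = key_authorization(challenge["token"], n, e)
    problems = []
    if file_body.strip() != expected:
        problems.append("token file is not token.thumbprint for this account key")
    if challenge.get("keyAuthorization", expected) != expected:
        problems.append("client answered with a keyAuthorization for another key")
    if challenge.get("status") != "valid":
        # The CA only honours new-cert after it has fetched the token and
        # moved the authorization to 'valid'; 'pending' means it has not yet.
        problems.append("challenge status is %r, not 'valid'" % challenge.get("status"))
    return problems
```

Feed it the http-01 object from the second "transfer buffer" line and the cat output from /var/www/acme to see whether the file content or the still-pending status is what blocks new-cert.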
