Lindner, Thomas 1. (Nokia - DE/Nuremberg)([email protected]) on 2019.01.22 18:56:06 +0000:
> Hello,
> 
> I run OpenBSD 6.4 and recently noted that renewals with acme-client fail:
> # acme-client -vv lists.dl6tom.de
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: /etc/ssl/lists.dl6tom.de.crt: certificate renewable: -42 days left
> acme-client: /etc/ssl/private/lists.dl6tom.de.key: loaded RSA domain key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 104.111.246.175
> acme-client: transfer buffer: [{ "0wdNjYxn8kA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "lists.dl6tom.de" }, "status": "pending", "expires": "2019-01-29T18:19:20Z", "challenges": [ { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882442", "token": "v8oZc_-YhBHNLCaALLEBZ03hEl--KM63pMdqixg_9Io" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs" }, { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882444", "token": "yfhU9kYZg5wHaRlxLmg6m_DWgzzEdwUnztXAKBmhE6w" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882445", "token": "iDBP2CeNpp0r5NCWTbpKUoiBOSZz8cJN8HphHRVXULk" } ], "combinations": [ [ 2 ], [ 0 ], [ 1 ], [ 3 ] ] }] (1271 bytes)
> acme-client: /var/www/acme/yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", "token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs", "keyAuthorization": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs" }] (337 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443: status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: lists.dl6tom.de", "status": 403 }] (171 bytes)
> acme-client: bad exit: netproc(61794): 1
> 
> The access.log shows a 404. I searched and found a post on this list, indicating that acme-client handles "status: pending" incorrectly, so I fetched

Do you have a link?

> the source, removed the unlink of the token and recompiled acme-client. Now, access.log shows a 200, but renewal still fails:

Please show dmesg, webserver configuration, and log entries.

This should probably go to bugs@, please send your replies there.

/B
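The quoted -vv output contains everything needed to check the http-01 leg of the renewal independently of acme-client: the authorization object with the http-01 token, the challenge response carrying the key authorization (token, a dot, and the RFC 7638 thumbprint of the account key), and the final 403. The script below is an added example, not code from the thread or from acme-client. It parses the "transfer buffer" dumps out of a log, derives the path the CA fetches (/.well-known/acme-challenge/<token>, the standard http-01 location; the thread itself only shows the /var/www/acme/<token> file that httpd maps there), recomputes an RSA thumbprint from public numbers, and compares what the web server actually served against the expected key authorization. The log lines are constructed from the values quoted above, with the challenge list shortened to the http-01 entry; the RSA numbers in the self-check are tiny constructed values, not a real key; all function names are the example's own.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample: acme-client -vv lines built from the values quoted in the thread
# (ACME v1 wire format). The authorization's challenge list is cut down to http-01.
LOG_LINES = [
    'acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: lists.dl6tom.de',
    'acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "lists.dl6tom.de" }, '
    '"status": "pending", "expires": "2019-01-29T18:19:20Z", "challenges": [ { "type": "http-01", '
    '"status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/'
    'IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", '
    '"token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs" } ], "combinations": [ [ 0 ] ] }] (1271 bytes)',
    'acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": '
    '"https://acme-v01.api.letsencrypt.org/acme/challenge/IibpqF0ckn28LYY5bfA-_qbAlYsWq-DJcQlAw0SWCE0/11749882443", '
    '"token": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs", '
    '"keyAuthorization": "yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs" }] (337 bytes)',
    'acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403',
]

# acme-client prints each server response as "transfer buffer: [<json>] (<n> bytes)"
TRANSFER_RE = re.compile(r'^acme-client: transfer buffer: (?P<body>.*) \(\d+ bytes\)$')


def transfer_buffers(lines):
    """Yield every JSON object acme-client dumped as a transfer buffer."""
    for line in lines:
        m = TRANSFER_RE.match(line)
        if not m:
            continue
        doc = json.loads(m.group('body'))
        # acme-client wraps the body in [ ]; unwrap to the response object itself
        yield doc[0] if isinstance(doc, list) else doc


def http01_challenge(authz):
    """Return the http-01 challenge from an ACME v1 authorization object, or None."""
    for ch in authz.get('challenges', []):
        if ch.get('type') == 'http-01':
            return ch
    return None


def b64url(data: bytes) -> str:
    """Unpadded base64url as used for ACME tokens, JWK members and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def int_to_b64url(n: int) -> str:
    """Big-endian minimal-length encoding of an RSA public number (RFC 7518 6.3)."""
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, 'big'))


def rsa_jwk_canonical(n: int, e: int) -> str:
    """RFC 7638 canonical form: required members only, keys sorted, no whitespace."""
    jwk = {'e': int_to_b64url(e), 'kty': 'RSA', 'n': int_to_b64url(n)}
    return json.dumps(jwk, sort_keys=True, separators=(',', ':'))


def rsa_jwk_thumbprint(n: int, e: int) -> str:
    """SHA-256 JWK thumbprint of an RSA account key, base64url encoded."""
    return b64url(hashlib.sha256(rsa_jwk_canonical(n, e).encode('ascii')).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """The body the CA expects at the challenge URL: token '.' thumbprint."""
    return f'{token}.{thumbprint}'


def challenge_path(token: str) -> str:
    """URL path the CA fetches for http-01 (standard location, not shown in the thread)."""
    return f'/.well-known/acme-challenge/{token}'


def served_body_matches(body: bytes, expected: str) -> bool:
    """Compare what the web server returned with the expected key authorization.

    Trailing whitespace is tolerated, as the CA does; the comparison is constant-time
    so this can run against a live server without leaking match length through timing.
    """
    return hmac.compare_digest(body.strip(), expected.encode('ascii'))


def diagnose(lines, served_body: bytes) -> dict:
    """Extract token, thumbprint and authz status from a -vv log and check the served body."""
    docs = list(transfer_buffers(lines))
    authz = next(d for d in docs if 'challenges' in d)
    chal = http01_challenge(authz)
    resp = next(d for d in docs if d.get('keyAuthorization'))
    token, thumb = resp['keyAuthorization'].split('.', 1)
    ok = token == chal['token'] and served_body_matches(served_body, resp['keyAuthorization'])
    return {'token': chal['token'], 'thumbprint': thumb, 'path': challenge_path(chal['token']),
            'authz_status': authz['status'], 'served_ok': ok}


if __name__ == '__main__':
    # Feed the body fetched from the site (here: the expected value plus a newline)
    print(diagnose(LOG_LINES, b'yW3-6mo2IK-ZASKPB6lV6rPq1qbvfP1NdUE9AV0xRTs.YJLLEKdoM4e4WocQ9C9xvXqa6dAO4zUn6hdCgEgIfBs\n'))
```

Run it with the real -vv log and the body returned by an HTTP GET of the printed path; if `served_ok` is False while access.log shows a 200, the web server is answering with the wrong content (a directory listing, a redirect body, a stale file) rather than the token, which is a different failure from the 404 the thread starts with. `rsa_jwk_thumbprint` lets you confirm that the thumbprint half of the key authorization really belongs to the account key in /etc/acme, given its modulus and exponent.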
