Hi! (sorry for the second attempt of this message - our domain was not configured properly for mailing lists (dmarc reject) and I think the first attempt probably wasn't processed properly)
I am using step-ca to host my own ACME provisioner (which is already working - an existing Proxmox cluster can request and get x509 TLS certificates just fine), and as a next step I wanted to use acme-client on OpenBSD servers, since it's deployed within the default installation. So I added it to /etc/acme-client.conf

```
[...]
api url "https://use.some.domain.com:8443/acme/acme/directory"
[...]
```

But when I run acme-client to actually get a certificate, it terminates with the following error:

```
acme-client:https://use.some.domain.com:8443/acme/acme/directory: directories
acme-client: use.some.domain.com:8443: parse error: non-recoverable failure in name resolution
acme-client:https://use.some.domain.com:8443/acme/acme/directory: bad comm
acme-client: bad exit: netproc(21203): 1
acme-client: bad exit: dnsproc(35017): 1
```

I think acme-client's interpretation of the hostname is wrong, since it's trying to resolve the hostname including the TCP port as well.

What I've tried so far: using a relayd configuration to forward port 443 to 8443 (this was not working correctly - just to prove a point) and changing the api url within acme-client.conf to get rid of the port definition:

```
[...]
api url "https://use.some.domain.com/acme/acme/directory"
[...]
```

With the relayd setup waiting for connections and using acme-client, I got the following error (which makes me even more confident that there is a problem in acme-client's handling of the hostname):

```
acme-client: 10.42.120.12: tls_write: handshake failed: unexpected EOF
acme-client: 10.42.120.12: tls_read: handshake failed: unexpected EOF
```

I don't want to set up relayd to handle my TLS properly on port 443, since I am totally fine having the step-ca service handle it over port 8443.

I am currently running OpenBSD 7.3, with default setup/configuration - nothing special.

How would one navigate this issue?

Thank you in advance and best regards
Ronald