On 2017-07-06, Stephane HUC "PengouinBSD" <b...@stephane-huc.net> wrote:
> Subject: [OpenBSD 6.1] acme-client + nginx
>
> Hi, I attempt to use acme-client on an OpenBSD 6.1 server, with nginx running.
>
> But it fails with a bad response.

...

> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
> \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
> Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody

...

LE fetches from http://test.obsd4a.net/.well-known/acme-challenge/(filename)
but gets 404 Not Found.

> I try with this nginx config:
>
> location ^~ /.well-known/acme-challenge {
>                 #alias /var/www/acme;
>                 #try_files $uri =404;
>                 allow all;
>                 default_type "text/plain";
>                 proxy_redirect off;
>                 root /var/www/acme;
>         }

With "root" it will look in /var/www/acme/.well-known/acme-challenge.
Either adjust acme-client config to place the files there, or adjust nginx
config to serve files from the actual location.

Test by writing a file to the directory acme-client uses and make sure you
can fetch it yourself. Only reattempt acme-client when this works; they have a
rate-limit for bad auths and will blacklist you for a while if you exceed it.

> or this:
>
> location ^~ /.well-known/acme-challenge {
>    alias /usr/local/www/acme;
>       try_files $uri =404;
> }

/usr/local/www seems unlikely on OpenBSD.

I just have

        location /.well-known/acme-challenge { root /var/www/letsencrypt/; }

and

        challengedir "/var/www/letsencrypt/.well-known/acme-challenge"
 
but there are several ways you can configure this (e.g. you might want
to use a different directory layout if you have anything else that uses
the RFC5785 .well-known URIs). It doesn't matter what you use as long as
letsencrypt can fetch the file that acme-client wrote.
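A small script illustrating the root/alias mapping explained above and the "write a file, then fetch it yourself" check recommended earlier. This is an added example, not from the thread; the directory names, hostname and token are constructed placeholders.

```shell
#!/bin/sh
# Which file does nginx open for a challenge URI, under "root" vs "alias"?
LOCATION="/.well-known/acme-challenge"

# root: the whole request URI is appended to the root directory.
resolve_root() {   # $1 = root dir, $2 = request URI
    printf '%s\n' "${1%/}$2"
}

# alias: the part of the URI matching the location prefix is replaced
# by the alias directory, so ".well-known/acme-challenge" is dropped.
resolve_alias() {  # $1 = alias dir, $2 = request URI
    printf '%s\n' "${1%/}${2#"$LOCATION"}"
}

# Does the file nginx would serve equal the file acme-client writes
# into its challengedir?  Returns 0 on match, 1 on mismatch.
check_mapping() {  # $1 = root|alias, $2 = nginx dir, $3 = challengedir, $4 = token
    case $1 in
        root)  served=$(resolve_root  "$2" "$LOCATION/$4") ;;
        alias) served=$(resolve_alias "$2" "$LOCATION/$4") ;;
        *)     return 2 ;;
    esac
    [ "$served" = "${3%/}/$4" ]
}

# Live check, as the reply suggests: drop a file into challengedir and
# fetch it over plain HTTP before letting acme-client near the CA.
# Usage: fetch_test <challengedir> <hostname>   (needs curl on the host)
fetch_test() {
    token="acme-selftest-$$"          # constructed, not a real ACME token
    printf 'ok\n' > "$1/$token" || return 1
    body=$(curl -sf "http://$2$LOCATION/$token")
    rm -f "$1/$token"
    [ "$body" = "ok" ]
}

if [ $# -eq 2 ]; then
    fetch_test "$1" "$2" && echo "challenge dir is reachable" || echo "NOT reachable"
fi
```

Run it with no arguments to load the functions, or with `<challengedir> <hostname>` to perform the live fetch check.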
