Hi,

I recently dealt with this issue as well and the solution was quite silly. The problem is that acme-client is failing because the agreement url in the config is out of date; there is a new agreement, v1.2. I believe acme-client has been patched in -current to fix this issue and automatically update the agreement url. For now, just change your config to list the latest agreement url: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf";

Hope this helps,

Jordan




On 02/01/18 17:16, Predrag Punosevac wrote:
Hi Misc,

I have done this half a dozen times in the past but I am having a helluva
time using acme-client to sign a certificate for a domain. Any clues?
Please see the machine details, acme-client.conf and httpd.conf files below

# uname -a
OpenBSD mcba.autonlab.org 6.2 GENERIC.MP#2 amd64

# more /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
# Production Let's Encrypt authority (ACME v1 "acme-v01" directory).
authority letsencrypt {
# Terms-of-service agreement the client asserts acceptance of (v1.1.1 here).
# The reply at the top of this thread reports that a newer v1.2 agreement
# exists and suggests pointing this at it. The URL is wrapped onto the next
# line by the mail client; in the real file it follows "agreement url".
         agreement url
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
         api url "https://acme-v01.api.letsencrypt.org/directory";
# Account key used to authenticate to the CA. The run quoted further down
# reports this file as already existing ("not creating") while the CA then
# answers 403 "No registration exists matching provided key", i.e. the CA
# has no account registered for this particular key.
         account key "/etc/acme/letsencrypt-privkey.pem"
}

# Staging authority: same layout as the production entry, but against the
# staging directory and with its own, separate account key. Not used by the
# domain block below ("sign with letsencrypt").
authority letsencrypt-staging {
# Same (older) agreement URL as the production entry; wrapped by the mailer.
         agreement url
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
         api url "https://acme-staging.api.letsencrypt.org/directory";
         account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

# Certificate request for the host itself. The alternative-names line is
# commented out, so only mcba.autonlab.org is requested.
domain mcba.autonlab.org {
#       alternative names { secure.mcba.autonlab.org }
# Private key and certificate output paths. Note that the commented-out TLS
# server in the httpd.conf quoted below references
# /etc/ssl/acme/www.autonsys.com.* and not these paths, so enabling that
# server as-is would not pick up this certificate.
         domain key "/etc/ssl/acme/private/mcba.autonlab.org.key"
         domain certificate "/etc/ssl/acme/mcba.autonlab.org.crt"
# Full chain (leaf + intermediates); wrapped onto the next line by the mailer.
         domain full chain certificate
"/etc/ssl/acme/mcba.autonlab.org.fullchain.pem"
# Issue against the production authority defined above, not staging.
         sign with letsencrypt
}



# more /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

#
# Macros
#
# Listen-address macro; "*" makes the server below bind on every address.
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#

# A name-based "virtual" server on the same address
# server "mcba.autonlab.org" {
# Plain-HTTP virtual host. Its only explicit job here is to serve the ACME
# challenge directory; the redirect to HTTPS is commented out, so any other
# request on port 80 is answered in cleartext from httpd's default document
# root (no "root" directive is set at server level).
server "mcba.autonlab.org" {
         listen on $ext_addr port 80

# Challenge responses are served from /acme. "root strip 2" drops the two
# leading path components (".well-known" and "acme-challenge") before the
# lookup, so /.well-known/acme-challenge/TOKEN maps to /acme/TOKEN.
# Presumably this is where acme-client writes its challenge files -- the
# acme-client.conf above does not set a challengedir, so confirm the default.
         location "/.well-known/acme-challenge/*" {
                 root "/acme"
                 root strip 2
         }
# Commented out: if enabled, non-challenge requests would be redirected to
# the HTTPS server, which is itself still commented out below.
#       block return 301 "https://$SERVER_NAME$REQUEST_URI";
}

# An HTTPS server using SSL/TLS
# server "mcba.autonlab.org" {
#       listen on $ext_addr tls port 443

         # TLS certificate and key files created with acme-client(1)
#       tls certificate "/etc/ssl/acme/www.autonsys.com.fullchain.pem"
#       tls key "/etc/ssl/acme/private/www.autonsys.com.key"

         # Define server-specific log files relative to /logs
#       log { access "secure-access.log", error "secure-error.log" }

         # Increase connection limits to extend the lifetime
#       connection { max requests 500, timeout 3600 }

#       root "/htdocs/mcba/pub"
#}


# Include MIME types instead of the built-in ones
types {
# Load the system MIME table rather than httpd's built-in list.
         include "/usr/share/misc/mime.types"
}



# acme-client -vAD mcba.autonlab.org
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
creating)
acme-client: /etc/ssl/acme/private/mcba.autonlab.org.key: generated RSA domain 
key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.196.58.251
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
mcba.autonlab.org
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
"detail": "No registration exists matching provided key", "status": 403
}] (120 bytes)
acme-client: bad exit: netproc(58513): 1


