Jordan Geoghegan <jgeoghega...@gmail.com> wrote:

> Hi,
> 
> I recently dealt with this issue as well and the solution was quite 
> silly. The problem is that acme-client is failing due to the agreement 
> url being out of date; there is a new agreement v1.2. acme-client has 
> been patched in current I believe to fix this issue and automatically 
> update the agreement url. For now, just change your config to list the 
> latest agreement url:
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
> 
> Hope this helps,
> 
> Jordan

Thank you so much for this prompt reply. I already signed the certificate
using certbot as we were hitting a deadline. However, this is going to be
very useful going forward with renewals.

Best,
Predrag

>
> On 02/01/18 17:16, Predrag Punosevac wrote:
> > Hi Misc,
> >
> > I have done this half dozen times in the past but I am having helluva
> > time using acme-client to sign certificate for a domain. Any clues?
> > Please see below machine, acme-client.conf and httpd.conf files
> >
> > # uname -a
> > OpenBSD mcba.autonlab.org 6.2 GENERIC.MP#2 amd64
> >
> > # more /etc/acme-client.conf
> >       
> > #
> > # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
> > #
> > authority letsencrypt {
> >          agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
> >          api url "https://acme-v01.api.letsencrypt.org/directory"
> >          account key "/etc/acme/letsencrypt-privkey.pem"
> > }
> >
> > authority letsencrypt-staging {
> >          agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
> >          api url "https://acme-staging.api.letsencrypt.org/directory"
> >          account key "/etc/acme/letsencrypt-staging-privkey.pem"
> > }
> >
> > domain mcba.autonlab.org {
> > #       alternative names { secure.mcba.autonlab.org }
> >          domain key "/etc/ssl/acme/private/mcba.autonlab.org.key"
> >          domain certificate "/etc/ssl/acme/mcba.autonlab.org.crt"
> >          domain full chain certificate "/etc/ssl/acme/mcba.autonlab.org.fullchain.pem"
> >          sign with letsencrypt
> > }
> >
> >
> >
> > # more /etc/httpd.conf
> >       
> > # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
> >
> > #
> > # Macros
> > #
> > ext_addr="*"
> >
> > #
> > # Global Options
> > #
> > # prefork 3
> >
> > #
> > # Servers
> > #
> >
> > # A name-based "virtual" server on the same address
> > # server "mcba.autonlab.org" {
> > server "mcba.autonlab.org" {
> >          listen on $ext_addr port 80
> >
> >          location "/.well-known/acme-challenge/*" {
> >                  root "/acme"
> >                  root strip 2
> >          }
> > #       block return 301 "https://$SERVER_NAME$REQUEST_URI"
> > }
> >
> > # An HTTPS server using SSL/TLS
> > # server "mcba.autonlab.org" {
> > #       listen on $ext_addr tls port 443
> >
> >          # TLS certificate and key files created with acme-client(1)
> > #       tls certificate "/etc/ssl/acme/www.autonsys.com.fullchain.pem"
> > #       tls key "/etc/ssl/acme/private/www.autonsys.com.key"
> >
> >          # Define server-specific log files relative to /logs
> > #       log { access "secure-access.log", error "secure-error.log" }
> >
> >          # Increase connection limits to extend the lifetime
> > #       connection { max requests 500, timeout 3600 }
> >
> > #       root "/htdocs/mcba/pub"
> > #}
> >
> >
> > # Include MIME types instead of the built-in ones
> > types {
> >          include "/usr/share/misc/mime.types"
> > }
> >
> >
> >
> > # acme-client -vAD mcba.autonlab.org
> > acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not 
> > creating)
> > acme-client: /etc/ssl/acme/private/mcba.autonlab.org.key: generated RSA 
> > domain key
> > acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> > acme-client: acme-v01.api.letsencrypt.org: DNS: 23.196.58.251
> > acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: 
> > mcba.autonlab.org
> > acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 
> > 403
> > acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
> > "detail": "No registration exists matching provided key", "status": 403
> > }] (120 bytes)
> > acme-client: bad exit: netproc(58513): 1
> >
> >
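
The config check and change Jordan describes, as an added example that is not part of the original thread: it lists the authority blocks in an acme-client.conf whose agreement url differs from the v1.2 URL quoted above, and prints the config with that line updated. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. CURRENT_AGREEMENT is the v1.2 URL Jordan quotes.
CURRENT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

# Print the name of each authority block whose agreement url is not current.
stale_authorities() {
    awk -v want="$CURRENT_AGREEMENT" '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        $1 == "authority" { name = $2 }
        $1 == "agreement" && $2 == "url" {
            url = $3; gsub(/"/, "", url)
            if (url != want) print name
        }' "$1"
}

# Emit the config with every live agreement url replaced, indentation preserved.
updated_config() {
    awk -v want="$CURRENT_AGREEMENT" '
        !/^[ \t]*#/ && $1 == "agreement" && $2 == "url" {
            indent = $0; sub(/[^ \t].*$/, "", indent)
            print indent "agreement url \"" want "\""
            next
        }
        { print }' "$1"
}

# Constructed sample modelled on the posted config: one stale authority, one current.
sample_conf() {
    cat <<'EOF'
authority letsencrypt {
        agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
        agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
        api url "https://acme-staging.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
EOF
}

# Demo: report stale authorities, then show the rewritten agreement lines.
tmp=$(mktemp) && sample_conf > "$tmp"
echo "stale authorities: $(stale_authorities "$tmp")"
updated_config "$tmp" | grep "agreement url"
rm -f "$tmp"
```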
