On 2018-05-27, Florian Obser <flor...@openbsd.org> wrote:
> On Sat, May 26, 2018 at 09:14:35AM -0700, Scott Vanderbilt wrote:
>> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>> 
>> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
>> > fetch it, letsencrypt's checkers are also unlikely to be able to).
>> > 
>> > Firewall issue?
>> 
>> Oh, FFS.
>> 
>> Yes. A silly pf rule blocking incoming traffic from outside my LAN that I
>> overlooked when I first considered that idea, but then discarded on account
>> of the error message. Which, to me, at least, does not in any reasonable way
>> point to a connection problem.
>> 
>> So, thanks very much for applying the clue stick. And, to whom may I suggest
>> that the misleading error message from acme-client be changed to something
>> actually resembling the problem it has encountered?
>
> The error message is coming from letsencrypt, from your original mail:
>
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", 
> "detail": "Error creating new cert :: authorizations for these names not 
> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes) 
>
> transfer buffer is the json we got back from letsencrypt. I seem to
> recall that this used to be different and they did tell us that the

acme-client is reporting the error received, I don't think there's a
lot more that it can do in this case.

> connection was refused. Oh but that might be if they are getting an
> icmp port unreachable, I guess you were just dropping the request in
> pf?
>

Yes it was just dropping when I tested (no response rather than a quick
"connection failed").

