Try removing all keys in the ssl directory as well as
/etc/acme/letsencrypt-privkey.pem, so that acme-client generates fresh
ones on its next run.

On August 21, 2018 7:46:24 PM UTC, "Parikh, Samir" 
<samir.par...@nationalgrid.com> wrote:
>I am running cgit to host my git repositories on OpenBSD 6.3 and am
>trying to enable https using Let's Encrypt.  The URL of the cgit
>repositories is a subdomain of my main domain (e.g. git.domain.com).  I
>get the following error below whenever I try to provision a certificate
>using acme-client.  I have specified my hosting provider's nameservers
>to my domain registrar and have created an A record pointing the "git"
>subdomain to my VM's IP address.  Relevant .conf files and
>file/directory permissions are below as well.
>
>Any help would be greatly appreciated.  Thanks in advance!
>Samir
>
># acme-client -vAD git.domain.com
>acme-client: /etc/ssl/private/git.domain.com.key: domain key exists
>(not
>creating)
>acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
>creating)
>acme-client: https://acme-v01.api.letsencrypt.org/directory:
>directories
>acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.116.227
>acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
>req-auth: git.domain.com
>acme-client: /var/www/acme/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
>created
>acme-client:
>https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
>challenge
>acme-client:
>https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
>status
>acme-client:
>https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
>bad response
>acme-client: transfer buffer: [{ "type": "http-01", "status":
>"invalid",
>"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
>response from
>http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
>\"\u003c!DOCTYPE
>html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
>http-equiv=\"Content-Type\" content=\"text/html;
>charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
>"status": 403 }, "uri":
>"https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714",
>"token": "nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
>"keyAuthorization":
>"nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ.cbdgaka6s7Kv6R_a_Rhq_6VMDSKE2D4VdJyddLn65QI",
>"validationRecord": [ { "url":
>"http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
>"hostname": "git.domain.com", "port": "80", "addressesResolved": [
>"ip.address" ], "addressUsed": "ip.address" } ] }] (1039 bytes)
>acme-client: bad exit: netproc(21893): 1
>
>
>/etc/httpd.conf:
>
>ext_ip="0.0.0.0"
>server "localhost" {
>     listen on $ext_ip port 80
>
>     # serve the cgit static files directly
>     location "/cgit.*" {
>         root "/cgit"
>         no fastcgi
>     }
>     # cgit CGI
>     root "/cgi-bin/cgit.cgi"
>     fastcgi socket "/run/slowcgi.sock"
>     location "/.well-known/acme-challenge/*" {
>         root { "/acme", strip 2 }
>     }
>}
>
>
>/etc/acme-client.conf:
>
>authority letsencrypt {
>         api url "https://acme-v01.api.letsencrypt.org/directory"
>         account key "/etc/acme/letsencrypt-privkey.pem"
>}
>
>authority letsencrypt-staging {
>         api url "https://acme-staging.api.letsencrypt.org/directory"
>         account key "/etc/acme/letsencrypt-staging-privkey.pem"
>}
>
>domain git.domain.com {
>         domain key "/etc/ssl/private/git.domain.com.key"
>         domain certificate "/etc/ssl/git.domain.com.crt"
>         domain full chain certificate
>"/etc/ssl/git.domain.com.fullchain.pem"
>         sign with letsencrypt
>}
>
>
>/var/www/conf/cgitrc
>footer=/conf/cgit.footer
>
># Enable caching of up to 1000 output entries
>cache-size=1000
>
>cache-root=/cgit/cache
>
># Specify some default clone urls using macro expansion
>clone-url=git://git.domain.com/$CGIT_REPO_URL
>
># Specify the css url
>css=/cgit.css
>
># Show owner on index page
>enable-index-owner=0
>
># Allow http transport git clone
>enable-http-clone=0
>
># Show extra links for each repository on the index page
>enable-index-links=0
>
># Enable ASCII art commit history graph on the log pages
>enable-commit-graph=1
>
># Show number of affected files per commit on the log pages
>enable-log-filecount=1
>
># Show number of added/removed lines per commit on the log pages
>enable-log-linecount=1
>
># Sort branches by date
>branch-sort=age
>
># Add a cgit favicon
>favicon=/favicon.ico
>
># Enable statistics per week, month and quarter
>max-stats=quarter
>
># Set the title and heading of the repository index page
>root-title=HotBSD Code Repositories
>
># Set a subheading for the repository index page
>root-desc=
>
># Allow download of tar.gz, tar.bz2 and zip-files
>snapshots=tar.gz
>
>## List of common mimetypes
>mimetype.gif=image/gif
>mimetype.html=text/html
>mimetype.jpg=image/jpeg
>mimetype.jpeg=image/jpeg
>mimetype.pdf=application/pdf
>mimetype.png=image/png
>mimetype.svg=image/svg+xml
>
>## Search for these files in the root of the default branch of
>repositories
>## for coming up with the about page:
>readme=:README
>
>virtual-root=/
>
>#scan-path=/htdocs/src
>scan-path=/repos
>
># Disable adhoc downloads of this repo
>repo.snapshots=0
>
># Disable line-counts for this repo
>repo.enable-log-linecount=0
>
># Restrict the max statistics period for this repo
>repo.max-stats=month
>
>
>File/directory permissions:
># ls -all /etc/acme /etc/ssl
>/etc/acme:
>total 16
>drwx------   2 root  wheel   512 Aug  3 12:58 .
>drwxr-xr-x  22 root  wheel  1536 Jul 30 01:30 ..
>-r--------   1 root  wheel  3272 Aug  3 12:58 letsencrypt-privkey.pem
>
>/etc/ssl:
>total 772
>drwxr-xr-x   5 root  wheel     512 Jul 29 12:51 .
>drwxr-xr-x  22 root  wheel    1536 Jul 30 01:30 ..
>drwxr-xr-x   3 root  wheel     512 Jul 29 12:51 acme
>-r--r--r--   1 root  bin    349364 Mar 24 20:12 cert.pem
>-rw-r--r--   1 root  wheel    2703 Mar 24 20:12 ikeca.cnf
>drwxr-xr-x   2 root  wheel     512 Mar 24 20:12 lib
>-r--r--r--   1 root  bin       745 Mar 24 20:12 openssl.cnf
>drwx------   2 root  wheel     512 Aug  3 12:58 private
>-r--r--r--   1 root  bin      1006 Mar 24 20:12 x509v3.cnf
>
># ls -all /var/www
>total 52
>drwxr-xr-x  13 root  daemon  512 Jul 19 02:12 .
>drwxr-xr-x  23 root  wheel   512 Mar 24 20:43 ..
>drwxr-xr-x   2 root  daemon  512 Aug  4 11:50 acme
>drwxr-xr-x   2 root  daemon  512 Mar 24 20:12 bin
>drwx-----T   2 www   daemon  512 Mar 24 20:12 cache
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgi-bin
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgit
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 conf
>drwxr-xr-x   3 root  daemon  512 Mar 24 20:12 htdocs
>drwxr-xr-x   2 root  daemon  512 Aug  1 15:00 logs
>drwxr-xr-x   4 git   git     512 Jul 20 17:30 repos
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 run
>
>
>

-- 
Take Care Sincerely flipchan layerprox dev
