On Tue, Oct 22, 2019 at 09:56:57AM +0100, Daniel Winters wrote:
> Good morning,
> 
> > Today acme-client renewed all but 2 of my domains; the two that have
> > "alternative names" in the certificates. I cannot get it to renew
> > those two.  This is on amd64 on 6.6-current, updated today.
> 
> I can reproduce this on amd64 current, as well as on 6.6.
> 
> Same error and very similar configuration based on the one in
> /etc/examples.

You mean renewing fails for you with alternative names, or you mean you
see tls_close: EOF without close notify? I think everybody sees that.
It started to show up some time ago. I think Let's Encrypt changed
something on the server.

In any case, I just force-renewed a cert with alt names and it just
worked.

Please run acme-client with -vv to see what's going on over the
network if you have renew problems.

> 
> Daniel
> 
> 
> > My acme-config.conf is the latest example version, with the v2 URLs
> > and with example.com replaced by my domains.
> >
> > #
> > # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
> > #
> > authority letsencrypt {
> >     api url "https://acme-v02.api.letsencrypt.org/directory";
> >     account key "/etc/acme/letsencrypt-privkey.pem"
> > }
> >
> > authority letsencrypt-staging {
> >     api url "https://acme-staging-v02.api.letsencrypt.org/directory";
> >     account key "/etc/acme/letsencrypt-staging-privkey.pem"
> > }
> >
> > domain androidcookbook.com {
> >             alternative names { androidcookbook.net }
> >             domain key "/etc/ssl/private/androidcookbook.com.key"
> >             domain certificate "/etc/ssl/androidcookbook.com.crt"
> >             domain full chain certificate "/etc/ssl/androidcookbook.com.fullchain.pem"
> >             sign with letsencrypt
> > }
> > domain annabot.org {
> >             domain key "/etc/ssl/private/annabot.org.key"
> >             domain certificate "/etc/ssl/annabot.org.crt"
> >             domain full chain certificate "/etc/ssl/annabot.org.fullchain.pem"
> >             sign with letsencrypt
> > }
> > ...
> >
> > The first domain fails, the second one succeeded.
> >
> > $ doas acme-client androidcookbook.com
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > $ echo $?
> > 1
> > $
> >
> > IDK what those EOF w/o notify are caused by, but the domains that worked
> > also gave a similar bunch of that message.
> >
> > Running with -v does not give any useful info except it ends with -1:
> >
> > $ doas acme-client -v -F androidcookbook.com
> > acme-client: /etc/ssl/androidcookbook.com.crt: certificate renewable: 29 days left
> > acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> > acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/882690343
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: challenge, token: 22zE2mRAquYtRmY0lMxiCVfYXcTLEUEm78rRa6Nt0So, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690343/im5q-Q, status: 0
> > acme-client: /var/www/acme/22zE2mRAquYtRmY0lMxiCVfYXcTLEUEm78rRa6Nt0So: created
> > acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690343/im5q-Q: challenge
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/882690357
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: challenge, token: XQm6jdVi6yzlFJHP8ucI8d3AenQFl81KqfC4tNlaDsU, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690357/7cuNOw, status: 0
> > acme-client: /var/www/acme/XQm6jdVi6yzlFJHP8ucI8d3AenQFl81KqfC4tNlaDsU: created
> > acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690357/7cuNOw: challenge
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: 172.65.32.248: tls_close: EOF without close notify
> > acme-client: order.status -1
> > acme-client: bad exit: netproc(82984): 1
> > $
> >
> >
> > Any thoughts or more info? Thx.
> 

-- 
I'm not entirely sure you are real.
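
Added example, not part of the original messages and not acme-client code: a small filter for verbose acme-client output that counts the tls_close notices the thread reports on successful runs too, and surfaces the lines that actually distinguish the failed run (authorizations requested, challenge files created, order.status, bad exit). The function names and the token placeholders in the sample are constructed; the other sample lines are taken from the quoted output above.

```shell
#!/bin/sh
# Usage on a real run (2>&1 so the filter sees messages on either stream):
#   doas acme-client -v -F example.com 2>&1 | summarize_acme_log

summarize_acme_log() {
    awk '
    # Reported in this thread for runs that succeed as well, so only count it.
    /tls_close: EOF without close notify/ { noise++; next }
    / dochngreq: /    { authz++ }          # one per authorization fetched
    /: created$/      { files++ }          # challenge file written to the webroot
    / order\.status / { status = $NF }     # last reported order status value
    / bad exit: /     { failed = 1; sub(/^acme-client: /, ""); why = $0 }
    END {
        printf "tls_close_notices=%d authz=%d challenge_files=%d order_status=%s result=%s\n",
            noise, authz, files, (status == "" ? "unseen" : status),
            (failed ? "FAIL" : "ok")
        if (failed) print "detail: " why
        exit failed                        # non-zero when a bad exit was logged
    }'
}

# Constructed sample: lines from the thread with wrapped lines rejoined and
# the challenge tokens replaced by placeholders.
sample_failed_run() {
    cat <<'EOF'
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/882690343
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: /var/www/acme/CONSTRUCTED-TOKEN-1: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/882690357
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: /var/www/acme/CONSTRUCTED-TOKEN-2: created
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: order.status -1
acme-client: bad exit: netproc(82984): 1
EOF
}

sample_failed_run | summarize_acme_log || true
```
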
