Hi Florian,

>> > Today acme-client renewed all but 2 of my domains; the two that have
>> > "alternative names" in the certificates. I cannot get it to renew
>> > those two. This is on amd64 on 6.6-current, updated today.
>>
>> I can reproduce this on amd64 current, as well as on 6.6.
>>
>> Same error and very similar configuration based on the one in
>> /etc/examples.
>
> you mean renewing fails for you with alternative names or you mean you
> see tls_close: EOF without close notify? I think everybody sees that.
> It started to show up some time ago. I think Let's Encrypt changed
> something on the server.
Sorry for not being more clear - I was not aware of the EOF without close
warning and had not seen this on the logs before. I thought this was
related to my renewal error.

> In any case, I just force-renewed a cert with alt names and it just
> worked.

I can confirm it works on stock 6.6 as expected (with the EOF warning),
however I still cannot get it to work on a -current amd64 web server.

> please run acme-client with -vv to see what's going on over the
> network if you have renew problems.

Here it is (sensitive parts replaced with <placeholder>):

photon# acme-client -vv <domain>.com
acme-client: acme-client: /etc/ssl/www.<domain>.com.crt: certificate renewable: 17 days left
acme-client: /etc/ssl/private/www.<domain>.com.key: loaded domain key
/etc/acme/letsencrypt-privkey.pem: loaded account key
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: transfer buffer: [{
  "4-vjXo89exY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}] (658 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "key": {
    "kty": "RSA",
    "n": "<RSAkey>",
    "e": "AQAB"
  },
  "contact": [],
  "initialIp": "<ipaddress>",
  "createdAt": "2018-09-10T00:42:09Z",
  "status": "valid"
}] (857 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "status": "pending",
  "expires": "2019-10-30T11:21:09.947891596Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "<domain>.com"
    },
    {
      "type": "dns",
      "value": "mail.<domain>.com"
    },
    {
      "type": "dns",
      "value": "photon.<domain>.com"
    },
    {
      "type": "dns",
      "value": "www.<domain>.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372032",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372034",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372035",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/904391026"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/41820606/1346625758"
}] (757 bytes)
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372032
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": "<domain>.com"
  },
  "status": "valid",
  "expires": "2019-11-28T08:41:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/TlKsVA",
      "token": "v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg",
      "validationRecord": [
        {
          "url": "http://<domain>.com/.well-known/acme-challenge/v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg",
          "hostname": "<domain>.com",
          "port": "80",
          "addressesResolved": [
            "<ipaddress>"
          ],
          "addressUsed": "<ipaddress>"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/BC5eNQ",
      "token": "v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/MNZeLQ",
      "token": "v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg"
    }
  ]
}] (1131 bytes)
acme-client: challenge, token: v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/TlKsVA, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372034
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": "photon.<domain>.com"
  },
  "status": "valid",
  "expires": "2019-11-28T08:41:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/bcLkQg",
      "token": "5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4",
      "validationRecord": [
        {
          "url": "http://photon.<domain>.com/.well-known/acme-challenge/5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4",
          "hostname": "photon.<domain>.com",
          "port": "80",
          "addressesResolved": [
            "<ipaddress>"
          ],
          "addressUsed": "<ipaddress>"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/YhIiyw",
      "token": "5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/k3zo0w",
      "token": "5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4"
    }
  ]
}] (1152 bytes)
acme-client: challenge, token: 5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/bcLkQg, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372035
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": "www.<domain>.com"
  },
  "status": "valid",
  "expires": "2019-11-28T08:41:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/ymTSqQ",
      "token": "2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI",
      "validationRecord": [
        {
          "url": "http://www.<domain>.com/.well-known/acme-challenge/2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI",
          "hostname": "www.<domain>.com",
          "port": "80",
          "addressesResolved": [
            "<ipaddress>"
          ],
          "addressUsed": "<ipaddress>"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/dwzu_w",
      "token": "2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/5XvR4g",
      "token": "2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI"
    }
  ]
}] (1143 bytes)
acme-client: challenge, token: 2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/ymTSqQ, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/904391026
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": "mail.<domain>.com"
  },
  "status": "pending",
  "expires": "2019-10-30T11:21:09Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw",
      "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/NahRzw",
      "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/TlJQ0Q",
      "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU"
    }
  ]
}] (793 bytes)
acme-client: challenge, token: W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw, status: 0
acme-client: /var/www/acme/W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw",
  "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU"
}] (184 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "status": "invalid",
  "expires": "2019-10-30T11:21:09Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "<domain>.com"
    },
    {
      "type": "dns",
      "value": "mail.<domain>.com"
    },
    {
      "type": "dns",
      "value": "photon.<domain>.com"
    },
    {
      "type": "dns",
      "value": "www.<domain>.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372032",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372034",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372035",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/904391026"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/41820606/1346625758"
}] (747 bytes)
acme-client: order.status -1
acme-client: bad exit: netproc(86194): 1

I verified that a file I put in http://<domain>.com/.well-known/acme-challenge/
can be downloaded from the server running httpd.
/etc/acme-client.conf:

#
# $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
#
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	api url "https://acme-staging-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain <domain>.com {
	alternative names { www.<domain>.com photon.<domain>.com mail.<domain>.com }
	domain key "/etc/ssl/private/www.<domain>.com.key"
	domain certificate "/etc/ssl/www.<domain>.com.crt"
	domain full chain certificate "/etc/ssl/www.<domain>.com.fullchain.pem"
	sign with letsencrypt
}

dmesg:

OpenBSD 6.6-current (GENERIC) #370: Tue Oct 22 11:50:58 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2080227328 (1983MB)
avail mem = 2004627456 (1911MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf68c0 (9 entries)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Skylake, IBRS), 2100.28 MHz, 06-55-04
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,AVX512F,RDSEED,ADX,SMAP,CLWB,AVX512CD,IBRS,IBPB,ARAT,XSAVEOPT,XSAVEC,XGETBV1,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1030MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
cpu0: using Skylake AVX MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 96:00:00:10:0b:d6
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio1: qsize 128
scsibus2 at vioscsi0: 255 targets
sd0 at scsibus2 targ 0 lun 0: <QEMU, QEMU HARDDISK, 2.5+>
sd0: 19532MB, 512 bytes/sector, 40001536 sectors, thin
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
virtio3 at pci0 dev 6 function 0 "Qumranet Virtio Console" rev 0x00
virtio3: no matching child driver; not configured
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (c1d4c16f99e0d7bd.a) swap on sd0b dump on sd0b
fd0 at fdc0 drive 1: density unknown
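Added triage aid, not part of this thread and not acme-client's own code: a Python script that pulls the JSON "transfer buffer" dumps out of `acme-client -vv` output, summarizes each identifier's authorization and challenge states, reports the final order status, and cross-checks that every pending http-01 token has a matching `<dir>/<token>: created` line. Run over the log above it would show that <domain>.com, photon.<domain>.com and www.<domain>.com already hold valid http-01 authorizations, that only mail.<domain>.com is pending, and that the order then went invalid. It assumes the framing strings exactly as they appear in that log (`transfer buffer: [...] (N bytes)` and `...: created`); the embedded sample log is constructed and condensed to the fields the parser uses, with example.com names, a documentation-range IP and a placeholder token.

```python
"""Triage helper for acme-client(1) -vv output (added example, not from the thread)."""
import json
import re

# Framing acme-client uses for the responses it logs: transfer buffer: [<json>] (<n> bytes)
BUFFER_RE = re.compile(r"transfer buffer: \[(.*?)\] \((\d+) bytes\)", re.DOTALL)
# Lines reporting a challenge file written into the web root: <dir>/<token>: created
CREATED_RE = re.compile(r": (/\S+)/([^/\s:]+): created")

# Constructed sample log (not real output): names, IP and token are placeholders,
# the sequence follows the thread's -vv run where one alternative name stays pending.
SAMPLE_LOG = """\
acme-client: transfer buffer: [{ "status": "pending", "identifiers": [ { "type": "dns", "value": "example.com" }, { "type": "dns", "value": "mail.example.com" } ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1/1" }] (200 bytes)
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "example.com" }, "status": "valid", "challenges": [ { "type": "http-01", "status": "valid", "token": "OLDTOKEN", "validationRecord": [ { "addressesResolved": [ "192.0.2.10" ] } ] }, { "type": "dns-01", "status": "pending" } ] }] (300 bytes)
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "mail.example.com" }, "status": "pending", "challenges": [ { "type": "http-01", "status": "pending", "token": "TOKEN" }, { "type": "dns-01", "status": "pending" } ] }] (150 bytes)
acme-client: /var/www/acme/TOKEN: created
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "token": "TOKEN" }] (80 bytes)
acme-client: transfer buffer: [{ "status": "invalid", "identifiers": [ { "type": "dns", "value": "example.com" }, { "type": "dns", "value": "mail.example.com" } ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1/1" }] (200 bytes)
acme-client: order.status -1
"""


def extract_buffers(log):
    """Return the parsed JSON object of every transfer buffer, in log order."""
    objs = []
    for body, _size in BUFFER_RE.findall(log):
        try:
            objs.append(json.loads(body))
        except json.JSONDecodeError:
            continue  # truncated or redacted buffer: skip it rather than abort triage
    return objs


def _authorizations(log):
    """Yield only the authorization objects (those carrying identifier + challenges)."""
    for obj in extract_buffers(log):
        if "identifier" in obj and "challenges" in obj:
            yield obj


def summarize_authorizations(log):
    """Map each DNS identifier to its authorization status and per-challenge status.

    A later buffer for the same identifier overwrites an earlier one, so the
    result reflects the last state acme-client saw for that name."""
    summary = {}
    for obj in _authorizations(log):
        summary[obj["identifier"]["value"]] = {
            "status": obj["status"],
            "challenges": {c["type"]: c["status"] for c in obj["challenges"]},
        }
    return summary


def final_order_status(log):
    """Status of the last order object seen (buffers with identifiers + finalize)."""
    status = None
    for obj in extract_buffers(log):
        if "identifiers" in obj and "finalize" in obj:
            status = obj["status"]
    return status


def blocking_identifiers(log):
    """Identifiers whose authorization never reached "valid"."""
    return [n for n, s in summarize_authorizations(log).items() if s["status"] != "valid"]


def created_challenge_files(log):
    """Token -> path for every challenge file acme-client reports having written."""
    return {tok: f"{d}/{tok}" for d, tok in CREATED_RE.findall(log)}


def unwritten_http01_tokens(log):
    """Tokens of pending http-01 challenges that have no corresponding created file."""
    created = created_challenge_files(log)
    return [c["token"] for obj in _authorizations(log) for c in obj["challenges"]
            if c.get("type") == "http-01" and c.get("status") == "pending"
            and c.get("token") and c["token"] not in created]


if __name__ == "__main__":
    for name, s in summarize_authorizations(SAMPLE_LOG).items():
        print(f"{name}: authz {s['status']}, challenges {s['challenges']}")
    print("final order status:", final_order_status(SAMPLE_LOG))
    print("identifiers blocking the order:", blocking_identifiers(SAMPLE_LOG))
    print("pending http-01 tokens with no challenge file:", unwritten_http01_tokens(SAMPLE_LOG))
```

Feed it a saved `acme-client -vv` run (`python3 triage.py < run.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) and the name that needs attention is listed by `blocking_identifiers`; an empty `unwritten_http01_tokens` result tells you the client did write the token where httpd is expected to serve it, which narrows the remaining question to whether that particular name actually reaches this host on port 80.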