For the archives:

With the help of Florian and Ian we managed to find the error in the
setup: One of the alternative names in acme-client.conf had no A record
in DNS anymore (it was removed a few days prior).

acme-client will fail in such a case and return "status": "invalid" in
the output of acme-client -vv.

After removing the entry from acme-client.conf everything works as
expected (with the "EOF without close" warning which is unrelated).

Thanks to everybody who helped!

Daniel


>>> > Today acme-client renewed all but 2 of my domains; the two that have
>>> > "alternative names" in the certificates. I cannot get it to renew
>>> > those two.  This is on amd64 on 6.6-current, updated today.
>>>
>>> I can reproduce this on amd64 current, as well as on 6.6.
>>>
>>> Same error and very similar configuration based on the one in
>>> /etc/examples.
>>
>> You mean renewing fails for you with alternative names, or you mean you
>> see tls_close: EOF without close notify? I think everybody sees that.
>> It started to show up some time ago. I think Let's Encrypt changed
>> something on the server.
>
> Sorry for not being more clear - I was not aware of the EOF without
> close warning and had not seen this on the logs before. I thought this
> was related to my renewal error.
>
>> In any case, I just force-renewed a cert with alt names and it just
>> worked.
>
> I can confirm it works on stock 6.6 as expected (with the EOF warning),
> however I still cannot get it to work on a -current amd64 web server.
>
>> please run acme-client with -vv to see what's going on over the
>> network if you have renew problems.
>
> Here it is (sensitive parts replaced with <placeholder>):
>
> photon# acme-client -vv <domain>.com
> acme-client: acme-client: /etc/ssl/www.<domain>.com.crt: certificate 
> renewable: 17 days left
> acme-client: /etc/ssl/private/www.<domain>.com.key: loaded domain key
> /etc/acme/letsencrypt-privkey.pem: loaded account key
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: transfer buffer: [{ "4-vjXo89exY":
> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
>  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta":
> { "caaIdentities": [ "letsencrypt.org" ], "termsOfService":
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
> "website": "https://letsencrypt.org" }, "newAccount":
> "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce":
> "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder":
> "https://acme-v02.api.letsencrypt.org/acme/new-order", "revokeCert":
> "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "key": { "kty": "RSA", "n":"<RSAkey>", "e": 
> "AQAB" }, "contact": [], "initialIp": "<ipaddress>","createdAt": 
> "2018-09-10T00:42:09Z", "status": "valid" }] (857 bytes)
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "status": "pending", "expires": 
> "2019-10-30T11:21:09.947891596Z", "identifiers": [ { "type": "dns", "value": 
> "<domain>.com" }, { "type": "dns", "value": "mail.<domain>.com" }, { "type": 
> "dns", "value": "photon.<domain>.com" }, { "type": "dns", "value": 
> "www.<domain>.com" } ], "authorizations": [ 
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372032",
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372034",
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372035",
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/904391026" ], "finalize":
> "https://acme-v02.api.letsencrypt.org/acme/finalize/41820606/1346625758" }]
> (757 bytes)
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372032
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
> "<domain>.com" }, "status": "valid", "expires": "2019-11-28T08:41:55Z", 
> "challenges": [ { "type": "http-01", "status": "valid", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/TlKsVA",
> "token": "v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg", "validationRecord": [ 
> { "url": 
> "http://<domain>.com/.well-known/acme-challenge/v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg",
>  "hostname": "<domain>.com", "port": "80", "addressesResolved": [ 
> "<ipaddress>" ], "addressUsed": "<ipaddress>" } ] }, { "type": "dns-01", 
> "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/BC5eNQ",
> "token": "v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg" }, { "type": 
> "tls-alpn-01", "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/MNZeLQ",
> "token": "v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg" } ] }] (1131 bytes)
> acme-client: challenge, token: v0Hxmbjl_8FtlvG-pvOylQuH_8BUS73WVMMOiXfwtBg,
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372032/TlKsVA,
> status: 2
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372034
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
> "photon.<domain>.com" }, "status": "valid", "expires": 
> "2019-11-28T08:41:55Z", "challenges": [ { "type": "http-01", "status": 
> "valid", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/bcLkQg",
> "token": "5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4", "validationRecord": [ 
> { "url": 
> "http://photon.<domain>.com/.well-known/acme-challenge/5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4",
>  "hostname": "photon.<domain>.com", "port": "80", "addressesResolved": [ 
> "<ipaddress>" ], "addressUsed": "<ipaddress>" } ] }, { "type": "dns-01", 
> "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/YhIiyw",
> "token": "5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4" }, { "type": 
> "tls-alpn-01", "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/k3zo0w",
> "token": "5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4" } ] }] (1152 bytes)
> acme-client: challenge, token: 5px8fBxbUQ8BPzLpPF4cNPkt08wrV8Gr2lvHtHGboP4, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372034/bcLkQg, 
> status: 2
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372035
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "identifier": { "type": "dns","value": 
> "www.<domain>.com" }, "status": "valid", "expires":"2019-11-28T08:41:55Z", 
> "challenges": [ { "type": "http-01", "status":"valid", 
> "url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/ymTSqQ","token":
>  "2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI","validationRecord": [ { 
> "url":"http://www.<domain>.com/.well-known/acme-challenge/2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI","hostname":
>  "www.<domain>.com", "port": "80", "addressesResolved": ["<ipaddress>" ], 
> "addressUsed": "<ipaddress>" } ] }, { "type": "dns-01", "status": "pending", 
> "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/dwzu_w",
> "token": "2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI" }, { "type": 
> "tls-alpn-01", "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/5XvR4g",
> "token": "2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI" } ] }] (1143 bytes)
> acme-client: challenge, token: 2nRGi8XjMa5hGaOFLpi4WdpT3wQwnDxxFu5nEgq-VdI, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/888372035/ymTSqQ, 
> status: 2
> acme-client: dochngreq: 
> https://acme-v02.api.letsencrypt.org/acme/authz-v3/904391026
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": 
> "mail.<domain>.com" }, "status": "pending", "expires": 
> "2019-10-30T11:21:09Z", "challenges": [ { "type": "http-01", "status": 
> "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw",
> "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU" }, { "type": "dns-01", 
> "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/NahRzw",
> "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU" }, { "type": 
> "tls-alpn-01", "status": "pending", "url": 
> "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/TlJQ0Q",
> "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU" } ] }] (793 bytes)
> acme-client: challenge, token: W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU, 
> uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw, 
> status: 0
> acme-client: /var/www/acme/W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU: 
> created
> acme-client: 
> https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw: challenge
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", 
> "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/904391026/-CjOUw",
> "token": "W2VcDuv5jXJPOSIRgJ1qvzWXZW8KAJfSTiHTQfvgELU" }] (184 bytes)
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: acme-v02.api.letsencrypt.org: cached
> acme-client: 172.65.32.248: tls_close: EOF without close notify
> acme-client: transfer buffer: [{ "status": "invalid", "expires": 
> "2019-10-30T11:21:09Z", "identifiers": [ { "type": "dns", "value": 
> "<domain>.com" }, { "type": "dns", "value": "mail.<domain>.com" }, { "type": 
> "dns", "value": "photon.<domain>.com" }, { "type": "dns", "value": 
> "www.<domain>.com" } ], "authorizations": [ 
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372032",
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372034",
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/888372035",
> "https://acme-v02.api.letsencrypt.org/acme/authz-v3/904391026" ], "finalize":
> "https://acme-v02.api.letsencrypt.org/acme/finalize/41820606/1346625758" }]
> (747 bytes)
> acme-client: order.status -1
> acme-client: bad exit: netproc(86194): 1
>
> I verified that a file I put in
> http://<domain>.com/.well-known/acme-challenge/ can be downloaded from
> the server running httpd.
>
> /etc/acme-client.conf:
>
> #
> # $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
> #
>
> authority letsencrypt {
>         api url "https://acme-v02.api.letsencrypt.org/directory";
>         account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
>         api url "https://acme-staging-v02.api.letsencrypt.org/directory";
>         account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain <domain>.com {
>         alternative names { www.<domain>.com photon.<domain>.com 
> mail.<domain>.com }
>         domain key "/etc/ssl/private/www.<domain>.com.key"
>         domain certificate "/etc/ssl/www.<domain>.com.crt"
>         domain full chain certificate 
> "/etc/ssl/www.<domain>.com.fullchain.pem"
>         sign with letsencrypt
> }
>
> dmesg:
>
> OpenBSD 6.6-current (GENERIC) #370: Tue Oct 22 11:50:58 MDT 2019
>    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 2080227328 (1983MB)
> avail mem = 2004627456 (1911MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf68c0 (9 entries)
> acpi0 at bios0: ACPI 1.0
> acpi0: sleep states S5
> acpi0: tables DSDT FACP APIC HPET
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel Xeon Processor (Skylake, IBRS), 2100.28 MHz, 06-55-04
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,AVX512F,RDSEED,ADX,SMAP,CLWB,AVX512CD,IBRS,IBPB,ARAT,XSAVEOPT,XSAVEC,XGETBV1,MELTDOWN
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 
> 64b/line 16-way L2 cache
> cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 1030MHz
> ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
> acpihpet0 at acpi0: 100000000 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> "ACPI0006" at acpi0 not configured
> acpipci0 at acpi0 PCI0: _OSC failed
> acpicmos0 at acpi0
> "PNP0A06" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "QEMU0002" at acpi0 not configured
> "ACPI0010" at acpi0 not configured
> cpu0: using Skylake AVX MDS workaround
> pvbus0 at mainbus0: KVM
> pvclock0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
> wired to compatibility, channel 1 wired to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
> cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
> iic0 at piixpm0
> vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio0: address 96:00:00:10:0b:d6
> virtio0: msix shared
> virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
> vioscsi0 at virtio1: qsize 128
> scsibus2 at vioscsi0: 255 targets
> sd0 at scsibus2 targ 0 lun 0: <QEMU, QEMU HARDDISK, 2.5+>
> sd0: 19532MB, 512 bytes/sector, 40001536 sectors, thin
> virtio1: msix shared
> virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
> viomb0 at virtio2
> virtio2: apic 0 int 10
> virtio3 at pci0 dev 6 function 0 "Qumranet Virtio Console" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at pcib0
> isadma0 at isa0
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
> addr 1
> uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" 
> rev 2.00/0.00 addr 2
> uhidev0: iclass 3/0
> ums0 at uhidev0: 3 buttons, Z dir
> wsmouse1 at ums0 mux 0
> vscsi0 at root
> scsibus3 at vscsi0: 256 targets
> softraid0 at root
> scsibus4 at softraid0: 256 targets
> root on sd0a (c1d4c16f99e0d7bd.a) swap on sd0b dump on sd0b
> fd0 at fdc0 drive 1: density unknown
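The root cause in this thread was an alternative name that no longer had an A record, and acme-client only reports that as "status": "invalid" after the order has been submitted. The following is an added example, not code from the thread or from OpenBSD's acme-client: a small pre-flight script that parses the domain blocks of an acme-client.conf, resolves every name that would end up in the certificate, and lists the ones with no A/AAAA record before acme-client is run. The sample configuration, the example.com names and the fake zone are constructed; the parser assumes the layout of the config quoted above (a domain block closed by a `}` on its own line, alternative names listed inside braces).

```python
"""Pre-flight DNS check for the names in an OpenBSD acme-client.conf.

Added example, not part of the thread or of acme-client.  It finds every
name a domain block would put into the certificate and reports the ones
that do not resolve, which is the condition that made the order above
come back with "status": "invalid".
"""
import re
import socket

# Constructed sample in the same shape as the config quoted in the thread;
# mail.example.com stands in for the name whose A record had been removed.
SAMPLE_CONF = """\
#
# constructed example, not a real host configuration
#
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

domain example.com {
        alternative names { www.example.com photon.example.com
mail.example.com }
        domain key "/etc/ssl/private/www.example.com.key"
        domain certificate "/etc/ssl/www.example.com.crt"
        sign with letsencrypt
}
"""

# Block layout assumed: 'domain NAME {' ... '}' with the closing brace on its
# own line, and 'alternative names { ... }' possibly wrapped across lines.
BLOCK_RE = re.compile(r"domain\s+(\S+)\s*\{(.*?)\n\}", re.S)
ALT_RE = re.compile(r"alternative\s+names\s*\{([^}]*)\}", re.S)


def _strip_comments(text):
    """Drop everything after '#' on each line, as acme-client.conf allows."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_domains(conf_text):
    """Return {domain: [domain, alt1, alt2, ...]} for every domain block."""
    result = {}
    for m in BLOCK_RE.finditer(_strip_comments(conf_text)):
        name, body = m.group(1), m.group(2)
        names = [name]
        alt = ALT_RE.search(body)
        if alt:
            names.extend(alt.group(1).split())
        result[name] = names
    return result


def resolve(name):
    """Addresses for NAME from the system resolver; empty set if none."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def unresolvable_names(conf_text, resolver=resolve):
    """Names from every domain block that RESOLVER cannot turn into an address."""
    missing = []
    for names in parse_domains(conf_text).values():
        missing.extend(n for n in names if not resolver(n))
    return missing


# Constructed zone for an offline run: mail.example.com has been removed,
# mirroring the situation in the thread.
FAKE_ZONE = {
    "example.com": {"192.0.2.10"},
    "www.example.com": {"192.0.2.10"},
    "photon.example.com": {"192.0.2.10"},
}


def fake_resolve(name):
    """Stand-in resolver that answers only from FAKE_ZONE."""
    return FAKE_ZONE.get(name, set())


if __name__ == "__main__":
    import sys
    # With a path argument, check that file against real DNS; without one,
    # run the constructed sample against the fake zone.
    if len(sys.argv) > 1:
        conf, lookup = open(sys.argv[1]).read(), resolve
    else:
        conf, lookup = SAMPLE_CONF, fake_resolve
    bad = unresolvable_names(conf, lookup)
    for n in bad:
        print("no A/AAAA record for %s; acme-client would fail this order" % n)
    sys.exit(1 if bad else 0)
```

Run as `python3 check_names.py /etc/acme-client.conf` to check a real file with the system resolver before a renewal; with no argument it checks the constructed sample against the fake zone and reports mail.example.com, exiting non-zero so it can gate a cron job ahead of `acme-client -v`.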
