acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: created

Probably some typo in your conf file.

On Wed, Apr 12, 2023 at 9:38 AM <rea...@catastrophe.net> wrote:
>
> I started having some problems with cert renewal using acme-client after
> upgrading to 7.3 (not really sure 7.3 has anything to do with the following,
> however). I've verified that nothing has changed and that httpd is listening
> correctly, etc.
>
> When I run acme-client and watch for any changes to
> /var/www/htdocs/example.org/.well-known/acme-client I never see any files
> being written to that directory (which is likely leading to the 404). Is
> the client supposed to write a temporary file for remote validation?
>
> Does anyone see any issues with the configurations that follow the output
> which may have any errors?
>
> Thanks in advance.
>
>
> # acme-client -v www.example.com
> acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate renewable: 29 days left
> acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
> acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
> acme-client: acme-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f53d:5624:85c7:3a2c
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, status: 0
> acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: created
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, status: 0
> acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: created
> acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg: challenge
> acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw: challenge
> acme-client: order.status 0
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, status: -1
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, status: -1
> acme-client: order.status -1
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
> acme-client: 2600:fee:bee::e:8:0: Invalid response from https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: 404
> acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
> acme-client: 2600:fee:bee::e:8:0: Invalid response from https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: 404
> acme-client: bad exit: netproc(16493): 1
>
>
> ### The www directory for the acme-challenge exists:
>
> # ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
> drwxr-xr-x  2 username  staff  512 Apr 12 08:08 
> /var/www/htdocs/example.com/.well-known/acme-challenge/
>
>
> ### Relevant portions of my httpd.conf
>
> www_v4="x.y.10.10"
> www_v6_a="2600:fee:bee::e:8:0"
>
> server "www.example.com" {
>   listen on $www_v4 tls port 443
>   listen on $www_v6_a tls port 443
>   tls {
>     certificate "/etc/ssl/certs/www.example.com.chain.pem"
>     key "/etc/ssl/private/www.example.com.key.pem"
>     protocols "TLSv1.2,TLSv1.3"
>   }
>   hsts {
>     max-age 31536000
>     preload
>     subdomains
>   }
>   log style combined
>     log { access "access.log", error "error.log" }
>   root "/htdocs/example.com"
>   directory auto index
> }
>
> server "example.com" {
>   listen on $www_v4 tls port 443
>   listen on $www_v6_a tls port 443
>   tls {
>     certificate "/etc/ssl/certs/www.example.com.chain.pem"
>     key "/etc/ssl/private/www.example.com.key.pem"
>     protocols "TLSv1.2,TLSv1.3"
>   }
>   hsts {
>     max-age 31536000
>     preload
>     subdomains
>   }
>   log style combined
>     log { access "access.log", error "error.log" }
>   root "/htdocs/example.com"
>   directory auto index
> }
>
> server "www.example.com" {
>   listen on $www_v4   port 80
>   listen on $www_v6_a port 80
>   location "/.well-known/acme-challenge/*" {
>     root "/acme"
>     request strip 2
>   }
>   block return 301 "https://www.example.com$REQUEST_URI";
> }
>
> server "example.com" {
>   listen on $www_v4   port 80
>   listen on $www_v6_a port 80
>   location "/.well-known/acme-challenge/*" {
>     root "/acme"
>     request strip 2
>   }
>   block return 301 "https://www.example.com$REQUEST_URI";
> }
>
>
> ### ACME client config
>
> # acme-client.conf
> authority letsencrypt {
>         api url "https://acme-v02.api.letsencrypt.org/directory";
>         account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
>         api url "https://acme-staging-v02.api.letsencrypt.org/directory";
>         account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain www.example.com {
>  alternative names { example.com }
>  domain key "/etc/ssl/private/www.example.com.key.pem"
>  domain full chain certificate "/etc/ssl/certs/www.example.com.chain.pem"
>         sign with letsencrypt
> }
>


-- 
--
---------------------------------------------------------------------------------------------------------------------
Knowing is not enough; we must apply. Willing is not enough; we must do
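A check worth running against the configuration quoted above. The port-80 location block maps a challenge URL onto httpd's chroot plus the location's root with the first two path components stripped, so the file httpd serves for /.well-known/acme-challenge/TOKEN is /var/www/acme/TOKEN, which is exactly the path acme-client logs as "created"; the directory under htdocs never receives anything. The script below is an added example, not code from the original post, from OpenBSD httpd(8) or from acme-client(1). It reproduces that mapping offline, compares it with the path acme-client reported, and includes an optional live probe that fetches a marker over plain HTTP without following redirects, since a 301 at that point means the request fell through to the "block return 301" line and the CA would be sent to the TLS server blocks, which carry no acme-challenge location. Assumptions: httpd's default chroot of /var/www, and curl installed from packages on the web server for the live probe (which is not run automatically).

```shell
#!/bin/sh
# Added example; not code from the original post, OpenBSD httpd(8) or acme-client(1).
# The httpd location block
#     location "/.well-known/acme-challenge/*" { root "/acme"  request strip 2 }
# serves a challenge URL from CHROOT + ROOT + (request path minus its first
# two components). Assumptions: httpd's default chroot is /var/www, and curl
# (from packages) is available for the live probe.

# resolve_path CHROOT ROOT STRIP REQUEST_PATH
# Prints the file httpd will open for REQUEST_PATH under a location that
# carries "root ROOT" and "request strip STRIP".
resolve_path() {
    chroot=$1 root=$2 strip=$3 path=$4
    rest=${path#/}
    i=0
    while [ "$i" -lt "$strip" ]; do
        case $rest in
            */*) rest=${rest#*/} ;;   # drop one leading path component
            *)   rest= ;;             # nothing left to strip
        esac
        i=$((i + 1))
    done
    printf '%s%s/%s\n' "$chroot" "$root" "$rest"
}

# check_mapping CREATED_FILE CHALLENGE_URL CHROOT ROOT STRIP
# Succeeds when the file acme-client created is exactly the one httpd will
# serve for CHALLENGE_URL (the URL the CA reports in its error message).
check_mapping() {
    created=$1 url=$2
    reqpath=${url#*://}          # strip the scheme
    reqpath=/${reqpath#*/}       # strip the host, keep the leading slash
    expected=$(resolve_path "$3" "$4" "$5" "$reqpath")
    [ "$created" = "$expected" ]
}

# live_check HOSTNAME CHALLENGEDIR
# Drops a marker file into the challenge directory and fetches it over plain
# HTTP on IPv4 and IPv6 without following redirects: 200 means the port-80
# location block matched; 301 means the request fell through to the
# "block return 301" and the CA would be redirected to the TLS server,
# which has no acme-challenge location. Not run automatically here.
live_check() {
    host=$1 dir=$2
    tok=$(openssl rand -hex 16)
    printf 'probe-%s\n' "$tok" > "$dir/$tok"
    for fam in -4 -6; do
        code=$(curl -s "$fam" -o /dev/null -w '%{http_code}' \
            "http://$host/.well-known/acme-challenge/$tok")
        printf '%s -> HTTP %s (want 200)\n' "$fam" "$code"
    done
    rm -f "$dir/$tok"
}

# Worked on the token and error URL from the post above (constructed run, no network).
TOKEN=2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk
if check_mapping "/var/www/acme/$TOKEN" \
      "https://www.example.com/.well-known/acme-challenge/$TOKEN" /var/www /acme 2; then
    echo "acme-client and httpd agree: watch /var/www/acme, not htdocs"
else
    echo "mismatch: httpd will not find the file acme-client wrote"
fi
```

On the web server, `live_check www.example.com /var/www/acme` exercises the same path the CA takes, minus the redirect-following; a 200 on both address families with the marker in the body is what you want before re-running acme-client.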