I started seeing an error where acme-client is not able to renew
Let's Encrypt certificates. I've tried on several different servers,
but they all display the same error: "Error getting validation data".

Is anyone else seeing the same behavior?

Here are my configurations; these have been working for a couple years
now. Thanks in advance for any assistance.


$ uname -a
OpenBSD www-server 7.5 GENERIC#79 amd64

acme-client configuration
-------------------------

# Production Let's Encrypt ACME v2 directory; this is the authority the
# domain block in this configuration signs with.
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory";
        # Account private key: it authenticates every request made to the CA
        # for this account, so keep it readable by root only.
        account key "/etc/acme/letsencrypt-privkey.pem"
}

# Let's Encrypt staging directory with its own account key. No domain block
# in the configuration shown signs with it; it issues certificates that are
# not publicly trusted, which makes it a way to test the challenge path
# without using the production endpoint.
authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

# Certificate request for www-server.example.com, signed by the production
# authority. No "challengedir" is set here; the verbose run in this post
# shows the challenge token being created under /var/www/acme.
domain www-server.example.com {
 # Private key for the certificate; httpd's tls block reads the same path.
 domain key "/etc/ssl/private/www-server.example.com.key.pem"
 # Certificate plus chain in one file; httpd's tls block reads the same path.
 domain full chain certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
        sign with letsencrypt
}


httpd configuration
-------------------

# HTTPS virtual host. It serves the site from /htdocs/www and also answers
# ACME http-01 challenge requests that arrive over TLS.
server "www-server.example.com" {
  listen on * tls port 443
  tls {
    # Same certificate and key paths that the acme-client domain block writes.
    certificate "/etc/ssl/certs/www-server.example.com.chain.pem"
    key "/etc/ssl/private/www-server.example.com.key.pem"
    # Only TLS 1.2 and 1.3 are offered.
    protocols "TLSv1.3,TLSv1.2"
  }
  # HSTS for one year (31536000 s) with the subdomains and preload flags.
  # Browsers that have seen this header will refuse plain HTTP and will not
  # allow certificate-error click-through for this host, so a renewal that
  # keeps failing until expiry makes the site unreachable for them.
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
  log { access "access.log", error "error.log" } 
  # Automatic directory listings are enabled for this server.
  # NOTE(review): confirm nothing under the document root relies on being unlisted.
  directory auto index
  root "/htdocs/www"
  # Challenge files are served from "/acme", not from the site root.
  # "request strip 2" drops the two leading path components
  # (.well-known/acme-challenge) before the file lookup.
  # NOTE(review): assuming httpd's default chroot of /var/www, this maps to
  # /var/www/acme, the directory acme-client reports writing the token to.
  # The "find" listing in this post covers /var/www/htdocs/www/.well-known,
  # which this location does not use; check ownership and mode of
  # /var/www/acme instead.
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

# Plain-HTTP virtual host on port 80. It declares a location for ACME
# challenge files and a server-level permanent redirect to HTTPS.
server "www-server.example.com" {
  listen on * port 80
  # Challenge files are looked up under "/acme" after the two leading path
  # components are stripped.
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  # NOTE(review): the failing fetch in the verbose output is for the https://
  # URL, which suggests the challenge request was redirected rather than
  # answered here. Confirm whether the location above needs an explicit
  # "pass", or whether this redirect should sit in its own "location *" block,
  # and check that the TLS listener is reachable from the CA's validators.
  block return 301 "https://www-server.example.com$REQUEST_URI";
}


directory permissions for acme-client verification
--------------------------------------------------

# find /var/www/htdocs/www/.well-known/ -ls
 51875    4 drwxr-xr-x    3 w3admin     staff         512 Mar 16  2022 
/var/www/htdocs/www/.well-known/
 51876    4 drwxr-xr-x    2 w3admin     staff         512 Mar 16  2022 
/var/www/htdocs/www/.well-known/acme-challenge


output of running the client manually
-------------------------------------

# acme-client -v www-server.example.com
acme-client: /etc/ssl/certs/www-server.example.com.chain.pem: certificate 
renewable: 29 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS: 
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg, 
status: 0
acme-client: /var/www/acme/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE: created
acme-client: 
https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg: 
challenge
acme-client: order.status 0
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
acme-client: challenge, token: iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/338785251177/Efb4Qg, 
status: -1
acme-client: order.status -1
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/338785251177
acme-client: 203.0.113.51: Fetching 
https://www-server.example.com/.well-known/acme-challenge/iG6ptUbu8wblA1NcB36yC7PRi1-h-lXoMx4MAOn0CoE:
 Error getting validation data
acme-client: bad exit: netproc(20490): 1
