updating with a little more info on most-recent error.

On Mon, 30 Dec 2024 22:54:52 -0500, Amelia A Lewis wrote:
[snip]
> lessee, delete an 'acme-' ...
> 
> $ doas acme-client -vv simmonpatch.com 
> acme-client: /etc/acme/letsencrypt-staging-privkey.pem: loaded account 
> key
> acme-client: /etc/ssl/private/leo-simmonpatch.com.key: loaded domain key
> acme-client: https://staging.api.letsencrypt.org/directory: directories
> acme-client: staging.api.letsencrypt.org: DNS: 172.65.46.172
> acme-client: 172.65.46.172: tls_write: name 
> `staging.api.letsencrypt.org' not present in server certificate
> acme-client: 172.65.46.172: tls_read: name 
> `staging.api.letsencrypt.org' not present in server certificate
> acme-client: https://staging.api.letsencrypt.org/directory: bad comm
> acme-client: bad exit: netproc(18286): 1
> 
[snip some more; i talk too much]
> 
> Thanks for the quick reply and pointers! Have you any idea what the 
> tls_write tls_read errors are? They're not triggering off pretend pear 
> x1 and bogus broccoli x2 are they?

Call stack for the tls_read/tls_write bit:

netproc.c/nreq() -> http.c/http_get() -> http.c/http_alloc() \
    -> http.c/dotlsread() -> http.c/tls_read()
    -> http.c/dotlswrite() -> http.c/tls_write()

There are three calls of http_get() in netproc, one directly in nreq() 
(most likely?, line 203), and two more in sreq(), which isn't called by 
nreq() directly, but is called ten times by various dosomething() 
functions, and it's too late for me to continue tracing (prolly easier 
to instrument, but reading (somebody else's) code does make it easier 
to sleep).

I'm not familiar enough with certificate contents and the protocol's 
expectations of contents to decipher which server is supposed to have 
staging.api in it and doesn't. Prolly the one delivered by staging.api 
to identify itself? which seems ... weird. One would expect a server 
providing certificate chains to remember to add its own link to its own 
cert chain. Very absent minded to forget such a thing, like getting all 
dressed up to go out for dinner, only to realize on arrival that one is 
not wearing shoes. Not impossible, but rather unexpected. And with that 
horribly strained analogy, I'm out for the night.

Amy!
Amelia A. Lewis                    amyzing {at} talsever.com
Love?
A joke, that.  Love was the problem, not the solution.  Being hit by a
car was better than love.
            -- Steven Brust, PJF, "Cowboy Feng's Space Bar and Grille"
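
The "name ... not present in server certificate" lines in the log above report a failed hostname check: the name the client asked for is compared with the names in the certificate presented by whatever answered at that IP address. The following is an added sketch of that kind of check, not part of the original message and not acme-client's or libtls's own code; the function names and SAN lists are constructed, and the wildcard rules (a leading `*.` only, covering exactly one label) are an assumption based on common RFC 6125 practice.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 if one certificate name covers host, else 0. */
static int name_matches(const char *cert_name, const char *host)
{
    if (strcasecmp(cert_name, host) == 0)
        return 1;                        /* exact, case-insensitive match */
    if (strncmp(cert_name, "*.", 2) != 0)
        return 0;                        /* only a leading "*." is a wildcard */
    const char *suffix = cert_name + 1;  /* e.g. ".api.example.org" */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;                        /* refuse "*.org"-style wildcards */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                        /* host needs a non-empty first label */
    /* The wildcard stands for exactly one left-most label. */
    return strcasecmp(suffix, dot) == 0;
}

/* Hypothetical helper: 1 if any SAN dNSName in the list covers host. */
int host_in_cert(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches(sans[i], host))
            return 1;
    return 0;
}

/* Constructed SAN lists, not taken from any real certificate. */
static const char *const SANS_EXPECTED[] = { "api.example.org", "*.api.example.org" };
static const char *const SANS_OTHER[]    = { "gateway.example.net", "*.example.net" };

int main(void)
{
    const char *host = "staging.api.example.org";   /* constructed name */
    printf("expected server: %s\n",
        host_in_cert(SANS_EXPECTED, 2, host) ? "ok" : "name not present");
    /* A different host answering on the resolved IP fails the same check. */
    printf("other server:    %s\n",
        host_in_cert(SANS_OTHER, 2, host) ? "ok" : "name not present");
    return 0;
}
```

The check runs against the certificate of the peer that actually answered, so comparing the resolved address and the presented certificate's names is the first thing to inspect when this error appears.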
