I have run into a problem that seems similar to yours. I'm still
debugging it (or rather trying to find the time to do so), but I believe
the problem is that acme-client does not correctly handle the "pending"
status: it is handled as "valid". As a result, the challenge file is
removed before the acme server could verify it.

In my case, disabling the code that removes the challenge file (see diff
below) improves the chance of success. Perhaps that's helpful to you too
as a temporary workaround.

Index: chngproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/chngproc.c,v
retrieving revision 1.12
diff -p -u -r1.12 chngproc.c
--- chngproc.c  24 Jan 2017 13:32:55 -0000      1.12
+++ chngproc.c  25 May 2018 21:10:39 -0000
@@ -139,8 +139,10 @@ out:
        if (fd != -1)
                close(fd);
        for (i = 0; i < fsz; i++) {
+#if 0
                if (unlink(fs[i]) == -1 && errno != ENOENT)
                        warn("%s", fs[i]);
+#endif
                free(fs[i]);
        }
        free(fs);
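Review bot: wrapping the unlink in `#if 0` disables challenge-file cleanup unconditionally, so every run leaves a token file behind in the challenge directory; if the root cause is that the file is removed before the CA has fetched it, the fix belongs before this cleanup, in the status handling that decides when chngproc may remove the file (the log below shows a single status poll returning "status": "pending" followed immediately by the new-cert request), and the `unlink(fs[i])` / `warn("%s", fs[i])` lines should stay as they are. If the `#if 0` is kept as a temporary workaround, the leftover files are the public key authorization (token plus account-key thumbprint), not a secret, but they should be pruned by hand so the directory does not accumulate stale tokens.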

Scott Vanderbilt (2018-05-25 22:10 +0200):
> I'm having difficulty creating a new SSL cert for a virtual host I'm just
> standing up for the first time. I get the following error on successive
> attempts:
> 
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or
> expired: aeneas.datagenic.com
> 
> I've verified it's not a web server access issue, as I am able to
> successfully retrieve a static HTML file from the challenge directory
> 
>    aeneas$ curl
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>    Foo
>    aeneas$
> 
> Complete verbose error message, config file, and dmesg follow.
> 
> Thanks in advance for any assistance you can lend.
> 
> ------------------------------------------------------------------------------------
> 
> aeneas# acme-client -vvAD aeneas.datagenic.com
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain
> key exists (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
> creating)
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded
> RSA domain key
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
> acme-client: transfer buffer: [{ "key-change":
> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": {
> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
> "website": "https://letsencrypt.org" }, "new-authz":
> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert", "sw0ePngTU-0":
> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
> }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth:
> aeneas.datagenic.com
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value":
> "aeneas.datagenic.com" }, "status": "pending", "expires":
> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status":
> "pending", "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624",
> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
> "dns-01", "status": "pending", "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625",
> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
> "http-01", "status": "pending", "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations":
> [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
> acme-client:
> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
> created
> acme-client: 
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
> challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending",
> "uri":
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization":
> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
> }] (336 bytes)
> acme-client: 
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
> status
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP:
> 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
> "detail": "Error creating new cert :: authorizations for these names not
> found or expired: aeneas.datagenic.com", "status": 403 }] (176 bytes)
> acme-client: bad exit: netproc(38047): 1
> 
> 
> ---------------------------------------------------------
> aeneas$ cat /etc/acme-client.conf
> #
> # $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
> #
> authority letsencrypt {
>         api url "https://acme-v01.api.letsencrypt.org/directory";
>         account key "/etc/acme/letsencrypt-privkey.pem"
> }
> 
> authority letsencrypt-staging {
>         api url "https://acme-staging.api.letsencrypt.org/directory";
>         account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
> 
> domain aeneas.datagenic.com {
> #       alternative names { secure.aeneas.datagenic.com }
>         domain key "/etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem"
>         domain certificate "/etc/ssl/acme/aeneas.datagenic.com/cert.pem"
>         domain chain certificate
> "/etc/ssl/acme/aeneas.datagenic.com/chain.pem"
>         domain full chain certificate
> "/etc/ssl/acme/aeneas.datagenic.com/fullchain.pem"
>         sign with letsencrypt
>         challengedir "/var/www/htdocs/default/acme"
> }
> 
> -------------------------------------------------------------
> aeneas$ dmesg
> 
> OpenBSD 6.3-current (GENERIC.MP) #45: Thu May 24 19:22:57 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4186652672 (3992MB)
> avail mem = 4051607552 (3863MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe92a0 (93 entries)
> bios0: vendor American Megatrends Inc. version "0402" date 07/18/2011
> bios0: ASUSTeK Computer INC. P8H61-M LX
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP APIC SSDT MCFG HPET
> acpi0: wakeup devices UAR1(S4) PS2K(S4) PS2M(S4) BR20(S3) EUSB(S4) P0P3(S4)
> P0P4(S4) P0P1(S4) P0P2(S4) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4)
> PEX5(S4) PEX6(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Celeron(R) CPU G530 @ 2.40GHz, 2394.90 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Celeron(R) CPU G530 @ 2.40GHz, 2394.57 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xe0000000, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (P0P3)
> acpiprt2 at acpi0: bus -1 (P0P4)
> acpiprt3 at acpi0: bus 1 (P0P1)
> acpiprt4 at acpi0: bus -1 (P0P2)
> acpiprt5 at acpi0: bus 2 (PEX0)
> acpiprt6 at acpi0: bus 3 (PEX1)
> acpiprt7 at acpi0: bus 4 (PEX2)
> acpiprt8 at acpi0: bus 6 (PEX4)
> acpicpu0 at acpi0: C3(350@104 mwait.3@0x20), C2(500@80 mwait.3@0x10),
> C1(1000@1 halt), PSS
> acpicpu1 at acpi0: C3(350@104 mwait.3@0x20), C2(500@80 mwait.3@0x10),
> C1(1000@1 halt), PSS
> acpicmos0 at acpi0
> "INT3F0D" at acpi0 not configured
> acpibtn0 at acpi0: PWRB
> "PNP0C14" at acpi0 not configured
> acpivideo0 at acpi0: GFX0
> acpivout0 at acpivideo0: DD02
> cpu0: Enhanced SpeedStep 2394 MHz: speeds: 2400, 2300, 2200, 2100, 2000,
> 1900, 1800, 1700, 1600 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
> ppb0 at pci0 dev 1 function 0 "Intel Core 2G PCIE" rev 0x09: msi
> pci1 at ppb0 bus 1
> inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 2000" rev 0x09
> drm0 at inteldrm0
> inteldrm0: msi
> inteldrm0: 1280x1024, 32bpp
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> "Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
> ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x05: apic 0 int 23
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev
> 2.00/1.00 addr 1
> azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x05: msi
> azalia0: codecs: Realtek/0x0887
> audio0 at azalia0
> ppb1 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb5: msi
> pci2 at ppb1 bus 2
> rtwn0 at pci2 dev 0 function 0 "Realtek RTL8192CE" rev 0x01: msi
> rtwn0: MAC/BB RTL8192CE, RF 6052 2T2R, address 14:da:e9:f0:d9:de
> ppb2 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb5: msi
> pci3 at ppb2 bus 3
> ppb3 at pci0 dev 28 function 2 "Intel 6 Series PCIE" rev 0xb5: msi
> pci4 at ppb3 bus 4
> re0 at pci4 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E-VL
> (0x2c80), msi, address 14:da:e9:b7:15:30
> rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
> ppb4 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb5: msi
> pci5 at ppb4 bus 5
> ppb5 at pci0 dev 28 function 4 "Intel 82801BA Hub-to-PCI" rev 0xb5: msi
> pci6 at ppb5 bus 6
> ppb6 at pci0 dev 28 function 5 "Intel 6 Series PCIE" rev 0xb5: msi
> pci7 at ppb6 bus 7
> ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x05: apic 0 int 23
> usb1 at ehci1: USB revision 2.0
> uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev
> 2.00/1.00 addr 1
> pcib0 at pci0 dev 31 function 0 "Intel H61 LPC" rev 0x05
> pciide0 at pci0 dev 31 function 2 "Intel 6 Series SATA" rev 0x05: DMA,
> channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide0: using apic 0 int 20 for native-PCI interrupt
> wd0 at pciide0 channel 0 drive 0: <INTEL SSDSC2BW120A4>
> wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
> ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x05: apic 0
> int 18
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-10600
> spdmem1 at iic0 addr 0x52: 2GB DDR3 SDRAM PC3-10600
> pciide1 at pci0 dev 31 function 5 "Intel 6 Series SATA" rev 0x05: DMA,
> channel 0 wired to native-PCI, channel 1 wired to native-PCI
> pciide1: using apic 0 int 20 for native-PCI interrupt
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> wbsio0 at isa0 port 0x2e/2: NCT6776F rev 0x33
> lm1 at wbsio0 port 0x290/8: NCT6776F
> uhub2 at uhub0 port 1 configuration 1 interface 0 "Intel Rate Matching Hub"
> rev 2.00/0.00 addr 2
> uhub3 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub"
> rev 2.00/0.00 addr 2
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on wd0a (766cf76462667bec.a) swap on wd0b dump on wd0b

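The http-01 flow the two messages above are about, written out as an added example (not code from this thread and not acme-client's own code): the key authorization served from the challenge directory is token.thumbprint, where the thumbprint is the RFC 7638 base64url SHA-256 of the account key's JWK (the "keyAuthorization" value in the log has exactly that shape), and the token file must stay in place until the CA reports a terminal status ("valid" or "invalid"); "pending" means keep waiting, not clean up. The CA is simulated by a constructed, scripted sequence of statuses so the script runs offline; the JWK is constructed and is not a real key, so its thumbprint does not match the one in the log; the token is the http-01 token from the log.

```python
"""http-01 challenge lifecycle: write the key authorization, poll until the
CA reports a terminal status, and only then remove the file.  Added example;
the CA is a constructed stand-in, not a network client."""
import base64
import hashlib
import json
import os
import tempfile
import time

# Constructed JWK for illustration only; this is not a real RSA public key.
CONSTRUCTED_JWK = {
    "kty": "RSA",
    "n": "xQ7cN2uH1vJ0hX9pZk3sLbWq5yRtE8mA4cF6gB2dK1oP7nV9sT3uY5wZ8aC0eD2fG4",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order,
    no whitespace, SHA-256.  Optional members such as "alg" or "use" are
    deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required},
                       sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Content of /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class FakeCA:
    """Constructed CA: each poll returns the next scripted status; the last
    one is sticky.  An optional observer runs on every poll so a caller can
    check the token file is still present while the CA 'verifies' it."""

    def __init__(self, statuses, observe=None):
        self.statuses = list(statuses)
        self.observe = observe
        self.polls = 0

    def poll(self) -> dict:
        self.polls += 1
        if self.observe:
            self.observe()
        idx = min(self.polls - 1, len(self.statuses) - 1)
        return {"type": "http-01", "status": self.statuses[idx]}


def run_http01(challengedir, token, jwk, ca, max_polls=10, delay=0.0) -> str:
    """Write the token file, wait for a terminal status, then clean up.
    Returns "valid", "invalid" or "timeout".  The file exists for the whole
    time the CA may still fetch it; "pending" / "processing" never trigger
    removal."""
    path = os.path.join(challengedir, token)
    with open(path, "w") as f:
        f.write(key_authorization(token, jwk))
    try:
        for _ in range(max_polls):
            status = ca.poll()["status"]
            if status in ("valid", "invalid"):
                return status
            time.sleep(delay)  # not terminal yet: keep the file and retry
        return "timeout"
    finally:
        # Only here is it safe to unlink; ENOENT is not an error.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def demo(statuses, max_polls=5):
    """Run the lifecycle against a scripted CA in a temporary challenge dir.
    Returns (final status, polls made, file present at every poll,
    file removed afterwards)."""
    token = "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co"  # token from the log
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, token)
        seen = []
        ca = FakeCA(statuses, observe=lambda: seen.append(os.path.exists(path)))
        status = run_http01(d, token, CONSTRUCTED_JWK, ca, max_polls=max_polls)
        return status, ca.polls, all(seen), not os.path.exists(path)


if __name__ == "__main__":
    print(demo(["pending", "pending", "valid"]))
    print(demo(["pending"], max_polls=3))
```

The third element of demo's result is the property the workaround in the diff above is trying to preserve: at every poll the CA makes, the token file is still on disk. The difference is that this version still removes the file once the status is terminal, and treats a CA that stays "pending" as a timeout rather than as success.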