On Sat, 26 May 2018 09:14:35 -0700 Scott Vanderbilt <li...@datagenic.com> wrote:
> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>
> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
> > fetch it, letsencrypt's checkers are also unlikely to be able to).
> >
> > Firewall issue?
>
> Oh, FFS.
>
> Yes. A silly pf rule blocking incoming traffic from outside my LAN
> that I overlooked when I first considered that idea, but then
> discarded on account of the error message. Which, to me, at least,
> does not in any reasonable way point to a connection problem.
>
> So, thanks very much for applying the clue stick. And, to whom may I
> suggest that the misleading error message from acme-client be changed
> to something actually resembling the problem it has encountered?
>

I had a little trouble with acme-client and was discussing it over here

https://community.letsencrypt.org/t/acme-client-on-openbsd-6-3/61785

My solution involved putting in a CAA ("Certificate Authority
Authorization") record for the domain for which I was requesting the
certificate.

Of course letsencrypt is supportive of open standards and working with
other clients, etc., but they do seem to have their own client,
"certbot", which is available in ports and packages on OpenBSD.

* https://letsencrypt.org/
* https://certbot.eff.org/

Yes, it would be unreasonable to expect too much support from the
"certbot" folks on OpenBSD's acme-client, because they aren't the ones
who are responsible for developing acme-client, although it is a little
curious to me that "certbot" has such a close relationship with
"letsencrypt".

[justina@blanco ~]$ dig amarillo.colmena.biz caa

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> amarillo.colmena.biz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55341
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;amarillo.colmena.biz.          IN      CAA

;; ANSWER SECTION:
amarillo.colmena.biz.   38362   IN      CAA     0 issue "letsencrypt.org"
amarillo.colmena.biz.   38362   IN      CAA     0 issuewild ";"

;; Query time: 570 msec
;; SERVER: 192.168.44.1#53(192.168.44.1)
;; WHEN: Sat May 26 18:25:19 GMT 2018
;; MSG SIZE rcvd: 107

[justina@blanco ~]$
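
An added example, not part of the original message: a small evaluator that reads the CAA answer lines from dig output like the above and decides, following the RFC 8659 rules for a single record set, whether a given CA may issue for the name and for a wildcard under it. The function names are hypothetical, the sample text is constructed from the answer section shown in the message, and DNS tree climbing to parent names is assumed out of scope.

```python
import re

# Constructed sample: the ANSWER SECTION lines from the dig output in the message.
DIG_ANSWER = '''\
;; ANSWER SECTION:
amarillo.colmena.biz.   38362   IN      CAA     0 issue "letsencrypt.org"
amarillo.colmena.biz.   38362   IN      CAA     0 issuewild ";"
'''

# name, TTL, class IN, type CAA, flags, tag, quoted value
CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this example understands


def parse_caa(dig_text):
    """Return [(flags, tag, value)] for each CAA answer line; dig comment lines are skipped."""
    records = []
    for line in dig_text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value; '' (as in ";") names no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca, wildcard=False):
    """Apply RFC 8659 to one record set: True if `ca` is allowed to issue."""
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard requests issuewild replaces issue when present;
    # for non-wildcard requests issuewild is ignored.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting property: any CA may issue
    return any(issuer_domain(v) == ca.lower() for v in relevant)


if __name__ == "__main__":
    recs = parse_caa(DIG_ANSWER)
    print("host cert via letsencrypt.org:", may_issue(recs, "letsencrypt.org"))
    print("wildcard via letsencrypt.org:", may_issue(recs, "letsencrypt.org", wildcard=True))
```

With the two records shown, the host certificate is permitted for letsencrypt.org only, and the `issuewild ";"` record blocks wildcard issuance by every CA.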