On 2018-05-26, justina colmena <just...@colmena.biz> wrote:
> On Sat, 26 May 2018 09:14:35 -0700
> Scott Vanderbilt <li...@datagenic.com> wrote:
>
>> On 5/26/2018 4:54 AM, Stuart Henderson wrote:
>>
>> > aeneas.datagenic.com doesn't respond on port 80. (And if I can't
>> > fetch it, letsencrypt's checkers are also unlikely to be able to).
>> >
>> > Firewall issue?
>>
>> Oh, FFS.
>>
>> Yes. A silly pf rule blocking incoming traffic from outside my LAN
>> that I overlooked when I first considered that idea, but then
>> discarded on account of the error message. Which, to me, at least,
>> does not in any reasonable way point to a connection problem.
>>
>> So, thanks very much for applying the clue stick. And, to whom may I
>> suggest that the misleading error message from acme-client be changed
>> to something actually resembling the problem it has encountered?
>>
>
> I had a little trouble with acme-client and was discussing it over here
>
> https://community.letsencrypt.org/t/acme-client-on-openbsd-6-3/61785
>
> My solution involved putting in a CAA ("Certificate Authority
> Authorization") record for the domain for which I was requesting the
> certificate.
That's a dnssec-related problem. Setting a CAA for letsencrypt should make no difference to a validation via letsencrypt (all that would be expected to do is prevent *other* CAs from issuing). But in this case it seems it was working around some broken dnssec handling.

> Of course letsencrypt is supportive of open standards and
> working with other clients, etc., but they do seem to have their own
> client, "certbot", which is available in ports and packages on OpenBSD.
>
> * https://letsencrypt.org/
> * https://certbot.eff.org/
>
> Yes, it would be unreasonable to expect too much support from the
> "certbot" folks on OpenBSD's acme-client, because they aren't the ones
> who are responsible for developing acme-client, although it is a little
> curious to me that "certbot" has such a close relationship with
> "letsencrypt".

certbot used to just be called "letsencrypt" and was some kind of joint EFF/letsencrypt development, hence the close relationship.
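To illustrate the CAA point made in the reply above (a CAA record naming letsencrypt.org only restricts other CAs; it does nothing to help or hinder Let's Encrypt's own validation), here is an added example, not code from the thread or from acme-client, that evaluates CAA the way RFC 8659 tells a CA to. The zone names and records are constructed for the illustration; no DNS lookups are made.

```python
"""CAA evaluation per RFC 8659 over constructed zone data (no real DNS)."""
from typing import Dict, List, Tuple

CaaRR = Tuple[int, str, str]            # (flags, tag, value)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed, hypothetical records: owner name -> CAA RRset.
CAA_ZONE: Dict[str, List[CaaRR]] = {
    "example.com.": [(0, "issue", "letsencrypt.org; validationmethods=http-01")],
    "locked.test.": [(0, "issue", ";")],                      # no CA may issue
    "wild.test.":   [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "crit.test.":   [(128, "futuretag", "x")],                # critical, unknown tag
}


def relevant_caa(name: str, zone: Dict[str, List[CaaRR]]) -> List[CaaRR]:
    """Climb from the FQDN toward the root; the first name holding CAA decides."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []


def _issuer_domain(value: str) -> str:
    # Value is "<domain>[; key=val ...]"; only the domain part is compared.
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CaaRR]],
                 wildcard: bool = False) -> bool:
    """True if a CA identified by `ca` may issue for `name` under the zone's CAA."""
    rrs = relevant_caa(name, zone)
    if not rrs:
        return True                       # no CAA anywhere up the tree: unrestricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return False                      # critical property the CA doesn't understand
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrs):
        tag = "issuewild"                 # issuewild takes precedence for wildcard names
    allowed = [_issuer_domain(v) for _, t, v in rrs if t == tag]
    if not allowed:
        return True                       # relevant property absent: not restricted
    return ca.lower() in allowed          # ";" matches no CA, so it blocks everyone
```

Note that `ca_may_issue("www.example.com.", "letsencrypt.org", CAA_ZONE)` is true while the same call for any other CA domain is false, which is exactly the "prevent other CAs" effect and nothing more.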