I am running cgit to host my git repositories on OpenBSD 6.3 and am
trying to enable https using Let's Encrypt.  The URL of the cgit
repositories is a subdomain of my main domain (e.g. git.domain.com).  I
get the following error below whenever I try to provision a certificate
using acme-client.  I have specified my hosting provider's nameservers
to my domain registrar and have created an A record pointing the "git"
subdomain to my VM's IP address.  Relevant .conf files and
file/directory permissions are below as well.

Any help would be greatly appreciated.  Thanks in advance!
Samir

# acme-client -vAD git.domain.com
acme-client: /etc/ssl/private/git.domain.com.key: domain key exists (not
creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.116.227
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: git.domain.com
acme-client: /var/www/acme/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
\"\u003c!DOCTYPE
html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
http-equiv=\"Content-Type\" content=\"text/html;
charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714",
"token": "nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
"keyAuthorization":
"nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ.cbdgaka6s7Kv6R_a_Rhq_6VMDSKE2D4VdJyddLn65QI",
"validationRecord": [ { "url":
"http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
"hostname": "git.domain.com", "port": "80", "addressesResolved": [
"ip.address" ], "addressUsed": "ip.address" } ] }] (1039 bytes)
acme-client: bad exit: netproc(21893): 1


/etc/httpd.conf:

ext_ip="0.0.0.0"
server "localhost" {
     listen on $ext_ip port 80

     # serve the cgit static files directly
     location "/cgit.*" {
         root "/cgit"
         no fastcgi
     }
     # cgit CGI
     root "/cgi-bin/cgit.cgi"
     fastcgi socket "/run/slowcgi.sock"
     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }
}


/etc/acme-client.conf:

authority letsencrypt {
         api url "https://acme-v01.api.letsencrypt.org/directory"
         account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
         api url "https://acme-staging.api.letsencrypt.org/directory"
         account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain git.domain.com {
         domain key "/etc/ssl/private/git.domain.com.key"
         domain certificate "/etc/ssl/git.domain.com.crt"
         domain full chain certificate
"/etc/ssl/git.domain.com.fullchain.pem"
         sign with letsencrypt
}


/var/www/conf/cgitrc
footer=/conf/cgit.footer

# Enable caching of up to 1000 output entries
cache-size=1000

cache-root=/cgit/cache

# Specify some default clone urls using macro expansion
clone-url=git://git.domain.com/$CGIT_REPO_URL

# Specify the css url
css=/cgit.css

# Show owner on index page
enable-index-owner=0

# Allow http transport git clone
enable-http-clone=0

# Show extra links for each repository on the index page
enable-index-links=0

# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1

# Show number of affected files per commit on the log pages
enable-log-filecount=1

# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1

# Sort branches by date
branch-sort=age

# Add a cgit favicon
favicon=/favicon.ico

# Enable statistics per week, month and quarter
max-stats=quarter

# Set the title and heading of the repository index page
root-title=HotBSD Code Repositories

# Set a subheading for the repository index page
root-desc=

# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz

## List of common mimetypes
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml

## Search for these files in the root of the default branch of repositories
## for coming up with the about page:
readme=:README

virtual-root=/

#scan-path=/htdocs/src
scan-path=/repos

# Disable adhoc downloads of this repo
repo.snapshots=0

# Disable line-counts for this repo
repo.enable-log-linecount=0

# Restrict the max statistics period for this repo
repo.max-stats=month


File/directory permissions:
# ls -all /etc/acme /etc/ssl
/etc/acme:
total 16
drwx------   2 root  wheel   512 Aug  3 12:58 .
drwxr-xr-x  22 root  wheel  1536 Jul 30 01:30 ..
-r--------   1 root  wheel  3272 Aug  3 12:58 letsencrypt-privkey.pem

/etc/ssl:
total 772
drwxr-xr-x   5 root  wheel     512 Jul 29 12:51 .
drwxr-xr-x  22 root  wheel    1536 Jul 30 01:30 ..
drwxr-xr-x   3 root  wheel     512 Jul 29 12:51 acme
-r--r--r--   1 root  bin    349364 Mar 24 20:12 cert.pem
-rw-r--r--   1 root  wheel    2703 Mar 24 20:12 ikeca.cnf
drwxr-xr-x   2 root  wheel     512 Mar 24 20:12 lib
-r--r--r--   1 root  bin       745 Mar 24 20:12 openssl.cnf
drwx------   2 root  wheel     512 Aug  3 12:58 private
-r--r--r--   1 root  bin      1006 Mar 24 20:12 x509v3.cnf

# ls -all /var/www
total 52
drwxr-xr-x  13 root  daemon  512 Jul 19 02:12 .
drwxr-xr-x  23 root  wheel   512 Mar 24 20:43 ..
drwxr-xr-x   2 root  daemon  512 Aug  4 11:50 acme
drwxr-xr-x   2 root  daemon  512 Mar 24 20:12 bin
drwx-----T   2 www   daemon  512 Mar 24 20:12 cache
drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgi-bin
drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgit
drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 conf
drwxr-xr-x   3 root  daemon  512 Mar 24 20:12 htdocs
drwxr-xr-x   2 root  daemon  512 Aug  1 15:00 logs
drwxr-xr-x   4 git   git     512 Jul 20 17:30 repos
drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 run
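
The body Let's Encrypt quotes in the error is an httpd "500 Internal Server Error" page, so the CA reached the right host and port but httpd could not serve the token file. In the posted httpd.conf the `fastcgi socket` directive sits at server scope, and a location inherits it unless it says `no fastcgi` (the cgit location does, the acme-challenge location does not), so the most likely reading is that the token request is handed to slowcgi(8) instead of being served as a plain file from /var/www/acme. The script below is an added example and not part of the original post: it prints the corrected location block, shows which file httpd resolves for a challenge URL under `strip 2`, and, only when given a hostname, drops a probe token into the challenge directory and fetches it with ftp(1) from the base system so the path can be verified before acme-client is run again. The hostname argument, the probe token name and the script's file name are assumptions; the challenge directory defaults to the /var/www/acme path that appears in the log above.

```shell
#!/bin/sh
# acme-preflight.sh: added example, not from the original post.
# Checks that httpd(8) on OpenBSD serves /.well-known/acme-challenge/ as
# static files before acme-client(1) is run again.
#
# Assumptions (adjust to your system): httpd runs chrooted in /var/www and
# acme-client writes tokens to /var/www/acme, as in the posted log.

# Corrected location block. The only change from the posted config is
# "no fastcgi": a location inherits the server-level "fastcgi socket"
# setting unless it disables it, and with fastcgi on httpd passes the token
# request to slowcgi(8) instead of serving the file, which is consistent
# with the 500 page the CA reported.
suggested_location() {
	cat <<'EOF'
    location "/.well-known/acme-challenge/*" {
        no fastcgi
        root { "/acme", strip 2 }
    }
EOF
}

# File httpd resolves for a request: "strip N" removes the first N path
# components of the request URI before appending it to the location root,
# and the result is relative to httpd's chroot.
# usage: challenge_file CHROOT ROOT STRIP REQUEST_PATH
challenge_file() {
	cdir=$1 croot=$2 strip=$3 cpath=$4
	while [ "$strip" -gt 0 ]; do
		cpath=${cpath#/}        # drop the leading slash
		cpath=/${cpath#*/}      # drop the first path component
		strip=$((strip - 1))
	done
	printf '%s%s%s\n' "$cdir" "$croot" "$cpath"
}

# Write a probe token where acme-client would write its own, fetch it via
# the public hostname the CA will use, compare, and clean up. Run as root.
# usage: preflight HOSTNAME [CHALLENGEDIR]
preflight() {
	host=$1 dir=${2:-/var/www/acme}
	token=probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
	printf 'acme-preflight\n' > "$dir/$token"
	chmod 0644 "$dir/$token"
	got=$(ftp -V -o - "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)
	rm -f "$dir/$token"
	if [ "$got" = "acme-preflight" ]; then
		echo "ok: $host serves /.well-known/acme-challenge/ as static files"
		return 0
	fi
	echo "FAIL: expected 'acme-preflight', got '$got'" >&2
	echo "      expected file: $(challenge_file /var/www /acme 2 /.well-known/acme-challenge/"$token")" >&2
	echo "      check for 'no fastcgi' in the acme-challenge location" >&2
	return 1
}

# Sourcing or running without arguments only defines the functions.
if [ $# -gt 0 ]; then
	preflight "$@"
fi
```

Run `sh acme-preflight.sh git.domain.com` as root after editing httpd.conf and reloading httpd; `acme-client -vAD git.domain.com` only makes sense once the probe succeeds. While iterating, point `sign with` at the letsencrypt-staging authority already defined in acme-client.conf: failed validations against the production endpoint count toward its rate limits.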


