I started having some problems with cert renewal using acme-client after
upgrading to 7.3 (not really sure 7.3 has anything to do with the following,
however). I've verified that nothing has changed and that httpd is listening
correctly, etc.

When I run acme-client and watch for any changes to 
/var/www/htdocs/example.org/.well-known/acme-client I never see any files
being written to that directory (which is likely leading to the 404). Is
the client supposed to write a temporary file for remote validation?

Does anyone see any issues or errors in the configurations that follow the
output?

Thanks in advance.


# acme-client -v www.example.com
acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate renewable: 
29 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS: 
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, 
status: 0
acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: created
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, 
status: 0
acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: created
acme-client: 
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg: 
challenge
acme-client: 
https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw: 
challenge
acme-client: order.status 0
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, 
status: -1
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, 
status: -1
acme-client: order.status -1
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: 2600:fee:bee::e:8:0: Invalid response from 
https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk:
 404
acme-client: dochngreq: 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: 2600:fee:bee::e:8:0: Invalid response from 
https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8:
 404
acme-client: bad exit: netproc(16493): 1


### The www directory for the acme-challenge exists:

# ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
drwxr-xr-x  2 username  staff  512 Apr 12 08:08 
/var/www/htdocs/example.com/.well-known/acme-challenge/


### Relevant portions of my httpd.conf 

# Listen-address macros shared by all four server blocks below.
# The IPv4 value is obviously redacted in the post; the IPv6 one is the
# address the validator reported talking to in the acme-client log
# (2600:fee:bee::e:8:0), so the v6 listener is the one that answered.
www_v4="x.y.10.10"
www_v6_a="2600:fee:bee::e:8:0"

# HTTPS vhost for www.example.com.
# NOTE(review): this server has no "/.well-known/acme-challenge/*" location.
# A validation request that reaches it over HTTPS (for instance after the
# port-80 vhost below redirects it) is presumably resolved under
# root "/htdocs/example.com", where no challenge file exists -- which matches
# the 404 the acme-client log reports at the https://www.example.com/... URL.
# If HTTPS is ever meant to answer challenges, the same acme-challenge
# location used on port 80 (root "/acme", request strip 2) is needed here too.
server "www.example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
    # Same chain/key that acme-client renews (see acme-client.conf); httpd
    # has to be reloaded after a renewal to pick up the new chain.
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
    protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
    log { access "access.log", error "error.log" } 
  root "/htdocs/example.com"
  # "auto index" generates a directory listing for any path without an index
  # file; that exposes file names under /htdocs/example.com -- confirm this
  # is intended rather than a leftover default.
  directory auto index
}

# HTTPS vhost for the bare example.com, identical to the www vhost above.
# It serves the same chain; that works because acme-client.conf lists
# example.com under "alternative names", so the cert's SAN covers it.
# NOTE(review): like the www vhost, it has no acme-challenge location, so a
# challenge redirected here over HTTPS ends in a 404 under the document root.
server "example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
    protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
    log { access "access.log", error "error.log" } 
  root "/htdocs/example.com"
  # Directory listings enabled here as well -- verify that is intended.
  directory auto index
}

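# Plain-HTTP vhost for www.example.com: answer ACME HTTP-01 challenges and
# redirect everything else to HTTPS.
#
# The original put "block return 301 ..." at server level. A server-level
# block also applies inside a location unless that location says "pass"
# (httpd.conf(5) describes pass as disabling a previous block in a location),
# so the challenge request itself was redirected to https://www.example.com/...
# -- the HTTPS vhost has no acme-challenge location, hence the 404 at exactly
# that https:// URL in the acme-client log. Scoping the redirect to
# "location *" (the form /etc/examples/httpd.conf uses) leaves the challenge
# location reachable over HTTP. The stray trailing ";" on the block line,
# which the example config does not use, is dropped.
server "www.example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  # acme-client creates the challenge files under /var/www/acme (see the
  # "... : created" lines in the log). httpd runs chrooted to /var/www, so
  # root "/acme" is that directory; "request strip 2" removes the two leading
  # path components (.well-known/acme-challenge) before the lookup, leaving
  # just the token as the file name.
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  # Everything that is not a challenge goes to HTTPS.
  location * {
    block return 301 "https://www.example.com$REQUEST_URI"
  }
}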

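# Plain-HTTP vhost for the bare example.com: serve HTTP-01 challenges, send
# every other request to the canonical https://www.example.com host.
#
# Same fix as for the www.example.com port-80 vhost: a server-level
# "block return" also covers the acme-challenge location (only "pass" in the
# location would exempt it, per httpd.conf(5)), which is why the validator
# ended up at an https:// URL that 404s in the acme-client log. Moving the
# redirect into "location *" keeps the challenge served over HTTP. The
# trailing ";" on the block line is dropped; the example config has none.
server "example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  # Challenge files live in /var/www/acme (the log shows acme-client creating
  # them there); with httpd chrooted to /var/www, root "/acme" points at that
  # directory and "request strip 2" drops ".well-known/acme-challenge".
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  # Redirect to the canonical www host over HTTPS for all other paths.
  location * {
    block return 301 "https://www.example.com$REQUEST_URI"
  }
}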


### ACME client config

# acme-client.conf
# Production Let's Encrypt authority (ACME v2 directory URL, matching the
# acme-v02 URLs in the log). The account key identifies this host's ACME
# registration and is separate from the per-domain key below; it must stay
# private and readable only by acme-client.
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-privkey.pem"
}

# Staging authority: same protocol, but certificates issued from it are not
# publicly trusted and its rate limits are much looser than production's.
# Handy while debugging a challenge problem like the 404s above: point
# "sign with" in the domain block at letsencrypt-staging until validation
# succeeds, then switch back. It uses its own account key.
authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

# Certificate for www.example.com with example.com as a SAN; both names are
# validated, which is why the log shows two authz/challenge pairs.
# No "challengedir" is set, so acme-client uses its default /var/www/acme --
# the "/var/www/acme/<token>: created" lines in the log confirm that. The
# files are therefore never written under /htdocs; httpd has to map
# /.well-known/acme-challenge/ onto /acme (the port-80 location in
# httpd.conf) for the validator to find them.
# The key and chain paths are the ones httpd's tls block loads; httpd does
# not notice a renewed chain by itself and needs a reload afterwards.
domain www.example.com {
 alternative names { example.com }
 domain key "/etc/ssl/private/www.example.com.key.pem"
 domain full chain certificate "/etc/ssl/certs/www.example.com.chain.pem"
        sign with letsencrypt
}
