Hi!

I am using step-ca to host my own acme provisioner (which is already working - 
existing proxmox servers can request and get x509 TLS certificates), and as a 
next step I wanted to use acme-client on OpenBSD servers, since it's deployed 
within the default installation. So I added it to /etc/acme-client.conf:
```
[...]
    api url "https://use.some.domain.com:8443/acme/acme/directory"
[...]
```

But, when I run acme-client to actually get a certificate it terminates with 
the following error:
```
acme-client: https://use.some.domain.com:8443/acme/acme/directory: directories
acme-client: use.some.domain.com:8443: parse error: non-recoverable failure in name resolution
acme-client: https://use.some.domain.com:8443/acme/acme/directory: bad comm
acme-client: bad exit: netproc(21203): 1
acme-client: bad exit: dnsproc(35017): 1
```

I think acme-client's interpretation of the hostname is wrong, since it's 
trying to resolve the hostname including the tcp port as well.

What I've tried so far:
Using a relayd configuration to forward port 443 to 8443 (this was not 
working correctly - just to prove a point) and changing the api url within 
acme-client.conf to get rid of the port definition:
```
[...]
    api url "https://use.some.domain.com/acme/acme/directory"
[...]
```

When having the relayd setup waiting for connections and using acme-client I 
got the following error (which makes me even more confident that there is a 
problem in acme-client's handling of the hostname):
```
acme-client: 10.42.120.12: tls_write: handshake failed: unexpected EOF
acme-client: 10.42.120.12: tls_read: handshake failed: unexpected EOF
```

I don't want to set up relayd properly to handle my TLS etc., since I am 
totally fine having the step-ca service handle it over port 8443.

I am currently running OpenBSD 7.3, with default setup/configuration - nothing 
special.

Thank you in advance and best regards
Ronald
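
The failure described above is the resolver being handed "use.some.domain.com:8443" instead of the bare host. As an added illustration (not acme-client's own code, and not a patch for it), here is a small C routine that splits an https directory URL into host, port and path the way a client must before calling the resolver; the URL is the one from the post, the function name and the 443 default are assumptions, and bracketed IPv6 literals are not handled.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Split "https://host[:port]/path" so that only the bare host name is
 * passed to name resolution. Returns 0 on success, -1 on a malformed
 * URL. port defaults to 443 when the URL carries none. (Added example,
 * not OpenBSD's acme-client implementation.)
 */
int
split_url(const char *url, char *host, size_t hostsz, int *port,
    const char **path)
{
	const char *p, *end, *colon;
	size_t len;

	if (strncmp(url, "https://", 8) != 0)
		return -1;
	p = url + 8;
	end = strchr(p, '/');		/* start of the path, may be absent */
	if (end == NULL)
		end = p + strlen(p);
	*path = (*end == '/') ? end : "/";

	/* An explicit port is the digits after the last ':' before the path. */
	*port = 443;
	colon = memchr(p, ':', end - p);
	if (colon != NULL) {
		char *ep;
		long v = strtol(colon + 1, &ep, 10);

		if (ep != end || v < 1 || v > 65535)
			return -1;	/* empty or out-of-range port */
		*port = (int)v;
		end = colon;		/* host ends before the ':' */
	}
	len = end - p;
	if (len == 0 || len >= hostsz)
		return -1;
	memcpy(host, p, len);		/* host without port: what the resolver gets */
	host[len] = '\0';
	return 0;
}
```

With the post's URL this yields host "use.some.domain.com", port 8443 and path "/acme/acme/directory"; the same URL without ":8443" falls back to port 443.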
