Thursday, July 06, 2017

Re: [OpenBSD 6.1] acme-client + nginx

On 2017-07-06, Stephane HUC "PengouinBSD" <bsd@stephane-huc.net> wrote:
> From: "Stephane HUC \"PengouinBSD\"" <bsd@stephane-huc.net>
> Reply-To: bsd@stephane-huc.net
> To: misc@openbsd.org
> Message-ID: <629618fb-cc48-f929-d285-46f9d08e8f3d@stephane-huc.net>
> Subject: [OpenBSD 6.1] acme-client + nginx
>
> Hi, I attempt to use acme-client on an OpenBSD 6.1 server, with nginx running.
>
> But it fails with a bad response.

...

> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
> \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
> Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody

...

LE fetches from http://test.obsd4a.net/.well-known/acme-challenge/(filename)
but gets 404 Not Found.

> I try with this nginx config:
>
> location ^~ /.well-known/acme-challenge {
>     #alias /var/www/acme;
>     #try_files $uri =404;
>     allow all;
>     default_type "text/plain";
>     proxy_redirect off;
>     root /var/www/acme;
> }

With "root" it will look in /var/www/acme/.well-known/acme-challenge.
Either adjust acme-client config to place the files there, or adjust nginx
config to serve files from the actual location.

Test by writing a file to the directory acme-client uses and make sure you
can fetch it yourself. Only reattempt acme-client when this works; they have a
rate-limit for bad auths and will blacklist you for a while if you exceed it.

> or this:
>
> location ^~ /.well-known/acme-challenge {
>     alias /usr/local/www/acme;
>     try_files $uri =404;
> }

/usr/local/www seems unlikely on OpenBSD.

I just have

location /.well-known/acme-challenge { root /var/www/letsencrypt/; }

and

challengedir "/var/www/letsencrypt/.well-known/acme-challenge"

but there are several ways you can configure this. (e.g. you might want
to use a different directory layout if you have anything else that uses
the RFC5785 .well-known URIs). It doesn't matter what you use as long as
letsencrypt can fetch the file that acme-client wrote.
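A way to check the root/alias mapping discussed above before retrying acme-client and burning rate-limit: an added example, not from the thread nor from acme-client or nginx. It mimics nginx's path mapping in Python; the directory names are the ones quoted in the thread, and the temporary directory is a constructed stand-in for a docroot.

```python
"""Added example (not from the thread): resolve where nginx looks on disk for
an ACME http-01 request under 'root' versus 'alias', and check that against
the directory acme-client writes to (its 'challengedir')."""
import tempfile
from pathlib import Path, PurePosixPath

CHALLENGE_PREFIX = "/.well-known/acme-challenge"

def nginx_disk_path(location: str, directive: str, value: str, uri: str) -> str:
    """Mimic nginx's path mapping for a prefix location block.
    root  -> <value> + <full request URI>
    alias -> <value> + <URI with the location prefix stripped>"""
    if not uri.startswith(location):
        raise ValueError(f"{uri} is outside location {location}")
    if directive == "root":
        return str(PurePosixPath(value) / uri.lstrip("/"))
    if directive == "alias":
        return str(PurePosixPath(value) / uri[len(location):].lstrip("/"))
    raise ValueError(f"unsupported directive {directive}")

def challenge_dir(location: str, directive: str, value: str) -> str:
    """Directory nginx will serve challenge files from for this config."""
    probe = nginx_disk_path(location, directive, value, location + "/probe")
    return str(PurePosixPath(probe).parent)

def local_probe(location, directive, value, challengedir, token="probe-token"):
    """Offline version of the test suggested in the thread: write a file where
    acme-client would, then check nginx's mapped path actually hits it."""
    d = Path(challengedir)
    d.mkdir(parents=True, exist_ok=True)
    (d / token).write_text("ok\n")
    return Path(nginx_disk_path(location, directive, value, f"{location}/{token}")).is_file()

def demo() -> dict:
    """The three configs quoted in the thread, plus two filesystem probes."""
    out = {
        "root_acme": challenge_dir(CHALLENGE_PREFIX, "root", "/var/www/acme"),
        "alias_usr_local": challenge_dir(CHALLENGE_PREFIX, "alias", "/usr/local/www/acme"),
        "root_letsencrypt": challenge_dir(CHALLENGE_PREFIX, "root", "/var/www/letsencrypt/"),
    }
    tmp = tempfile.mkdtemp()  # constructed stand-in for the docroot, not /var/www
    # challengedir laid out under the docroot: consistent with 'root <tmp>'
    out["probe_ok"] = local_probe(CHALLENGE_PREFIX, "root", tmp, f"{tmp}/.well-known/acme-challenge")
    # challengedir equal to the docroot itself (assumed mismatch): nginx looks one level deeper -> 404
    out["probe_404"] = local_probe(CHALLENGE_PREFIX, "root", tmp, tmp, token="other")
    return out
```

Once `challenge_dir(...)` equals the `challengedir` in acme-client.conf, fetch the probe file over HTTP from outside as the reply suggests; only then rerun acme-client.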
