Hi,
I recently dealt with this issue as well and the solution was quite
silly. The problem is that acme-client is failing due to the agreement
url being out of date; there is a new agreement v1.2. acme-client has
been patched in current I believe to fix this issue and automatically
update the agreement url. For now, just change your config to list the
latest agreement url:
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
Hope this helps,
Jordan
On 02/01/18 17:16, Predrag Punosevac wrote:
> Hi Misc,
>
> I have done this half dozen times in the past but I am having helluva
> time using acme-client to sign certificate for a domain. Any clues?
> Please see below machine, acme-client.conf and httpd.conf files
>
> # uname -a
> OpenBSD mcba.autonlab.org 6.2 GENERIC.MP#2 amd64
>
> # more /etc/acme-client.conf
>
> #
> # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
> #
> authority letsencrypt {
> agreement url
> "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
> api url "https://acme-v01.api.letsencrypt.org/directory"
> account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
> agreement url
> "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
> api url "https://acme-staging.api.letsencrypt.org/directory"
> account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain mcba.autonlab.org {
> # alternative names { secure.mcba.autonlab.org }
> domain key "/etc/ssl/acme/private/mcba.autonlab.org.key"
> domain certificate "/etc/ssl/acme/mcba.autonlab.org.crt"
> domain full chain certificate
> "/etc/ssl/acme/mcba.autonlab.org.fullchain.pem"
> sign with letsencrypt
> }
>
>
>
> # more /etc/httpd.conf
>
> # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
>
> #
> # Macros
> #
> ext_addr="*"
>
> #
> # Global Options
> #
> # prefork 3
>
> #
> # Servers
> #
>
> # A name-based "virtual" server on the same address
> # server "mcba.autonlab.org" {
> server "mcba.autonlab.org" {
> listen on $ext_addr port 80
>
> location "/.well-known/acme-challenge/*" {
> root "/acme"
> root strip 2
> }
> # block return 301 "https://$SERVER_NAME$REQUEST_URI"
> }
>
> # An HTTPS server using SSL/TLS
> # server "mcba.autonlab.org" {
> # listen on $ext_addr tls port 443
>
> # TLS certificate and key files created with acme-client(1)
> # tls certificate "/etc/ssl/acme/www.autonsys.com.fullchain.pem"
> # tls key "/etc/ssl/acme/private/www.autonsys.com.key"
>
> # Define server-specific log files relative to /logs
> # log { access "secure-access.log", error "secure-error.log" }
>
> # Increase connection limits to extend the lifetime
> # connection { max requests 500, timeout 3600 }
>
> # root "/htdocs/mcba/pub"
> #}
>
>
> # Include MIME types instead of the built-in ones
> types {
> include "/usr/share/misc/mime.types"
> }
>
>
>
> # acme-client -vAD mcba.autonlab.org
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
> acme-client: /etc/ssl/acme/private/mcba.autonlab.org.key: generated RSA domain key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.196.58.251
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: mcba.autonlab.org
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
> acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized",
> "detail": "No registration exists matching provided key", "status": 403
> }] (120 bytes)
> acme-client: bad exit: netproc(58513): 1
>
>
No comments:
Post a Comment