Friday, May 25, 2018

Re: acme-client new cert error

On 5/25/2018 2:20 PM, Fred wrote:
> On 05/25/18 21:10, Scott Vanderbilt wrote:
>> I'm having difficulty creating a new SSL cert for a virtual host I'm
>> just standing up for the first time. I get the following error on
>> successive attempts:
>>
>> urn:acme:error:unauthorized
>> Error creating new cert :: authorizations for these names not found or
>> expired: aeneas.datagenic.com
>>
>> I've verified it's not a web server access issue, as I am able to
>> successfully retrieve a static HTML file from the challenge directory
>>
>>     aeneas$ curl
>> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>>     Foo
>>     aeneas$
>>
>> Complete verbose error message, config file, and dmesg follow.
>>
>> Thanks in advance for any assistance you can lend.
>>
>> ------------------------------------------------------------------------------------
>>
>>
>> aeneas# acme-client -vvAD aeneas.datagenic.com
>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem:
>> domain key exists (not creating)
>> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists
>> (not creating)
>> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem:
>> loaded RSA domain key
>> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
>> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
>> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
>> acme-client: transfer buffer: [{ "key-change":
>> "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": {
>> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
>> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
>> "website": "https://letsencrypt.org" }, "new-authz":
>> "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert":
>> "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg":
>> "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert":
>> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
>> "sw0ePngTU-0":
>> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
>> }] (658 bytes)
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
>> req-auth: aeneas.datagenic.com
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: transfer buffer: [{ "identifier": { "type": "dns",
>> "value": "aeneas.datagenic.com" }, "status": "pending", "expires":
>> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01",
>> "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624",
>> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
>> "dns-01", "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625",
>> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
>> "http-01", "status": "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ],
>> "combinations": [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
>> acme-client:
>> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
>> created
>> acme-client:
>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>> challenge
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: transfer buffer: [{ "type": "http-01", "status":
>> "pending", "uri":
>> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626",
>> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co",
>> "keyAuthorization":
>> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
>> }] (336 bytes)
>> acme-client:
>> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
>> status
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert:
>> certificate
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: acme-v01.api.letsencrypt.org: cached
>> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad
>> HTTP: 403
>> acme-client: transfer buffer: [{ "type":
>> "urn:acme:error:unauthorized", "detail": "Error creating new cert ::
>> authorizations for these names not found or expired:
>> aeneas.datagenic.com", "status": 403 }] (176 bytes)
>> acme-client: bad exit: netproc(38047): 1
>>
>>
>> ---------------------------------------------------------
>> aeneas$ cat /etc/acme-client.conf
>> #
>> # $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
>> #
>> authority letsencrypt {
>>          api url "https://acme-v01.api.letsencrypt.org/directory"
>>          account key "/etc/acme/letsencrypt-privkey.pem"
>> }
>>
>> authority letsencrypt-staging {
>>          api url "https://acme-staging.api.letsencrypt.org/directory"
>>          account key "/etc/acme/letsencrypt-staging-privkey.pem"
>> }
>>
>> domain aeneas.datagenic.com {
>> #       alternative names { secure.aeneas.datagenic.com }
>>          domain key
>> "/etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem"
>>          domain certificate "/etc/ssl/acme/aeneas.datagenic.com/cert.pem"
>>          domain chain certificate
>> "/etc/ssl/acme/aeneas.datagenic.com/chain.pem"
>>          domain full chain certificate
>> "/etc/ssl/acme/aeneas.datagenic.com/fullchain.pem"
>>          sign with letsencrypt
>>          challengedir "/var/www/htdocs/default/acme"
>> }
>>
>> -------------------------------------------------------------
>> aeneas$ dmesg
>>
>> OpenBSD 6.3-current (GENERIC.MP) #45: Thu May 24 19:22:57 MDT 2018
>> deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 4186652672 (3992MB)
>> avail mem = 4051607552 (3863MB)
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe92a0 (93 entries)
>> bios0: vendor American Megatrends Inc. version "0402" date 07/18/2011
>> bios0: ASUSTeK Computer INC. P8H61-M LX
>> acpi0 at bios0: rev 2
>> acpi0: sleep states S0 S1 S3 S4 S5
>> acpi0: tables DSDT FACP APIC SSDT MCFG HPET
>> acpi0: wakeup devices UAR1(S4) PS2K(S4) PS2M(S4) BR20(S3) EUSB(S4)
>> P0P3(S4) P0P4(S4) P0P1(S4) P0P2(S4) PEX0(S4) PEX1(S4) PEX2(S4)
>> PEX3(S4) PEX4(S4) PEX5(S4) PEX6(S4) [...]
>> acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: Intel(R) Celeron(R) CPU G530 @ 2.40GHz, 2394.90 MHz
>> cpu0:
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
>>
>> cpu0: 256KB 64b/line 8-way L2 cache
>> cpu0: smt 0, core 0, package 0
>> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
>> cpu0: apic clock running at 99MHz
>> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
>> cpu1 at mainbus0: apid 2 (application processor)
>> cpu1: Intel(R) Celeron(R) CPU G530 @ 2.40GHz, 2394.57 MHz
>> cpu1:
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
>>
>> cpu1: 256KB 64b/line 8-way L2 cache
>> cpu1: smt 0, core 1, package 0
>> ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 20, 24 pins
>> acpimcfg0 at acpi0 addr 0xe0000000, bus 0-63
>> acpihpet0 at acpi0: 14318179 Hz
>> acpiprt0 at acpi0: bus 0 (PCI0)
>> acpiprt1 at acpi0: bus -1 (P0P3)
>> acpiprt2 at acpi0: bus -1 (P0P4)
>> acpiprt3 at acpi0: bus 1 (P0P1)
>> acpiprt4 at acpi0: bus -1 (P0P2)
>> acpiprt5 at acpi0: bus 2 (PEX0)
>> acpiprt6 at acpi0: bus 3 (PEX1)
>> acpiprt7 at acpi0: bus 4 (PEX2)
>> acpiprt8 at acpi0: bus 6 (PEX4)
>> acpicpu0 at acpi0: C3(350@104 mwait.3@0x20), C2(500@80 mwait.3@0x10),
>> C1(1000@1 halt), PSS
>> acpicpu1 at acpi0: C3(350@104 mwait.3@0x20), C2(500@80 mwait.3@0x10),
>> C1(1000@1 halt), PSS
>> acpicmos0 at acpi0
>> "INT3F0D" at acpi0 not configured
>> acpibtn0 at acpi0: PWRB
>> "PNP0C14" at acpi0 not configured
>> acpivideo0 at acpi0: GFX0
>> acpivout0 at acpivideo0: DD02
>> cpu0: Enhanced SpeedStep 2394 MHz: speeds: 2400, 2300, 2200, 2100,
>> 2000, 1900, 1800, 1700, 1600 MHz
>> pci0 at mainbus0 bus 0
>> pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
>> ppb0 at pci0 dev 1 function 0 "Intel Core 2G PCIE" rev 0x09: msi
>> pci1 at ppb0 bus 1
>> inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 2000" rev 0x09
>> drm0 at inteldrm0
>> inteldrm0: msi
>> inteldrm0: 1280x1024, 32bpp
>> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
>> wsdisplay0: screen 1-5 added (std, vt100 emulation)
>> "Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
>> ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x05: apic 0
>> int 23
>> usb0 at ehci0: USB revision 2.0
>> uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev
>> 2.00/1.00 addr 1
>> azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x05: msi
>> azalia0: codecs: Realtek/0x0887
>> audio0 at azalia0
>> ppb1 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb5: msi
>> pci2 at ppb1 bus 2
>> rtwn0 at pci2 dev 0 function 0 "Realtek RTL8192CE" rev 0x01: msi
>> rtwn0: MAC/BB RTL8192CE, RF 6052 2T2R, address 14:da:e9:f0:d9:de
>> ppb2 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb5: msi
>> pci3 at ppb2 bus 3
>> ppb3 at pci0 dev 28 function 2 "Intel 6 Series PCIE" rev 0xb5: msi
>> pci4 at ppb3 bus 4
>> re0 at pci4 dev 0 function 0 "Realtek 8168" rev 0x06:
>> RTL8168E/8111E-VL (0x2c80), msi, address 14:da:e9:b7:15:30
>> rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
>> ppb4 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb5: msi
>> pci5 at ppb4 bus 5
>> ppb5 at pci0 dev 28 function 4 "Intel 82801BA Hub-to-PCI" rev 0xb5: msi
>> pci6 at ppb5 bus 6
>> ppb6 at pci0 dev 28 function 5 "Intel 6 Series PCIE" rev 0xb5: msi
>> pci7 at ppb6 bus 7
>> ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x05: apic 0
>> int 23
>> usb1 at ehci1: USB revision 2.0
>> uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev
>> 2.00/1.00 addr 1
>> pcib0 at pci0 dev 31 function 0 "Intel H61 LPC" rev 0x05
>> pciide0 at pci0 dev 31 function 2 "Intel 6 Series SATA" rev 0x05: DMA,
>> channel 0 configured to native-PCI, channel 1 configured to native-PCI
>> pciide0: using apic 0 int 20 for native-PCI interrupt
>> wd0 at pciide0 channel 0 drive 0: <INTEL SSDSC2BW120A4>
>> wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
>> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
>> ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x05:
>> apic 0 int 18
>> iic0 at ichiic0
>> spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-10600
>> spdmem1 at iic0 addr 0x52: 2GB DDR3 SDRAM PC3-10600
>> pciide1 at pci0 dev 31 function 5 "Intel 6 Series SATA" rev 0x05: DMA,
>> channel 0 wired to native-PCI, channel 1 wired to native-PCI
>> pciide1: using apic 0 int 20 for native-PCI interrupt
>> isa0 at pcib0
>> isadma0 at isa0
>> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
>> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
>> pckbd0 at pckbc0 (kbd slot)
>> wskbd0 at pckbd0: console keyboard, using wsdisplay0
>> pms0 at pckbc0 (aux slot)
>> wsmouse0 at pms0 mux 0
>> pcppi0 at isa0 port 0x61
>> spkr0 at pcppi0
>> lpt0 at isa0 port 0x378/4 irq 7
>> wbsio0 at isa0 port 0x2e/2: NCT6776F rev 0x33
>> lm1 at wbsio0 port 0x290/8: NCT6776F
>> uhub2 at uhub0 port 1 configuration 1 interface 0 "Intel Rate Matching
>> Hub" rev 2.00/0.00 addr 2
>> uhub3 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching
>> Hub" rev 2.00/0.00 addr 2
>> vscsi0 at root
>> scsibus1 at vscsi0: 256 targets
>> softraid0 at root
>> scsibus2 at softraid0: 256 targets
>> root on wd0a (766cf76462667bec.a) swap on wd0b dump on wd0b
>>
>>
>
> Hi,
>
> What does your httpd.conf say for acme-challenge?
>

Sorry. Using nginx.

aeneas$ ls -al /var/www/htdocs/default/
total 16
drwxr-xr-x 3 root daemon 512 May 25 09:56 .
drwxr-xr-x 8 root daemon 512 May 25 10:03 ..
drwxr-xr-x 2 root daemon 512 May 25 12:41 acme

aeneas$ nginx -v
nginx version: nginx/1.14.0

aeneas$ cat /etc/nginx/aeneas.datagenic.com.inc

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name aeneas.datagenic.com;
    access_log logs/aeneas_access.log;
    error_log logs/aeneas_error.log debug; # warn or debug
    rewrite_log on;
    root /var/www/htdocs/default;
    try_files $uri $uri/ /index.php;

    location ~ \.php$ {
        fastcgi_connect_timeout 3s;
        fastcgi_read_timeout 10s;
        fastcgi_pass unix:run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # acme-client drops the token file into challengedir
    # (/var/www/htdocs/default/acme); map the URI the CA fetches onto it.
    # "break" stops further rewriting and serves the rewritten URI as a
    # static file relative to this server's root.
    location ~ ^/\.well-known/acme-challenge/ {
        auth_basic off;
        #return 200 $uri;
        rewrite ^(/\.well-known/acme-challenge)(.*)$ /acme$2 break;
    }
}
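
The acme-client log above walks the whole ACME v1 flow (directory, new-authz, token file written into challengedir, challenge POSTed, status polled, new-cert), and the 403 at the end turns on one check on the CA's side: the body it fetched from http://aeneas.datagenic.com/.well-known/acme-challenge/<token> must equal the keyAuthorization shown in the log, which is the token, a dot, and the RFC 7638 thumbprint of the account key in /etc/acme/letsencrypt-privkey.pem; only an authorization that passed that check is accepted by new-cert. The following is an added example, not code from acme-client, OpenBSD or Let's Encrypt. The key-authorization format and the thumbprint computation are as the ACME and JWK specifications define them; ACCOUNT_JWK (filler, not a real key), ToyCA, and the dict standing in for the web root are constructed for this example so that it runs offline.

```python
"""ACME http-01: what the CA checks before it signs, and why it answers 403.

Added example, not acme-client or Let's Encrypt code. ACCOUNT_JWK, ToyCA and
the web-root dict are constructed stand-ins; the key authorization
(token "." base64url(JWK thumbprint)) and RFC 7638 thumbprint are as specified.
"""
import base64
import hashlib
import hmac
import json
import re
import secrets

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed JWK: the modulus is filler of a 2048-bit key's length, not a real key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(hashlib.sha256(b"not a real modulus").digest() * 8),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Extra members such as "kid" or "alg" must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact body the CA expects at CHALLENGE_PREFIX + token. The token also
    names a file under challengedir, so refuse anything that is not base64url
    before it can become part of a path."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url: %r" % token)
    return "%s.%s" % (token, jwk_thumbprint(account_jwk))


def http01_body_ok(served: str, token: str, account_jwk: dict) -> bool:
    """CA-side comparison. Only a trailing newline is tolerated (echo or an
    editor adds one); any other difference is a mismatch."""
    expected = key_authorization(token, account_jwk).encode("utf-8")
    return hmac.compare_digest(served.rstrip("\r\n").encode("utf-8"), expected)


class ToyCA:
    """In-memory stand-in for the CA's authorization store; `fetch` stands in
    for the CA's own HTTP GET of the challenge URL."""

    def __init__(self, fetch):
        self.fetch = fetch      # callable: URL path -> body or None
        self.authz = {}         # name -> {"token": ..., "status": ...}

    def new_authz(self, name: str) -> dict:
        token = secrets.token_urlsafe(32)   # 43 base64url chars, like the log's
        self.authz[name] = {"token": token, "status": "pending"}
        return {"identifier": {"type": "dns", "value": name}, "status": "pending",
                "challenges": [{"type": "http-01", "status": "pending", "token": token}]}

    def challenge(self, name: str, account_jwk: dict) -> str:
        """Client POSTed the challenge: validate now and record the verdict."""
        a = self.authz[name]
        body = self.fetch(CHALLENGE_PREFIX + a["token"]) or ""
        a["status"] = "valid" if http01_body_ok(body, a["token"], account_jwk) else "invalid"
        return a["status"]

    def new_cert(self, names) -> tuple:
        """Signing needs a valid authz for every name; a pending or invalid one
        yields the same 403 the log shows."""
        missing = [n for n in names if self.authz.get(n, {}).get("status") != "valid"]
        if missing:
            return 403, {"type": "urn:acme:error:unauthorized", "status": 403,
                         "detail": "Error creating new cert :: authorizations for these "
                                   "names not found or expired: " + ", ".join(missing)}
        return 201, {"status": "issued", "names": list(names)}


def run(name="aeneas.datagenic.com", body_for_token=None, validate=True) -> int:
    """One pass through the flow; returns the new-cert HTTP status.
    body_for_token(token) -> what the web root serves (default: the right answer)."""
    webroot = {}
    ca = ToyCA(webroot.get)
    token = ca.new_authz(name)["challenges"][0]["token"]
    make_body = body_for_token or (lambda t: key_authorization(t, ACCOUNT_JWK) + "\n")
    webroot[CHALLENGE_PREFIX + token] = make_body(token)
    if validate:
        ca.challenge(name, ACCOUNT_JWK)
    return ca.new_cert([name])[0]


if __name__ == "__main__":
    print("correct body    ->", run())                                  # 201
    print("wrong body      ->", run(body_for_token=lambda t: "Foo\n"))  # 403
    print("never validated ->", run(validate=False))                    # 403
```

Two things follow from the model that a static test file does not show: reachability of the challenge directory is necessary but not sufficient, since the CA compares the body against a value derived from the account key; and a token is attacker-influenced input when a client turns it into a file name, which is why key_authorization rejects anything outside the base64url alphabet. To check a real account key against a log line, build the JWK from the key's modulus and public exponent (big-endian, no leading zero bytes, base64url without padding) and compare jwk_thumbprint() with the part after the dot in the log's keyAuthorization.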
