Monday, December 30, 2024

Re: acme-client challenges

Updating with a little more info on the most recent error.

On Mon, 30 Dec 2024 22:54:52 -0500, Amelia A Lewis wrote:
[snip]
> lessee, delete an 'acme-' ...
>
> $ doas acme-client -vv simmonpatch.com
> acme-client: /etc/acme/letsencrypt-staging-privkey.pem: loaded account
> key
> acme-client: /etc/ssl/private/leo-simmonpatch.com.key: loaded domain key
> acme-client: https://staging.api.letsencrypt.org/directory: directories
> acme-client: staging.api.letsencrypt.org: DNS: 172.65.46.172
> acme-client: 172.65.46.172: tls_write: name
> `staging.api.letsencrypt.org' not present in server certificate
> acme-client: 172.65.46.172: tls_read: name
> `staging.api.letsencrypt.org' not present in server certificate
> acme-client: https://staging.api.letsencrypt.org/directory: bad comm
> acme-client: bad exit: netproc(18286): 1
>
[snip some more; I talk too much]
>
> Thanks for the quick reply and pointers! Have you any idea what the
> tls_write tls_read errors are? They're not triggering off pretend pear
> x1 and bogus broccoli x2 are they?

Call stack for the tls_read/tls_write bit:

netproc.c/nreq() -> http.c/http_get() -> http.c/http_alloc() \
-> http.c/dotlsread() -> http.c/tls_read()
-> http.c/dotlswrite() -> http.c/tls_write()

There are three calls of http_get() in netproc, one directly in nreq()
(most likely?, line 203), and two more in sreq(), which isn't called by
nreq() directly, but is called ten times by various dosomething()
functions, and it's too late for me to continue tracing (prolly easier
to instrument, but reading (somebody else's) code does make it easier
to sleep).

I'm not familiar enough with certificate contents and the protocol's
expectations of contents to decipher which server is supposed to have
staging.api in it and doesn't. Prolly the one delivered by staging.api
to identify itself? which seems ... weird. One would expect a server
providing certificate chains to remember to add its own link to its own
cert chain. Very absent-minded to forget such a thing, like getting all
dressed up to go out for dinner, only to realize on arrival that one is
not wearing shoes. Not impossible, but rather unexpected. And with that
horribly strained analogy, I'm out for the night.

Amy!
Amelia A. Lewis amyzing {at} talsever.com
Love?
A joke, that. Love was the problem, not the solution. Being hit by a
car was better than love.
-- Steven Brust, PJF, "Cowboy Feng's Space Bar and Grille"
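Added illustration, not part of the message above and not acme-client or libtls code: the "name ... not present in server certificate" message is what a TLS client reports when the hostname it was asked to verify matches none of the names in the certificate the server presented. The Python below reproduces that decision over a constructed certificate so the failure mode can be inspected offline. The subjectAltName entries and CN used here are made up and say nothing about any real server. The matching follows RFC 6125 (dNSName entries are authoritative, the CN is consulted only when no dNSName is present, a wildcard covers exactly one leftmost label); that this mirrors libtls is an assumption about library behaviour, not something the message states.

```python
"""Hostname-vs-certificate name check of the kind a TLS client library runs
before it will talk to a server.  Added example; the certificate data below
is CONSTRUCTED for illustration only."""
from dataclasses import dataclass
from typing import Tuple, List


@dataclass(frozen=True)
class PeerCertificate:
    # dNSName entries from the subjectAltName extension, as presented
    san_dns_names: Tuple[str, ...]
    # subject CN; per RFC 6125 it is only consulted when no dNSName exists
    common_name: str


def _dns_name_match(pattern: str, name: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the entire
    leftmost label and must not span a dot (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    # *.example.test must match neither example.test nor a.b.example.test,
    # and a wildcard under a public suffix (*.test) is refused outright
    if len(p_labels) != len(n_labels) or len(n_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def name_present(cert: PeerCertificate, hostname: str) -> Tuple[bool, List[str]]:
    """Return (matched, names_that_were_checked).  When the certificate
    carries dNSName SANs, the CN is deliberately ignored even if it would
    have matched; that is the behaviour modern clients implement."""
    if cert.san_dns_names:
        candidates = list(cert.san_dns_names)
    else:
        candidates = [cert.common_name]
    matched = any(_dns_name_match(c, hostname) for c in candidates)
    return matched, candidates


def explain(cert: PeerCertificate, hostname: str) -> str:
    """Diagnostic line in the style of the acme-client output, extended with
    the names the server actually presented, which is the first thing to look
    at when this error appears."""
    matched, checked = name_present(cert, hostname)
    if matched:
        return f"name `{hostname}' matches server certificate"
    return (f"name `{hostname}' not present in server certificate "
            f"(presented: {', '.join(checked)})")


# Constructed certificates for demonstration; no relation to any real host.
WILDCARD_CERT = PeerCertificate(("*.api.example.test", "api.example.test"), "ignored.test")
CN_ONLY_CERT = PeerCertificate((), "staging.api.letsencrypt.org")

if __name__ == "__main__":
    for host in ("staging.api.example.test", "api.example.test",
                 "deep.staging.api.example.test", "staging.api.letsencrypt.org"):
        print(explain(WILDCARD_CERT, host))
    print(explain(CN_ONLY_CERT, "staging.api.letsencrypt.org"))
```

The practical value of the extended diagnostic is that it shows the presented names next to the requested one; when the two differ, the fix is on the client side (the name being asked for), not something the server "forgot" to include.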
