[BlueOnyx:22951] Re: Lets encrypt - renew for root name fail

Thomas Petersen thomas at nsd.dk
Mon Jun 17 00:17:41 -05 2019


Hmm, I can't get it to work, no IPv6, no Nginx.
Tried to put an index.html in the folder but it did not work.
It was working fine 3 months ago.
This server is only used as DNS, so there are no vsites on it.
From the log:

[Mon Jun 17 07:09:23 CEST 2019] Lets find script dir.
[Mon Jun 17 07:09:23 CEST 2019] _SCRIPT_='/usr/sausalito/acme/acme.sh'
[Mon Jun 17 07:09:23 CEST 2019] _script='/usr/sausalito/acme/acme.sh'
[Mon Jun 17 07:09:23 CEST 2019] _script_home='/usr/sausalito/acme'
[Mon Jun 17 07:09:23 CEST 2019] Using config home:/usr/sausalito/acme/data
[Mon Jun 17 07:09:23 CEST 2019] _main_domain='ns.nsd.dk'
[Mon Jun 17 07:09:23 CEST 2019] _alt_domains='no'
[Mon Jun 17 07:09:23 CEST 2019] Using config home:/usr/sausalito/acme/data
[Mon Jun 17 07:09:23 CEST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Mon Jun 17 07:09:23 CEST 2019] DOMAIN_PATH='/usr/sausalito/acme/certs/ns.nsd.dk'
[Mon Jun 17 07:09:23 CEST 2019] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Mon Jun 17 07:09:23 CEST 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon Jun 17 07:09:23 CEST 2019] GET
[Mon Jun 17 07:09:23 CEST 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Jun 17 07:09:23 CEST 2019] timeout= 
[Mon Jun 17 07:09:23 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g '
[Mon Jun 17 07:09:23 CEST 2019] ret='0'
[Mon Jun 17 07:09:23 CEST 2019] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Jun 17 07:09:23 CEST 2019] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Jun 17 07:09:23 CEST 2019] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Jun 17 07:09:23 CEST 2019] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Jun 17 07:09:23 CEST 2019] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Jun 17 07:09:23 CEST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Jun 17 07:09:23 CEST 2019] ACME_NEW_NONCE 
[Mon Jun 17 07:09:23 CEST 2019] ACME_VERSION
[Mon Jun 17 07:09:23 CEST 2019] Le_NextRenewTime
[Mon Jun 17 07:09:24 CEST 2019] _on_before_issue
[Mon Jun 17 07:09:24 CEST 2019] _chk_main_domain='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] _chk_alt_domains 
[Mon Jun 17 07:09:24 CEST 2019] Le_LocalAddress
[Mon Jun 17 07:09:24 CEST 2019] d='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] Check for domain='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] _currentRoot='/home/.acme/'
[Mon Jun 17 07:09:24 CEST 2019] d
[Mon Jun 17 07:09:24 CEST 2019] _saved_account_key_hash is not changed, skip register account.
[Mon Jun 17 07:09:24 CEST 2019] Read key length:4096 
[Mon Jun 17 07:09:24 CEST 2019] _createcsr 
[Mon Jun 17 07:09:24 CEST 2019] Single domain='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] Getting domain auth token for each domain 
[Mon Jun 17 07:09:24 CEST 2019] d='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] Getting webroot for domain='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] _w='/home/.acme/'
[Mon Jun 17 07:09:24 CEST 2019] _currentRoot='/home/.acme/'
[Mon Jun 17 07:09:24 CEST 2019] Getting new-authz for domain='ns.nsd.dk'
[Mon Jun 17 07:09:24 CEST 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon Jun 17 07:09:24 CEST 2019] Try new-authz for the 0 time.
[Mon Jun 17 07:09:24 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Jun 17 07:09:24 CEST 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "ns.nsd.dk"}}'
[Mon Jun 17 07:09:24 CEST 2019] RSA key
[Mon Jun 17 07:09:24 CEST 2019] GET
[Mon Jun 17 07:09:24 CEST 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Jun 17 07:09:24 CEST 2019] timeout=
[Mon Jun 17 07:09:24 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g '
[Mon Jun 17 07:09:24 CEST 2019] ret='0'
[Mon Jun 17 07:09:24 CEST 2019] POST
[Mon Jun 17 07:09:24 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Jun 17 07:09:24 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g '
[Mon Jun 17 07:09:25 CEST 2019] _ret='0'
[Mon Jun 17 07:09:25 CEST 2019] code='201'
[Mon Jun 17 07:09:25 CEST 2019] The new-authz request is ok.
[Mon Jun 17 07:09:25 CEST 2019] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783","token":"EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI"'
[Mon Jun 17 07:09:25 CEST 2019] token='EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI'
[Mon Jun 17 07:09:25 CEST 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:25 CEST 2019] keyauthorization='EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg'
[Mon Jun 17 07:09:25 CEST 2019] dvlist='ns.nsd.dk#EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg#https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783#http-01#/home/.acme/'
[Mon Jun 17 07:09:25 CEST 2019] d
[Mon Jun 17 07:09:25 CEST 2019] vlist='ns.nsd.dk#EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg#https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783#http-01#/home/.acme/,'
[Mon Jun 17 07:09:25 CEST 2019] d='ns.nsd.dk'
[Mon Jun 17 07:09:25 CEST 2019] ok, let's start to verify
[Mon Jun 17 07:09:25 CEST 2019] Verifying: ns.nsd.dk
[Mon Jun 17 07:09:25 CEST 2019] d='ns.nsd.dk'
[Mon Jun 17 07:09:25 CEST 2019] keyauthorization='EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg'
[Mon Jun 17 07:09:25 CEST 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:25 CEST 2019] _currentRoot='/home/.acme/'
[Mon Jun 17 07:09:25 CEST 2019] wellknown_path='/home/.acme//.well-known/acme-challenge'
[Mon Jun 17 07:09:25 CEST 2019] writing token:EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI to /home/.acme//.well-known/acme-challenge/EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI
[Mon Jun 17 07:09:25 CEST 2019] Changing owner/group of .well-known to root:root 
[Mon Jun 17 07:09:25 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:25 CEST 2019] payload='{"resource": "challenge", "type": "http-01", "keyAuthorization": "EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg"}'
[Mon Jun 17 07:09:25 CEST 2019] POST
[Mon Jun 17 07:09:25 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:25 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g '
[Mon Jun 17 07:09:26 CEST 2019] _ret='0'
[Mon Jun 17 07:09:26 CEST 2019] code='202'
[Mon Jun 17 07:09:26 CEST 2019] sleep 2 secs to verify 
[Mon Jun 17 07:09:28 CEST 2019] checking
[Mon Jun 17 07:09:28 CEST 2019] GET
[Mon Jun 17 07:09:28 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:28 CEST 2019] timeout= 
[Mon Jun 17 07:09:28 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g '
[Mon Jun 17 07:09:29 CEST 2019] ret='0'
[Mon Jun 17 07:09:29 CEST 2019] ns.nsd.dk:Verify error:Invalid response from http://ns.nsd.dk/.well-known/acme-challenge/EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI [62.242.205.1]: 
[Mon Jun 17 07:09:29 CEST 2019] Debug: get token url.
[Mon Jun 17 07:09:29 CEST 2019] GET
[Mon Jun 17 07:09:29 CEST 2019] url='http://ns.nsd.dk/.well-known/acme-challenge/EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI'
[Mon Jun 17 07:09:29 CEST 2019] timeout=1 
[Mon Jun 17 07:09:29 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g  --connect-timeout 1'
[Mon Jun 17 07:09:29 CEST 2019] ret='0'
[Mon Jun 17 07:09:29 CEST 2019] Debugging, skip removing: /home/.acme//.well-known/acme-challenge/EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI
[Mon Jun 17 07:09:29 CEST 2019] pid
[Mon Jun 17 07:09:29 CEST 2019] No need to restore nginx, skip.
[Mon Jun 17 07:09:29 CEST 2019] _clearupdns 
[Mon Jun 17 07:09:29 CEST 2019] dnsadded
[Mon Jun 17 07:09:29 CEST 2019] vlist='ns.nsd.dk#EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg#https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783#http-01#/home/.acme/,'
[Mon Jun 17 07:09:29 CEST 2019] skip dns.
[Mon Jun 17 07:09:29 CEST 2019] _on_issue_err 
[Mon Jun 17 07:09:29 CEST 2019] Please check log file for more details: /var/log/letsencrypt/letsencrypt.log
[Mon Jun 17 07:09:29 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:29 CEST 2019] payload='{"resource": "challenge", "type": "", "keyAuthorization": "EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI.Zi4ztj8V1kY7mGOkafS0LYCnRUvBXsZY4UwVpwNicXg"}'
[Mon Jun 17 07:09:29 CEST 2019] POST
[Mon Jun 17 07:09:29 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/kY4oaZMkKPBtlY2uyuCqa8ezgO_qVXl5-4d0F0mioFE/17169188783'
[Mon Jun 17 07:09:29 CEST 2019] _CURL='curl -L --silent --dump-header /usr/sausalito/acme/data/http.header  -g '
[Mon Jun 17 07:09:30 CEST 2019] _ret='0'
[Mon Jun 17 07:09:30 CEST 2019] code='400'
[Mon Jun 17 07:09:30 CEST 2019] socat doesn't exists.
[Mon Jun 17 07:09:30 CEST 2019] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2k-fips  26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.14.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.0h  27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --with-openssl=/home/solarspeed/openssl/sources
socat:


/Thomas




-----Original message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael Stauber
Sent: 16 June 2019 23:21

Hi Thomas,

> is home/.acme/ the right place for the token ?

Yes, see:

[root@ ~]# cat /etc/httpd/conf.d/acme_sh.conf
Alias /.well-known/acme-challenge/ /home/.acme/
<Directory "/home/.acme/">
    Options FollowSymLinks
    AllowOverride None
    ForceType text/plain
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    Require all granted
</Directory>

In the past (before we redirected the /.well-known/acme-challenge calls to /home/.acme/) it was always possible that an .htaccess file or other Apache config related setting might interfere with the validation.

This created too much unnecessary support overhead both for our users as well as for us.

Check your /var/log/letsencrypt/letsencrypt.log for a more detailed error message. It could be that one alias didn't verify or that there were IPv6 issues or things like that.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
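A pre-flight check for the http-01 webroot validation discussed in this thread, added here as an example and not part of the original mails or of the BlueOnyx acme.sh setup: it rebuilds the `keyauthorization` value seen in the log (token plus the RFC 7638 thumbprint of the account key), checks the token against the same `[\w-]{43}` rule the Apache RedirectMatch above enforces, and compares what the web server actually served for the challenge URL with the file in the webroot. The account key JWK is a constructed placeholder, and `served_body` is whatever your own fetch of the challenge URL returned (the log's curl body, empty in the failure above).

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Same token shape the Apache RedirectMatch in the thread permits: 43 base64url chars.
TOKEN_RE = re.compile(r"^[\w-]{43}$")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over {"e","kty","n"}, keys sorted."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()

def key_authorization(token: str, account_jwk: dict) -> str:
    """The 'keyauthorization' value in the acme.sh log: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def preflight(webroot: str, domain: str, token: str, account_jwk: dict,
              served_body: Optional[str]) -> List[str]:
    """Problems a CA validator would hit; an empty list means http-01 should pass.
    served_body: the body your own fetch of the challenge URL returned, None if nothing answered."""
    problems = []
    expected = key_authorization(token, account_jwk)
    if not TOKEN_RE.match(token):
        problems.append("token does not match [\\w-]{43}: the RedirectMatch would answer 404")
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    if not path.is_file():
        problems.append(f"token file missing: {path}")
    elif path.read_text().strip() != expected:
        problems.append(f"{path} does not contain the key authorization")
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    if not served_body or not served_body.strip():
        problems.append(f"empty response from {url}: the web server is not serving the webroot")
    elif served_body.strip() != expected:
        problems.append(f"{url} served something other than the key authorization")
    return problems

if __name__ == "__main__":
    # Constructed account key (placeholder, not a real key) and the token from the log above.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "cHVibGljLW1vZHVsdXMtcGxhY2Vob2xkZXI"}
    token = "EZ4gNtKEVzIBgCp4ZUsFn5E6z9WcgOiL_mmDj5JTBwI"
    with tempfile.TemporaryDirectory() as root:
        challenge_dir = Path(root) / ".well-known" / "acme-challenge"
        challenge_dir.mkdir(parents=True)
        (challenge_dir / token).write_text(key_authorization(token, jwk))
        # The thread's symptom: the file is in place but the HTTP answer was empty.
        print(preflight(root, "ns.nsd.dk", token, jwk, served_body=""))
```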