From: David Mehler
Date: Tue, 20 Jun 2017 20:29:12 -0400
To: users@httpd.apache.org
Subject: [users@httpd] Apache 2.4 and letsencrypt challenge setup issue?
Hello,

I'm trying to get letsencrypt certificates working with security/acme-client on FreeBSD 10.3, which I like much better than the python certbot client. That being said, I'm having a problem where authentication is failing, account keys are created, and from the output below it looks like the tokens are being successfully generated, not retrieved. I'm thinking an apache configuration problem. I've got two different runs with two different messages. Any help appreciated.

Thanks.
Dave.

# Domain letsencrypt creation
export DS="example.com www.example.com webmail.example.com"; \
acme-client -mvnNOC /usr/local/www/.well-known/ \
$DS && echo $DS >> /usr/local/etc/acme/domains.txt

acme-client: /usr/local/etc/ssl/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/private/example.com: creating directory
acme-client: /usr/local/etc/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/private/example.com/privkey.pem: generating RSA domain key
acme-client: /usr/local/etc/acme/example.com/privkey.pem: generating RSA account key
acme-client: adding SAN: www.example.com
acme-client: adding SAN: webmail.example.com
acme-client: adding OCSP stapling
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.217.173.130
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:1400:a:196::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:1400:a:197::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: example.com
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.example.com
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: webmail.example.com
acme-client: /usr/local/www/acme//PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522: challenge
acme-client: /usr/local/www/acme//Y8JozYRWNboKZcs1PNDoeMxw0bcQsMjFpRU4Z-10ov4: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/TwCh4pIh3OsrT1ao6nb3THypuMeKMYyXRfKQeI711Uw/1381988564: challenge
acme-client: /usr/local/www/acme//k5bqluXjn_93UknVNwhYv7VIT6eje9E9JzYcM4JDKtQ: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/4AtVqZWIXB-rp87DTgLos79h5yMbO-g4FeOvldpcC9s/1381988597: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522: bad response
acme-client: transfer buffer: [{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c: \"\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"\u003e\r\n\u003chtml xmlns=\"http\"",
    "status": 403
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522",
  "token": "PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c",
  "keyAuthorization": "PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c.af3ncVsUzcTQuGUzKGx9RoPA5jbhTlVq8PQocLc0-o0",
  "validationRecord": [
    {
      "url": "http://www.example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c",
      "hostname": "www.example.com",
      "port": "80",
      "addressesResolved": [ "66.228.47.34" ],
      "addressUsed": "66.228.47.34",
      "addressesTried": []
    },
    {
      "url": "http://example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c",
      "hostname": "example.com",
      "port": "80",
      "addressesResolved": [ "66.228.47.34" ],
      "addressUsed": "66.228.47.34",
      "addressesTried": []
    }
  ]
}] (1350 bytes)
acme-client: bad exit: netproc(30353): 1

# second run
export DS="example.com www.example.com webmail.example.com"; \
acme-client -mvnNOC /usr/local/www/.well-known/ \
$DS && echo $DS >> /usr/local/etc/acme/domains.txt

acme-client: /usr/local/etc/ssl/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/example.com: No such file or directory

# httpd configuration
mkdir -pm750 /usr/local/www/.well-known && chown -R www:www /usr/local/www/.well-known

# httpd.conf
    Options None
    AllowOverride None
    Require all granted
    Header add Content-Type text/plain

# virtual hosts
# The example.com http virtual host
    ServerName example.com
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]

    ServerAdmin nick@example.com
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    ServerAlias www.example.com
    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/
    # Anything that isn't going to example.com/.well-known gets forwarded to the https site
    # RewriteEngine on
    # RewriteCond %{REQUEST_URI} !^/.well-known
    # RewriteRule (.*) https://www.davemehler.com/$1 [R=301,L]
    ErrorLog "/usr/vhosts/example.com/logs/error.log"
        Options FollowSymLinks
        AllowOverRide None
        Require all granted
    CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    # Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    CacheEnable disk
    CacheHeader on
    CacheDefaultExpire 600
    CacheMaxExpire 86400
    CacheLastModifiedFactor 0.5
    ExpiresActive on
    ExpiresDefault "access plus 5 minutes"
    Header merge Cache-Control public
    FileETag All

    ServerAdmin nick@example.com
    DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
    ServerName webmail.example.com
    ServerAlias webmail.example.com
    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/
    # Anything that isn't going to webmail.example.com/.well-known gets forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]
    ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
        Options FollowSymLinks
        AllowOverRide None
        Require all granted
    CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    # Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    CacheEnable disk
    CacheHeader on
    CacheDefaultExpire 600
    CacheMaxExpire 86400
    CacheLastModifiedFactor 0.5
    ExpiresActive on
    ExpiresDefault "access plus 5 minutes"
    Header merge Cache-Control public
    FileETag All

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org