commit e9ddf77aec9aa7bb23065006c79acd34714c71a2 from: jrmu date: Wed Apr 06 15:07:03 2022 UTC Daily Backup commit - 9da65cd5665a2eb0937d66314c11ff29310275f6 commit + e9ddf77aec9aa7bb23065006c79acd34714c71a2 blob - 4af153dacabb587a6e19ab1308622a5b11c3733b blob + e1f075c93f0b61add3026a14a55a59569004b0ce --- wiki.d/Acme-client.Configure +++ wiki.d/Acme-client.Configure 
@@ -1,16 +1,19 @@ version=pmwiki-2.2.130 ordered=1 urlencoded=1 -agent=Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 -author=SummerSonw +agent=w3m/0.5.3+git20210102 +author=jrmu charset=UTF-8 -csum=https://acme-staging-v02.api.letsencrypt.org/directory +csum= ctime=1614076701 -host=203.77.49.232 +host=38.87.162.154 name=Acme-client.Configure -rev=53 +rev=54 targets=Openhttpd.Configure,Dns.Overview,Host.Usage,Netcat.Http,Nsd.Troubleshoot,Telnet.Http,Crontab.Edit,Openssl.Http -text=(:title Configuring Acme-client:)%0a%0aTo enable TLS, you will want a certificate signed by a trusted certificate authority (CA). In this guide, we'll use OpenBSD's [[https://man.openbsd.org/acme-client|acme-client]] with Let's Encrypt.%0a%0a!! Overview%0a%0aTLS (Transport Layer Security) aka SSL (Secure Sockets Layer) is the encryption security measure that enables browsers to recognize a website as "secure". In modern browsers the SSL information can be accessed by clicking the padlock icon in the address bar. %0a%0aSSL certificates are obtained from CAs (Certificate Authorities). Currently, the only free CAs are [[https://letsencrypt.org/getting-started/ | Lets Encrypt]], [[https://www.buypass.com/ssl/products/acme | Buypass]] and [[https://zerossl.com/ | ZeroSSL]]. You can request an SSL cert for your web domain using an Automatic Certificate Management Environment (ACME) client such as OpenBSD's Acme-client, which we will configure in this article.%0a%0a!!! Before You Begin %0a%0aYou will first need to properly configure and start [[openhttpd/configure|openhttpd]]. You will also need properly functioning [[dns/overview|DNS records]] for your hostname (@@username.example.com@@). 
If you are using a training vps, it is likely that DNS records for your hostname have already been set up for you.%0a%0aYou can and should test the two configurations using [[host/usage|host]] and [[netcat/http|netcat]].%0a%0aNote: You must have a server block in [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]] listening on port 80. Do not delete this block or else acme-client will not work.%0a%0a!! Configuration%0a%0aFirst, copy the [[https://man.openbsd.org/acme-client.conf|acme-client.conf]] template:%0a%0a[@%0a$ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf%0a@]%0a%0aWe'll open up [@ /etc/acme-client.conf @] and analyze the meaning of each block:%0a%0a!!! Authority blocks%0a%0a[@%0aauthority letsencrypt {%0a api url "https://acme-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-privkey.pem"%0a}%0a@]%0a%0aThis defines the Certificate Authority [[https://letsencrypt.org/|letsencrypt]]. It provides the API URL and the location of the account key.%0a%0a'''Note''': Let's Encrypt [[https://letsencrypt.org/docs/rate-limits/|rate-limits]] the number of SSL certs you can request. If you encounter an error and are unable to request an SSL cert, please fix all errors before requesting again. If you request too many certs in a short time, your domain will get blacklisted for a few hours or days. To avoid issues, use letsencrypt-staging first and make sure you get success with that before using letsencrypt.%0a%0aAlthough we are using Let's Encrypt for this tutorial, it is important to note that Let's Encrypt currently has a monopoly on free SSL certs. 
For this reason, IRCNow wants to run its own Certificate Authority in case Let's Encrypt should try to censor our domains.%0a%0a[@%0aauthority letsencrypt-staging {%0a api url "https://acme-staging-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-staging-privkey.pem"%0a}%0a@]%0a%0aletsencrypt-staging is a staging server which you can use to practice requesting fake certificates. The rate limits for the staging server are less strict, so you should practice first with this CA.%0a%0aTo both of these blocks, we will want to add our contact email, so we add [@contact "mailto:me@example.com" @] inside both blocks. (make sure to have the @@mailto:@@):%0a%0a[@%0aauthority letsencrypt {%0a api url "https://acme-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a%0aauthority letsencrypt-staging {%0a api url "https://acme-staging-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-staging-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a@]%0a%0aNext, the default [[https://man.openbsd.org/acme-client.conf|acme-client.conf]] defines two more authorities:%0a%0a[@%0aauthority buypass {%0a api url "https://api.buypass.com/acme/directory"%0a account key "/etc/acme/buypass-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a%0aauthority buypass-test {%0a api url "https://api.test4.buypass.no/acme/directory"%0a account key "/etc/acme/buypass-test-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a@]%0a%0aThese two blocks are the same as for letsencrypt, but with the alternative provider [[https://buypass.com/|buypass]]. Make sure to replace the contact email with your own email.%0a%0a!!! 
Domain Block%0a%0a[@%0adomain example.com {%0a alternative names { secure.example.com }%0a domain key "/etc/ssl/private/example.com.key"%0a domain full chain certificate "/etc/ssl/example.com.crt"%0a sign with letsencrypt%0a}%0a@]%0a%0adomain: This would configure acme-client for the domain @@ example.com @@. Replace every appearance of @@ example.com @@ with your own domain, which might look like @@ username.fruit.ircnow.org @@.%0a%0aalternative names: Each SSL cert is valid only for a '''common name''' and a set of '''alternative names''' that are provided on the certificate. For example, an SSL certificate might have the common name @@ example.ircnow.org @@ and the alternative names @@ fruit.ircnow.org @@ and @@ vegetable.ircnow.org @@. You can safely skip this by commenting out this line (see warning below)%0a%0aIf you use too many alternative names, an acme-client certificate request has a higher chance of failure. So, I recommend keeping the number of alternative names to under 5.%0a%0a'''Warning''': Having the @@alternative names@@ directive with nothing inside will cause errors. The below will cause errors:%0a%0a[@%0aalternative names { }%0a@]%0a%0aIf you don't need any alternative names, you should comment this line out by putting a # at the beginning of the line, like so:%0a%0a[@%0a# alternative names { }%0a@]%0a%0a%0a'''Note''': If you add an alternative name to the conf file, but the cert already exists, you must remove the old public cert first before requesting a new one. Otherwise, you will get @@unknown SAN error@@ -- acme-client will complain there is an unknown Subject Alternative Name.%0a%0adomain key, domain full chain certificate:%0a%0aThe @@domain key@@ and @@domain full chain certificate@@ tell acme-client where to put the private key and certificate:%0a%0a[@%0a domain key "/etc/ssl/private/example.com.key"%0a domain full chain certificate "/etc/ssl/example.com.crt"%0a@]%0a%0aReplace @@example.com@@ with your real domain. 
The public key goes inside the folder @@/etc/ssl@@ and the private key goes inside @@/etc/ssl/private@@.%0a%0a%0asign with: %0a%0athis line tells Acme-client which CA (that you defined in the Authority Blocks) to use.%0a%0a[@%0a sign with letsencrypt%0a@]%0a%0awould cause it to use the CA @@ letsencrypt @@. For testing purposes, change it to @@ letsencrypt-staging @@. If you want to use @@ buypass @@ or it's testing CA @@ buypass-test @@, then change it accordingly.%0a%0a'''Note''': staging or testing certificates are not recognized by most browsers and will be rejected as an invalid certificate. After you finish testing with a staging certificate, change this line back to an official authority (@@sign with letsencrypt@@).%0a%0a!! Requesting Certificates%0a%0aAfter you have finished configuring the conf file, we can request certificates:%0a%0a[@%0a$ doas acme-client -Fv example.com%0a@]%0a%0areplace @@ example.com @@ with your domain.%0a%0aIf there are no errors, you should see something similar to the following output:%0a%0a[@%0a$ doas acme-client -Fv example.com%0aacme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key%0aacme-client: /etc/ssl/private/example.com.key: generated RSA domain key%0aacme-client: https://acme-v02.api.letsencrypt.org/directory: directories%0aacme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248%0aacme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11133258838%0aacme-client: challenge, token: uWHZmqhx6NEpcv25LEvodMAeymB1guTFVtyktVzkJgs, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11133258838/_UI3-A, status: 0%0aacme-client: /var/www/acme/uWHZmqhx6NEpcv25LEvodMAeymB1guTFVtyktVzkJgs: created%0aacme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11133258838/_UI3-A: challenge%0aacme-client: order.status 0%0aacme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11133258838%0aacme-client: challenge, token: uWHZmqhx6NEpcv25LEvodMAeymB1guTFVtyktVzkJgs, 
uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11133258838/_UI3-A, status: 2%0aacme-client: order.status 1%0aacme-client: https://acme-v02.api.letsencrypt.org/acme/finalize/113861127/8112730231: certificate%0aacme-client: order.status 3%0aacme-client: https://acme-v02.api.letsencrypt.org/acme/cert/03f7fd846802cb0689c2bbd7b6f5e89eb66b: certificate%0aacme-client: /etc/ssl/example.com.crt: created%0a@]%0a%0aNote the last line: it says that the public certificate was generated. If you see that, it's a success!%0a%0aYou now have two certificates, the public key inside @@/etc/ssl/example.com.crt@@, and the private key inside @@/etc/ssl/private/example.com.key@@ (or wherever you changed the path to):%0a%0a[@%0a$ doas ls -l /etc/ssl/example.com.crt /etc/ssl/private/example.com.key%0a-r--r--r-- 1 root wheel 4797 Feb 25 02:11 /etc/ssl/jrmu.coconut.ircnow.org.crt%0a-r-------- 1 root wheel 3272 Feb 25 02:10 /etc/ssl/private/jrmu.coconut.ircnow.org.key%0a@]%0a%0a!! Troubleshooting%0a%0aIf acme-client fails, there are several possible causes:%0a%0a!!! Domain Not Listed%0a%0aIf you add a new alternative name inside your domain block in [[https://man.openbsd.org/acme-client.conf|/etc/acme-client.conf]], you will see this error:%0a %0a[@%0aacme-client: /etc/ssl/example.com.crt: domain not listed: new.example.com%0a@]%0a%0aHere, @@new.example.com@@ was a new alternative name I added. The solution is to move your old public cert and private key to a new location (rather than deleting it, back it up!)%0a%0aExample (using example.com):%0a%0a[@%0a$ doas mv /etc/ssl/example.com.crt /etc/ssl/example.com.crt.bak%0a$ doas mv /etc/ssl/private/example.com.key /etc/ssl/private/example.com.key.bak%0a@]%0a%0aThen request the cert again:%0a%0a[@%0a$ doas acme-client -Fv example.com%0a@]%0a%0a%0a!!! Missing Domain Records%0a%0aIt's possible that your domain records are missing. 
Run this command, replacing @@example.com@@ with your real hostname:%0a%0a[@%0a$ host example.com%0a@]%0a%0aYou should see one or two records like the following:%0a%0a[@%0aexample.com has address 93.184.216.34%0aexample.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946%0a@]%0a%0aThe IPv4 and IPv6 address must exactly match the IPs that [[openhttpd/configure|OpenHTTPd]] is listening on.%0a%0a'''Note''': You '''cannot''' request a domain you don't own! The domain must point to an IP you own.%0a%0a There are a few possible mistakes:%0a%0a# Your web server is listening only one IPv4 but your DNS record includes IPv6; or vice versa.%0a# You have the wrong IP addresses.%0a# DNS records are missing.%0a%0aIf you have missing records, you will see this response:%0a%0a[@%0aHost example.com not found: 3(NXDOMAIN)%0a@]%0a%0aYou will either need to speak with your DNS provider or you will need to troubleshoot [[nsd/troubleshoot|nsd]].%0a%0a!!! OpenHTTPd Misconfigured%0a%0aIf [[openhttpd/configure|openhttpd]] is not configured and running properly, acme-client won't work.%0a%0a(acme-client uses the "http-01" challenge. A file is created with a special message in @@/var/www/acme/@@, and the certificate authority requests that file using the URL @@http://example.com/.well-known/acme-challenge/*@@. )%0a%0aTo test if your web server is running properly, use [[telnet/http|telnet]] (replacing @@example.com@@ with your domain) from another computer:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a@]%0a%0aYou should a response similar to the one below:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a...%0a@]%0a%0aIf you do not get this response, double check your openhttpd configuration.%0a%0a'''Note''': Using the telnet command above is more reliable than visiting the URL in a web browser. 
By default, httpd.conf (and most web browsers) will forward all requests for port 80 to port 443. As a result, your web browser will see what is listening on port 443, but the certificate authority will test port 80 only.%0a%0a%0a!!! Incorrect File Permissions%0a%0aDouble check the file permissions for /var/www and /var/www/acme:%0a%0a[@%0a$ ls -ld /var/www /var/www/acme%0adrwxr-xr-x 10 root daemon 512 Oct 5 07:47 /var/www%0adrwxr-xr-x 2 root daemon 512 Oct 5 07:47 /var/www/acme%0a@]%0a%0a!! Automation%0a%0aLet's Encrypt TLS certs expire after 90 days, while Buypass certs expire after 180. For both, you must remember to request the TLS cert or TLS will stop working. To avoid forgetting, we can automate the request process using [[crontab/edit|crontab]].%0a%0a[@%0a$ doas crontab -e%0a@]%0a%0aAdd this line at the bottom:%0a%0a[@%0a~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd%0a@]%0a%0aThis cronjob will check the certificate once each day, at a random time of day, to see if it needs to be renewed. If it does, it will renew the cert, then reload openhttpd to use it.%0a%0aSee Also:%0a%0a|| border=1 width=100%25 class="sortable simpletable"%0a|| [[openhttpd/configure|Configure OpenHTTPd]] || Configure HTTPd ||%0a|| [[telnet/http|Telnet HTTP]] || Use Telnet to Troubleshoot HTTP ||%0a|| [[openssl/http|OpenSSL HTTP]] || Use OpenSSL to Troubleshoot HTTPS ||%0a -time=1644404186 +text=(:title Configuring Acme-client:)%0a%0aTo enable TLS, you will want a certificate signed by a trusted certificate authority (CA). In this guide, we'll use OpenBSD's [[https://man.openbsd.org/acme-client|acme-client]] with Let's Encrypt.%0a%0a!! Overview%0a%0aTLS (Transport Layer Security) aka SSL (Secure Sockets Layer) is the encryption security measure that enables browsers to recognize a website as "secure". In modern browsers the SSL information can be accessed by clicking the padlock icon in the address bar. 
%0a%0aSSL certificates are obtained from CAs (Certificate Authorities). Currently, the only free CAs are [[https://letsencrypt.org/getting-started/ | Lets Encrypt]], [[https://www.buypass.com/ssl/products/acme | Buypass]] and [[https://zerossl.com/ | ZeroSSL]]. You can request an SSL cert for your web domain using an Automatic Certificate Management Environment (ACME) client such as OpenBSD's Acme-client, which we will configure in this article.%0a%0a!!! Before You Begin %0a%0aYou will first need to properly configure and start [[openhttpd/configure|openhttpd]]. You will also need properly functioning [[dns/overview|DNS records]] for your hostname (@@username.example.com@@). If you are using a training vps, it is likely that DNS records for your hostname have already been set up for you.%0a%0aYou can and should test the two configurations using [[host/usage|host]] and [[netcat/http|netcat]].%0a%0aNote: You must have a server block in [[https://man.openbsd.org/httpd.conf|/etc/httpd.conf]] listening on port 80. Do not delete this block or else acme-client will not work.%0a%0a!! Configuration%0a%0aFirst, copy the [[https://man.openbsd.org/acme-client.conf|acme-client.conf]] template:%0a%0a[@%0a$ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf%0a@]%0a%0aWe'll open up [@ /etc/acme-client.conf @] and analyze the meaning of each block:%0a%0a!!! Authority blocks%0a%0a[@%0aauthority letsencrypt {%0a api url "https://acme-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-privkey.pem"%0a}%0a@]%0a%0aThis defines the Certificate Authority [[https://letsencrypt.org/|letsencrypt]]. It provides the API URL and the location of the account key.%0a%0a'''Note''': Let's Encrypt [[https://letsencrypt.org/docs/rate-limits/|rate-limits]] the number of SSL certs you can request. If you encounter an error and are unable to request an SSL cert, please fix all errors before requesting again. 
If you request too many certs in a short time, your domain will get blacklisted for a few hours or days. To avoid issues, use letsencrypt-staging first and make sure you get success with that before using letsencrypt.%0a%0aAlthough we are using Let's Encrypt for this tutorial, it is important to note that Let's Encrypt currently has a monopoly on free SSL certs. For this reason, IRCNow wants to run its own Certificate Authority in case Let's Encrypt should try to censor our domains.%0a%0a[@%0aauthority letsencrypt-staging {%0a api url "https://acme-staging-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-staging-privkey.pem"%0a}%0a@]%0a%0aletsencrypt-staging is a staging server which you can use to practice requesting fake certificates. The rate limits for the staging server are less strict, so you should practice first with this CA.%0a%0aTo both of these blocks, we will want to add our contact email, so we add [@contact "mailto:me@example.com" @] inside both blocks. 
(make sure to have the @@mailto:@@):%0a%0a[@%0aauthority letsencrypt {%0a api url "https://acme-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a%0aauthority letsencrypt-staging {%0a api url "https://acme-staging-v02.api.letsencrypt.org/directory"%0a account key "/etc/acme/letsencrypt-staging-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a@]%0a%0aNext, the default [[https://man.openbsd.org/acme-client.conf|acme-client.conf]] defines two more authorities:%0a%0a[@%0aauthority buypass {%0a api url "https://api.buypass.com/acme/directory"%0a account key "/etc/acme/buypass-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a%0aauthority buypass-test {%0a api url "https://api.test4.buypass.no/acme/directory"%0a account key "/etc/acme/buypass-test-privkey.pem"%0a contact "mailto:me@example.com"%0a}%0a@]%0a%0aThese two blocks are the same as for letsencrypt, but with the alternative provider [[https://buypass.com/|buypass]]. Make sure to replace the contact email with your own email.%0a%0a!!! Domain Block%0a%0a[@%0adomain example.com {%0a alternative names { secure.example.com }%0a domain key "/etc/ssl/private/example.com.key"%0a domain full chain certificate "/etc/ssl/example.com.crt"%0a sign with letsencrypt%0a}%0a@]%0a%0adomain: This would configure acme-client for the domain @@ example.com @@. Replace every appearance of @@ example.com @@ with your own domain, which might look like @@ username.fruit.ircnow.org @@.%0a%0aalternative names: Each SSL cert is valid only for a '''common name''' and a set of '''alternative names''' that are provided on the certificate. For example, an SSL certificate might have the common name @@ example.ircnow.org @@ and the alternative names @@ fruit.ircnow.org @@ and @@ vegetable.ircnow.org @@. 
You can safely skip this by commenting out this line (see warning below)%0a%0aIf you use too many alternative names, an acme-client certificate request has a higher chance of failure. So, I recommend keeping the number of alternative names to under 5.%0a%0a'''Warning''': Having the @@alternative names@@ directive with nothing inside will cause errors. The below will cause errors:%0a%0a[@%0aalternative names { }%0a@]%0a%0aIf you don't need any alternative names, you should comment this line out by putting a # at the beginning of the line, like so:%0a%0a[@%0a# alternative names { }%0a@]%0a%0a%0a'''Note''': If you add an alternative name to the conf file, but the cert already exists, you must remove the old public cert first before requesting a new one. Otherwise, you will get @@unknown SAN error@@ -- acme-client will complain there is an unknown Subject Alternative Name.%0a%0adomain key, domain full chain certificate:%0a%0aThe @@domain key@@ and @@domain full chain certificate@@ tell acme-client where to put the private key and certificate:%0a%0a[@%0a domain key "/etc/ssl/private/example.com.key"%0a domain full chain certificate "/etc/ssl/example.com.crt"%0a@]%0a%0aReplace @@example.com@@ with your real domain. The public key goes inside the folder @@/etc/ssl@@ and the private key goes inside @@/etc/ssl/private@@.%0a%0a%0asign with: %0a%0athis line tells Acme-client which CA (that you defined in the Authority Blocks) to use.%0a%0a[@%0a sign with letsencrypt%0a@]%0a%0awould cause it to use the CA @@ letsencrypt @@. For testing purposes, change it to @@ letsencrypt-staging @@. If you want to use @@ buypass @@ or it's testing CA @@ buypass-test @@, then change it accordingly.%0a%0a'''Note''': staging or testing certificates are not recognized by most browsers and will be rejected as an invalid certificate. After you finish testing with a staging certificate, change this line back to an official authority (@@sign with letsencrypt@@).%0a%0a!! 
Requesting Certificates%0a%0aAfter you have finished configuring the conf file, we can request certificates:%0a%0a[@%0a$ doas acme-client -Fv example.com%0a@]%0a%0areplace @@ example.com @@ with your domain.%0a%0aIf there are no errors, you should see something similar to the following output:%0a%0a[@%0a$ doas acme-client -Fv example.com%0aacme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key%0aacme-client: /etc/ssl/private/example.com.key: generated RSA domain key%0aacme-client: https://acme-v02.api.letsencrypt.org/directory: directories%0aacme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248%0aacme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11133258838%0aacme-client: challenge, token: uWHZmqhx6NEpcv25LEvodMAeymB1guTFVtyktVzkJgs, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11133258838/_UI3-A, status: 0%0aacme-client: /var/www/acme/uWHZmqhx6NEpcv25LEvodMAeymB1guTFVtyktVzkJgs: created%0aacme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11133258838/_UI3-A: challenge%0aacme-client: order.status 0%0aacme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11133258838%0aacme-client: challenge, token: uWHZmqhx6NEpcv25LEvodMAeymB1guTFVtyktVzkJgs, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11133258838/_UI3-A, status: 2%0aacme-client: order.status 1%0aacme-client: https://acme-v02.api.letsencrypt.org/acme/finalize/113861127/8112730231: certificate%0aacme-client: order.status 3%0aacme-client: https://acme-v02.api.letsencrypt.org/acme/cert/03f7fd846802cb0689c2bbd7b6f5e89eb66b: certificate%0aacme-client: /etc/ssl/example.com.crt: created%0a@]%0a%0aNote the last line: it says that the public certificate was generated. 
If you see that, it's a success!%0a%0aYou now have two certificates, the public key inside @@/etc/ssl/example.com.crt@@, and the private key inside @@/etc/ssl/private/example.com.key@@ (or wherever you changed the path to):%0a%0a[@%0a$ doas ls -l /etc/ssl/example.com.crt /etc/ssl/private/example.com.key%0a-r--r--r-- 1 root wheel 4797 Feb 25 02:11 /etc/ssl/jrmu.coconut.ircnow.org.crt%0a-r-------- 1 root wheel 3272 Feb 25 02:10 /etc/ssl/private/jrmu.coconut.ircnow.org.key%0a@]%0a%0a!! Troubleshooting%0a%0aIf acme-client fails, there are several possible causes:%0a%0a!!! Domain Not Listed%0a%0aIf you add a new alternative name inside your domain block in [[https://man.openbsd.org/acme-client.conf|/etc/acme-client.conf]], you will see this error:%0a %0a[@%0aacme-client: /etc/ssl/example.com.crt: domain not listed: new.example.com%0a@]%0a%0aHere, @@new.example.com@@ was a new alternative name I added. The solution is to move your old public cert and private key to a new location (rather than deleting it, back it up!)%0a%0aExample (using example.com):%0a%0a[@%0a$ doas mv /etc/ssl/example.com.crt /etc/ssl/example.com.crt.bak%0a$ doas mv /etc/ssl/private/example.com.key /etc/ssl/private/example.com.key.bak%0a@]%0a%0aThen request the cert again:%0a%0a[@%0a$ doas acme-client -Fv example.com%0a@]%0a%0a%0a!!! Missing Domain Records%0a%0aIt's possible that your domain records are missing. Run this command, replacing @@example.com@@ with your real hostname:%0a%0a[@%0a$ host example.com%0a@]%0a%0aYou should see one or two records like the following:%0a%0a[@%0aexample.com has address 93.184.216.34%0aexample.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946%0a@]%0a%0aThe IPv4 and IPv6 address must exactly match the IPs that [[openhttpd/configure|OpenHTTPd]] is listening on.%0a%0a'''Note''': You '''cannot''' request a domain you don't own! 
The domain must point to an IP you own.%0a%0a There are a few possible mistakes:%0a%0a# Your web server is listening only one IPv4 but your DNS record includes IPv6; or vice versa.%0a# You have the wrong IP addresses.%0a# DNS records are missing.%0a%0aIf you have missing records, you will see this response:%0a%0a[@%0aHost example.com not found: 3(NXDOMAIN)%0a@]%0a%0aYou will either need to speak with your DNS provider or you will need to troubleshoot [[nsd/troubleshoot|nsd]].%0a%0a!!! OpenHTTPd Misconfigured%0a%0aIf [[openhttpd/configure|openhttpd]] is not configured and running properly, acme-client won't work.%0a%0a(acme-client uses the "http-01" challenge. A file is created with a special message in @@/var/www/acme/@@, and the certificate authority requests that file using the URL @@http://example.com/.well-known/acme-challenge/*@@. )%0a%0aTo test if your web server is running properly, use [[telnet/http|telnet]] (replacing @@example.com@@ with your domain) from another computer:%0a%0a[@%0a$ telnet example.com 80%0aGET /index.html HTTP/1.1%0aHost: example.com%0a@]%0a%0aYou should a response similar to the one below:%0a%0a[@%0aHTTP/1.0 302 Found%0aDate: Tue, 23 Feb 2021 14:01:28 GMT%0aOpenBSD httpd%0aConnection: close%0aContent-Type: text/html%0aContent-Length: 486%0aLocation: https://example.com/index.html%0a...%0a@]%0a%0aIf you do not get this response, double check your openhttpd configuration.%0a%0a'''Note''': Using the telnet command above is more reliable than visiting the URL in a web browser. By default, httpd.conf (and most web browsers) will forward all requests for port 80 to port 443. As a result, your web browser will see what is listening on port 443, but the certificate authority will test port 80 only.%0a%0a%0a!!! 
Incorrect File Permissions%0a%0aDouble check the file permissions for /var/www and /var/www/acme:%0a%0a[@%0a$ ls -ld /var/www /var/www/acme%0adrwxr-xr-x 10 root daemon 512 Oct 5 07:47 /var/www%0adrwxr-xr-x 2 root daemon 512 Oct 5 07:47 /var/www/acme%0a@]%0a%0a!! Automation%0a%0aLet's Encrypt TLS certs expire after 90 days, while Buypass certs expire after 180. For both, you must remember to request the TLS cert or TLS will stop working. To avoid forgetting, we can automate the request process using [[crontab/edit|crontab]].%0a%0a[@%0a$ doas crontab -e%0a@]%0a%0aAdd this line at the bottom:%0a%0a[@%0a~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1%0a@]%0a%0aThis cronjob will check the certificate once each day, at a random time of day, to see if it needs to be renewed. If it does, it will renew the cert.%0a%0aSee Also:%0a%0a|| border=1 width=100%25 class="sortable simpletable"%0a|| [[openhttpd/configure|Configure OpenHTTPd]] || Configure HTTPd ||%0a|| [[telnet/http|Telnet HTTP]] || Use Telnet to Troubleshoot HTTP ||%0a|| [[openssl/http|OpenSSL HTTP]] || Use OpenSSL to Troubleshoot HTTPS ||%0a +time=1649038510 title=Configuring Acme-client +author:1649038510=jrmu +diff:1649038510:1644404186:=299c299%0a%3c ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1%0a---%0a> ~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd%0a302c302%0a%3c This cronjob will check the certificate once each day, at a random time of day, to see if it needs to be renewed. If it does, it will renew the cert.%0a---%0a> This cronjob will check the certificate once each day, at a random time of day, to see if it needs to be renewed. If it does, it will renew the cert, then reload openhttpd to use it.%0a +host:1649038510=38.87.162.154 author:1644404186=SummerSonw csum:1644404186=https://acme-staging-v02.api.letsencrypt.org/directory diff:1644404186:1644404177:=
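Review bot: the new `+text=` drops `&& rcctl reload httpd` from the cron line and the clause "then reload openhttpd to use it" from the sentence after it, but nothing else on the page tells the reader to reload httpd after a renewal. httpd reads /etc/ssl/example.com.crt only when it starts or is reloaded, so with the new cron line the renewed certificate sits on disk while httpd keeps serving the old one until it expires, which defeats the purpose of the Automation section. acme-client exits 0 only when the certificate actually changed (2 when it was still valid and nothing was renewed), so the `&&` reloads httpd only on a real renewal, not every day. Suggest restoring the previous revision's line `~ ~ * * * acme-client example.com >> /var/log/acme-client.log 2>&1 && rcctl reload httpd` together with the explanatory clause, or, if the removal is deliberate, saying why in the change summary: the hunk sets `+csum=` to empty, so the reason for dropping the reload is not recorded anywhere in this revision.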