Acme-client on FreeBSD failed to retrieve certificates, unable to revoke

My domain is: mail.bhatnagar.net.in bhatnagar.net.in

I ran this command: acme-client -vNn mail.bhatnagar.net.in

It produced this output:

acme-client: acme-client: /usr/local/etc/ssl/acme/private/privkey.pem: generating RSA domain key
/usr/local/etc/acme/privkey.pem: generating RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 118.214.136.206
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:140f:5:190::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:140f:5:185::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: $MYDOMAIN
acme-client: /usr/local/www/acme/pOhU3dDhHYyjyAM4SSkuiivzdhwgP3BnTCgwCofWf5Q: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6vV3EBQCqoq64zla9xtO8GQmoFqXnkPa8X-XaIu8Y-g/2135641107: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6vV3EBQCqoq64zla9xtO8GQmoFqXnkPa8X-XaIu8Y-g/2135641107: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 124.124.252.172
acme-client: cert.int-x3.letsencrypt.org: DNS: 124.124.252.99
acme-client: cert.int-x3.letsencrypt.org: DNS: 2600:1417:6d::170f:221a
acme-client: cert.int-x3.letsencrypt.org: DNS: 2600:1417:6d::170f:221b

My web server is (include version):
nginx-1.12.1_1,2

The operating system my web server runs on is (include version):
FreeBSD 11.1-RELEASE

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


Using acme-client-0.1.16_1 from packages, I found that acme-client would hang at the acme-client: cert.int-x3.letsencrypt.org: DNS: 2600:1417:6d::170f:221b. No certificates are successfully fetched despite the LetsEncrypt system registering them. I have mixed success with the staging servers. Since I do not have the certificates on my end, I am unable to revoke them and try again.

I have opened an issue on the acme-client repository as well:

Hi @manas,

I have no idea what's causing this problem. You're welcome, of course, to try a different client application and see if you experience any different results.

If you're referring to this software

we could try to ask @kelunik for help.

In any case, I just wanted to say in regard to your reference to revocation: Please do NOT revoke your certificates (if you ever have the opportunity). This is intended for situations such as a private key compromise. It does not "reset" anything on the CA side, it does not remove or reduce issuance rate limits, and it also generally does not "reset" the ACME client state. You are allowed to issue new certificates without revoking new certificates (up to a certain limit), but revoking old certificates does not permit issuing additional new certificates.


@schoen thank you for your response.

The link to the software is in my post. It is https://github.com/kristapsdz/acme-client and I have made an issue there as well.

For anyone else who happens to run into this problem: https://letsencrypt.org/docs/rate-limits/ documents rate limits.

There is a limit of 5 duplicate certificates a week, my certificates were issued (but failed to be retrieved) over a week ago so I am going to try again with verbose logging.
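One way to reason about that limit before retrying, as an added example that is not part of this thread or of the acme-client project: a small Python sliding-window check that treats certificates with an identical set of hostnames as duplicates and allows at most 5 of them per rolling 7-day window (the figure quoted above and in the Let's Encrypt rate-limit docs). The issuance records are constructed sample data using the two names from the original post; the day offsets are invented. Note that this is only local bookkeeping: the authoritative count lives at the CA, and certificates that were issued but never downloaded are still published to Certificate Transparency logs, which is where to count them if the client's own records are incomplete.

```python
"""Sliding-window check for the Let's Encrypt duplicate-certificate limit.

Added example; not from the forum thread or the acme-client project.
Assumption: at most 5 certificates with an identical hostname set per
rolling 7-day window. All issuance records below are constructed.
"""
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5         # certificates per window, as quoted in the thread
WINDOW = timedelta(days=7)  # rolling window


def hostname_key(names):
    """Normalize a hostname set so order, case and trailing dots do not matter."""
    return tuple(sorted(n.strip().lower().rstrip(".") for n in names))


def duplicate_issuances(records, names, now):
    """Issuance times, oldest first, of certificates whose hostname set is
    identical to `names` and that fall inside the window ending at `now`.
    `records` is a list of (issued_at, [hostnames]) pairs."""
    key = hostname_key(names)
    cutoff = now - WINDOW
    return sorted(t for t, n in records
                  if hostname_key(n) == key and cutoff < t <= now)


def can_issue(records, names, now):
    """True when one more duplicate certificate may be issued at `now`."""
    return len(duplicate_issuances(records, names, now)) < DUPLICATE_LIMIT


def next_allowed(records, names, now):
    """Earliest time another duplicate may be issued (`now` if already allowed).
    Enough of the oldest issuances must age out of the window to bring the
    count back under the limit."""
    recent = duplicate_issuances(records, names, now)
    if len(recent) < DUPLICATE_LIMIT:
        return now
    return recent[len(recent) - DUPLICATE_LIMIT] + WINDOW


def sample_records():
    """Constructed sample: five issuances for the same name set on consecutive
    days, the pattern a client retrying after failed downloads produces."""
    base = datetime(2017, 8, 1, tzinfo=timezone.utc)   # constructed date
    names = ["mail.bhatnagar.net.in", "bhatnagar.net.in"]
    return [(base + timedelta(days=i), names) for i in range(5)]


def sample_check(days_later):
    """Evaluate the limit `days_later` days after the first sample issuance.
    Returns (allowed, whole_days_until_allowed)."""
    base = datetime(2017, 8, 1, tzinfo=timezone.utc)
    now = base + timedelta(days=days_later)
    # Same set as the records, written in a different order and case on purpose.
    names = ["BHATNAGAR.NET.IN", "mail.bhatnagar.net.in"]
    recs = sample_records()
    wait = next_allowed(recs, names, now) - now
    return can_issue(recs, names, now), wait.days


if __name__ == "__main__":
    for d in (5, 7):
        allowed, wait = sample_check(d)
        print(f"day {d}: allowed={allowed}, wait {wait} day(s)")
```

Running it shows that on day 5 the five failed attempts still block a sixth, with two days to wait, while on day 7 the oldest attempt has left the window and issuance is allowed again; a request for a different name set (for example only the bare domain) is never counted against the same bucket.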


Just tried once more and I have successfully issued a certificate for my domains. No idea what the problem was but I’m glad I can move forward with my projects.

Thank you once again!

Edit: I was initially running acme-client in a jail with NAT & port forwarding (makes it easier to shift the configurations around). That’s how I have been using acme-client for the past year or so without problems. Not sure what the problem was this time but running acme-client and nginx on the host and not in a jail worked this time.

I’m glad you were able to get things working!

It feels like there are too many different tools called acme-client… maybe we should encourage some of the authors to choose more distinctive names for their projects to reduce confusion!
