Acme.sh can't get a certificate because the existing certificate is self signed


#1

Please fill out the fields below so we can help you better.

My domain is:

www-br.llnl.gov

I ran this command:

First I tried certbot, but then switched to acme.sh.

acme.sh --issue -d www-br.llnl.gov -d www-br.ucllnl.org -d www-eng-x.llnl.gov -w /wwwbr1/www/br --debug 2

These are all the same machine; just different aliases.

It produced this output:

[Mon Feb 13 20:07:19 PST 2017] Lets find script dir.
[Mon Feb 13 20:07:19 PST 2017] SCRIPT=’/root/.acme.sh/acme.sh’
[Mon Feb 13 20:07:19 PST 2017] _script=’/root/.acme.sh/acme.sh’
[Mon Feb 13 20:07:19 PST 2017] _script_home=’/root/.acme.sh’
[Mon Feb 13 20:07:19 PST 2017] Using config home:/root/.acme.sh
[Mon Feb 13 20:07:19 PST 2017] LE_WORKING_DIR=’/root/.acme.sh’


v2.6.6
[Mon Feb 13 20:07:19 PST 2017] Using api:
[Mon Feb 13 20:07:19 PST 2017] Using config home:/root/.acme.sh
[Mon Feb 13 20:07:19 PST 2017] DOMAIN_PATH=’/root/.acme.sh/www-br.llnl.gov’
[Mon Feb 13 20:07:19 PST 2017] Le_NextRenewTime
[Mon Feb 13 20:07:19 PST 2017] 1:Le_Domain=‘www-br.llnl.gov
[Mon Feb 13 20:07:19 PST 2017] 2:Le_Alt=‘www-br.ucllnl.org,www-eng-x.llnl.gov
[Mon Feb 13 20:07:19 PST 2017] 3:Le_Webroot=’/wwwbr1/www/br’
[Mon Feb 13 20:07:19 PST 2017] 4:Le_PreHook=’’
[Mon Feb 13 20:07:19 PST 2017] 5:Le_PostHook=’’
[Mon Feb 13 20:07:19 PST 2017] 6:Le_RenewHook=’’
[Mon Feb 13 20:07:19 PST 2017] 7:Le_API=‘https://acme-v01.api.letsencrypt.org
[Mon Feb 13 20:07:19 PST 2017] _on_before_issue
[Mon Feb 13 20:07:19 PST 2017] ‘/wwwbr1/www/br’ does not contain ‘no’
[Mon Feb 13 20:07:19 PST 2017] Le_LocalAddress
[Mon Feb 13 20:07:19 PST 2017] Check for domain=‘www-br.llnl.gov
[Mon Feb 13 20:07:19 PST 2017] _currentRoot=’/wwwbr1/www/br’
[Mon Feb 13 20:07:19 PST 2017] Check for domain=‘www-br.ucllnl.org
[Mon Feb 13 20:07:19 PST 2017] _currentRoot=’/wwwbr1/www/br’
[Mon Feb 13 20:07:19 PST 2017] Check for domain=‘www-eng-x.llnl.gov
[Mon Feb 13 20:07:19 PST 2017] _currentRoot=’/wwwbr1/www/br’
[Mon Feb 13 20:07:19 PST 2017] ‘/wwwbr1/www/br’ does not contain ‘apache’
[Mon Feb 13 20:07:19 PST 2017] config file is empty, can not read CA_KEY_HASH
[Mon Feb 13 20:07:19 PST 2017] _saved_account_key_hash
[Mon Feb 13 20:07:19 PST 2017] Using config home:/root/.acme.sh
[Mon Feb 13 20:07:19 PST 2017] RSA key
[Mon Feb 13 20:07:20 PST 2017] AGREEMENT
[Mon Feb 13 20:07:20 PST 2017] Registering account
[Mon Feb 13 20:07:20 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/new-reg
[Mon Feb 13 20:07:20 PST 2017] payload=’{“resource”: “new-reg”, “agreement”: “”}’
[Mon Feb 13 20:07:20 PST 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
[Mon Feb 13 20:07:20 PST 2017] Get nonce.
[Mon Feb 13 20:07:20 PST 2017] GET
[Mon Feb 13 20:07:20 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/directory
[Mon Feb 13 20:07:20 PST 2017] timeout
[Mon Feb 13 20:07:20 PST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.6IMlCQhCW4 '
[Mon Feb 13 20:07:21 PST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Mon Feb 13 20:07:21 PST 2017] Here is the curl dump log:
[Mon Feb 13 20:07:21 PST 2017] == Info: About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
== Info: Trying 23.10.197.215… == Info: connected
== Info: Connected to acme-v01.api.letsencrypt.org (23.10.197.215) port 443 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: Certificate is signed by an untrusted issuer: ‘E=ca@llnl.gov,CN=ca.llnl.gov,OU=Cyber Security Program,O=Lawrence Livermore National Laboratory,L=Livermore,ST=California,C=US’
== Info: NSS error -8172
== Info: Closing connection #0
== Info: Peer certificate cannot be authenticated with known CA certificates
[Mon Feb 13 20:07:21 PST 2017] ret=‘60’
[Mon Feb 13 20:07:21 PST 2017] Can not connect to https://acme-v01.api.letsencrypt.org/directory to get nonce.
[Mon Feb 13 20:07:21 PST 2017] Register account Error:
[Mon Feb 13 20:07:21 PST 2017] _on_issue_err
[Mon Feb 13 20:07:21 PST 2017] Please add ‘--debug’ or ‘--log’ to check more details.
[Mon Feb 13 20:07:21 PST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Feb 13 20:07:21 PST 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.0d 26 Jan 2017
apache:
Server version: Apache/2.4.23 (Unix)
Server built: Feb 10 2017 19:49:23
Server’s Module Magic Number: 20120211:61
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with…
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr"
-D SUEXEC_BIN="/usr/bin/suexec"
-D DEFAULT_PIDLOG="/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD=“logs/apache_runtime_status”
-D DEFAULT_ERRORLOG=“logs/error_log”
-D AP_TYPES_CONFIG_FILE="/etc/httpd/conf/mime.types"
-D SERVER_CONFIG_FILE="/etc/httpd/conf/httpd.conf"
nc:
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
[-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-p port Specify local port for remote connects
-r Randomize remote ports
-S Enable the TCP MD5 signature option
-s addr Local source address
-T ToS Set IP Type of Service
-C Send CRLF as line-ending
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: “4”, “5” (SOCKS) or “connect”
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]

My operating system is (include version):

RHEL 6.8

My web server is (include version):

apache 2.4.23, with the ssl patch on top of 2.4.23

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes. I’m using ssh as root.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

It seems to be complaining about the following:

  1. getting stuck on the curl statement (producing error 60) which comes from the nss statement (error -8172)
  2. there isn’t a /wwwbr1/www/br/apache. Yes, that’s true. Why should there be?
  3. there isn’t a /wwwbr1/www/br/no. Yes, that’s true. Why should there be?

Is there some way to get around the 60/8172 errors?

Thank you for your efforts, support, and great tool!

Scott


#2

Please try on your server.

curl https://acme-v01.api.letsencrypt.org/directory

I guess the letsencrypt CA’s api certificate is not trusted by your system.

Please add --insecure to your command and try again.

acme.sh --issue  -d ...  -d ...   -w ...      --insecure
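
Added example (not part of the original posts): the curl trace in post #1 names the issuer that failed verification, and that name shows whether the local CA bundle is simply out of date or whether a different CA, such as a site TLS-inspection proxy, signed the certificate presented for the API host. The sketch below triages a trace in that format; the sample trace is constructed from the lines quoted above, and `EXPECTED_ORG` is a hypothetical placeholder for the organisation you expect to have issued the API certificate.

```shell
#!/bin/sh
# Added example: triage a curl --trace-ascii dump that ended in error 60.

# Hypothetical placeholder: regex for the issuer organisation you expect
# to see on the API host's certificate.
EXPECTED_ORG='Example Public CA'

# Constructed sample, in the format of the trace quoted in post #1
# (straight quotes, as curl prints them).
sample_trace() {
cat <<'EOF'
== Info: About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
== Info: Connected to acme-v01.api.letsencrypt.org (23.10.197.215) port 443 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info:   CAfile: /etc/pki/tls/certs/ca-bundle.crt
== Info: Certificate is signed by an untrusted issuer: 'E=ca@llnl.gov,CN=ca.llnl.gov,OU=Cyber Security Program,O=Lawrence Livermore National Laboratory,L=Livermore,ST=California,C=US'
== Info: NSS error -8172
== Info: Peer certificate cannot be authenticated with known CA certificates
EOF
}

# Issuer DN of the rejected certificate (empty if the trace has none).
trace_issuer() {
    sed -n "s/^== Info: Certificate is signed by an untrusted issuer: '\(.*\)'.*/\1/p" | head -n 1
}

# Host name curl connected to.
trace_host() {
    sed -n 's/^== Info: Connected to \([^ ]*\) .*/\1/p' | head -n 1
}

# Value of one attribute (CN, O, C, ...) from a comma-separated DN.
# Usage: dn_attr ATTR DN   (does not handle escaped commas inside values)
dn_attr() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^ *$1=//p" | head -n 1
}

# Read a trace on stdin; $1 is the regex for the expected issuer organisation.
#   stale-trust-store  : the expected CA signed it, the local bundle lacks it
#   unexpected-issuer  : some other CA signed what was presented for this host
triage() {
    trace=$(cat)
    issuer=$(printf '%s\n' "$trace" | trace_issuer)
    host=$(printf '%s\n' "$trace" | trace_host)
    if [ -z "$issuer" ]; then
        echo "no-untrusted-issuer"
        return 0
    fi
    org=$(dn_attr O "$issuer")
    if printf '%s\n' "$org" | grep -Eq "$1"; then
        echo "stale-trust-store host=$host issuer-org=$org"
    else
        echo "unexpected-issuer host=$host issuer-org=$org"
    fi
}

sample_trace | triage "$EXPECTED_ORG"
```

For the unexpected-issuer case, acme.sh's `--ca-bundle <file>` option lets the client verify against that CA's certificate (obtained out of band) instead of switching verification off with `--insecure`.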

#3

I ran this command:

acme.sh --issue -d www-br.llnl.gov -d www-br.ucllnl.org -d www-eng-x.llnl.gov -w /wwwbr1/www/br --debug 2 --insecure

It produced this output:

.
.
.
e-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934#http-01#/wwwbr1/www/br
[Tue Feb 14 09:10:02 PST 2017] Getting webroot for domain=‘www-eng-x.llnl.gov
[Tue Feb 14 09:10:02 PST 2017] _w=’/wwwbr1/www/br’
[Tue Feb 14 09:10:02 PST 2017] _currentRoot=’/wwwbr1/www/br’
[Tue Feb 14 09:10:02 PST 2017] Getting new-authz for domain=‘www-eng-x.llnl.gov
[Tue Feb 14 09:10:02 PST 2017] Try new-authz for the 0 time.
[Tue Feb 14 09:10:02 PST 2017] _is_idn_d=‘www-eng-x.llnl.gov
[Tue Feb 14 09:10:02 PST 2017] _idn_temp
[Tue Feb 14 09:10:02 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/new-authz
[Tue Feb 14 09:10:02 PST 2017] payload=’{“resource”: “new-authz”, “identifier”: {“type”: “dns”, “value”: “www-eng-x.llnl.gov”}}’
[Tue Feb 14 09:10:02 PST 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
[Tue Feb 14 09:10:02 PST 2017] Use _CACHED_NONCE=‘MJ6p5jv8J3K6rpe5JZPv13QG64LI_XRpwCmuSQZFTNI’
[Tue Feb 14 09:10:02 PST 2017] nonce=‘MJ6p5jv8J3K6rpe5JZPv13QG64LI_XRpwCmuSQZFTNI’
[Tue Feb 14 09:10:02 PST 2017] POST
[Tue Feb 14 09:10:02 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/new-authz
[Tue Feb 14 09:10:02 PST 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.UUgkXYvn0P --insecure ‘
[Tue Feb 14 09:10:03 PST 2017] _ret=‘0’
[Tue Feb 14 09:10:03 PST 2017] original=’{
“identifier”: {
“type”: “dns”,
“value”: “www-eng-x.llnl.gov
},
“status”: “pending”,
“expires”: “2017-02-21T17:10:02.997812412Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574345”,
“token”: “nqWCV732bsvH5s7CevDLn85489RISQYt3rZ8gc7CVm8”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574347”,
“token”: “3xBLz-q_iNllZjsRwEhRaQAUzRnFqpZ8CtCuVEKdqFY”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574349”,
“token”: “GF-uWtp1w4xIr7AY89ZqLohDYhwBsRviUqga-kIPctQ”
}
],
“combinations”: [
[
0
],
[
2
],
[
1
]
]
}’
[Tue Feb 14 09:10:03 PST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 14 Feb 2017 17:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 1003
Boulder-Request-Id: QrSr6xDuTP8K8LCCVXG2VCrwX_IF-7HzViffpwCmbkQ
Boulder-Requester: 9585373
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI
Replay-Nonce: mGYLcMtvSULXVBZTWBlSGuakb8dxhElMy9kPl9zu4qU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 14 Feb 2017 17:10:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 14 Feb 2017 17:10:03 GMT
Connection: keep-alive

[Tue Feb 14 09:10:03 PST 2017] response=’{“identifier”:{“type”:“dns”,“value”:“www-eng-x.llnl.gov”},“status”:“pending”,“expires”:“2017-02-21T17:10:02.997812412Z”,“challenges”:[{“type”:“dns-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574345",“token”:“nqWCV732bsvH5s7CevDLn85489RISQYt3rZ8gc7CVm8”},{“type”:“tls-sni-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574347”,“token”:“3xBLz-q_iNllZjsRwEhRaQAUzRnFqpZ8CtCuVEKdqFY”},{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574349”,“token”:“GF-uWtp1w4xIr7AY89ZqLohDYhwBsRviUqga-kIPctQ”}],"combinations”:[[0],[2],[1]]}’
[Tue Feb 14 09:10:03 PST 2017] code=‘201’
[Tue Feb 14 09:10:03 PST 2017] The new-authz request is ok.
[Tue Feb 14 09:10:03 PST 2017] entry=’“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574349",“token”:"GF-uWtp1w4xIr7AY89ZqLohDYhwBsRviUqga-kIPctQ”’
[Tue Feb 14 09:10:03 PST 2017] token=‘GF-uWtp1w4xIr7AY89ZqLohDYhwBsRviUqga-kIPctQ’
[Tue Feb 14 09:10:03 PST 2017] uri=‘https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574349
[Tue Feb 14 09:10:03 PST 2017] keyauthorization=‘GF-uWtp1w4xIr7AY89ZqLohDYhwBsRviUqga-kIPctQ.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE’
[Tue Feb 14 09:10:03 PST 2017] dvlist=‘www-eng-x.llnl.gov#GF-uWtp1w4xIr7AY89ZqLohDYhwBsRviUqga-kIPctQ.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE#https://acme-v01.api.letsencrypt.org/acme/challenge/UUQanxOVn0ACHCtJ13q79VZLPO41rbWqX9M8QKX8rDI/649574349#http-01#/wwwbr1/www/br
[Tue Feb 14 09:10:03 PST 2017] ok, let’s start to verify
[Tue Feb 14 09:10:03 PST 2017] Verifying:www-br.llnl.gov
[Tue Feb 14 09:10:03 PST 2017] d=‘www-br.llnl.gov
[Tue Feb 14 09:10:03 PST 2017] keyauthorization=‘a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE’
[Tue Feb 14 09:10:03 PST 2017] uri=‘https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644
[Tue Feb 14 09:10:03 PST 2017] _currentRoot=’/wwwbr1/www/br’
[Tue Feb 14 09:10:03 PST 2017] wellknown_path=’/wwwbr1/www/br/.well-known/acme-challenge’
[Tue Feb 14 09:10:03 PST 2017] writing token:a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA to /wwwbr1/www/br/.well-known/acme-challenge/a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA
[Tue Feb 14 09:10:03 PST 2017] Changing owner/group of .well-known to root:root
[Tue Feb 14 09:10:03 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644
[Tue Feb 14 09:10:03 PST 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”}’
[Tue Feb 14 09:10:03 PST 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
[Tue Feb 14 09:10:03 PST 2017] Use _CACHED_NONCE=‘mGYLcMtvSULXVBZTWBlSGuakb8dxhElMy9kPl9zu4qU’
[Tue Feb 14 09:10:03 PST 2017] nonce=‘mGYLcMtvSULXVBZTWBlSGuakb8dxhElMy9kPl9zu4qU’
[Tue Feb 14 09:10:03 PST 2017] POST
[Tue Feb 14 09:10:03 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644
[Tue Feb 14 09:10:03 PST 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.gLOGW9vKO6 --insecure ‘
[Tue Feb 14 09:10:04 PST 2017] _ret=‘0’
[Tue Feb 14 09:10:04 PST 2017] original=’{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644”,
“token”: “a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA”,
“keyAuthorization”: “a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”
}’
[Tue Feb 14 09:10:04 PST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 14 Feb 2017 17:10:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 335
Boulder-Request-Id: Bq3tpopicGz3l91Gs1Gj54sK7voqIwf8mfHf9UpXsYs
Boulder-Requester: 9585373
Link: https://acme-v01.api.letsencrypt.org/acme/authz/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644
Replay-Nonce: CnNZgPv5-n1Hue94W08GwTlpTNST2aO0EQ3YynnEKYs
Expires: Tue, 14 Feb 2017 17:10:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 14 Feb 2017 17:10:04 GMT
Connection: keep-alive

[Tue Feb 14 09:10:04 PST 2017] response=’{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644",“token”:“a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA”,“keyAuthorization”:"a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”}’
[Tue Feb 14 09:10:04 PST 2017] code=‘202’
[Tue Feb 14 09:10:04 PST 2017] sleep 2 secs to verify
[Tue Feb 14 09:10:06 PST 2017] checking
[Tue Feb 14 09:10:06 PST 2017] GET
[Tue Feb 14 09:10:06 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644
[Tue Feb 14 09:10:06 PST 2017] timeout
[Tue Feb 14 09:10:06 PST 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.n5Al9jVQc3 --insecure ‘
[Tue Feb 14 09:10:07 PST 2017] ret=‘0’
[Tue Feb 14 09:10:07 PST 2017] original=’{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644”,
“token”: “a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA”,
“keyAuthorization”: “a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”,
“validationRecord”: [
{
“url”: “http://www-br.llnl.gov/.well-known/acme-challenge/a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA”,
“hostname”: “www-br.llnl.gov”,
“port”: “80”,
“addressesResolved”: [
“198.128.229.135”
],
“addressUsed”: “198.128.229.135”
}
]
}’
[Tue Feb 14 09:10:07 PST 2017] response=’{“type”:“http-01”,“status”:“valid”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/-C0mMOK0_rjNPjU-P33TWCkyb4EEXvXxSQZ6gbpSNLM/649573644",“token”:“a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA”,“keyAuthorization”:“a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”,“validationRecord”:[{“url”:“http://www-br.llnl.gov/.well-known/acme-challenge/a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA”,“hostname”:“www-br.llnl.gov”,“port”:“80”,“addressesResolved”:[“198.128.229.135”],“addressUsed”:"198.128.229.135”}]}’
[Tue Feb 14 09:10:07 PST 2017] Success
[Tue Feb 14 09:10:07 PST 2017] pid
[Tue Feb 14 09:10:07 PST 2017] Debugging, skip removing: /wwwbr1/www/br/.well-known
[Tue Feb 14 09:10:07 PST 2017] Verifying:www-br.ucllnl.org
[Tue Feb 14 09:10:07 PST 2017] d=‘www-br.ucllnl.org
[Tue Feb 14 09:10:07 PST 2017] keyauthorization=‘TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE’
[Tue Feb 14 09:10:07 PST 2017] uri=‘https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934
[Tue Feb 14 09:10:07 PST 2017] _currentRoot=’/wwwbr1/www/br’
[Tue Feb 14 09:10:07 PST 2017] wellknown_path=’/wwwbr1/www/br/.well-known/acme-challenge’
[Tue Feb 14 09:10:07 PST 2017] writing token:TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8 to /wwwbr1/www/br/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8
[Tue Feb 14 09:10:07 PST 2017] Changing owner/group of .well-known to root:root
[Tue Feb 14 09:10:07 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934
[Tue Feb 14 09:10:07 PST 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”}’
[Tue Feb 14 09:10:07 PST 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
[Tue Feb 14 09:10:07 PST 2017] Use _CACHED_NONCE=‘CnNZgPv5-n1Hue94W08GwTlpTNST2aO0EQ3YynnEKYs’
[Tue Feb 14 09:10:07 PST 2017] nonce=‘CnNZgPv5-n1Hue94W08GwTlpTNST2aO0EQ3YynnEKYs’
[Tue Feb 14 09:10:07 PST 2017] POST
[Tue Feb 14 09:10:07 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934
[Tue Feb 14 09:10:07 PST 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.k2H22K3vrR --insecure ‘
[Tue Feb 14 09:10:08 PST 2017] _ret=‘0’
[Tue Feb 14 09:10:08 PST 2017] original=’{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934”,
“token”: “TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8”,
“keyAuthorization”: “TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”
}’
[Tue Feb 14 09:10:08 PST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 14 Feb 2017 17:10:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 335
Boulder-Request-Id: MA_Fjixg51-w1tpcd6_sev0nf-NAdzHS77eoqQJ76xg
Boulder-Requester: 9585373
Link: https://acme-v01.api.letsencrypt.org/acme/authz/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934
Replay-Nonce: 6cwcqmnmLukZL_CJt2-BtUQsmP_cA5LL63QaOuKHoEc
Expires: Tue, 14 Feb 2017 17:10:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 14 Feb 2017 17:10:08 GMT
Connection: keep-alive

[Tue Feb 14 09:10:08 PST 2017] response=’{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934",“token”:“TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8”,“keyAuthorization”:"TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”}’
[Tue Feb 14 09:10:08 PST 2017] code=‘202’
[Tue Feb 14 09:10:08 PST 2017] sleep 2 secs to verify
[Tue Feb 14 09:10:10 PST 2017] checking
[Tue Feb 14 09:10:10 PST 2017] GET
[Tue Feb 14 09:10:10 PST 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934
[Tue Feb 14 09:10:10 PST 2017] timeout
[Tue Feb 14 09:10:10 PST 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.1tnhR2bESq --insecure ‘
[Tue Feb 14 09:10:11 PST 2017] ret=‘0’
[Tue Feb 14 09:10:11 PST 2017] original=’{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:unauthorized”,
“detail”: “Invalid response from http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8: “\u003c!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp””,
“status”: 403
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934”,
“token”: “TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8”,
“keyAuthorization”: “TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”,
“validationRecord”: [
{
“url”: “http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8”,
“hostname”: “www-br.ucllnl.org”,
“port”: “80”,
“addressesResolved”: [
“198.128.229.135”
],
“addressUsed”: “198.128.229.135”
}
]
}’
[Tue Feb 14 09:10:11 PST 2017] response=’{“type”:“http-01”,“status”:“invalid”,“error”:{“type”:“urn:acme:error:unauthorized”,“detail”:“Invalid response from http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8: “\u003c!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp””,“status”: 403},“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/tF3b2dX9RPXO831PXxLBWLaiu9su15xAj3xIVDV3yVo/649573934",“token”:“TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8”,“keyAuthorization”:“TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8.hHP-OMfDsPttoXueFLmQizHSAVJNBHTTRm2TKb4nwmE”,“validationRecord”:[{“url”:“http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8”,“hostname”:“www-br.ucllnl.org”,“port”:“80”,“addressesResolved”:[“198.128.229.135”],“addressUsed”:"198.128.229.135”}]}’
[Tue Feb 14 09:10:11 PST 2017] error=’“error”:{“type”:“urn:acme:error:unauthorized”,“detail”:"Invalid response from http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8: '
[Tue Feb 14 09:10:11 PST 2017] errordetail='Invalid response from http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8: '
[Tue Feb 14 09:10:11 PST 2017] www-br.ucllnl.org:Verify error:Invalid response from http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8:
[Tue Feb 14 09:10:11 PST 2017] Debug: get token url.
[Tue Feb 14 09:10:11 PST 2017] GET
[Tue Feb 14 09:10:11 PST 2017] url=‘http://www-br.ucllnl.org/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8
[Tue Feb 14 09:10:11 PST 2017] timeout=‘1’
[Tue Feb 14 09:10:11 PST 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --trace-ascii /tmp/tmp.Y8FXPzHbpC --insecure --connect-timeout 1’

404 Not Found

Not Found

The requested URL /.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8 was not found on this server.


Apache Server at www-br.ucllnl.org Port 80
[Tue Feb 14 09:10:11 PST 2017] ret='0'
[Tue Feb 14 09:10:11 PST 2017] Debugging, skip removing: /wwwbr1/www/br/.well-known/acme-challenge/TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8
[Tue Feb 14 09:10:11 PST 2017] pid
[Tue Feb 14 09:10:11 PST 2017] _clearupdns
[Tue Feb 14 09:10:11 PST 2017] Dns not added, skip.
[Tue Feb 14 09:10:11 PST 2017] _on_issue_err
[Tue Feb 14 09:10:11 PST 2017] Please add '--debug' or '--log' to check more details.
[Tue Feb 14 09:10:11 PST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Feb 14 09:10:11 PST 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.0d 26 Jan 2017
apache:
Server version: Apache/2.4.23 (Unix)
Server built: Feb 10 2017 19:49:23
Server's Module Magic Number: 20120211:61
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr"
-D SUEXEC_BIN="/usr/bin/suexec"
-D DEFAULT_PIDLOG="/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/httpd/conf/mime.types"
-D SERVER_CONFIG_FILE="/etc/httpd/conf/httpd.conf"
nc:
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
[-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-p port Specify local port for remote connects
-r Randomize remote ports
-S Enable the TCP MD5 signature option
-s addr Local source address
-T ToS Set IP Type of Service
-C Send CRLF as line-ending
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]

It did indeed create the acme directory tree in the directory that I specified ():

ls /wwwbr1/www/br/.

./ ../ .well-known/

ls /wwwbr1/www/br/.well-known/

acme-challenge

ls -alF /wwwbr1/www/br/.well-known/

total 12
drwxr-xr-x 3 root root 4096 Feb 14 09:10 ./
drwxr-xr-x 11 root root 4096 Feb 14 09:10 ../
drwxr-xr-x 2 root root 4096 Feb 14 09:10 acme-challenge/

ls -alF /wwwbr1/www/br/.well-known/acme-challenge/

total 16
drwxr-xr-x 2 root root 4096 Feb 14 09:10 ./
drwxr-xr-x 3 root root 4096 Feb 14 09:10 ../
-rw-r--r-- 1 root root 87 Feb 14 09:10 a0G-6bah0XGc2g69Ojj3M60QHFSF6FPJRaPsLICFVSA
-rw-r--r-- 1 root root 87 Feb 14 09:10 TTJzczwKPL0Tp0-2ppYWI227c7Wko_WKxQ7RtYKXet8

and these files are visible using my web browser:

http://www-br.llnl.gov/.well-known/acme-challenge/

In reading through the above output, it appears that there are a couple of ‘Invalid response’ items towards the bottom.

The --insecure flag helped, but now it seems to be having problems further along in processing the responses.

Scott


#4

Ah… I see the issue with the latest problem. My 3 aliases have 3 different top-level directories in the disk’s directory tree. This is why the first one worked (www-br.llnl.gov), but the other 2 didn’t.

So I have created a symbolic link from the latter two directory trees (specified by their conf.d/*.conf DocumentRoot entries) to the first .well-known.

Then I reran the acme.sh command and it correctly produced the .key and .cer files. So the solution was:

  1. include the --insecure command line flag (and the --debug flag)

  2. make sure that conf.d/www-*.conf | grep DocumentRoot all point to the same .well-known via symbolic links for the latter two. In debug mode, .well-known is not erased, so it is easy to see where the latter two aliases’ symbolic links should point.

Thank you!

Scott


#5

Hi @nelson18

You don’t need to link all the web root folders to the same one. You can specify different web root folders for each domain:

acme.sh  --issue  -d  domain1.com   -w  /path/to/www1    -d  domain2.com  -w /path/to/www2 ....

You are running an Apache server, so another choice would be to use Apache mode:

acme.sh  --issue  --apache  -d domain1.com  -d domain2.com ....
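
Added example (not part of the original posts): one way to derive the per-domain `-d ... -w ...` pairs from the Apache configuration itself, so that each name is validated against the DocumentRoot of the port-80 vhost that actually serves it. The host names, DocumentRoot paths and file names are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build "acme.sh --issue -d NAME -w DOCROOT ..." from vhost files.

# Constructed sample: two conf files in a temp dir; prints the dir path.
make_sample_confs() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/main.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot "/srv/www/main"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot "/srv/www/main-tls"
</VirtualHost>
EOF
    cat > "$dir/alias.conf" <<'EOF'
<VirtualHost *:80>
    ServerName alias.example.net
    DocumentRoot /srv/www/alias
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# Print "name<TAB>docroot" for every ServerName/ServerAlias of each port-80
# vhost (http-01 validation arrives on port 80). Directive names are matched
# case-insensitively; DocumentRoot paths containing spaces are not handled.
vhost_map() {
    awk '
        function unq(s) { gsub(/^"|"$/, "", s); return s }
        tolower($1) ~ /^<virtualhost/ {
            n = 0; root = ""; emit = ($0 ~ /:80[ >]/); next
        }
        tolower($1) == "servername"   { names[++n] = $2; next }
        tolower($1) == "serveralias"  { for (i = 2; i <= NF; i++) names[++n] = $i; next }
        tolower($1) == "documentroot" { root = unq($2); next }
        tolower($1) ~ /^<\/virtualhost/ {
            if (emit && root != "")
                for (i = 1; i <= n; i++) print tolower(names[i]) "\t" root
            emit = 0
        }
    ' "$@"
}

# Usage: acme_webroot_args CONF_DIR DOMAIN...
# Prints the acme.sh command line; fails if a domain has no port-80 vhost.
acme_webroot_args() {
    confdir=$1; shift
    map=$(vhost_map "$confdir"/*.conf)
    args=""
    for d in "$@"; do
        root=$(printf '%s\n' "$map" |
               awk -F '\t' -v d="$d" '$1 == tolower(d) { print $2; exit }')
        if [ -z "$root" ]; then
            echo "no port-80 vhost with a DocumentRoot for $d" >&2
            return 1
        fi
        args="$args -d $d -w $root"
    done
    printf 'acme.sh --issue%s\n' "$args"
}

sample_dir=$(make_sample_confs)
acme_webroot_args "$sample_dir" www.example.org alias.example.net
rm -rf "$sample_dir"
```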

#6

Very nice. Thank you!

Scott

