Can not get domain token


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wifi.fscons.ru

I ran this command: /usr/local/pkg/acme/acme.sh --issue -d ‘wifi.fscons.ru’ --home ‘/tmp/acme/wifi.fscons.ru/’ --accountconf ‘/tmp/acme/wifi.fscons.ru/accountconf.conf’ --force --reloadCmd ‘/tmp/acme/wifi.fscons.ru/reloadcmd.sh’ --tls --listen-v4 --tlsport ‘443’ --log-level 3 --log ‘/tmp/acme/wifi.fscons.ru/acme_issuecert.log’

It produced this output:

wifi.fscons.ru
Renewing certificateaccount: wifi
server: letsencrypt-production

/usr/local/pkg/acme/acme.sh --issue -d ‘wifi.fscons.ru’ --home ‘/tmp/acme/wifi.fscons.ru/’ --accountconf ‘/tmp/acme/wifi.fscons.ru/accountconf.conf’ --force --reloadCmd ‘/tmp/acme/wifi.fscons.ru/reloadcmd.sh’ --tls --listen-v4 --tlsport ‘443’ --log-level 3 --log ‘/tmp/acme/wifi.fscons.ru/acme_issuecert.log’

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[port] => 443
[ipv6] =>
)
[Wed Jan 24 11:49:01 MSK 2018] Standalone tls mode.
[Wed Jan 24 11:49:02 MSK 2018] Single domain=‘wifi.fscons.ru
[Wed Jan 24 11:49:02 MSK 2018] Getting domain auth token for each domain
[Wed Jan 24 11:49:02 MSK 2018] Getting webroot for domain=‘wifi.fscons.ru
[Wed Jan 24 11:49:02 MSK 2018] Getting new-authz for domain=‘wifi.fscons.ru
[Wed Jan 24 11:49:04 MSK 2018] The new-authz request is ok.
[Wed Jan 24 11:49:04 MSK 2018] Error, can not get domain token wifi.fscons.ru
[Wed Jan 24 11:49:04 MSK 2018] Please check log file for more details: /tmp/acme/wifi.fscons.ru/acme_issuecert.log

My web server is (include version):PFSense

The operating system my web server runs on is (include version):FreeBSD

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

What do you see when you check that log?


#3

[Thu Jan 25 03:16:10 MSK 2018] code=‘201’
[Thu Jan 25 03:16:10 MSK 2018] The new-authz request is ok.
[Thu Jan 25 03:16:10 MSK 2018] base64 single line.
[Thu Jan 25 03:16:10 MSK 2018] entry
[Thu Jan 25 03:16:10 MSK 2018] Error, can not get domain token wifi.fscons.ru
[Thu Jan 25 03:16:10 MSK 2018] pid
[Thu Jan 25 03:16:10 MSK 2018] No need to restore nginx, skip.
[Thu Jan 25 03:16:10 MSK 2018] _clearupdns
[Thu Jan 25 03:16:10 MSK 2018] skip dns.
[Thu Jan 25 03:16:10 MSK 2018] _on_issue_err
[Thu Jan 25 03:16:10 MSK 2018] Please check log file for more details: /tmp/acme/wifi.fscons.ru/acme_issuecert.log
[Thu Jan 25 03:16:10 MSK 2018] _chk_vlist


#4

You are using the --tls option, which instructs acme.sh to use the tls-sni-01 validation method. However, the tls-sni-01 validation method was disabled due to security issues. Although using tls-sni-01 to renew previously existing certificates should be allowed, maybe it does not work in your case (e.g., I see that the --accountconf option specifies a file under /tmp, which probably means that acme.sh generates a new account key every time, and the whitelisting works only when the same account is used to renew the certificate).

You need to migrate to another supported validation method — either http-01 or dns-01.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.