My domain is: blog.stephane-huc.net
I ran this command:
acme-client -v blog.stephane-huc.net
It produced this output:
$ acme-client -v blog.stephane-huc.net
acme-client: /etc/ssl/acme/blog.stephane-huc.net.cert.pem: certificate renewable: 28 days left
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.38.4.37
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: blog.stephane-huc.net
acme-client: /var/www/acme/blog.stephane-huc.net/.well-known/acme-challenge/I8tex7T0VtWRAI1MLXFWSjbWDi3OCica7T_jz2euZ68: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/vhoFq1oFHf-SDg4vn8GLB7YA_E1YjNYTPJomaXbsC9A/1946384045: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/vhoFq1oFHf-SDg4vn8GLB7YA_E1YjNYTPJomaXbsC9A/1946384045: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/vhoFq1oFHf-SDg4vn8GLB7YA_E1YjNYTPJomaXbsC9A/1946384045: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://blog.stephane-huc.net/.well-known/acme-challenge/I8tex7T0VtWRAI1MLXFWSjbWDi3OCica7T_jz2euZ68: Error getting validation data", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vhoFq1oFHf-SDg4vn8GLB7YA_E1YjNYTPJomaXbsC9A/1946384045", "token": "I8tex7T0VtWRAI1MLXFWSjbWDi3OCica7T_jz2euZ68", "keyAuthorization": "I8tex7T0VtWRAI1MLXFWSjbWDi3OCica7T_jz2euZ68.btIkQ8owertOE1LvXr1mezl9i5h6KptZrzIehfgwdcg", "validationRecord": [ { "url": "http://blog.stephane-huc.net/.well-known/acme-challenge/I8tex7T0VtWRAI1MLXFWSjbWDi3OCica7T_jz2euZ68", "hostname": "blog.stephane-huc.net", "port": "80", "addressesResolved": [ "213.246.39.160", "2a00:c70:1:213:246:39:160:1" ], "addressUsed": "2a00:c70:1:213:246:39:160:1", "addressesTried": [] } ] }] (971 bytes)
acme-client: bad exit: netproc(73533): 1
My web server is (include version):
nginx version: nginx/1.12.1
built with LibreSSL 2.5.2
The operating system my web server runs on is (include version): OpenBSD 6.1
My hosting provider, if applicable, is: Ikoula.fr
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Hi, I attempt to explain the problem.
I have a few domains and subdomains managed on this server.
Almost all renew correctly, except two subdomains: ‘blog.stephane-huc.net’ and ‘ecrits.stephane-huc.net’.
I verified all folder rights and user rights on the www and acme directories. No change. No problem recognized.
I got the idea to comment out the CSP header. After restarting nginx and retrying with acme-client, I was able to renew my certs for my blog.
My CSP is:
content-security-policy: default-src 'none'; block-all-mixed-content; connect-src 'self' http://fontawesome.io; child-src 'self'; font-src 'self' data: https://cdn.rawgit.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com ; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https://gravatar.com; report-uri https://hucste.report-uri.io/r/default/csp/reportOnly; reflected-xss block;sandbox allow-forms allow-modals allow-same-origin allow-scripts; script-src 'self' https://.disqus.com https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com data: https: 'unsafe-inline' ; style-src 'self' https://cdn.rawgit.com https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com data: https: 'unsafe-inline';
Header CSP for my website ecrits.stephane-huc.net:
content-security-policy: default-src 'none'; block-all-mixed-content; connect-src 'self' http://fontawesome.io; child-src 'self'; font-src 'self' data: https://cdn.rawgit.com https://fonts.googleapis.comfonts.googleapis.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com ; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https://gravatar.com; report-uri https://hucste.report-uri.io/r/default/csp/reportOnly; reflected-xss block; referrer same-origin; sandbox allow-forms allow-modals allow-same-origin allow-scripts; script-src 'self' https://.disqus.com https://cdnjs.cloudflare.com https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com data: https: 'unsafe-inline' ; style-src 'self' https://cdn.rawgit.com https://cdnjs.cloudflare.com https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com data: https: 'unsafe-inline';
Cert does not renew!
I read the explanations of @mnordhoff.
But it really seems this CSP declaration prevents renewing certs!
What is wrong in my CSP declaration that prevents renewal?
(I have 28 days to resolve this…)
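A diagnostic helper, added here and not part of the original post or of acme-client: it parses the challenge JSON that acme-client prints as its "transfer buffer" and then fetches the challenge file from each resolved address separately, the way the validator does, so a listener that answers on one address family but not the other shows up (the record above shows the IPv6 address was used and the IPv4 address was never tried). The hostname, token and addresses in the embedded sample are constructed placeholders.

```python
import http.client
import json

# Constructed sample of the "transfer buffer" JSON acme-client prints after a failed
# http-01 challenge, cut down to the fields used here; names and addresses are placeholders.
SAMPLE_BUFFER = """[{"type": "http-01", "status": "invalid",
  "error": {"type": "urn:acme:error:connection", "status": 400,
   "detail": "Fetching http://blog.example.net/.well-known/acme-challenge/TOKEN: Error getting validation data"},
  "token": "TOKEN",
  "validationRecord": [{"hostname": "blog.example.net", "port": "80",
   "addressesResolved": ["192.0.2.10", "2001:db8::10"],
   "addressUsed": "2001:db8::10", "addressesTried": []}]}]"""

def summarize_challenge(buffer_text):
    # What failed, which address the validator actually used, and which resolved
    # addresses it never touched (a broken v6 listener hides behind a working v4 one, or vice versa).
    challenge = json.loads(buffer_text)[0]
    error = challenge.get("error", {})
    record = challenge["validationRecord"][0]
    touched = set(record["addressesTried"]) | {record["addressUsed"]}
    return {"status": challenge["status"], "error_type": error.get("type"),
            "detail": error.get("detail"), "hostname": record["hostname"],
            "port": int(record["port"]), "resolved": record["addressesResolved"],
            "used": record["addressUsed"],
            "untried": [a for a in record["addressesResolved"] if a not in touched]}

def fetch_challenge(address, hostname, token, port=80, timeout=10):
    # GET the challenge path from one specific IP literal (v4 or v6), sending the site
    # name in the Host header the way the validator does.
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token,
                     headers={"Host": hostname, "User-Agent": "acme-challenge-check"})
        resp = conn.getresponse()
        return resp.status, resp.read(4096), resp.getheaders()
    finally:
        conn.close()

def check_all_addresses(summary, token):
    # Probe every resolved address, not only the one the validator picked; the body must
    # begin with the token (the keyAuthorization is "<token>.<account key thumbprint>").
    results = {}
    for address in summary["resolved"]:
        try:
            status, body, _ = fetch_challenge(address, summary["hostname"], token, summary["port"])
            results[address] = (status, body.startswith(token.encode()))
        except (OSError, http.client.HTTPException) as exc:
            results[address] = (None, repr(exc))
    return results
```

Run summarize_challenge over the transfer buffer line from your own acme-client output, then check_all_addresses with the real token while the challenge file is still in place.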