Certificate Expiration

barryserver# acme-client -v barryserver.com && rcctl reload httpd
acme-client: /etc/ssl/barryserver.com:443.crt: certificate valid: 85 days left

What I have for the acme-client.conf file is very similar to what's in the OpenBSD "example" file. Here's what I've got...

barryserver# cat /etc/acme-client.conf

authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
  api url "https://acme-staging-v02.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain barryserver.com {
  alternative names { www.barryserver.com dav.barryserver.com }
  domain key "/etc/ssl/private/barryserver.com:443.key"
  domain full chain certificate "/etc/ssl/barryserver.com:443.crt"
  sign with letsencrypt
}

1 Like

And thank you for the suggestion for the acme-client syntax, but it did not work. Either I got a syntax error, or the signwith authority was unrecognized. I tried a few variations, all to no avail. Yet!

2 Likes

Please post the complete error.

4 Likes

Here's the config file followed by the syntax errors I'm getting. I will try separating the words 'full chain' and see if that fixes that error. But for now, this is where I am.

barryserver# cat acme-client.conf

authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
  api url "https://acme-staging-v02.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain barryserver.com {
  domain dav.barryserver.com {
     domain www.barryserver.com {
        domain key "/etc/ssl/private/barryserver.com.key"
        certificate "/etc/ssl/barryserver.com.crt"
        fullchain "/etc/ssl/barryserver.com.fullchain.pem"
        signwith "/etc/ssl/private/barryserver.com.com.key" 
        challenge ftp
        challenge http
        challenge tls-http-01
    }
  }
}

barryserver# acme-client barryserver.com && rcctl reload httpd

/etc/acme-client.conf:12: syntax error
/etc/acme-client.conf:15: syntax error

barryserver#

Also, I'm wondering if the signwith line should have a space ('sign with'), and whether it should have .com.com or just one .com. I'll experiment with that later too.

What does this show?
ls -l /etc/ssl/private/barryserver.*

2 Likes

I'm no expert in this software...
But, I think they may need to be spread out - not nested.
"dav" and "www" may be able to nest under "barryserver.com".
But "www." can't nest inside "dav".
[it would have to be "www.dav.barryserver.com"]

OR use:

2 Likes

barryserver# ls -l /etc/ssl/private/barryserver.*
-r-------- 1 root wheel 3272 Jun 1 20:09 /etc/ssl/private/barryserver.com:443.key
barryserver#

Should probably be:
sign with "/etc/ssl/private/barryserver.com:443.key"

2 Likes

Quite possible. My memory evades me. AND the manual is quite vague on this syntax issue. Yeah... the nesting count starts on line 12.... (I'll look into this deeper.)

@barry fullchain is "fullchain" not "full chain"

4 Likes

OK, so I think @rg305 was correct. The nesting fails syntax.
A closer look at the acme-client documentation states:

alternative names
A list of alternative names, comma or space separated, for which the certificate will be valid. The common name is included automatically if this option is present, but there is no automatic conversion/inclusion between "www." and plain domain name forms.
So I would suggest this:

authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

domain barryserver.com {
    alternative names {
        www.barryserver.com
        dav.barryserver.com
    }

    # keywords as spelled in acme-client.conf(5): "domain key",
    # "domain certificate", "domain full chain certificate", and
    # "sign with" followed by the name of an authority block above
    domain key "/etc/ssl/private/barryserver.com.key"
    domain certificate "/etc/ssl/barryserver.com.crt"
    domain full chain certificate "/etc/ssl/barryserver.com.fullchain.pem"
    sign with letsencrypt
    # there is no "challenge" keyword; acme-client only does http-01, and
    # "challengedir" is where the tokens are written (this is the default)
    challengedir "/var/www/acme"
}

Should work!

4 Likes

OR ? ? ?

4 Likes

Team,
Thank you very much for helping with this. I've got the issue resolved. My acme-client file was fine, but my process was missing a key line, apparently. After my command 'acme-client barryserver.com && rcctl reload httpd', I needed another command, 'rcctl reload relayd', which reloads the secure certificate at startup. Yikes! Learn something new (almost) every day. Again, thank you for your help, your patience, your persistence and your courtesy!
Barry

3 Likes
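The resolution above comes down to one rule: every daemon that has the certificate loaded in memory (here httpd and relayd, since relayd terminates TLS in front of httpd) has to be reloaded after acme-client writes a new one, or clients keep being served the old certificate until it expires. The script below is an added example written for this thread, not code from the thread or from OpenBSD. It drives the reloads off acme-client(1)'s documented exit status (0 = certificates changed, 1 = failure, 2 = certificates still valid, nothing done), so services are only bounced when there is actually a new certificate. The script path /etc/acme-renew.sh in the crontab comment is an assumption; the acme_client_cmd and rcctl_cmd wrappers exist only so the logic can be exercised without the real commands.

```shell
#!/bin/sh
# Renew a certificate with acme-client(1) and reload every daemon that
# holds it in memory, but only when the certificate on disk changed.
# Added example for this thread; not part of the thread or of OpenBSD.
#
# acme-client(1) exit status:
#   0  certificates were changed (renewed or revoked)
#   1  failure
#   2  certificates did not change (renewal not necessary)

# Thin wrappers so the reload logic can be tested with fakes; on a real
# host they simply run acme-client(1) and rcctl(8).
acme_client_cmd() { acme-client "$@"; }
rcctl_cmd()       { rcctl "$@"; }

# renew_and_reload DOMAIN SERVICE...
# Returns 0 when the certificate is current (freshly renewed or still
# valid) and every required reload succeeded; non-zero otherwise.
renew_and_reload() {
    domain=$1
    shift
    # Run under "if" so a failure does not trip "set -e"; $? in the else
    # branch is the exit status of the condition, i.e. acme-client's.
    if acme_client_cmd -v "$domain"; then
        status=0
    else
        status=$?
    fi
    case $status in
    0)
        # New certificate written: every daemon listed must re-read it,
        # otherwise it keeps serving the old one until that expires.
        for svc in "$@"; do
            rcctl_cmd reload "$svc" || {
                echo "renew: reload of $svc failed" >&2
                return 1
            }
        done
        ;;
    2)
        # Still valid, nothing written: no reason to bounce anything.
        ;;
    *)
        echo "renew: acme-client failed for $domain (status $status)" >&2
        return "$status"
        ;;
    esac
    return 0
}

# When executed as a script, renew $1 and reload the services that follow.
# Typical root crontab(5) entry (path assumed): 0 3 * * * /etc/acme-renew.sh
# with the script invoked as: renew_and_reload barryserver.com httpd relayd
if [ $# -gt 0 ]; then
    renew_and_reload "$@"
fi
```

After a renewal, confirm what relayd is actually serving rather than what is on disk, since that is the whole failure mode of this thread: `openssl s_client -connect barryserver.com:443 -servername barryserver.com </dev/null 2>/dev/null | openssl x509 -noout -dates` should show the new notAfter date. If it still shows the old one, a daemon holding the certificate was not reloaded.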

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.