Could not renew my certs via acme-tiny client anymore. What's broken?

My domain is: http://jabber.my-it-brain.de

I ran this command:

DIR='/path/to/dir/where/i/keep/key_and_csr'
python acme-tiny-by-frezbo/acme_tiny.py --account-key ${DIR}/account.key --csr ${DIR}/jabber_request.csr --acme-dir /var/www/sites/jabber.my-it-brain.de/public/.well-known/acme-challenge/ > ${DIR}/jabber.my-it-brain.de.crt

It produced this output:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "acme-tiny-by-frezbo/acme_tiny.py", line 200, in <module>
    main(sys.argv[1:])
  File "acme-tiny-by-frezbo/acme_tiny.py", line 196, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, verifychallenge=args.verifychallenge, log=LOGGER, CA=args.ca)
  File "acme-tiny-by-frezbo/acme_tiny.py", line 162, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: authorizations for these names not found or expired: jabber.my-it-brain.de",
  "status": 403
}

My web server is (include version): nginx (1.10.3)

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Additional Notes

Running the command didn’t create a challenge-response key in my acme-dir. There is only a text file I created for testing:

ls -lisa /var/www/sites/jabber.my-it-brain.de/public/.well-known/acme-challenge/
total 12
73875 4 drwxr-xr-x 2 tronde www-data  4096 Okt 30 07:20 .
73865 4 drwxr-xr-x 3 tronde www-data  4096 Nov 12  2016 ..
73174 4 -rw-rw-r-- 1 tronde tronde    5 Okt 30 07:20 ping.txt

The test file ‘ping.txt’ was created by the same user that runs the command for the cert renewal. It can be accessed from a web browser or from a different host via curl:

curl http://jabber.my-it-brain.de/.well-known/acme-challenge/ping.txt
Pong

And here is my current nginx vhost config, which hasn’t been edited for months:

# NGINX - VHOSTS CONFIGURATION                                                #
#                                                                             #
# Author : Tronde
# Site: http://jabber.my-it-brain.de
# Version: 2016-11-12
# 

## BEGIN CONFIGURATION ##############################################
server {
	listen 80;
	listen [::]:80;
	server_name jabber.my-it-brain.de;
#	return 301 https://$server_name$request_uri;

    # Path to the root of your installation
    root /var/www/sites/$host/public;

    index index.html;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
}
## END CONFIGURATION ##############################################

I hope I’ve provided enough information to get help. If I missed something, tell me what you need to know, please.

Looking forward to hearing from you soon.

Best regards,
Tronde
