Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: arborlux.com
I ran this command: acme-client -vvDA www.arborlux.com
It produced this output:
acme-client -vvDA www.arborlux.com
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: loaded RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: directories
acme-client: acme-staging-v02.api.letsencrypt.org : DNS: 23.43.232.191
acme-client: 23.43.232.191: connect: Operation timed out
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(35585): 1
hestia# acme-client -vvDA www.arborlux.com
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: loaded RSA domain key
/etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: directories
acme-client: acme-staging-v02.api.letsencrypt.org : DNS: 23.43.232.191
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: bad CA paths
acme-client: transfer buffer: [{ "66kN4An42VY": "Adding random entries to the directory", "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org/docs/staging-environment/" }, "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert" }] (724 bytes)
acme-client: bad exit: netproc(46579): 1
My web server is (include version): OpenHTTPd (Included in OpenBSD 6.4)
The operating system my web server runs on is (include version): OpenBSD 6.4
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme-client (included in OpenBSD 6.4)
rg305
February 16, 2019, 6:06am
2
Please add any detail about what it is you are trying to do.
Also show file:
cat /etc/acme-client.conf
and show contents of this directory:
ls -l /etc/ssl/acme/private/arborlux/
and also show the output of:
acme-client -n
cat /etc/acme-client.conf
authority letsencrypt{
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
domain www.arborlux.com {
    alternative names { arborlux.com }
    domain key "/etc/ssl/acme/private/arborlux/arborlux.key"
    domain certificate "/etc/ssl/acme/arborlux/arborlux.crt"
    domain full chain certificate "/etc/ssl/acme/private/arborlux/arborlux.pem"
    sign with letsencrypt
}
ls -la …
-r-------- 1 root wheel 3272 Feb 15 16:16 arborlux.key
rg305
February 16, 2019, 6:13am
4
This is set to use the staging environment for both:
[this doesn't seem correct]
ocuellar:
authority letsencrypt{
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
I would change the first one to:
api url "https://acme-v02.api.letsencrypt.org/directory"
New acme-client.conf
authority letsencrypt{
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
domain www.arborlux.com {
    alternative names { arborlux.com }
    domain key "/etc/ssl/acme/private/arborlux/arborlux.key"
    domain certificate "/etc/ssl/acme/arborlux/arborlux.crt"
    domain full chain certificate "/etc/ssl/acme/private/arborlux/arborlux.pem"
    sign with letsencrypt
}
domain www.ocuellar.com.mx {
    alternative names {ocuellar.com.mx mail.ocuellar.com.mx biblioteca.ocuellar.com.mx}
    domain key "/etc/ssl/acme/private/ocuellar/ocuellar.key"
    domain certificate "/etc/ssl/acme/ocuellar/ocuellar.crt"
    domain full chain certificate "/etc/ssl/acme/private/ocuellar/ocuellar.pem"
    sign with letsencrypt
}
Just the same:
acme-client -vvDA www.arborlux.com
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: loaded RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: directories
acme-client: acme-staging-v02.api.letsencrypt.org : DNS: 104.102.202.177
acme-client: https://acme-staging-v02.api.letsencrypt.org/directory: bad CA paths
acme-client: transfer buffer: [{ "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org/docs/staging-environment/" }, "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order", "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert", "v8nzg65fo0g": "Adding random entries to the directory" }] (724 bytes)
acme-client: bad exit: netproc(1429): 1
rg305
February 16, 2019, 6:17am
6
It still says "STAGING".
I would change that to:
api url "https://acme-v02.api.letsencrypt.org/directory"
rg305
February 16, 2019, 6:19am
7
And if you don't need this account, just delete it and get a new one:
authority letsencrypt{
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
domain www.arborlux.com {
    alternative names { arborlux.com }
    domain key "/etc/ssl/acme/private/arborlux/arborlux.key"
    domain certificate "/etc/ssl/acme/arborlux/arborlux.crt"
    domain full chain certificate "/etc/ssl/acme/private/arborlux/arborlux.pem"
    sign with letsencrypt
}
domain www.ocuellar.com.mx {
    alternative names {ocuellar.com.mx mail.ocuellar.com.mx biblioteca.ocuellar.com.mx}
    domain key "/etc/ssl/acme/private/ocuellar/ocuellar.key"
    domain certificate "/etc/ssl/acme/ocuellar/ocuellar.crt"
    domain full chain certificate "/etc/ssl/acme/private/ocuellar/ocuellar.pem"
    sign with letsencrypt
}
acme-client -vvDA www.arborlux.com
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: loaded RSA domain key
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org : DNS: 104.102.202.177
acme-client: https://acme-v02.api.letsencrypt.org/directory: bad CA paths
acme-client: transfer buffer: [{ "6piBFCvKUvY": "Adding random entries to the directory", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: bad exit: netproc(20536): 1
rg305
February 16, 2019, 6:20am
9
Try getting a new account key.
Move the current one out.
[I suspect that account key is from staging and won’t work on production]
I deleted the account /etc/acme/lets…
hestia# rm /etc/acme/letsencrypt-privkey.pem
hestia# acme-client -vvDA www.arborlux.com
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: domain key exists (not creating)
acme-client: /etc/ssl/acme/private/arborlux/arborlux.key: loaded RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org : DNS: 104.102.202.177
acme-client: https://acme-v02.api.letsencrypt.org/directory: bad CA paths
acme-client: transfer buffer: [{ "PwXf1_WlEtk": "Adding random entries to the directory", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: bad exit: netproc(97576): 1
rg305
February 16, 2019, 6:28am
12
I found this that seems related:
Which ends with:
"i solved it by changing the urls from letsencrypts v2 api to the v1 api url in the conf file"
So try changing the V2 to V1.
With v1
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "No registration exists matching provided key", "status": 403 }] (120 bytes)
acme-client: bad exit: netproc(37813): 1
OK, with v1 and after removing /etc/acme/lets… it works.
Thank you very much.
rg305:
acme-client -n
authority letsencrypt {
    api url "https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
domain www.arborlux.com {
    alternative names { arborlux.com }
    domain key "/etc/ssl/acme/private/arborlux/arborlux.key"
    domain certificate "/etc/ssl/acme/arborlux/arborlux.crt"
    domain full chain certificate "/etc/ssl/acme/private/arborlux/arborlux.pem"
    sign with "letsencrypt"
}
rg305
February 16, 2019, 6:43am
17
Looks good.
I’m trying to find out if/how it can work with v2…
Thank you very much, I wish you found the trouble with v2.
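Added example, not part of any post in this thread and not acme-client's own code: every failing run above fetched a directory whose members are newAccount, newNonce, newOrder and revokeCert and ended in "bad CA paths", while the acme-v01 URL worked. The Python below classifies a directory body by ACME generation and lists the v1 members it lacks; the v1 member names and the premise that a v1-only client requires all four are assumptions, and both sample documents are constructed.

```python
import json
from urllib.parse import urlsplit

# v2 member names are those in the transfer buffers quoted in this thread.
# v1 member names follow Let's Encrypt's acme-v01 directory; that a v1-only
# client needs all four of them is an assumption of this example.
V1_KEYS = {"new-reg", "new-authz", "new-cert", "revoke-cert"}
V2_KEYS = {"newAccount", "newNonce", "newOrder", "revokeCert"}


def classify_directory(body):
    """Report ACME generation, staging host use, and v1 members not present."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return {"version": "invalid", "staging": False,
                "missing_for_v1": sorted(V1_KEYS)}
    # Ignore "meta" (an object) and the random junk member the server adds:
    # only known endpoint members with string values count.
    endpoints = {k: v for k, v in doc.items()
                 if k in V1_KEYS | V2_KEYS and isinstance(v, str)}
    present = set(endpoints)
    if V2_KEYS <= present:
        version = "v2"
    elif V1_KEYS <= present:
        version = "v1"
    else:
        version = "unknown"
    hosts = {urlsplit(u).hostname or "" for u in endpoints.values()}
    return {"version": version,
            "staging": any("staging" in h for h in hosts),
            "missing_for_v1": sorted(V1_KEYS - present)}


# Constructed samples: the first mirrors the staging buffer quoted above
# (straight quotes, "meta" shortened); the second is a v1-layout directory.
V2_STAGING = json.dumps({
    "66kN4An42VY": "Adding random entries to the directory",
    "meta": {"caaIdentities": ["letsencrypt.org"]},
    "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
})
V1_PROD = json.dumps({k: "https://acme-v01.api.letsencrypt.org/acme/" + k
                      for k in sorted(V1_KEYS)})
```

A result of `version: v2` with all four v1 members missing matches the failing runs in this thread; `staging: True` on an authority meant for production is the misconfiguration rg305 pointed out.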
rg305
February 16, 2019, 6:52am
19
I think acme-client is not being maintained …
The latest version is two years old:
2017-02-01: version 0.1.16
And then there is this:
[which seems to be maintained]
Not sure what’s going on there.
Which version are you running?
rg305
February 16, 2019, 6:58am
20
Try:
pkg install -f acme-client
or
pkg_add acme-client
[see if it updated the version]
pkg_info -Q acme-client