Problem renewing certificate (OpenBSD 6.7, httpd + acme-client)

My domain is: nabste.com

I ran this command: acme-client -vv nabste.com

It produced this output:

acme-client: /etc/ssl/private/nabste.com.key: loaded domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: loaded account key
acme-client: /etc/ssl/nabste.com.fullchain.pem: certificate renewable: -5 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: transfer buffer: [{ "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "quohmMfO-D0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "key": { "kty": "RSA", "n": "1vChCkduKG5L9i-28CpQbH3cwDLGTZtYGz_Po3DQge7Lglj5f7EDI3pG-vtuwbA5vF60npL0ecDjv-eGKcgOQfxWFjIJfEP7CtaN7y0KVxCVjovF_IE2vrF-AhMPiMWG4RChz1k0BA-F798xv-q5sPidezanJpIqO_Z_Xw7LNMYXpzkwLlfnNlscFn3DjIe9r5aR4LbByiS45nR3v72o1E0xOQs6eXbYJURkOdU7O_E444MsP_sDCSHiIR1QNU3pizlQsOlkjNk62e8PcO6cUrRFODB-9KKzCpZXm3GjTvaSeE9OEBlFINeXv4f2ljLbvVFN1Tm6P_hWTz7CiRDxSDboYGqPx2It28dV0PgGj0gChB64Dv1H9FkEob8JQRWGT1I837PlmNhJieVhHFEOu9YSBsdTifsIviK_86jpYyuPzVtpmuSBvN6Er9i1jI1wBBq4M-bX5u_9wy3S-hp8Wpa7_lXb7NAhjMgCith4SBeQbbPEGDDtu55OFU6YzJYFLDMI9YbGYpYdlujkNo7j9wBlM8YfHyrBR20qwr7jOMICn12qIhHZZHMLp1dBkhPuPEcfuJBsQciqd6xf-spSD-bYQjKaYWkDYdUnA-FJi2imKijhHuaN61wbpEIZ49OwyNPjq8Bz-kzxt96uikj34ddZHtC_O0Rhcwg1m1b0Kqk", "e": "AQAB" }, "contact": [], "initialIp": "84.22.96.131", "createdAt": "2020-12-02T15:32:35Z", "status": "valid" }] (856 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "status": "pending", "expires": "2021-03-15T12:17:29Z", "identifiers": [ { "type": "dns", "value": "nabste.com" }, { "type": "dns", "value": "www.nabste.com" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11402736437", "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11402736439" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/104851545/8327328743" }] (468 bytes)
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11402736437
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "nabste.com" }, "status": "pending", "expires": "2021-03-15T12:17:29Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736437/n252Ug", "token": "1WLGgPRIXay8hR1mEUouPLqc0S0ya2khCY16Il5VlRo" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736437/Ap6ehQ", "token": "1WLGgPRIXay8hR1mEUouPLqc0S0ya2khCY16Il5VlRo" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736437/4SkVfA", "token": "1WLGgPRIXay8hR1mEUouPLqc0S0ya2khCY16Il5VlRo" } ] }] (791 bytes)
acme-client: challenge, token: 1WLGgPRIXay8hR1mEUouPLqc0S0ya2khCY16Il5VlRo, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736437/n252Ug, status: 0
acme-client: /var/www/acme/1WLGgPRIXay8hR1mEUouPLqc0S0ya2khCY16Il5VlRo: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736437/n252Ug: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736437/n252Ug", "token": "1WLGgPRIXay8hR1mEUouPLqc0S0ya2khCY16Il5VlRo" }] (186 bytes)
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11402736439
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "www.nabste.com" }, "status": "pending", "expires": "2021-03-15T12:17:29Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736439/shMqZA", "token": "GCDqcpq6ySWAdaromWFizDNSxQXGapLiT1ZUIyNdNUc" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736439/QZSXSw", "token": "GCDqcpq6ySWAdaromWFizDNSxQXGapLiT1ZUIyNdNUc" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736439/m3m7nA", "token": "GCDqcpq6ySWAdaromWFizDNSxQXGapLiT1ZUIyNdNUc" } ] }] (795 bytes)
acme-client: challenge, token: GCDqcpq6ySWAdaromWFizDNSxQXGapLiT1ZUIyNdNUc, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736439/shMqZA, status: 0
acme-client: /var/www/acme/GCDqcpq6ySWAdaromWFizDNSxQXGapLiT1ZUIyNdNUc: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736439/shMqZA: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11402736439/shMqZA", "token": "GCDqcpq6ySWAdaromWFizDNSxQXGapLiT1ZUIyNdNUc" }] (186 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "status": "invalid", "expires": "2021-03-15T12:17:29Z", "identifiers": [ { "type": "dns", "value": "nabste.com" }, { "type": "dns", "value": "www.nabste.com" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11402736437", "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11402736439" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/104851545/8327328743" }] (468 bytes)
acme-client: order.status -1
acme-client: bad exit: netproc(32918): 1

My web server is (include version): httpd

The operating system my web server runs on is (include version): OpenBSD 6.7

My hosting provider, if applicable, is: tilaa.com

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme-client (OpenBSD 6.7)

1 Like

Did you add the webserver configuration part where all requests for /.well-known/acme-challenge/* have /var/www/acme as the webroot?

See the man page for more info: acme-client(1) - OpenBSD manual pages

2 Likes

That part looked fine.

Turns out the issue was with an http to https redirect rule in httpd.

1 Like
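A port-80 server block for the setup discussed in this thread, added here as an example; it is not the poster's configuration, and the thread does not show the rule that was at fault. It assumes httpd's default chroot of /var/www (so /var/www/acme is written as "/acme") and follows the layout of OpenBSD's example httpd.conf; the two host names are the ones in the order above.

```conf
# /etc/httpd.conf (fragment) - plain-HTTP listener used for http-01 validation
server "nabste.com" {
	alias "www.nabste.com"
	listen on * port 80

	# httpd puts the FIRST matching location into effect, so the
	# challenge path has to be listed before any catch-all redirect.
	location "/.well-known/acme-challenge/*" {
		# Path is relative to the chroot: this is /var/www/acme on disk,
		# the directory where acme-client reported "created" for each token.
		root "/acme"
		# Drop "/.well-known/acme-challenge" so the token file name
		# maps directly into the root above.
		request strip 2
	}

	# Everything else is sent to HTTPS. If this block came first, or the
	# redirect were placed at server level, token requests would be
	# redirected as well instead of being served from /acme.
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}

# Check syntax before reloading:   httpd -n
# Apply the change:                rcctl reload httpd
```

With this ordering, a plain-HTTP request for a token under /.well-known/acme-challenge/ on either host name is answered from /var/www/acme directly, and only other paths receive the redirect.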
