Let's Encrypt Error with cgit, httpd, acme-client


Let's Encrypt Error with cgit, httpd, acme-client

Parikh, Samir
I am running cgit to host my git repositories on OpenBSD 6.3 and am
trying to enable https using Let's Encrypt.  The URL of the cgit
repositories is a subdomain of my main domain (e.g. git.domain.com).  I
get the following error below whenever I try to provision a certificate
using acme-client.  I have specified my hosting provider's nameservers
to my domain registrar and have created an A record pointing the "git"
subdomain to my VM's IP address.  Relevant .conf files and
file/directory permissions are below as well.

Any help would be greatly appreciated.  Thanks in advance!
Samir

# acme-client -vAD git.domain.com
acme-client: /etc/ssl/private/git.domain.com.key: domain key exists (not
creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.116.227
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: git.domain.com
acme-client: /var/www/acme/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
\"\u003c!DOCTYPE
html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
http-equiv=\"Content-Type\" content=\"text/html;
charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714",
"token": "nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
"keyAuthorization":
"nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ.cbdgaka6s7Kv6R_a_Rhq_6VMDSKE2D4VdJyddLn65QI",
"validationRecord": [ { "url":
"http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
"hostname": "git.domain.com", "port": "80", "addressesResolved": [
"ip.address" ], "addressUsed": "ip.address" } ] }] (1039 bytes)
acme-client: bad exit: netproc(21893): 1


/etc/httpd.conf:

ext_ip="0.0.0.0"
server "localhost" {
     listen on $ext_ip port 80

     # serve the cgit static files directly
     location "/cgit.*" {
         root "/cgit"
         no fastcgi
     }
     # cgit CGI
     root "/cgi-bin/cgit.cgi"
     fastcgi socket "/run/slowcgi.sock"
     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }
}


/etc/acme-client.conf:

authority letsencrypt {
         api url "https://acme-v01.api.letsencrypt.org/directory"
         account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
         api url "https://acme-staging.api.letsencrypt.org/directory"
         account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain git.domain.com {
         domain key "/etc/ssl/private/git.domain.com.key"
         domain certificate "/etc/ssl/git.domain.com.crt"
         domain full chain certificate
"/etc/ssl/git.domain.com.fullchain.pem"
         sign with letsencrypt
}


/var/www/conf/cgitrc
footer=/conf/cgit.footer

# Enable caching of up to 1000 output entries
cache-size=1000

cache-root=/cgit/cache

# Specify some default clone urls using macro expansion
clone-url=git://git.domain.com/$CGIT_REPO_URL

# Specify the css url
css=/cgit.css

# Show owner on index page
enable-index-owner=0

# Allow http transport git clone
enable-http-clone=0

# Show extra links for each repository on the index page
enable-index-links=0

# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1

# Show number of affected files per commit on the log pages
enable-log-filecount=1

# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1

# Sort branches by date
branch-sort=age

# Add a cgit favicon
favicon=/favicon.ico

# Enable statistics per week, month and quarter
max-stats=quarter

# Set the title and heading of the repository index page
root-title=HotBSD Code Repositories

# Set a subheading for the repository index page
root-desc=

# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz

## List of common mimetypes
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml

## Search for these files in the root of the default branch of repositories
## for coming up with the about page:
readme=:README

virtual-root=/

#scan-path=/htdocs/src
scan-path=/repos

# Disable adhoc downloads of this repo
repo.snapshots=0

# Disable line-counts for this repo
repo.enable-log-linecount=0

# Restrict the max statistics period for this repo
repo.max-stats=month


File/directory permissions:
# ls -all /etc/acme /etc/ssl
/etc/acme:
total 16
drwx------   2 root  wheel   512 Aug  3 12:58 .
drwxr-xr-x  22 root  wheel  1536 Jul 30 01:30 ..
-r--------   1 root  wheel  3272 Aug  3 12:58 letsencrypt-privkey.pem

/etc/ssl:
total 772
drwxr-xr-x   5 root  wheel     512 Jul 29 12:51 .
drwxr-xr-x  22 root  wheel    1536 Jul 30 01:30 ..
drwxr-xr-x   3 root  wheel     512 Jul 29 12:51 acme
-r--r--r--   1 root  bin    349364 Mar 24 20:12 cert.pem
-rw-r--r--   1 root  wheel    2703 Mar 24 20:12 ikeca.cnf
drwxr-xr-x   2 root  wheel     512 Mar 24 20:12 lib
-r--r--r--   1 root  bin       745 Mar 24 20:12 openssl.cnf
drwx------   2 root  wheel     512 Aug  3 12:58 private
-r--r--r--   1 root  bin      1006 Mar 24 20:12 x509v3.cnf

# ls -all /var/www
total 52
drwxr-xr-x  13 root  daemon  512 Jul 19 02:12 .
drwxr-xr-x  23 root  wheel   512 Mar 24 20:43 ..
drwxr-xr-x   2 root  daemon  512 Aug  4 11:50 acme
drwxr-xr-x   2 root  daemon  512 Mar 24 20:12 bin
drwx-----T   2 www   daemon  512 Mar 24 20:12 cache
drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgi-bin
drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgit
drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 conf
drwxr-xr-x   3 root  daemon  512 Mar 24 20:12 htdocs
drwxr-xr-x   2 root  daemon  512 Aug  1 15:00 logs
drwxr-xr-x   4 git   git     512 Jul 20 17:30 repos
drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 run




Re: Let's Encrypt Error with cgit, httpd, acme-client

Flipchan
Try removing all keys in the ssl directory as well as /etc/acme/letsencrypt-privkey.pem

On August 21, 2018 7:46:24 PM UTC, "Parikh, Samir" <[hidden email]> wrote:


--
Take Care Sincerely flipchan layerprox dev

Re: Let's Encrypt Error with cgit, httpd, acme-client

Chris Narkiewicz
In reply to this post by Parikh, Samir
On 21/08/2018 20:46, Parikh, Samir wrote:
>       # cgit CGI
>       root "/cgi-bin/cgit.cgi"
>       fastcgi socket "/run/slowcgi.sock"
>       location "/.well-known/acme-challenge/*" {
>           root { "/acme", strip 2 }
>       }
> }

Do you have /var/www/cgi-bin/cgit.cgi/.well-known/acme-challenge/ directory?

Because this is where the httpd server will look for it.

I usually set a separate virtual host for ACME and serve
it from default path /var/www/acme.


Re: Let's Encrypt Error with cgit, httpd, acme-client

Anthony J. Bentley-4
In reply to this post by Parikh, Samir
Hi Samir,

Parikh, Samir writes:
> I am running cgit to host my git repositories on OpenBSD 6.3 and am
> trying to enable https using Let's Encrypt.

I run cgit as well (with the same httpd.conf, acme-client.conf, file
permissions, etc), and have no trouble creating and renewing certs.

Do you see anything in /var/www/logs/access.log? Here's what I see:

example.com 66.133.109.36 - - [21/Aug/2018:23:03:35 -0600] "GET
/.well-known/acme-challenge/YXRuZWJ1c2FvdGV1Ym5hc290ZGFvZXNudGh1YW9lc25
HTTP/1.1" 200 87


Re: Let's Encrypt Error with cgit, httpd, acme-client

Anthony J. Bentley-4
In reply to this post by Chris Narkiewicz
[hidden email] writes:

> On 21/08/2018 20:46, Parikh, Samir wrote:
> >       # cgit CGI
> >       root "/cgi-bin/cgit.cgi"
> >       fastcgi socket "/run/slowcgi.sock"
> >       location "/.well-known/acme-challenge/*" {
> >           root { "/acme", strip 2 }
> >       }
> > }
>
> Do you have /var/www/cgi-bin/cgit.cgi/.well-known/acme-challenge/ directory?
>
> Because this is where the httpd server will look for it.

Not when you have a location block specifying the correct root...


Re: Let's Encrypt Error with cgit, httpd, acme-client

Parikh, Samir
In reply to this post by Flipchan
flipchan wrote on 22/08/18 01:19:
> Try removing all keys in the ssl directory as well as
> /etc/acme/letsencrypt-privkey.pem

Thank you for your suggestion! I tried that and still received a similar
error:

# acme-client -vAD git.example.com
acme-client: /etc/ssl/private/git.example.com.key: domain key exists
(not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.86.101
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: git.example.com
acme-client: /var/www/acme/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
\"\u003c!DOCTYPE
html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
http-equiv=\"Content-Type\" content=\"text/html;
charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118",
"token": "tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0",
"keyAuthorization":
"tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0.JoZcpmrIKNVhHlsofYyIPvX9025UcWhHyj-vQAnrTkg",
"validationRecord": [ { "url":
"http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0",
"hostname": "git.example.com", "port": "80", "addressesResolved": [
"144.202.9.26" ], "addressUsed": "144.202.9.26" } ] }] (1039 bytes)
acme-client: bad exit: netproc(80489): 1




Re: Let's Encrypt Error with cgit, httpd, acme-client

Parikh, Samir
In reply to this post by Anthony J. Bentley-4
Anthony J. Bentley wrote on 22/08/18 01:37:
> Do you see anything in /var/www/logs/access.log? Here's what I see:
>
> example.com 66.133.109.36 - - [21/Aug/2018:23:03:35 -0600] "GET
> /.well-known/acme-challenge/YXRuZWJ1c2FvdGV1Ym5hc290ZGFvZXNudGh1YW9lc25
> HTTP/1.1" 200 87

Thanks for your reply! I do see the following:

# grep well-known /var/www/logs/access.log
localhost 64.78.149.164 - - [21/Aug/2018:19:40:39 +0000] "GET
/.well-known/acme-challenge/5HgvXSBECEtZGTGaMh3b64LVQ1RG7OQGBp-iJBt0CjY
HTTP/1.1" 500 0
git.example.com 64.78.149.164 - - [21/Aug/2018:19:41:24 +0000] "GET
/.well-known/acme-challenge/ccmy5LbVl6-mIft2IhlL2NooxHx33dag7QntuZ5RGW0
HTTP/1.1" 500 0
git.example.com 64.78.149.164 - - [22/Aug/2018:17:19:43 +0000] "GET
/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0
HTTP/1.1" 500 0

Does that mean that the acme-client is able to at least reach Let's Encrypt?

Thanks
Samir




Re: Let's Encrypt Error with cgit, httpd, acme-client

trondd-2
In reply to this post by Parikh, Samir
On Wed, August 22, 2018 1:23 pm, Parikh, Samir wrote:

> flipchan wrote on 22/08/18 01:19:
>> Try removing all keys in the ssl directory as well as
>> /etc/acme/letsencrypt-privkey.pem
>
> Thank you for your suggestion! I tried that and still received a similar
> error:
>
> # acme-client -vAD git.example.com
> acme-client: /etc/ssl/private/git.example.com.key: domain key exists
> (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.86.101
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
> req-auth: git.example.com
> acme-client: /var/www/acme/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> created
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> challenge
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> status
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> bad response
> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> \"\u003c!DOCTYPE
> html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
> http-equiv=\"Content-Type\" content=\"text/html;
> charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
> "status": 403 }, "uri":

Clearly, Let's Encrypt can't access the file on your server.  The easiest
way to debug is to drop an html file into /acme and go to your server
/.well-known/acme-challenge/file.html in a browser and see what happens.

I could reproduce the 500 error in a browser with your config.  I had to
do 2 things to fix it (which may or may not break cgit).

Wrap your general root "/cgi-bin/cgit.cgi" and fastcgi socket in a
location "*" {} block and then move that block to the bottom of the server
block under location ".well-known..."

This works for me (you might need to fix the "request strip" line as I am
on some version of -current).  The cgit location might need to move as
well, I didn't test further.

server "localhost" {
    listen on 127.0.0.1 port 80
    #serve the cgit static files directly
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    # cgit CGI
    location "*" {
        root "/cgi-bin/cgit.cgi"
        fastcgi socket "/run/slowcgi.sock"
    }
}
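To turn the access.log tip above and the root/strip explanation into something you can run, here is an added example (not code from the thread, from OpenBSD or from acme-client): it parses httpd's access.log lines for http-01 validation hits, reports each token's HTTP status, and mirrors the `root "/acme"` plus `strip 2` mapping to check whether the token file acme-client wrote would be found under the webroot. It assumes the default access.log format shown in the thread and /var/www/acme as the challenge directory; the sample log lines are constructed, with tokens copied from the thread.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line shape of OpenBSD httpd(8) access.log as quoted in the thread:
#   <server> <client> - - [<time>] "<method> <path> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<server>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<proto>[^"]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s*$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample modelled on the thread's access.log excerpt (documentation IPs,
# tokens copied from the thread plus one made-up token that was served correctly).
SAMPLE_LOG = [
    'git.example.com 192.0.2.10 - - [21/Aug/2018:19:41:24 +0000] "GET '
    '/.well-known/acme-challenge/ccmy5LbVl6-mIft2IhlL2NooxHx33dag7QntuZ5RGW0 HTTP/1.1" 500 0',
    'git.example.com 192.0.2.10 - - [22/Aug/2018:17:19:43 +0000] "GET '
    '/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0 HTTP/1.1" 500 0',
    'git.example.com 203.0.113.9 - - [26/Aug/2018:20:31:07 +0000] "GET /cgit.css HTTP/1.1" 200 1234',
    'git.example.com 192.0.2.10 - - [26/Aug/2018:20:31:05 +0000] "GET '
    '/.well-known/acme-challenge/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd HTTP/1.1" 200 87',
]
OK_TOKEN = "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd"   # the constructed 200 case above


@dataclass
class ChallengeHit:
    server: str
    client: str
    time: str
    token: str
    status: int
    file_present: Optional[bool]   # None when no webroot was given to check against


def strip_components(url_path: str, n: int) -> str:
    """Mimic httpd's `strip N`: drop the first N components of the request path."""
    parts = url_path.lstrip("/").split("/")
    return "/".join(parts[n:])


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access.log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def challenge_hits(lines: Iterable[str], webroot: Optional[str] = None,
                   strip: int = 2) -> List[ChallengeHit]:
    """Collect every request under /.well-known/acme-challenge/.

    If `webroot` is given (the directory acme-client writes tokens to, /var/www/acme
    in the thread), apply the same `strip` mapping httpd would and record whether
    the token file exists there, so a 404/500 can be told apart from a missing file.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        token = rec["path"][len(CHALLENGE_PREFIX):]
        present = None
        if webroot is not None:
            present = os.path.isfile(os.path.join(webroot, strip_components(rec["path"], strip)))
        hits.append(ChallengeHit(rec["server"], rec["client"], rec["time"], token,
                                 int(rec["status"]), present))
    return hits


def diagnose(hit: ChallengeHit) -> str:
    """Map an observed status onto the likely cause, following the thread's findings."""
    if hit.status == 200:
        return "ok: challenge served"
    if hit.status == 500:
        # In the thread a bare `root "/cgi-bin/cgit.cgi"` plus fastcgi took the request
        # instead of the acme-challenge location; wrapping it in location "*" fixed it.
        return "500: request reached a CGI/fastcgi handler, not the acme-challenge location"
    if hit.status == 404:
        if hit.file_present is False:
            return "404: token file missing under the webroot; check acme-client's challengedir"
        return "404: file exists but httpd's root/strip mapping does not reach it"
    return f"{hit.status}: unexpected status for an http-01 validation request"


def demo() -> List[ChallengeHit]:
    """Stand-alone run against a throwaway webroot that holds only OK_TOKEN."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    with open(os.path.join(webroot, OK_TOKEN), "w") as f:
        f.write(OK_TOKEN + ".constructed-key-authorization")
    return challenge_hits(SAMPLE_LOG, webroot=webroot)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.time} {h.client} {h.token[:12]}... {h.status} -> {diagnose(h)}")
```

On a live box, `challenge_hits(open("/var/www/logs/access.log"), webroot="/var/www/acme")` shows the validator's requests the way Let's Encrypt saw them.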




Re: Let's Encrypt Error with cgit, httpd, acme-client

Parikh, Samir
Your suggestion of changing things up in my /etc/httpd.conf file did the
trick!  My initial version of the file, prior to initializing the
account and requesting a new domain key, ended up looking like this based
on your suggestions:

ext_ip="0.0.0.0"
#server "localhost" {
server "git.example.com" {
     listen on $ext_ip port 80

     # serve the cgit static files directly
     location "/cgit.*" {
         root "/cgit"
         no fastcgi
     }

     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }

     # cgit CGI
     location "*" {
         root "/cgi-bin/cgit.cgi"
         fastcgi socket "/run/slowcgi.sock"
     }
}

After I was able to successfully run
# acme-client -vAD git.example.com

I modified /etc/httpd.conf to:

ext_ip="0.0.0.0"
#server "localhost" {
server "git.example.com" {
#    listen on $ext_ip port 80
     listen on * tls port 443
     tls certificate "/etc/ssl/git.example.com.fullchain.pem"
     tls key "/etc/ssl/private/git.example.com.key"

     # serve the cgit static files directly
     location "/cgit.*" {
         root "/cgit"
         no fastcgi
     }

     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }

     # cgit CGI
     location "*" {
         root "/cgi-bin/cgit.cgi"
         fastcgi socket "/run/slowcgi.sock"
     }
}

server "git.example.com" {
     listen on * port 80
     block return 301 "https://git.example.com$REQUEST_URI"
}

The site now gets an "A" grade over at ssllabs.com.

I guess my only remaining question is how did you know I needed to make
this change?  I know the OpenBSD documentation is really good but I'm
still fascinated how people manage to sort things like this out.  Maybe
it's just pure experience?

Either way, thanks again!

Samir




Re: Let's Encrypt Error with cgit, httpd, acme-client

trondd-2
On Sun, August 26, 2018 4:40 pm, Parikh, Samir wrote:

>
> I guess my only remaining question is how did you know I needed to make
> this change?  I know the OpenBSD documentation is really good but I'm
> still fascinated how people manage to sort things like this out.  Maybe
> it's just pure experience?
>
> Either way, thanks again!
>
> Samir
>

It's part experience, part reading the output and logs, and part just
trying things.  I didn't know what the solution was.  I looked at
/etc/examples/httpd.conf, looked at the errors and made changes.

Be explicit in the configuration.  The 'root' without a 'location' wasn't
explicit so I didn't know how it got interpreted.  Put it in a 'location'.
And most configurations on OpenBSD have an order to their evaluation.
Some are first match wins, some are last match wins, so move things
around.

Tim.