path: root/static/howtos/HOWTO.LetsEncrypt
blob: 3d5c6302e3bdd64b3d3e21aee5456fb73e86ec42 (plain)
1) The official packages in EPEL are broken (at least I was unable to install them).

2) Guide on https://www.svennd.be/lets-encrypt-with-centos-6-7/

https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-reg HTTP/1.1" 500 109
Received response:
HTTP 500
Server: nginx
Content-Type: application/problem+json
Content-Length: 109
Boulder-Request-Id: c77q1COmALMLIgG9WxjOUsXmj0UN9dt4oUWEe-S_Su0
Replay-Nonce: x5MSSJadipC0jW_qyG7XN8wGBjeNn3eF5bbTe2ciwYM
Expires: Wed, 09 Aug 2017 05:23:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 09 Aug 2017 05:23:01 GMT
Connection: close

{
  "type": "urn:acme:error:serverInternal",
  "detail": "Error creating new registration",
  "status": 500
}
Storing nonce: x5MSSJadipC0jW_qyG7XN8wGBjeNn3eF5bbTe2ciwYM
Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 753, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 598, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 390, in _init_le_client
    acc, acme = _determine_account(config)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 375, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 165, in register
    regr = perform_registration(acme, config)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 195, in perform_registration
    return acme.register(messages.NewRegistration.from_data(email=config.email))
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 97, in register
    response = self.net.post(self.directory[new_reg], new_reg)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 682, in post
    return self._post_once(*args, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 695, in _post_once
    return self._check_response(response, content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 582, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new registration
An unexpected error occurred:
The server experienced an internal error :: Error creating new registration
Please see the logfiles in /var/log/letsencrypt for more details.

and it installs half of the Python bullshit onto the machine!

This is no way to go; compare it with acme-client on OpenBSD.

3) https://kristaps.bsd.lv/acme-client/

yum install openssl-devel libbsd-devel gnutls-devel
wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.0.tar.gz
# build libressl into /usr/local/
tar xzf libressl-2.6.0.tar.gz
cd libressl-2.6.0
./configure --prefix=/usr/local
make
make install
cd ..
# follow https://spin.atomicobject.com/2016/09/20/openbsd-acme-client-lets-encrypt/
# make the LibreSSL libraries in /usr/local/lib visible to the dynamic linker
cat >/etc/ld.so.conf.d/local.conf <<EOF
/usr/local/lib/
EOF
ldconfig

# acme-client verifies the Let's Encrypt API against the CA bundle in /etc/ssl/cert.pem
wget -O /etc/ssl/cert.pem 'https://raw.githubusercontent.com/libressl-portable/openbsd/master/src/lib/libcrypto/cert.pem'

acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "DNS problem: query timed out looking up A for www.eurospider.com", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x0oE6rQYMBh6qQIisSzqZecrRFkED-7u7Y-vuid5kKw/1713819082", "token": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "keyAuthorization": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ.xbEUn0BT4rXH5TjxcmmW1Yjoyb1GWDrQEByNfXawgRc", "validationRecord": [ { "url": "http://www.eurospider.com/.well-known/acme-challenge/IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "hostname": "www.eurospider.com", "port": "80", "addressesResolved": [], "addressUsed": "", "addressesTried": [] } ] }] (792 bytes)

CNAME DNS entries don't work, so we must provide the real machine as primary host,
everything else as SANs.

acme-client -v -n -N -F -b -e \
	-C /var/www/acme \
	-c /etc/ssl/acme \
	-k /etc/ssl/acme/private/privkey.pem \
	-f /etc/acme/privkey.pem www.eurospider.com eurospider.com innobib.news www.innobib.news www.tenders.ch

-b creates backups
-F updates even if the current certificate is still valid
-e is needed when expanding the list of SANs, so the existing certificate does not have to be revoked first.

webserver:

main httpd.conf:

# Must match the Alias target used in the virtual hosts: /.well-known/acme-challenge/
# is served from /var/www/acme/, where acme-client (-C /var/www/acme) writes its tokens.
<Directory "/var/www/acme/">
        Options None
        AllowOverride None
        Order Deny,Allow
        Allow from All
        Header add Content-Type text/plain
</Directory>

for every domain we want a certificate for (in the non-SSL version of the virtual
host configuration):

        Alias /.well-known/acme-challenge/ /var/www/acme/

        # redirect everything to HTTPS, except the challenge path, which must stay on plain HTTP
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
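A pre-flight check for the two things this HOWTO shows going wrong before acme-client is run: the DNS lookup of the primary host (the "DNS problem" transfer buffer above and the rule that the primary host must not be a CNAME) and the http-01 challenge path behind the Apache rewrite. This is an added example, not part of the HOWTO and not acme-client's own code. It assumes dig and curl are installed when run against a live host, and the dig answers and HTTP headers embedded in it are constructed samples, not real query results. Given a host name as argument it runs both checks live against the challenge directory configured above (/var/www/acme unless a second argument is given).

```shell
#!/bin/sh
# Added example: pre-flight checks before running acme-client (not from the HOWTO).
# Assumes dig (bind-utils) and curl are installed when run against a live host.

# Classify the answer section of `dig +noall +answer NAME A`:
#   A     - NAME has a direct A record (usable as the primary host)
#   CNAME - NAME is reached through a CNAME (the HOWTO says this fails as primary host)
#   NONE  - nothing resolved, which is what the "DNS problem" error above looks like
dns_kind() {
  printf '%s\n' "$1" | awk '
    NF >= 5 && $4 == "A"     { a = 1 }
    NF >= 5 && $4 == "CNAME" { c = 1 }
    END {
      if (c)      print "CNAME"
      else if (a) print "A"
      else        print "NONE"
    }'
}

# Classify the response headers of `curl -sI http://HOST/.well-known/acme-challenge/TOKEN`:
#   OK             - 200, served as text/plain, no redirect
#   REDIRECTED     - a Location header: the HTTPS rewrite caught the challenge path
#   STATUS <code>  - any other status (404 usually means the Alias is missing)
#   NOT-TEXT-PLAIN - 200, but "Header add Content-Type text/plain" is not in effect
challenge_kind() {
  printf '%s\n' "$1" | awk '
    NR == 1 { code = $2 }
    tolower($1) == "location:" { redir = 1 }
    tolower($1) == "content-type:" && $2 ~ /^text\/plain/ { plain = 1 }
    END {
      if (redir)            print "REDIRECTED"
      else if (code != 200) print "STATUS " code
      else if (!plain)      print "NOT-TEXT-PLAIN"
      else                  print "OK"
    }'
}

# Run both checks against a live host: sh preflight.sh www.example.test [/var/www/acme]
preflight() {
  host="$1"
  dir="${2:-/var/www/acme}"
  printf 'dns  %s: %s\n' "$host" "$(dns_kind "$(dig +noall +answer "$host" A)")"
  # Drop a throwaway token where acme-client -C would put its own, fetch it, clean up.
  token="preflight-$$"
  printf 'preflight\n' > "$dir/$token"
  printf 'http %s: %s\n' "$host" \
    "$(challenge_kind "$(curl -sI "http://$host/.well-known/acme-challenge/$token")")"
  rm -f "$dir/$token"
}

# Constructed sample inputs (not real DNS data or real server responses).
SAMPLE_DIRECT_A='www.example.test. 3600 IN A 192.0.2.10'
SAMPLE_VIA_CNAME='www.example.test. 3600 IN CNAME host.example.test.
host.example.test. 3600 IN A 192.0.2.10'
SAMPLE_NO_ANSWER=''
SAMPLE_HDR_OK='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/plain
Content-Length: 10'
SAMPLE_HDR_REDIRECT='HTTP/1.1 302 Found
Location: https://www.example.test/.well-known/acme-challenge/preflight-1
Content-Type: text/html; charset=iso-8859-1'
SAMPLE_HDR_HTML='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8'

if [ "$#" -ge 1 ]; then
  preflight "$@"
else
  # No host given: show the classifiers on the constructed samples.
  dns_kind "$SAMPLE_DIRECT_A"           # A
  dns_kind "$SAMPLE_VIA_CNAME"          # CNAME
  dns_kind "$SAMPLE_NO_ANSWER"          # NONE
  challenge_kind "$SAMPLE_HDR_OK"       # OK
  challenge_kind "$SAMPLE_HDR_REDIRECT" # REDIRECTED
  challenge_kind "$SAMPLE_HDR_HTML"     # NOT-TEXT-PLAIN
fi
```

The DNS classification follows this HOWTO's rule rather than what the CA would accept: a CNAME chain is reported as CNAME even when dig follows it to an A record, so such a name is flagged before it is used as the primary host. The HTTP check fails on any redirect, which is exactly what the RewriteCond exemption above is meant to prevent, and it reports a 200 without text/plain separately so a missing Header directive is distinguishable from a missing Alias.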


links
-----

https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/
https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f