acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Unable to generate certificate "status": 400 #908

Open Bohjan opened 7 years ago

Bohjan commented 7 years ago

Hello, I'm trying to generate a certificate with webroot and I have the issue in both staging and production. We are using CentOS Linux release 7.3.1611 (Core), curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3

I don't understand the following line. Why port 8443? That is the internal port of Tomcat and it is not accessible from the internet. Access is through the standard 443 port. We are using other domains with the same configuration (Tomcat + port + access) without problems generating or renewing certificates.

[Wed Jun 28 20:08:54 CEST 2017] kruk.okbase.cz:Verify error:Fetching https://kruk.okbase.cz:8443/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI: Timeout

Thanks for your help Bohumil

~/.acme.sh $ ./acme.sh --issue --renew-hook "cp ~/.acme.sh/kruk.okbase.cz /usr/share/tomcat/conf -R" -d kruk.okbase.cz -w "/usr/share/tomcat/webapps/ROOT" --test --debug 2

[Wed Jun 28 20:08:42 CEST 2017] Using config home:/home/emil/.acme.sh
[Wed Jun 28 20:08:42 CEST 2017] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Wed Jun 28 20:08:42 CEST 2017] DOMAIN_PATH='/home/emil/.acme.sh/kruk.okbase.cz'
[Wed Jun 28 20:08:42 CEST 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Wed Jun 28 20:08:42 CEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Wed Jun 28 20:08:42 CEST 2017] GET
[Wed Jun 28 20:08:42 CEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
[Wed Jun 28 20:08:42 CEST 2017] timeout
[Wed Jun 28 20:08:42 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.4pWKPV2Czo '
[Wed Jun 28 20:08:42 CEST 2017] ret='0'
[Wed Jun 28 20:08:42 CEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Wed Jun 28 20:08:42 CEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Jun 28 20:08:42 CEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Wed Jun 28 20:08:42 CEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Wed Jun 28 20:08:42 CEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Wed Jun 28 20:08:42 CEST 2017] Le_NextRenewTime
[Wed Jun 28 20:08:42 CEST 2017] _on_before_issue
[Wed Jun 28 20:08:42 CEST 2017] Le_LocalAddress
[Wed Jun 28 20:08:42 CEST 2017] Check for domain='kruk.okbase.cz'
[Wed Jun 28 20:08:42 CEST 2017] _currentRoot='/usr/share/tomcat/webapps/ROOT'
[Wed Jun 28 20:08:42 CEST 2017] _saved_account_key_hash is not changed, skip register account.
[Wed Jun 28 20:08:42 CEST 2017] Read key length:
[Wed Jun 28 20:08:42 CEST 2017] _createcsr
[Wed Jun 28 20:08:42 CEST 2017] Single domain='kruk.okbase.cz'
[Wed Jun 28 20:08:43 CEST 2017] Getting domain auth token for each domain
[Wed Jun 28 20:08:43 CEST 2017] Getting webroot for domain='kruk.okbase.cz'
[Wed Jun 28 20:08:43 CEST 2017] _w='/usr/share/tomcat/webapps/ROOT'
[Wed Jun 28 20:08:43 CEST 2017] _currentRoot='/usr/share/tomcat/webapps/ROOT'
[Wed Jun 28 20:08:43 CEST 2017] Getting new-authz for domain='kruk.okbase.cz'
[Wed Jun 28 20:08:43 CEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Wed Jun 28 20:08:43 CEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Wed Jun 28 20:08:43 CEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Jun 28 20:08:43 CEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Wed Jun 28 20:08:43 CEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Wed Jun 28 20:08:43 CEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Wed Jun 28 20:08:43 CEST 2017] Try new-authz for the 0 time.
[Wed Jun 28 20:08:43 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Jun 28 20:08:43 CEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "kruk.okbase.cz"}}'
[Wed Jun 28 20:08:43 CEST 2017] RSA key
[Wed Jun 28 20:08:43 CEST 2017] GET
[Wed Jun 28 20:08:43 CEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
[Wed Jun 28 20:08:43 CEST 2017] timeout
[Wed Jun 28 20:08:43 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.J0QCKMi5vW '
[Wed Jun 28 20:08:43 CEST 2017] ret='0'
[Wed Jun 28 20:08:43 CEST 2017] POST
[Wed Jun 28 20:08:43 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Jun 28 20:08:43 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.ZubZyOT6iq '
[Wed Jun 28 20:08:45 CEST 2017] _ret='0'
[Wed Jun 28 20:08:45 CEST 2017] code='201'
[Wed Jun 28 20:08:45 CEST 2017] The new-authz request is ok.
[Wed Jun 28 20:08:45 CEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524","token":"eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI"'
[Wed Jun 28 20:08:45 CEST 2017] token='eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI'
[Wed Jun 28 20:08:45 CEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:45 CEST 2017] keyauthorization='eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI.MI66LH_G45PI8hHN3vk0-OE8eKpGIgqRdN11-9Za6Vc'
[Wed Jun 28 20:08:45 CEST 2017] dvlist='kruk.okbase.cz#eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI.MI66LH_G45PI8hHN3vk0-OE8eKpGIgqRdN11-9Za6Vc#https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524#http-01#/usr/share/tomcat/webapps/ROOT'
[Wed Jun 28 20:08:45 CEST 2017] vlist='kruk.okbase.cz#eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI.MI66LH_G45PI8hHN3vk0-OE8eKpGIgqRdN11-9Za6Vc#https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524#http-01#/usr/share/tomcat/webapps/ROOT,'
[Wed Jun 28 20:08:45 CEST 2017] ok, let's start to verify
[Wed Jun 28 20:08:45 CEST 2017] Verifying:kruk.okbase.cz
[Wed Jun 28 20:08:45 CEST 2017] d='kruk.okbase.cz'
[Wed Jun 28 20:08:45 CEST 2017] keyauthorization='eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI.MI66LH_G45PI8hHN3vk0-OE8eKpGIgqRdN11-9Za6Vc'
[Wed Jun 28 20:08:45 CEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:45 CEST 2017] _currentRoot='/usr/share/tomcat/webapps/ROOT'
[Wed Jun 28 20:08:45 CEST 2017] wellknown_path='/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge'
[Wed Jun 28 20:08:45 CEST 2017] writing token:eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI to /usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI
[Wed Jun 28 20:08:45 CEST 2017] Changing owner/group of .well-known to root:root
[Wed Jun 28 20:08:45 CEST 2017] chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/ukyENAD-vybeLoNfnFQllZXWn0SXASumnaGeh7d_jDI': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/b7QdM8RHA_4BOwlFQ6tCq-qcOfOaNpyjmXg1lPtqK2k': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/_ENgJJxD1QqsVJFcIwu-5ZcwLSoHYWCipPMNNWY1cko': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/c00IxuSNoTG6l0FZFkcYNm_uAgIqIJP_k2K9cP1GWTE': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/nZHN_X94--6fAKhqvMV2UjybLkx0tMtA5ms-Xv15qWw': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/iG7Ec_oHNfvriBYWRL7C-nfk9l2QFk1Qd7Mg82LUcpg': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/sjq4c89pBLDrcPDXvQNLB0ZF1vLyLnkgtTXfUaWE9Ug': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/cQlD9DN0FBI6xtAoRp6hBE_wer4ov_RSqYotympk08w': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/DNDo0jxdMUff6RyXoM3FzksUqkfH7pu0P7kFVYyvOoI': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/_fzAaqbSoHLc2EYzmYCaPdIycYT94jFG8V6o40k-CJU': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/bJxory9TxE8tldv4IR5cWI6H6EJmI_bWQzHIB0r4hPA': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/B23MdgFbRMCe82tzCpKCnkH-qzOBIrO4gLCT87Lv_84': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known': Operation not permitted
[Wed Jun 28 20:08:45 CEST 2017] chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/ukyENAD-vybeLoNfnFQllZXWn0SXASumnaGeh7d_jDI': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/b7QdM8RHA_4BOwlFQ6tCq-qcOfOaNpyjmXg1lPtqK2k': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/_ENgJJxD1QqsVJFcIwu-5ZcwLSoHYWCipPMNNWY1cko': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/c00IxuSNoTG6l0FZFkcYNm_uAgIqIJP_k2K9cP1GWTE': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/nZHN_X94--6fAKhqvMV2UjybLkx0tMtA5ms-Xv15qWw': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/iG7Ec_oHNfvriBYWRL7C-nfk9l2QFk1Qd7Mg82LUcpg': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/sjq4c89pBLDrcPDXvQNLB0ZF1vLyLnkgtTXfUaWE9Ug': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/cQlD9DN0FBI6xtAoRp6hBE_wer4ov_RSqYotympk08w': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/DNDo0jxdMUff6RyXoM3FzksUqkfH7pu0P7kFVYyvOoI': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/_fzAaqbSoHLc2EYzmYCaPdIycYT94jFG8V6o40k-CJU': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/bJxory9TxE8tldv4IR5cWI6H6EJmI_bWQzHIB0r4hPA': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/B23MdgFbRMCe82tzCpKCnkH-qzOBIrO4gLCT87Lv_84': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge': Operation not permitted
chown: changing ownership of '/usr/share/tomcat/webapps/ROOT/.well-known': Operation not permitted
[Wed Jun 28 20:08:45 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:45 CEST 2017] payload='{"resource": "challenge", "keyAuthorization": "eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI.MI66LH_G45PI8hHN3vk0-OE8eKpGIgqRdN11-9Za6Vc"}'
[Wed Jun 28 20:08:45 CEST 2017] POST
[Wed Jun 28 20:08:45 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:46 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.MT8lqQhBMD '
[Wed Jun 28 20:08:46 CEST 2017] _ret='0'
[Wed Jun 28 20:08:47 CEST 2017] code='202'
[Wed Jun 28 20:08:47 CEST 2017] sleep 2 secs to verify
[Wed Jun 28 20:08:49 CEST 2017] checking
[Wed Jun 28 20:08:49 CEST 2017] GET
[Wed Jun 28 20:08:49 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:49 CEST 2017] timeout
[Wed Jun 28 20:08:49 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.MdZvmWPOMk '
[Wed Jun 28 20:08:49 CEST 2017] ret='0'
[Wed Jun 28 20:08:49 CEST 2017] Pending
[Wed Jun 28 20:08:49 CEST 2017] sleep 2 secs to verify
[Wed Jun 28 20:08:51 CEST 2017] checking
[Wed Jun 28 20:08:51 CEST 2017] GET
[Wed Jun 28 20:08:51 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:51 CEST 2017] timeout
[Wed Jun 28 20:08:51 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.3K2VnDMjyt '
[Wed Jun 28 20:08:52 CEST 2017] ret='0'
[Wed Jun 28 20:08:52 CEST 2017] Pending
[Wed Jun 28 20:08:52 CEST 2017] sleep 2 secs to verify
[Wed Jun 28 20:08:54 CEST 2017] checking
[Wed Jun 28 20:08:54 CEST 2017] GET
[Wed Jun 28 20:08:54 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:54 CEST 2017] timeout
[Wed Jun 28 20:08:54 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.mm5gwBm4cq '
[Wed Jun 28 20:08:54 CEST 2017] ret='0'
[Wed Jun 28 20:08:54 CEST 2017] kruk.okbase.cz:Verify error:Fetching https://kruk.okbase.cz:8443/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI: Timeout
[Wed Jun 28 20:08:54 CEST 2017] Debug: get token url.
[Wed Jun 28 20:08:54 CEST 2017] GET
[Wed Jun 28 20:08:54 CEST 2017] url='http://kruk.okbase.cz/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI'
[Wed Jun 28 20:08:54 CEST 2017] timeout='1'
[Wed Jun 28 20:08:54 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.CtnkZ7RqEA  --connect-timeout 1'
[Wed Jun 28 20:08:55 CEST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Wed Jun 28 20:08:55 CEST 2017] Here is the curl dump log:
[Wed Jun 28 20:08:55 CEST 2017] == Info: About to connect() to kruk.okbase.cz port 80 (#0)
== Info:   Trying 193.222.130.204...
== Info: Connection timed out after 1001 milliseconds
== Info: Closing connection 0
[Wed Jun 28 20:08:55 CEST 2017] ret='28'
[Wed Jun 28 20:08:55 CEST 2017] Debugging, skip removing: /usr/share/tomcat/webapps/ROOT/.well-known/acme-challenge/eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI
[Wed Jun 28 20:08:55 CEST 2017] pid
[Wed Jun 28 20:08:55 CEST 2017] No need to restore nginx, skip.
[Wed Jun 28 20:08:55 CEST 2017] _clearupdns
[Wed Jun 28 20:08:55 CEST 2017] skip dns.
[Wed Jun 28 20:08:55 CEST 2017] _on_issue_err
[Wed Jun 28 20:08:55 CEST 2017] Please check log file for more details: /home/emil/.acme.sh/acme.sh.log
[Wed Jun 28 20:08:55 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:55 CEST 2017] payload='{"resource": "challenge", "keyAuthorization": "eGb_6B7q_E8D_Wa9zENneoWeK3tke8GjT7NZvSnHzoI.MI66LH_G45PI8hHN3vk0-OE8eKpGIgqRdN11-9Za6Vc"}'
[Wed Jun 28 20:08:55 CEST 2017] POST
[Wed Jun 28 20:08:55 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ljmr62iV5T1ox1b9ivhIZVNQt6bKf3DuSfGXNrLFpAc/45993524'
[Wed Jun 28 20:08:55 CEST 2017] _CURL='curl -L --silent --dump-header /home/emil/.acme.sh/http.header  --trace-ascii /tmp/tmp.CtnkZ7RqEA '
[Wed Jun 28 20:08:56 CEST 2017] _ret='0'
[Wed Jun 28 20:08:56 CEST 2017] code='400'
[Wed Jun 28 20:08:57 CEST 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
nc:
Ncat 6.40 ( http://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
  -4                         Use IPv4 only
  -6                         Use IPv6 only
  -U, --unixsock             Use Unix domain sockets only
  -C, --crlf                 Use CRLF for EOL sequence
  -c, --sh-exec <command>    Executes the given command via /bin/sh
  -e, --exec <command>       Executes the given command
      --lua-exec <filename>  Executes the given Lua script
  -g hop1[,hop2,...]         Loose source routing hop points (8 max)
  -G <n>                     Loose source routing hop pointer (4, 8, 12, ...)
  -m, --max-conns <n>        Maximum <n> simultaneous connections
  -h, --help                 Display this help screen
  -d, --delay <time>         Wait between read/writes
  -o, --output <filename>    Dump session data to a file
  -x, --hex-dump <filename>  Dump session data as hex to a file
  -i, --idle-timeout <time>  Idle read/write timeout
  -p, --source-port port     Specify source port to use
  -s, --source addr          Specify source address to use (doesn't affect -l)
  -l, --listen               Bind and listen for incoming connections
  -k, --keep-open            Accept multiple connections in listen mode
  -n, --nodns                Do not resolve hostnames via DNS
  -t, --telnet               Answer Telnet negotiations
  -u, --udp                  Use UDP instead of default TCP
      --sctp                 Use SCTP instead of default TCP
  -v, --verbose              Set verbosity level (can be used several times)
  -w, --wait <time>          Connect timeout
      --append-output        Append rather than clobber specified output files
      --send-only            Only send data, ignoring received; quit on EOF
      --recv-only            Only receive data, never send anything
      --allow                Allow only given hosts to connect to Ncat
      --allowfile            A file of hosts allowed to connect to Ncat
      --deny                 Deny given hosts from connecting to Ncat
      --denyfile             A file of hosts denied from connecting to Ncat
      --broker               Enable Ncat's connection brokering mode
      --chat                 Start a simple Ncat chat server
      --proxy <addr[:port]>  Specify address of host to proxy through
      --proxy-type <type>    Specify proxy type ("http" or "socks4")
      --proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server
      --ssl                  Connect or listen with SSL
      --ssl-cert             Specify SSL certificate file (PEM) for listening
      --ssl-key              Specify SSL private key (PEM) for listening
      --ssl-verify           Verify trust and domain name of certificates
      --ssl-trustfile        PEM file containing trusted SSL certificates
      --version              Display Ncat's version information and exit

See the ncat(1) manpage for full options, descriptions and usage examples
frjaraur commented 6 years ago

Same here :|

./acme.sh --log --issue -d visualize.duckdns.org -w /var/www/
.....
......
......
[Sun 20 Aug 21:10:17 CEST 2017] writing token:U9DH4sQV6x5x9UG_1Chxrysc-NpOWvfuX7DSGXH4nhc to /var/www//.well-known/acme-challenge/U9DH4sQV6x5x9UG_1Chxrysc-NpOWvfuX7DSGXH4nhc
[Sun 20 Aug 21:10:17 CEST 2017] Changing owner/group of .well-known to root:root
[Sun 20 Aug 21:10:17 CEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/v6qee4_5w3ZpQhbottWbsdGLRxuS5INEdgyOWVWBRNM/1797336937'
[Sun 20 Aug 21:10:17 CEST 2017] payload='{"resource": "challenge", "keyAuthorization": "U9DH4sQV6x5x9UG_1Chxrysc-NpOWvfuX7DSGXH4nhc.Vn8sxnekBFCMRvbcn1ll7vzM98V1VITTBn5F1bxO5ko"}'
[Sun 20 Aug 21:10:17 CEST 2017] POST
[Sun 20 Aug 21:10:17 CEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/v6qee4_5w3ZpQhbottWbsdGLRxuS5INEdgyOWVWBRNM/1797336937'
[Sun 20 Aug 21:10:17 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun 20 Aug 21:10:18 CEST 2017] _ret='0'
[Sun 20 Aug 21:10:18 CEST 2017] code='202'
[Sun 20 Aug 21:10:19 CEST 2017] sleep 2 secs to verify
[Sun 20 Aug 21:10:21 CEST 2017] checking
[Sun 20 Aug 21:10:21 CEST 2017] GET
[Sun 20 Aug 21:10:21 CEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/v6qee4_5w3ZpQhbottWbsdGLRxuS5INEdgyOWVWBRNM/1797336937'
[Sun 20 Aug 21:10:21 CEST 2017] timeout
[Sun 20 Aug 21:10:21 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun 20 Aug 21:10:23 CEST 2017] ret='0'
[Sun 20 Aug 21:10:23 CEST 2017] visualize.duckdns.org:Verify error:Invalid response from http://visualize.duckdns.org/.well-known/acme-challenge/U9DH4sQV6x5x9UG_1Chxrysc-NpOWvfuX7DSGXH4nhc:
[Sun 20 Aug 21:10:23 CEST 2017] pid
[Sun 20 Aug 21:10:23 CEST 2017] No need to restore nginx, skip.
[Sun 20 Aug 21:10:23 CEST 2017] _clearupdns
[Sun 20 Aug 21:10:23 CEST 2017] skip dns.
[Sun 20 Aug 21:10:23 CEST 2017] _on_issue_err
[Sun 20 Aug 21:10:23 CEST 2017] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Sun 20 Aug 21:10:23 CEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/v6qee4_5w3ZpQhbottWbsdGLRxuS5INEdgyOWVWBRNM/1797336937'
[Sun 20 Aug 21:10:23 CEST 2017] payload='{"resource": "challenge", "keyAuthorization": "U9DH4sQV6x5x9UG_1Chxrysc-NpOWvfuX7DSGXH4nhc.Vn8sxnekBFCMRvbcn1ll7vzM98V1VITTBn5F1bxO5ko"}'
[Sun 20 Aug 21:10:23 CEST 2017] POST
[Sun 20 Aug 21:10:23 CEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/v6qee4_5w3ZpQhbottWbsdGLRxuS5INEdgyOWVWBRNM/1797336937'
[Sun 20 Aug 21:10:23 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun 20 Aug 21:10:24 CEST 2017] _ret='0'
[Sun 20 Aug 21:10:24 CEST 2017] code='400'

root@alnitak:~/.acme.sh# cat /root/.acme.sh/http.header
HTTP/1.1 100 Continue
Expires: Sun, 20 Aug 2017 19:10:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 132
Boulder-Request-Id: 28ahyGyNsfYa8ooJ0AZ-CwcIYAn3OZ3CUNy4GJAy_SE
Boulder-Requester: 20200828
Replay-Nonce: pXXzc_o9K6rqo4U0rzuXnVkaoNJDm2IzBvDedD9xDvc
Expires: Sun, 20 Aug 2017 19:10:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Aug 2017 19:10:24 GMT
Connection: close

Can't get any valid request. Thanks, Javier R.

PocketSam commented 6 years ago

Get the same error in standalone mode.

finwe commented 6 years ago

Same here, acme upgraded yesterday. Neither issue nor renewal is working; the .well-known URL responds OK in the browser.

https://gist.github.com/finwe/4cb8c41b4682750e154704df6b5d14c3

Neilpang commented 6 years ago

@finwe please try again, and just paste the output with --debug 2

finwe commented 6 years ago

Actually, the gist contains exactly that output; the redirection from the first line didn't do any good.

finwe commented 6 years ago

Updated with a current attempt, just for a good measure.

Neilpang commented 6 years ago

@frjaraur Can you please try again without redirection?

Neilpang commented 6 years ago

@frjaraur I tried on my server; it just works. From your log, I don't find any error yet.

Neilpang commented 6 years ago

@finwe What is your webserver? nginx or apache? Can you try with --nginx or --apache mode?

finwe commented 6 years ago

Nginx. But I set up the certificate to the "virtualhost" manually.

The outcome is the same with --nginx.

Neilpang commented 6 years ago

@finwe --nginx mode is only to issue a cert; it will not change your nginx conf at all. You will need to configure the virtualhost yourself.

finwe commented 6 years ago

Solved. The server was not listening on IPv6 for the HTTP to HTTPS redirection (which was not an issue on the initial certificate setup).
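Both failures in this thread are reachability problems the CA hits before it ever sees the token, and both are visible from the client side before running acme.sh. In the original report the CA only ever starts an HTTP-01 fetch on port 80, so the `:8443` in "Verify error:Fetching https://kruk.okbase.cz:8443/..." can only have come from a redirect issued by the port-80 listener (Tomcat's HTTP connector with `redirectPort="8443"` is the usual source); Let's Encrypt follows redirects only to ports 80 and 443, so that hop is dead on arrival. In finwe's case the name had an AAAA record but nothing listening on IPv6, and the CA prefers IPv6 when an AAAA record exists. The script below is an added example, not part of acme.sh: it drops a throwaway token into the webroot, fetches it the way the CA does (plain HTTP on port 80, following redirects) separately over IPv4 and IPv6, and checks that the final URL sits on port 80 or 443 and that the body is the token. It also parses acme.sh's own "Verify error:Fetching ..." line so the port of the URL the CA gave up on is obvious. The file name `acme-preflight.sh`, the domain and the webroot path are placeholders; it assumes curl is installed and that the webroot given is what the port-80 listener actually serves.

```shell
#!/bin/sh
# Added example, not part of acme.sh: pre-flight checks for an HTTP-01 webroot.
# Assumes curl is installed and that $webroot is what the port-80 listener serves.

# Default port for a URL scheme.
default_port() {
  if [ "$1" = https ]; then echo 443; else echo 80; fi
}

# Port a URL targets: the explicit :port if present, otherwise the scheme default.
# Handles bracketed IPv6 literals such as http://[2001:db8::1]:8080/.
url_port() {
  url=$1
  scheme=${url%%://*}
  rest=${url#*://}
  hostport=${rest%%/*}
  case $hostport in
    \[*\]:*) echo "${hostport##*]:}" ;;
    \[*\])   default_port "$scheme" ;;
    *:*)     echo "${hostport##*:}" ;;
    *)       default_port "$scheme" ;;
  esac
}

# Let's Encrypt starts every HTTP-01 fetch on port 80 and follows redirects only
# to ports 80 and 443. Any other port (Tomcat's 8443, say) is unreachable for the
# CA even when it is open on the LAN.
redirect_ok() {
  p=$(url_port "$1")
  [ "$p" = 80 ] || [ "$p" = 443 ]
}

# Pull the URL out of an acme.sh "Verify error:Fetching <url>: <reason>" line.
fetched_url() {
  printf '%s\n' "$1" | sed -n 's/.*Verify error:Fetching \([^ ]*\): .*/\1/p'
}

# Network pre-flight: write a token into the webroot and fetch it as the CA would,
# over IPv4 and (if the name has an AAAA record) IPv6. Non-zero on anything the
# CA would also trip over.
preflight() {
  domain=$1
  webroot=$2
  dir=$webroot/.well-known/acme-challenge
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # throwaway token
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  body=$(mktemp)
  rc=0
  for ipv in 4 6; do
    url="http://$domain/.well-known/acme-challenge/$token"
    if out=$(curl -"$ipv" -sS -L --max-time 10 -o "$body" \
               -w '%{http_code} %{url_effective}' "$url" 2>&1); then
      ec=0
    else
      ec=$?
    fi
    if [ "$ec" -eq 6 ] && [ "$ipv" = 6 ]; then
      echo "IPv6: no AAAA record, the CA will use IPv4"   # not an error
      continue
    fi
    if [ "$ec" -ne 0 ]; then
      echo "IPv$ipv: curl failed ($ec): $out"; rc=1; continue
    fi
    code=${out%% *}
    final=${out#* }
    if [ "$code" != 200 ]; then
      echo "IPv$ipv: HTTP $code from $final"; rc=1
    elif ! redirect_ok "$final"; then
      echo "IPv$ipv: redirected to port $(url_port "$final") ($final); the CA will not follow"; rc=1
    elif [ "$(cat "$body")" != "$token" ]; then
      echo "IPv$ipv: wrong body at $final (different vhost or cached page?)"; rc=1
    else
      echo "IPv$ipv: OK via $final"
    fi
  done
  rm -f "$body" "$dir/$token"
  return $rc
}

# Usage: sh acme-preflight.sh example.com /var/www/html
if [ $# -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it from the host that will run acme.sh, against the public name, before `--issue`. A redirect to any port other than 80 or 443 reproduces Bohjan's timeout; a `curl failed (7)` on the IPv6 pass with a clean IPv4 pass reproduces finwe's case, and the fix there is an IPv6 listener (or dropping the AAAA record), not a change to acme.sh.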