# Cannot generate SSL certificate acme-client



## fred974 (May 10, 2017)

Hi,

I use Nginx as a reverse proxy to some WordPress backends in jails.
I added a new configuration file in /usr/local/etc/nginx/acme.conf with the following text.

```
# acme.conf
server{
 location ^~ /.well-known/acme-challenge/ {
 proxy_redirect off;
 default_type "text/plain";
 root usr/local/www/acme;
 allow all;
 }
}
```
In my /usr/local/etc/nginx/nginx.conf I added

```
include acme.conf;
```
When I run `acme-client -vNn mydomain.co.uk www.mydomain.co.uk` I get the following error..

```
acme-client: /usr/local/etc/ssl/acme/private/privkey.pem: generating RSA domain key
acme-client: /usr/local/etc/acme/privkey.pem: generating RSA account key
acme-client: adding SAN: www.mydomain.co.uk
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2.22.101.48
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:f6:182::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:f6:19c::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: mydomain.co.uk
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.mydomain.co.uk
acme-client: /usr/local/www/acme/adEW0NBAaqLBMWOSCl5k8VuhjoN1n4cHvo-1KjjR720: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/ig79jl6QZIOiG3Pl8h1Pd8-6yZH5OSg0ar_3Ien3Lrg/1156401055: challenge
acme-client: /usr/local/www/acme/gO55mf1y0haZJdni6nKqxm-4Gt1y38QmMhsSDK7N7Ls: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/0EjiUAM4Kvi47YJLVuLyEDkrJ4e5lGYdEKGZdCtYBx8/1156401093: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/ig79jl6QZIOiG3Pl8h1Pd8-6yZH5OSg0ar_3Ien3Lrg/1156401055: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/ig79jl6QZIOiG3Pl8h1Pd8-6yZH5OSg0ar_3Ien3Lrg/1156401055: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://mydomain.co.uk/.well-known/acme-challenge/adEW0NBAaqLBMWOSCl5k8VuhjoN1n4cHvo-1KjjR720: \"\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\"Conte\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/ig79jl6QZIOiG3Pl8h1Pd8-6yZH5OSg0ar_3Ien3Lrg/1156401055", "token": "adEW0NBAaqLBMWOSCl5k8VuhjoN1n4cHvo-1KjjR720", "keyAuthorization": "adEW0NBAaqLBMWOSCl5k8VuhjoN1n4cHvo-1KjjR720.X27W--dmGHBPPsWJ0fyHGHZrihc-_VyEM-SRQsmgvRU", "validationRecord": [ { "url": "http://mydomain.co.uk/.well-known/acme-challenge/adEW0NBAaqLBMWOSCl5k8VuhjoN1n4cHvo-1KjjR720", "hostname": "mydomain.co.uk", "port": "80", "addressesResolved": [ "194.10.13.xxx" ], "addressUsed": "194.10.13.xxx" }, { "url": "https://mydomain.co.uk/.well-known/acme-challenge/adEW0NBAaqLBMWOSCl5k8VuhjoN1n4cHvo-1KjjR720", "hostname": "mydomain.co.uk", "port": "443", "addressesResolved": [ "194.10.13.xxx" ], "addressUsed": "194.10.13.xxx" } ] }] (1313 bytes)
acme-client: bad exit: netproc(29623): 1
```
Could anyone please help?
mydomain.co.uk

```
# This template redirects traffic to https://mydomain.co.uk.

# Domain redirect
server {
        listen     80;
        server_name mydomain.co.uk;

# Redirect to ssl domain
        return 301 https://$host$request_uri;
}

# Domain redirect
server {
        listen     80;
        server_name www.mydomain.co.uk;

# Redirect to ssl domain
        return 301 https://$host$request_uri;
}

# HTTPS redirect
server {
        listen      443 ssl http2;
        server_name www.mydomain.co.uk;

# Setup SSL
        ssl on;
        ssl_certificate         /etc/ssl/mydomain/mydomain.co.uk.crt;
        ssl_certificate_key     /etc/ssl/mydomain/mydomain.co.uk.key;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

# Redirect to www
        return 301 https://$host$request_uri;
}

# SSL site
server {
        listen   443 ssl http2;
        server_name mydomain.co.uk;

# Setup SSL
        ssl on;
        ssl_certificate         /etc/ssl/mydomain/mydomain.co.uk.crt;
        ssl_certificate_key     /etc/ssl/mydomain/mydomain.co.uk.key;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

# Variables

# Set the backend server, as defined in backends.conf. Ex: apache, nginx, nginx-ssl
        set $backend http://mydomain;

# Uncomment to disable proxy cache.
#       set $nocache 1;

# Set referers
        valid_referers none blocked server_names;

# Include Letsencrypt acme-client
#       include /usr/local/etc/nginx/acme.conf;

# Include the standard security template. (nginx/security/standard-template)
        include /usr/local/etc/nginx/security/standard-template;

# Uncomment to block search engines
#       include /usr/local/etc/nginx/security/block-search.conf;

# Uncomment and change CMS to your actual CMS, as listed under nginx/cms/. For example, Drupal, Wordpress, Horde, Nextcloud, etc.
        include /usr/local/etc/nginx/cms/static;

# Include hotlink protection
        include /usr/local/etc/nginx/proxy/hotlink;

# Pass all remaining requests to the backend server.
        include /usr/local/etc/nginx/proxy/backend;

}
```


----------



## Remington (May 11, 2017)

Your nginx.conf is a little bit messy.  Here is my cleaner conf file as an example.


```
server {
    listen               80;
    server_name          www.acme.ru acme.ru;
    rewrite              ^(.*) https://acme.ru$1 permanent;
}

server {
    listen               443;
    server_name          www.acme.ru acme.ru;
    set  $document_user  "www";
    set  $document_name  "acme_ru";
    root                 /usr/local/www/domains/$document_name;

    if ($host !~* ^(www)) {
        rewrite          ^(.*) https://www.acme.ru$1 permanent;
    }

    # SSL Certificate
    ssl                  on;
    ssl_certificate      /usr/local/etc/nginx/ssl/acme_ru.crt;
    ssl_certificate_key  /usr/local/etc/nginx/ssl/acme_ru.key;

    access_log           /var/log/nginx/acme_ru-nginx-access.log main buffer=32k;
    error_log            /var/log/nginx/acme_ru-nginx-error.log;

    limit_req            zone=gulag burst=200 nodelay;

    # SSL parameters
    include /usr/local/etc/nginx/global/ssl.conf;

    # Deny access to server files
    include /usr/local/etc/nginx/global/security.conf;

    # Support Clean (aka Search Engine Friendly) URLs
    include /usr/local/etc/nginx/global/seo.conf;

    # Pass the PHP scripts to FastCGI server listening on unix socket
    include /usr/local/etc/nginx/global/fastcgi56.conf;

    # Caching of files
    include /usr/local/etc/nginx/global/cache.conf;

}
```


----------



## SirDice (May 11, 2017)

Don't set root multiple times, that's bad form. Use an alias:

```
location /.well-known/acme-challenge {
    alias /usr/local/www/acme;
    autoindex off;
}
```

I also recommend looking at /var/log/nginx/access.log and /var/log/nginx/error.log (or where you directed the logs to). It looks like nginx is throwing an error during the challenge.


----------



## fred974 (May 11, 2017)

Remington 
The file I pasted above is my /usr/local/etc/nginx/shared-sites/mydomain.conf file.
Here is my /usr/local/etc/nginx/nginx.conf file

```
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
load_module /usr/local/libexec/nginx/ngx_http_geoip_module.so;
load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_redis_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

# Worker proccess
worker_processes  auto;
worker_priority     15;

# Event settings
events {
        worker_connections  4096;
        use kqueue;
        accept_mutex  on;
}

# HTTP section
http {
        include         mime.types;
        default_type    application/octet-stream;

# Nginx core configuration
        aio                       on;
        more_set_headers          Server;
        ignore_invalid_headers    on;
        max_ranges                0;
        reset_timedout_connection on;
        server_tokens             off;
        source_charset            utf-8;
        tcp_nodelay               on;
        tcp_nopush                off;
        etag                      off;

# Include Letsencrypt acme-client
       include /usr/local/etc/nginx/acme.conf;


# Server hash and name sizes
        server_names_hash_max_size 8192;
        server_names_hash_bucket_size 8192;

# Timeouts
        client_body_timeout       60s;
        client_header_timeout     60s;
        send_timeout              60s;
        keepalive_timeout         75s;

# Body size limit
        client_max_body_size      40m;

# Request limiting
        limit_req_zone $server_name zone=perserver:10m rate=20r/m;
        limit_req_status 444;

# Brotli Compression
        brotli on;
        brotli_types *;

# Gzip compression
        gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 9;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/javascript text/xml application/xml+rss;

# Logging
        log_format  main  '$host $remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"' "$request_time" '- ' "$upstream_cache_status";
        access_log /var/log/nginx.log  main;
        error_log /var/log/nginx-error.log;

# Set system wide SSL settings
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_dhparam /etc/ssl/dh4096.pem;
        ssl_buffer_size 4k;

# Mozilla intermediate ciphers - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";

# Use a SSL/TLS cache for SSL session resume
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 24h;

# Enable ocsp stapling
        resolver 8.8.8.8; # Enter the IP of your caching resolver
        #resolver 8.8.4.4 8.8.8.8 valid=300s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/etc/ssl/cert.pem;

# Proxy settings
        proxy_redirect          off;
        proxy_set_header        Host             $host;
        proxy_set_header        X-Real-IP        $remote_addr;
        proxy_set_header        X-Forwarded-For  $remote_addr;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        HTTP_AUTHORIZATION $http_authorization;
        proxy_set_header Proxy  "";
        proxy_hide_header       X-Powered-By;
        proxy_intercept_errors  on;
        proxy_read_timeout      90;
        proxy_send_timeout      90;
        proxy_connect_timeout   90;
        proxy_http_version      1.1;

# Proxy buffer settings
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;

# Setup the proxy cache. Note: The path /tmp/cache should be mounted with TMPFS.
        proxy_cache_path  /tmp/cache levels=1:2 keys_zone=STATIC:25m inactive=4h max_size=850m use_temp_path=off;
        proxy_cache_key "$host$request_uri";

# Activate the proxy cache.
        proxy_cache            STATIC;
        proxy_cache_revalidate on;
        proxy_cache_valid      200  1d;
        proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_lock        on;
        proxy_cache_bypass  $http_cache_control $http_pragma $http_authorization $nocache $cookie_nocache;
        proxy_no_cache $http_cache_control $http_pragma $http_authorization $nocache $cookie_nocache;
        include /usr/local/etc/nginx/cache-bypass.conf;

# Include GeoIP database.
        geoip_country /usr/local/share/GeoIP/GeoLiteCountry.dat;
        geoip_city    /usr/local/share/GeoIP/GeoLiteCity.dat;
        geoip_org     /usr/local/share/GeoIP/GeoIPASNum.dat;

# Include the backend servers.
        include /usr/local/etc/nginx/backends.conf;

# Include the default servers.
#       include /usr/local/etc/nginx/default_servers.conf;

# Include individual website configurations.
        include /usr/local/etc/nginx/ip-sites/*.conf;
        include /usr/local/etc/nginx/shared-sites/*.conf;

# Include map lists.
        include /usr/local/etc/nginx/maps/*.conf;

#End configuration file
}
```
So, should I change my /usr/local/etc/nginx/acme.conf with the info you gave me above?
Also, I am not really sure how to create the

```
ssl_trusted_certificate /usr/local/etc/ssl/cert.pem;
```
SirDice, in the log I have

```
2017/05/11 06:12:09 [error] 83440#100789: OCSP_check_validity() failed (SSL: error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid) while requesting certificate status, responder: ocsp2.globalsign.com, peer: 104.16.27.216:80, certificate: "/etc/ssl/mydomain/mydomain.co.uk.crt"
```
/etc/ssl/mydomain/mydomain.co.uk.crt is a bought certificate from GlobalSign.


----------



## fred974 (May 11, 2017)

Hi,

Are /usr/local/etc/nginx/ssl/acme_ru.crt and /usr/local/etc/nginx/ssl/acme_ru.key self-signed certificates?


----------



## Remington (May 11, 2017)

fred974 said:


> hi,
> 
> Are /usr/local/etc/nginx/ssl/acme_ru.crt and /usr/local/etc/nginx/ssl/acme_ru.key self signed certificate?



I use the SSL certificate from Comodo but it's not free.  You can install security/py-certbot and it'll generate a genuine SSL certificate every 3 months so you don't need to pay for anything, but you'll need to create a cron job to run the script to regenerate the certs since they're only valid for 3 months.  You can follow the instructions on how to set it up and create SSL certs at https://certbot.eff.org/#freebsd-nginx


----------



## drhowarddrfine (May 11, 2017)

I don't use LetsEncrypt directly anymore but you cannot redirect acme from port 80 on first use if I recall correctly.
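The two points above (SirDice: use `alias`, not a second `root`; drhowarddrfine: the port-80 challenge request must not be redirected) describe one fix. The validationRecord in the original error shows exactly that path: the validator fetched `http://mydomain.co.uk/.well-known/acme-challenge/<token>`, was sent to port 443, and got a 403 there. The `acme.conf` in the question cannot help with that, because it wraps the location in its own `server{}` with no `listen`/`server_name`, so requests for mydomain.co.uk never reach it, and its `root usr/local/www/acme` would make nginx look for `/usr/local/www/acme/.well-known/acme-challenge/<token>` while acme-client writes `/usr/local/www/acme/<token>` (see the "created" lines in the log). The following is an added example, not config from the thread: `acme.conf` becomes a location-only snippet that is included inside each port-80 server before the redirect. The challenge directory `/usr/local/www/acme` is taken from the poster's log; the server names and file locations are assumptions.

```nginx
# /usr/local/etc/nginx/acme.conf  (added example; location snippet only, no server{} wrapper)
# ^~ is a prefix match that beats regex locations, so a later static-file or CMS
# rule included in the same server cannot capture the challenge path.
location ^~ /.well-known/acme-challenge/ {
    # alias replaces the matched prefix: /.well-known/acme-challenge/<token>
    # becomes /usr/local/www/acme/<token>, which is where acme-client writes.
    # (root would append the full URI to the directory instead.)
    alias        /usr/local/www/acme/;
    default_type text/plain;
    autoindex    off;
    # Nothing else belongs here: no auth, no proxy_pass, no redirect.
}

# /usr/local/etc/nginx/shared-sites/mydomain.conf, port-80 server (added example).
# BEFORE (the pattern in the question):
#   server { listen 80; server_name mydomain.co.uk; return 301 https://$host$request_uri; }
# A bare return at server level runs in the server rewrite phase, before any
# location is selected, so adding the challenge location to that server would
# still redirect the validator. The redirect has to live in a location block.
server {
    listen      80;
    server_name mydomain.co.uk www.mydomain.co.uk;

    # Challenge answers are served from here, over plain HTTP, without redirect.
    include /usr/local/etc/nginx/acme.conf;

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With the snippet moved into the server blocks, the `include /usr/local/etc/nginx/acme.conf;` at `http{}` level in nginx.conf must be removed (a `location` is not valid there) and the commented-out include in the 443 server is no longer needed. Check it before asking Let's Encrypt to: run `nginx -t`, reload, drop a file such as `/usr/local/www/acme/test` and confirm that `curl -i http://mydomain.co.uk/.well-known/acme-challenge/test` returns 200 with the file's contents and no `Location:` header, then rerun `acme-client -vNn mydomain.co.uk www.mydomain.co.uk`.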


----------



## SirDice (May 11, 2017)

Remington said:


> You can install security/py-certbot and it'll generate genuine SSL certificate every 3 months


That's just a different script for LetsEncrypt, security/acme-client does exactly the same.


----------



## sidetone (May 11, 2017)

I read that a 3rd party certificate makes it unreasonably difficult for a man in the middle to copy public keys and imitate both sides of the communication. While some cryptography is nearly impossible to hack, the cryptography is not broken into directly. The publicly available key is what imitators use to compromise that handshake.

I think of it as, the 3rd party certificate is the referee making sure both sides of the encryption are who they say they are. Or an iron triangle, where 3 points would have to be broken into instead of 1.

If a communication's encryption is verified and secured from the beginning, with all related keys inaccessible to unintended parties, I'm not completely sure, but I don't think it can be broken into as well.


----------



## fred974 (May 12, 2017)

Hi Guys,

Not sure if I should post this in a new thread or not...
Whether it is via a paid provider or Let's Encrypt, what is the command to generate the OCSP stapling certificate?

```
# Enable ocsp stapling
        resolver 8.8.8.8; # Enter the IP of your caching resolver
        #resolver 8.8.4.4 8.8.8.8 valid=300s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/etc/ssl/cert.pem;
```
I have paid certificates for all my domains, but is the OCSP stapling certificate self-signed based on the web server IP?
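OCSP stapling involves no certificate of its own, so there is nothing to generate and nothing tied to the server IP: with `ssl_stapling on`, nginx itself fetches a signed OCSP response for the server certificate from the responder URL embedded in that certificate (ocsp2.globalsign.com in the error above) and, with `ssl_stapling_verify on`, checks the response's signature against the CAs in `ssl_trusted_certificate`, which therefore has to contain the issuing intermediate and root of the server certificate. The block below is an added example, not config from the thread; the chain file names are assumptions, and the rest mirrors the directives already in the poster's nginx.conf.

```nginx
# Added example: OCSP stapling for a CA-issued certificate in nginx.
# File paths are assumptions; adjust to where the CA bundle was saved.
server {
    listen      443 ssl http2;
    server_name mydomain.co.uk;

    # Server certificate followed by the issuing intermediate(s), in that order.
    # nginx needs the issuer to build the OCSP request for the leaf's serial.
    ssl_certificate     /etc/ssl/mydomain/mydomain.co.uk.fullchain.crt;
    ssl_certificate_key /etc/ssl/mydomain/mydomain.co.uk.key;

    # nginx fetches and caches the OCSP response; nothing is generated by hand.
    ssl_stapling        on;
    # Reject responses that do not verify against the CAs below.
    ssl_stapling_verify on;
    # Intermediate + root of the issuing CA (the chain that signed the leaf),
    # not a self-signed file made on this host.
    ssl_trusted_certificate /etc/ssl/mydomain/globalsign-chain.pem;

    # Needed to resolve the responder hostname from the certificate's AIA field.
    resolver         8.8.8.8 valid=300s;
    resolver_timeout 5s;
}
```

To see whether a response is actually being stapled, run `openssl s_client -connect mydomain.co.uk:443 -servername mydomain.co.uk -status </dev/null` and look for an `OCSP Response Status: successful` section; the first request after a reload may not carry one, because nginx fetches the response in the background. Separately, the `OCSP_check_validity ... status not yet valid` error in the log earlier in the thread is OpenSSL rejecting a response whose thisUpdate time is ahead of the local clock, so the server's clock (ntpd) is the first thing to check when that message appears.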


----------

