FreeDNS ACME issue

phobeus

Greetings, I'm totally new over here, but I've got issues with my freshly set up acme, it worked like once, or twice and suddenly stops.
It looks, there's a problem with starting up standalone http server, I'm attaching my output

Spoiler

||NK-----K22
Renewing certificate
account: NK-----K22
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue -d 'nk----.k22.su' --standalone --listen-v4 --httpport '6666' --home '/tmp/acme/NK-----K22/' --accountconf '/tmp/acme/NK-----K22/accountconf.conf' --force --reloadCmd '/tmp/acme/NK-----K22/reloadcmd.sh' --log-level 3 --log '/tmp/acme/NK-----K22/acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[port] => 6666
[ipv6] =>
)
[Fri Jul 26 09:25:59 CEST 2019] Standalone mode.
[Fri Jul 26 09:25:59 CEST 2019] Single domain='nk----.k22.su'
[Fri Jul 26 09:25:59 CEST 2019] Getting domain auth token for each domain
[Fri Jul 26 09:26:01 CEST 2019] Getting webroot for domain='nk----.k22.su'
[Fri Jul 26 09:26:01 CEST 2019] Verifying: n----.k22.su
[Fri Jul 26 09:26:01 CEST 2019] Standalone mode server
2019/07/26 09:26:03 socat[66497] E write(6, 0x80204d800, 126): Broken pipe
2019/07/26 09:26:05 socat[84851] E write(6, 0x80204d800, 126): Broken pipe
[Fri Jul 26 09:26:06 CEST 2019] nk----.k22.su:Verify error:Invalid response from http://nk----.k22.su/.well-known/acme-challenge/B-fYHCXfoUaDfP5ZmIUU4JbMH-tO_MGQkrIg0I1Y5AI [217.196.113.40]: 503
[Fri Jul 26 09:26:06 CEST 2019] Please check log file for more details: /tmp/acme/NKVDCloud-K22/acme_issuecert.log||

If anyone is willing to push me in any direction, I'll be glad. I'm using FreeDNS, so DNS verification isn't an option for me.

kiokoman

@phobeus said in ACME 0.5.8 Breaks Letencrypt webroot local folder setup:

.well-known/acme-challenge

well you forgot to completely hide it..

503 Service Unavailable
No server is available to handle this request.

socat[66497] E write(6, 0x80204d800, 126): Broken pipe

check if you have the latest version of acme maybe something as changed and acme.sh does not work anymore as standalone

phobeus

@kiokoman Yeah, you're right =) But anyway, I wasn't able to make some reasonable solution, so I've just created tiny VM guest with alpine linux, lighttpd and nfs-client, and I'm passing my .well-known challenge through "local webroot", but I'm putting there appropiate path for my NFS share + ballast ( </path/to/share>/.well-known/acme-challenge/ ). pfSense comes already preloaded with nfs, all I needed was just enable it through /etc/rc.d.local. HAProxy does rest of the job ( frontend for path match looks like that ---v )

HAProxy Frontend rules ( I've got it implemented with http->https redirect, except for .well-known =3 I was pretty suprised it came on my mind )

Spoiler

So that's my hotfix solution, but I'm curious for any other ideas ))