Cannot get my domains to certify about acme-client HOT 13 CLOSED

I have set my local user (shawn) as the owner of /etc/acme and everything beneath it.
I also own the /PATH/TO/web path (except for /opt, where it starts).

I get this for acme-client status:

[shawn@web opt]$ /usr/local/bin/acme-client status

  [ ? ] Registered on https://acme-v01.api.letsencrypt.org/directory

  [ ? ] admin.complimateapp.com (the ? on this line is RED, the others are all green)
  [ ? ] admin.tolidano.com
  [ ? ] admin.complimateapp.com, complimateapp.com, www.complimateapp.com
  [ ? ] go.tolidano.com, tolidano.com, www.tolidano.com

I also attempted to use auto to make it happen - same error (I added the path and domain to acme-client.yml).

from acme-client.

Turns out it was my vhost config - I had just assigned an elastic IP and was waiting for it to take effect in Route 53. Once I updated the config and restarted apache, it worked perfectly for this domain.

from acme-client.

However, I tried to run it against one of the domains you see listed above and it failed:

[shawn@web web]$ /usr/local/bin/acme-client issue -d www.tolidano.com -p /opt/web/tolidano/frontend/web

    Providing payload at http://www.tolidano.com/.well-known/acme-challenge/rDcztll0rbdN1k_EynsW86WeUkWSul52haMAyDRegdI
selfVerify failed, please check http://www.tolidano.com/.well-known/acme-challenge/rDcztll0rbdN1k_EynsW86WeUkWSul52haMAyDRegdI.
Kelunik\Acme\AcmeException: Issuance failed, not all challenges could be solved. in phar:///usr/local/bin/acme-client/src/Commands/Issue.php:104

from acme-client.

Even running as sudo doesn't work:

[shawn@web web]$ sudo /usr/local/bin/acme-client issue -d www.tolidano.com -p /opt/web/tolidano/frontend/web

    Providing payload at http://www.tolidano.com/.well-known/acme-challenge/1upfTgZiqsavyHluxOQ91EtHDtZywc2Zg1K0j2JX_a8
selfVerify failed, please check http://www.tolidano.com/.well-known/acme-challenge/1upfTgZiqsavyHluxOQ91EtHDtZywc2Zg1K0j2JX_a8.
Kelunik\Acme\AcmeException: Issuance failed, not all challenges could be solved. in phar:///usr/local/bin/acme-client/src/Commands/Issue.php:104

from acme-client.

Another issue is that the domain above (tolidano.com) has only a single folder:
[shawn@web web]$ stat /etc/acme/certs/acme-v01.api.letsencrypt.org.directory/tolidano.com/
cert.pem chain.pem fullchain.pem key.pem

But my new domain, which I called issue on twice, has 2 folders (one with www and one without).

When I set the cert in the Apache config to a particular cert, it automatically redirects to the domain from the folder (so, if I point at the www.DOMAIN.com folder, it redirects to https://www.DOMAIN.com, but if I point at DOMAIN.com folder, it redirects to https://DOMAIN.com).

from acme-client.

@tolidano what's difference between www.domain.tld and domain.tld? Maybe you need just set up ServerAlias in Apache config and use one folder for same site!?

from acme-client.

So, the path is right because it makes a .well-known folder in the webroot, and in it is an acme-challenge folder. But I cannot catch it while the file is there before the solving fails.

If you create some random file manually within that folder, can you access it via the web server?

But my new domain, which I called issue on twice, has 2 folders (one with www and one without).

The client always takes the first name as common name, so you either tried both separately or tried it twice with mixed orders.

from acme-client.

from acme-client.

@tolidano What's your DNS provider?

from acme-client.

from acme-client.

Do you have an options timeout:n defined in your /etc/resolv.conf?

from acme-client.

No I do not.

from acme-client.

I'm closing this. I need a reproducible case so I can debug it.

from acme-client.