Hello! I'm having an unknown issue when trying to issue a LE certificate to my client's website. Here is the --debug result:
[root@oipnetwork ~]# acme.sh --issue -d azeare.com -w /home/silje/azeare.com/ --debug --force
[Tue Sep 12 20:05:16 UTC 2017] Lets find script dir.
[Tue Sep 12 20:05:16 UTC 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Sep 12 20:05:16 UTC 2017] _script='/root/.acme.sh/acme.sh'
[Tue Sep 12 20:05:16 UTC 2017] _script_home='/root/.acme.sh'
[Tue Sep 12 20:05:16 UTC 2017] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.7.4
[Tue Sep 12 20:05:16 UTC 2017] Using config home:/root/.acme.sh
[Tue Sep 12 20:05:16 UTC 2017] DOMAIN_PATH='/root/.acme.sh/azeare.com'
[Tue Sep 12 20:05:16 UTC 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Sep 12 20:05:16 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Sep 12 20:05:16 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Sep 12 20:05:16 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Sep 12 20:05:16 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Sep 12 20:05:16 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Sep 12 20:05:16 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Sep 12 20:05:16 UTC 2017] Le_NextRenewTime
[Tue Sep 12 20:05:16 UTC 2017] _on_before_issue
[Tue Sep 12 20:05:16 UTC 2017] Le_LocalAddress
[Tue Sep 12 20:05:16 UTC 2017] Check for domain='azeare.com'
[Tue Sep 12 20:05:16 UTC 2017] _currentRoot='/home/silje/azeare.com/'
[Tue Sep 12 20:05:17 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Tue Sep 12 20:05:17 UTC 2017] Read key length:2048
[Tue Sep 12 20:05:17 UTC 2017] Creating domain key
[Tue Sep 12 20:05:17 UTC 2017] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
[Tue Sep 12 20:05:17 UTC 2017] Using config home:/root/.acme.sh
[Tue Sep 12 20:05:17 UTC 2017] Use length 2048
[Tue Sep 12 20:05:17 UTC 2017] Using RSA: 2048
[Tue Sep 12 20:05:17 UTC 2017] The domain key is here: /root/.acme.sh/azeare.com/azeare.com.key
[Tue Sep 12 20:05:17 UTC 2017] _createcsr
[Tue Sep 12 20:05:17 UTC 2017] Single domain='azeare.com'
[Tue Sep 12 20:05:17 UTC 2017] Getting domain auth token for each domain
[Tue Sep 12 20:05:17 UTC 2017] Getting webroot for domain='azeare.com'
[Tue Sep 12 20:05:17 UTC 2017] _w='/home/silje/azeare.com/'
[Tue Sep 12 20:05:17 UTC 2017] _currentRoot='/home/silje/azeare.com/'
[Tue Sep 12 20:05:17 UTC 2017] Getting new-authz for domain='azeare.com'
[Tue Sep 12 20:05:17 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Sep 12 20:05:17 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Sep 12 20:05:17 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Sep 12 20:05:17 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Sep 12 20:05:17 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Sep 12 20:05:17 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Sep 12 20:05:17 UTC 2017] Try new-authz for the 0 time.
[Tue Sep 12 20:05:17 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Sep 12 20:05:17 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "azeare.com"}}'
[Tue Sep 12 20:05:17 UTC 2017] RSA key
[Tue Sep 12 20:05:18 UTC 2017] GET
[Tue Sep 12 20:05:18 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Sep 12 20:05:18 UTC 2017] timeout
[Tue Sep 12 20:05:18 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Sep 12 20:05:19 UTC 2017] ret='0'
[Tue Sep 12 20:05:19 UTC 2017] POST
[Tue Sep 12 20:05:19 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Sep 12 20:05:19 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Sep 12 20:05:20 UTC 2017] _ret='0'
[Tue Sep 12 20:05:21 UTC 2017] code='201'
[Tue Sep 12 20:05:21 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:05:21 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650","token":"q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU"'
[Tue Sep 12 20:05:21 UTC 2017] token='q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU'
[Tue Sep 12 20:05:21 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:21 UTC 2017] keyauthorization='q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU.i00LHMDnYRtMOEreMesw-GXWjk5RFYLMQpnGXflbp_0'
[Tue Sep 12 20:05:21 UTC 2017] dvlist='azeare.com#q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU.i00LHMDnYRtMOEreMesw-GXWjk5RFYLMQpnGXflbp_0#https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650#http-01#/home/silje/azeare.com/'
[Tue Sep 12 20:05:21 UTC 2017] vlist='azeare.com#q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU.i00LHMDnYRtMOEreMesw-GXWjk5RFYLMQpnGXflbp_0#https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650#http-01#/home/silje/azeare.com/,'
[Tue Sep 12 20:05:21 UTC 2017] ok, let's start to verify
[Tue Sep 12 20:05:21 UTC 2017] Verifying:azeare.com
[Tue Sep 12 20:05:21 UTC 2017] d='azeare.com'
[Tue Sep 12 20:05:21 UTC 2017] keyauthorization='q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU.i00LHMDnYRtMOEreMesw-GXWjk5RFYLMQpnGXflbp_0'
[Tue Sep 12 20:05:21 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:21 UTC 2017] _currentRoot='/home/silje/azeare.com/'
[Tue Sep 12 20:05:22 UTC 2017] wellknown_path='/home/silje/azeare.com//.well-known/acme-challenge'
[Tue Sep 12 20:05:22 UTC 2017] writing token:q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU to /home/silje/azeare.com//.well-known/acme-challenge/q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU
[Tue Sep 12 20:05:22 UTC 2017] Changing owner/group of .well-known to silje:apache
[Tue Sep 12 20:05:22 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:22 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU.i00LHMDnYRtMOEreMesw-GXWjk5RFYLMQpnGXflbp_0"}'
[Tue Sep 12 20:05:22 UTC 2017] POST
[Tue Sep 12 20:05:22 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:22 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Sep 12 20:05:23 UTC 2017] _ret='0'
[Tue Sep 12 20:05:23 UTC 2017] code='202'
[Tue Sep 12 20:05:23 UTC 2017] sleep 2 secs to verify
[Tue Sep 12 20:05:25 UTC 2017] checking
[Tue Sep 12 20:05:25 UTC 2017] GET
[Tue Sep 12 20:05:25 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:25 UTC 2017] timeout
[Tue Sep 12 20:05:25 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Sep 12 20:05:26 UTC 2017] ret='0'
[Tue Sep 12 20:05:26 UTC 2017] azeare.com:Verify error:Invalid response from http://azeare.com/.well-known/acme-challenge/q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU:
[Tue Sep 12 20:05:26 UTC 2017] Debug: get token url.
[Tue Sep 12 20:05:26 UTC 2017] GET
[Tue Sep 12 20:05:26 UTC 2017] url='http://azeare.com/.well-known/acme-challenge/q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU'
[Tue Sep 12 20:05:26 UTC 2017] timeout='1'
[Tue Sep 12 20:05:26 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --connect-timeout 1'
[Tue Sep 12 20:05:27 UTC 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Tue Sep 12 20:05:27 UTC 2017] ret='60'
[Tue Sep 12 20:05:27 UTC 2017] Debugging, skip removing: /home/silje/azeare.com//.well-known
[Tue Sep 12 20:05:27 UTC 2017] pid
[Tue Sep 12 20:05:27 UTC 2017] No need to restore nginx, skip.
[Tue Sep 12 20:05:27 UTC 2017] _clearupdns
[Tue Sep 12 20:05:27 UTC 2017] skip dns.
[Tue Sep 12 20:05:27 UTC 2017] _on_issue_err
[Tue Sep 12 20:05:27 UTC 2017] Please add '--debug' or '--log' to check more details.
[Tue Sep 12 20:05:27 UTC 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Sep 12 20:05:27 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:27 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "q1klwI_FdNBwVgLHsKuWFPRTccKDqqsyNI7No45-uPU.i00LHMDnYRtMOEreMesw-GXWjk5RFYLMQpnGXflbp_0"}'
[Tue Sep 12 20:05:27 UTC 2017] POST
[Tue Sep 12 20:05:27 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/wtSNtYyhBNyQ7NRdT19J9j16GtXAORlIphUnzWEG8Io/1971093650'
[Tue Sep 12 20:05:27 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Sep 12 20:05:29 UTC 2017] _ret='0'
[Tue Sep 12 20:05:29 UTC 2017] code='400'
[Tue Sep 12 20:05:29 UTC 2017] socat doesn't exists.
[Tue Sep 12 20:05:29 UTC 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.1e-fips 11 Feb 2013
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.13.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
socat:
Firstly, the error from libcurl, error 60 reads:
CURLE_SSL_CACERT (60)
Peer certificate cannot be authenticated with known CA certificates.
No idea how this is resolved.
Finally, I know that you need the debug from Server, Log Manager, LE (acme.sh) and it is below:
[Tue Sep 12 20:00:24 UTC 2017] Creating domain key
[Tue Sep 12 20:00:25 UTC 2017] The domain key is here: /root/.acme.sh/azeare.com/azeare.com.key
[Tue Sep 12 20:00:25 UTC 2017] Multi domain='DNS:www.azeare.com,DNS:cp.azeare.com,DNS:stats.azeare.com,DNS:webmail.azeare.com,DNS:mail.azeare.com'
[Tue Sep 12 20:00:25 UTC 2017] Getting domain auth token for each domain
[Tue Sep 12 20:00:25 UTC 2017] Getting webroot for domain='azeare.com'
[Tue Sep 12 20:00:25 UTC 2017] Getting new-authz for domain='azeare.com'
[Tue Sep 12 20:00:27 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:00:28 UTC 2017] Getting webroot for domain='www.azeare.com'
[Tue Sep 12 20:00:28 UTC 2017] Getting new-authz for domain='www.azeare.com'
[Tue Sep 12 20:00:32 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:00:32 UTC 2017] Getting webroot for domain='cp.azeare.com'
[Tue Sep 12 20:00:32 UTC 2017] Getting new-authz for domain='cp.azeare.com'
[Tue Sep 12 20:00:33 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:00:34 UTC 2017] Getting webroot for domain='stats.azeare.com'
[Tue Sep 12 20:00:34 UTC 2017] Getting new-authz for domain='stats.azeare.com'
[Tue Sep 12 20:00:35 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:00:35 UTC 2017] Getting webroot for domain='webmail.azeare.com'
[Tue Sep 12 20:00:35 UTC 2017] Getting new-authz for domain='webmail.azeare.com'
[Tue Sep 12 20:00:37 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:00:37 UTC 2017] Getting webroot for domain='mail.azeare.com'
[Tue Sep 12 20:00:37 UTC 2017] Getting new-authz for domain='mail.azeare.com'
[Tue Sep 12 20:00:38 UTC 2017] The new-authz request is ok.
[Tue Sep 12 20:00:38 UTC 2017] Verifying:azeare.com
[Tue Sep 12 20:00:42 UTC 2017] azeare.com:Verify error:Fetching http://azeare.com/.well-known/acme-challenge/6znOG0Y5qUOD9zgSAC1cZHKMSx8Bt4I5ziQroGGwLjg: Connection refused
[Tue Sep 12 20:00:42 UTC 2017] Please add '--debug' or '--log' to check more details.
[Tue Sep 12 20:00:42 UTC 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
To round out the report, I would like to ask whether I can use certbot rather than acme.sh. If so, how do I go about doing this automatically and without the command line (through the web GUI)?
Many thanks,
Joseph
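
Added example (not part of the original post, and not acme.sh code): a shell function that pulls the failure records out of an acme.sh --debug log like the one above, pairing each non-zero curl exit status with the URL it was fetching. The function name acme_triage, the record names and the sample log are assumptions; the log is expected with one entry per line.

```shell
#!/bin/sh
# Added example, not acme.sh code: summarise failures in an acme.sh --debug log.
# Reads one log entry per line on stdin; writes tab-separated records.
acme_triage() {
  awk -v q="'" '
    # Drop the leading "[timestamp] " that prefixes each entry.
    { sub(/^\[[^]]*\] /, "") }

    # Remember the latest request URL so a failing exit code can be tied to it.
    /^url=/ { url = $0; gsub("^url=" q "|" q "$", "", url); next }

    # CA-side verdict, logged as "<domain>:Verify error:<detail>".
    /:Verify error:/ {
      i = index($0, ":Verify error:")
      printf "verify_error\t%s\t%s\n", substr($0, 1, i - 1), substr($0, i + 14)
      next
    }

    # Local curl exit status, logged as ret=... or _ret=...; 0 means success.
    /^_?ret=/ {
      code = $0; gsub("^_?ret=" q "|" q "$", "", code)
      if (code == "0") next
      meaning = "see libcurl-errors.html"
      if (code == "60") meaning = "CURLE_SSL_CACERT: peer certificate cannot be authenticated with known CA certificates"
      printf "curl_exit\t%s\t%s\t%s\n", code, url, meaning
      # Inference: a TLS error on an http:// URL means curl -L followed a
      # redirect to HTTPS, where the certificate failed verification.
      if (code == "60" && url ~ /^http:/)
        printf "hint\t%s\n", "http-01 URL redirects to HTTPS with a certificate curl does not trust"
    }
  '
}

# Constructed sample modelled on the log above (example.com and TOKEN are placeholders).
SAMPLE_LOG="[Tue Sep 12 20:05:26 UTC 2017] example.com:Verify error:Invalid response from http://example.com/.well-known/acme-challenge/TOKEN:
[Tue Sep 12 20:05:26 UTC 2017] Debug: get token url.
[Tue Sep 12 20:05:26 UTC 2017] GET
[Tue Sep 12 20:05:26 UTC 2017] url='http://example.com/.well-known/acme-challenge/TOKEN'
[Tue Sep 12 20:05:26 UTC 2017] timeout='1'
[Tue Sep 12 20:05:27 UTC 2017] ret='60'
[Tue Sep 12 20:05:29 UTC 2017] _ret='0'
[Tue Sep 12 20:05:29 UTC 2017] code='400'"
printf '%s\n' "$SAMPLE_LOG" | acme_triage
```

On a real run, pipe the saved debug output into acme_triage; entries that extraction or copy-paste has run together onto one line must be split back to one per line first.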