Acme-Client Bad Exit on OpenBSD
Recently I tried to renew the acme-client certificate on my OpenBSD web server and, out of the blue, got an "acme-client: bad exit" with a 404 error message:
...
acme-client: order.status -1
...
Invalid response from https://domain.tld/.well-known/acme-challenge/YoGUzPEL-7mRiVsXfIn0UNP9SQhTTYyxnEJ3-TZon04: 404
...
acme-client: bad exit: netproc(53146): 1
It was odd, because I had recently used the same acme-client setup on another subdomain and it had succeeded without a hitch.
The Bad
This problem arose from the wrong ordering of the location blocks in the httpd.conf configuration:
server "domain.tld" {
    listen on * port 443
    ...
    ...
    location * {
        root "/htdocs/domain.tld/somedir/"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
The problem does not occur with this configuration:
server "domain.tld" {
    listen on * port 443
    root "/htdocs/domain.tld"
    ...
    location "/.well-known/acme-challenge/*" {
        root "acme"
        request strip 2
    }
}
The Good
After checking everything and re-reading the httpd.conf(5) manpage, I found that the location blocks should be ordered like this:
server "domain.tld" {
    listen on * port 443
    ...
    ...
    location "/.well-known/acme-challenge/*" {
        root "acme"
        request strip 2
    }
    location * {
        root "/htdocs/domain.tld/somedir/"
    }
}
The order of location blocks inside httpd.conf matters. Only after reordering them could acme-client renew the TLS certificate.
The httpd.conf(5) manpage already points out the issue:
location [[not] found] path {...}
[...]
In case of multiple location statements in the same context, the first matching location statement will be put into effect, while all later ones will be ignored. Therefore it is advisable to match for more specific paths first and for generic ones later on.
[...]
The challenge request got a 404 in the log simply because the acme-challenge location block was ignored: the earlier location * block matched first, so httpd looked for the token under the wrong root.
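To see the first-match rule at work before running acme-client, here is an added check (my own code, not from the post or from OpenBSD) that parses the location blocks of a server block and reports which one httpd would use for the ACME challenge path. It assumes the pattern is quoted or bare, matches with shell globbing like httpd does, and ignores regex location match blocks; the two configurations are constructed after the post's examples.

```python
"""Added check, not code from the post: report which httpd.conf(5) location
block wins for a request path. httpd uses the first match and ignores later ones."""
import re
from fnmatch import fnmatchcase

# Assumed syntax subset: 'location [[not] found] path {', pattern quoted or bare.
LOCATION_RE = re.compile(r'^location\s+(?:(?:not\s+)?found\s+)?(?:"([^"]*)"|(\S+))\s*\{')
ROOT_RE = re.compile(r'^root\s+"([^"]*)"')

def parse_locations(conf_text):
    """Return the location blocks of the server block, in file order."""
    locations, current, depth = [], None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if not line:
            continue
        if (m := LOCATION_RE.match(line)) and depth == 1:   # directly inside server { }
            current = {"pattern": m.group(1) or m.group(2), "root": None}
            locations.append(current)
        elif current is not None and depth == 2 and (r := ROOT_RE.match(line)):
            current["root"] = r.group(1)
        depth += line.count("{") - line.count("}")
        if depth < 2:                              # left the location block
            current = None
    return locations

def first_match(conf_text, request_path):
    """The block httpd would apply to request_path, or None if none matches."""
    for loc in parse_locations(conf_text):
        if fnmatchcase(request_path, loc["pattern"]):   # shell globbing, as httpd does
            return loc
    return None

def check_acme_order(conf_text):
    """Explain which root would answer an ACME HTTP-01 challenge request."""
    loc = first_match(conf_text, "/.well-known/acme-challenge/TOKEN")  # constructed path
    if loc is None:
        return "no location block matches the ACME challenge path"
    if "acme-challenge" not in loc["pattern"]:
        return "challenge captured by location %r (root %r); move the acme-challenge block above it" % (loc["pattern"], loc["root"])
    return "ok: challenge served from root %r" % loc["root"]

# Constructed configs modelled on the post: the same two blocks in both orders.
ACME_LOC = '  location "/.well-known/acme-challenge/*" {\n    root "/acme"\n    request strip 2\n  }\n'
CATCHALL_LOC = '  location * {\n    root "/htdocs/domain.tld/somedir/"\n  }\n'
def server_conf(*blocks):
    return 'server "domain.tld" {\n  listen on * port 443\n' + "".join(blocks) + "}\n"
BAD_CONF = server_conf(CATCHALL_LOC, ACME_LOC)     # 'location *' first: token gets a 404
GOOD_CONF = server_conf(ACME_LOC, CATCHALL_LOC)    # specific block first: renewal works
```

Run `check_acme_order()` on your own httpd.conf text (or on BAD_CONF and GOOD_CONF) to see which root the challenge would be served from.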