Discussion:
no registration exists matching provided key
?? ??
2017-12-19 08:26:30 UTC
Hello, I am very new to all these things, and wanted to have SSL for my own server (OpenBSD 6.2, OpenBSD httpd, OpenBSD acme-client), which will be my first SSL certificate other than the previous self-signed one.

Previously, to create a website, I followed some blog posts and created a self-signed SSL certificate (http://thecyberrecce.net/2017/01/15/secure-webservers-with-openbsd-6-0-setting-up-httpd-mariadb-and-php/), and as the site was somehow ready, I wanted to have the Let's Encrypt SSL certificate on the site, replacing the existing self-signed one.
After reading man pages, documentation, and blog posts (but I don't understand much really), I did almost the same as others stated in their blogs (httpd.conf, acme-client.conf and then the command), using the "acme-client -vvAD example.com" command. But I got an error ("provided agreement URL doesn't match" or similar), and then tried several times again while making changes (e.g. deleting the self-signed crt, etc...),
but I still get an error: "no registration exists matching provided key".

Could anyone help me know what the error means or give any advice to me?

Also this is my second time writing to a "mailing list", and the first time I couldn't send a reply to say thank you for the reply that was sent to me, as I don't know how to reply. So I'd be really grateful if you would kindly let me know that as well.

Would really appreciate any help.
Scott Nicholas
2017-12-19 23:17:18 UTC
Post by ?? ??
Hello, I am very new to all these things, and wanted to have SSL for my own server (OpenBSD 6.2, OpenBSD httpd, OpenBSD acme-client), which will be my first SSL certificate other than the previous self-signed one.
Previously, to create a website, I followed some blog posts and created a self-signed SSL certificate (http://thecyberrecce.net/2017/01/15/secure-webservers-with-openbsd-6-0-setting-up-httpd-mariadb-and-php/), and as the site was somehow ready, I wanted to have the Let's Encrypt SSL certificate on the site, replacing the existing self-signed one.
After reading man pages, documentation, and blog posts (but I don't understand much really), I did almost the same as others stated in their blogs (httpd.conf, acme-client.conf and then the command), using the "acme-client -vvAD example.com" command. But I got an error ("provided agreement URL doesn't match" or similar), and then tried several times again while making changes (e.g. deleting the self-signed crt, etc...),
but I still get an error: "no registration exists matching provided key".
Could anyone help me know what the error means or give any advice to me?
I just had this happen. acme-client saved an account key but since the
TOS needed updating, the account wasn't created. I imagine you updated
the agreement url? This is the new one:

agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

Delete your account key so it makes a new one. It's in the location below:

account key "/etc/acme/letsencrypt-privkey.pem"

then run acme-client again.
Post by ?? ??
Also this is my second time writing to a "mailing list", and the first time I couldn't send a reply to say thank you for the reply that was sent to me, as I don't know how to reply. So I'd be really grateful if you would kindly let me know that as well.
Would really appreciate any help.
Kihaguru Gathura
2017-12-20 06:10:57 UTC
OpenBSD 6.2.

Precisely as summarised by Scott; however, to overcome some pitfalls, here are the
full details to get TLS working for your domain www.example.com.

1. Configure httpd.conf to work with your domain example.com as follows:

# vi /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#
# A minimal default server
server "default" {
listen on $ext_addr port 80
}

# A minimal www.example.com server
server "www.example.com" {
alias "example.com"
listen on $ext_addr port 80
root "/htdocs/www.example.com"
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
directory no auto index
}
}

# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}

2. Create the root folder for the domain and start the httpd server to make the
changes effective:

# mkdir /var/www/htdocs/www.example.com
# vi /etc/rc.conf.local
httpd_flags=
# rcctl enable httpd
# rcctl start httpd
httpd(ok)

3. Configure acme-client for your domain www.example.com:

# vi /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
api url "https://acme-v01.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
api url "https://acme-staging.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.example.com {
alternative names { example.com }
domain key "/etc/ssl/private/example.com.key"
domain certificate "/etc/ssl/example.com.crt"
domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
sign with letsencrypt
}

4. Attempt to get the certificates:

# acme-client -vvAD www.example.com
......................................................
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad HTTP: 400
acme-client: transfer buffer: [{ "type": "urn:acme:error:malformed", "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]", "status": 400 }] (267 bytes)
acme-client: bad exit: netproc(71944): 1

5. The agreement URL needs to be updated (replaced) with the one provided in
the error message above:

# vi /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
# agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
api url "https://acme-v01.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
# agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
api url "https://acme-staging.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.example.com {
alternative names { example.com }
domain key "/etc/ssl/private/example.com.key"
domain certificate "/etc/ssl/example.com.crt"
domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
sign with letsencrypt
}

6. Attempt to get the certificates:

# acme-client -vvAD www.example.com
...................................................
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "No registration exists matching provided key", "status": 403 }] (120 bytes)
acme-client: bad exit: netproc(51628): 1

7. Remove the existing domain key and account key:

# rm /etc/ssl/private/example.com.key
# rm /etc/acme/letsencrypt-privkey.pem

8. Get the Certificates:

# acme-client -vvAD www.example.com
.................................................
acme-client: /etc/ssl/example.com.crt: created
acme-client: /etc/ssl/example.com.fullchain.pem: created

9. Verify that the certificates were installed:
# ls -l /etc/ssl

10. Finally, configure httpd for TLS for your domain www.example.com:

# vi /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#
# A minimal default server
server "default" {
listen on $ext_addr port 80
}

# This block redirects port 80 traffic to port 443; all the actual
# options can go underneath the block containing tls details.
server "www.example.com" {
alias "example.com"
listen on $ext_addr port 80
block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "www.example.com" {
alias "example.com"
listen on $ext_addr tls port 443
hsts
tls certificate "/etc/ssl/example.com.fullchain.pem"
tls key "/etc/ssl/private/example.com.key"
root "/htdocs/www.example.com"
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
directory no auto index
}
}

# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}

11. Restart the server and test in a browser:
# rcctl restart httpd
httpd(ok)
httpd(ok)

https://www.openbsd.org/support.html#Kenya
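Added example, not code from the thread, from OpenBSD or from acme-client: a POSIX sh pre-flight script that checks for the two failures covered by Scott's reply and by steps 4 to 7 above (a stale `agreement url`, and an account key file left behind by a run whose registration was rejected), and shows where the `root "/acme"` + `root strip 2` location from step 1 makes httpd look for a challenge token. The authority block and the ACME v1 directory JSON are constructed samples embedded inline so the script runs offline; on a real host the first would come from /etc/acme-client.conf and the second from `ftp -o - https://acme-v01.api.letsencrypt.org/directory`. The account key path and the /var/www chroot are the thread's defaults; all function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the failures
# discussed above, written as POSIX sh so it runs under OpenBSD's ksh.
#
# 1. The "Provided agreement URL ... does not match" 400: compare the
#    `agreement url` in acme-client.conf with the terms-of-service URL the
#    ACME v1 directory advertises in its "meta" object.
# 2. The "No registration exists matching provided key" 403: an account key
#    that was written by a run whose registration was rejected; the fix in
#    the thread is to delete it so acme-client -A registers a fresh one.
# 3. The httpd challenge location: with `root "/acme"` and `root strip 2`,
#    /.well-known/acme-challenge/TOKEN is served from /var/www/acme/TOKEN.

# Constructed sample of the authority block (same syntax as the thread).
SAMPLE_CONF='authority letsencrypt {
    agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
    api url "https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}'

# Constructed sample of an ACME v1 directory response; "terms-of-service"
# under "meta" is where the v1 directory published the current agreement URL.
SAMPLE_DIRECTORY='{"meta":{"terms-of-service":"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"},"new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg"}'

# conf_value CONF KEY: print the quoted value of a `KEY "value"` line in an
# acme-client.conf block, e.g. conf_value "$SAMPLE_CONF" "agreement url".
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# directory_tos JSON: print the terms-of-service URL from a v1 directory.
directory_tos() {
    printf '%s\n' "$1" | sed -n 's/.*"terms-of-service"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_agreement CONF JSON: prints "ok" when the configured agreement URL
# equals the directory's current one, otherwise "stale" (the 400 case).
check_agreement() {
    if [ "$(conf_value "$1" "agreement url")" = "$(directory_tos "$2")" ]; then
        echo ok
    else
        echo stale
    fi
}

# account_key_state KEYFILE CONF JSON: classify the account key file.
#   missing  - no key on disk; acme-client -A will create and register one
#   orphaned - key exists but the agreement URL is stale, so the registration
#              most likely never succeeded: this is the key to delete
#   present  - key exists and the agreement URL is current
account_key_state() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ "$(check_agreement "$2" "$3")" = stale ]; then
        echo orphaned
    else
        echo present
    fi
}

# challenge_path URLPATH [CHROOT]: where httpd looks for a challenge token
# given the thread's location block. `root strip 2` drops the first two path
# components (.well-known, acme-challenge) and the remainder is served from
# /acme inside the chroot (default /var/www, acme-client's challenge dir).
challenge_path() {
    chroot=${2:-/var/www}
    rest=$(printf '%s\n' "$1" | sed -n 's#^/\.well-known/acme-challenge/\(.*\)$#\1#p')
    [ -n "$rest" ] || return 1
    printf '%s/acme/%s\n' "$chroot" "$rest"
}

# Stand-alone run against the constructed samples; a temp file stands in for
# /etc/acme/letsencrypt-privkey.pem (assumption: the path used in the thread).
main() {
    tmpkey=$(mktemp) || exit 1
    echo "agreement url: $(check_agreement "$SAMPLE_CONF" "$SAMPLE_DIRECTORY")"
    echo "account key:   $(account_key_state "$tmpkey" "$SAMPLE_CONF" "$SAMPLE_DIRECTORY")"
    echo "challenge dir: $(challenge_path /.well-known/acme-challenge/abc123)"
    rm -f "$tmpkey"
}

main
```

With the sample data the script reports `stale` and `orphaned`, which is exactly the state the original poster was in after the 400: the key at `/etc/acme/letsencrypt-privkey.pem` exists on disk, but Let's Encrypt never accepted a registration for it, so every later request signed with it gets the 403. Once `agreement url` is corrected and the key is removed, `acme-client -vvAD` registers a new key and proceeds to the challenge, whose token httpd will read from `/var/www/acme/`.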