mod_md problem

I'm trying to use mod_md (httpd 2.4 on CentOS 8) and, when trying to create a certificate, it complains it cannot write onto the disk (at least that's what I understand). I cannot find any permission problems in /var/log/audit/audit.log, /var/log/messages, nor "journalctl -xe". All connections to LetsEncrypt are correct and the certificate is, I think, generated.

I have the following errors:
[md:error] (20014)Internal error (specific information not available): AH10056: processing mysite.mycompany.com: Unable to retrive certificate chain.
[...]
[md:trace1] (1)Operation not permitted: mysite.mycompany.com: saving job props

ls -alZ /var/run/httpd/md/:
> drwxr-xr-x. 6 root apache system_u:object_r:httpd_var_run_t:s0     120 Jun 21 11:17 staging
Same permissions for all files in it, like staging/mysite.mycompany.com/md.json

In case it matters, the site is chrooted and /var/run/httpd/md points to the one in the chroot with exactly the same permissions.

Does anybody see where I could look for more info?
Thanks a lot

Here is the complete relevant part of the error log, in full debug:
[2021-06-21 11:17:50.488908] [md:trace1] [pid 424510:tid 140357450503936] request --> POST https://acme-v02.api.letsencrypt.org/acme/new-acct
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Jun  3 22:30:18 2021 GMT
*  expire date: Sep  1 22:30:18 2021 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> POST /acme/new-acct HTTP/1.1
Host: acme-v02.api.letsencrypt.org
User-Agent: Apache/2.4.37 mod_md/2.0.8-git
Accept: */*
Content-Type: application/jose+json
Content-Length: 1574
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 201 Created
< Server: nginx
< Date: Mon, 21 Jun 2021 09:17:51 GMT
< Content-Type: application/json
< Content-Length: 733
< Connection: keep-alive
< Boulder-Requester: 127753501
< Cache-Control: public, max-age=0, no-cache
< Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
< Link: <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
< Location: https://acme-v02.api.letsencrypt.org/acme/acct/127753501
< Replay-Nonce: 0003IWS9CGYrN6SxjrANpXAuvvX0NUfJt6pPqwOxm-qzPVs
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
<
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
[2021-06-21 11:17:51.275576] [md:trace1] [pid 424510:tid 140357450503936] request <-- 201
[2021-06-21 11:17:51.275611] [md:trace1] [pid 424510:tid 140357450503936] response: 201
[2021-06-21 11:17:51.275764] [md:trace2] [pid 424510:tid 140357450503936] response: {\n  "key": {\n    "kty": "RSA",\n "n": "mn-82COwom_LwiMH_U75P7vNZpFHXEkWwDdnZI500p_9PvPwZscmu1gQQ489F8a1FhrY3iBShBN-m3kb8KRLAZ7WXwBExHLbwr9ZOrVl44ivrey0L6do7L4S3ZYhcGgKXgDmFT66vSN-Hl315AY8eVDhekRAzIYj0qh3KNYPbkn_zJJlWHOO805jUbXC21WE-02kvZ9bAhbx3L8qSmhz1E8ScrUIXpZ128lefH66YlUCAmAkbtBlsg4eMN2h_SR4U4UPRzp--2Echf7GGYMYwkLgcP-KQNZT5bnPHEByB7YvBGdic-sZ9lWYWsZGBPO-ircJqqn5hCrOfPuc0iDotF3WM0H-BkVJ9nhhII2VXnNV6jjmz1xcuIU-zcctic8iTbONmlusRY_dkzXwutm63RclnZ_SLthF51geqbdL-2_4J4wWklu6SXhidNQvg-r0PuqhZTBgan_MZ3zrqcQJfEUpqMy2IOWnNbaKRA2emwA9K3_Je73RYdOvkE9aOKJx",\n "e": "AQAB"\n  },\n  "contact": [\n "mailto:dnsmaster@xxxxxxxxxx"\n ],\n  "initialIp": "86.39.202.101",\n  "createdAt": "2021-06-21T09:17:51.197951792Z",\n  "status": "valid"\n}
[2021-06-21 11:17:51.275864] [md:debug] [pid 424510:tid 140357450503936] updated acct https://acme-v02.api.letsencrypt.org/acme/acct/127753501
[2021-06-21 11:17:51.277869] [md:debug] [pid 424510:tid 140357450503936] req sent
[2021-06-21 11:17:51.277898] [md:info] [pid 424510:tid 140357450503936] registered new account https://acme-v02.api.letsencrypt.org/acme/acct/127753501
[2021-06-21 11:17:51.277975] [md:trace3] [pid 424510:tid 140357450503936] mk_group_dir /var/run/httpd/md/staging perm set
[2021-06-21 11:17:51.277985] [md:trace3] [pid 424510:tid 140357450503936] mk_group_dir 4 (null)
[2021-06-21 11:17:51.278004] [md:debug] [pid 424510:tid 140357450503936] md[mysite.mycompany.com] while[Creating new ACME account for mysite.mycompany.com]
[2021-06-21 11:17:51.278027] [md:info] [pid 424510:tid 140357450503936] mysite.mycompany.com: retrieving certificate chain
[2021-06-21 11:17:51.278036] [md:error] [pid 424510:tid 140357450503936] (20014)Internal error (specific information not available): mysite.mycompany.com: asked to retrieve chain, but no order in context
[2021-06-21 11:17:51.278057] [md:debug] [pid 424510:tid 140357450503936] (20014)Internal error (specific information not available): md[mysite.mycompany.com] while[Retrieving certificate chain for mysite.mycompany.com] detail[Unable to retrive certificate chain.]
[2021-06-21 11:17:51.278067] [md:debug] [pid 424510:tid 140357450503936] (20014)Internal error (specific information not available): mysite.mycompany.com: staging done
[2021-06-21 11:17:51.278081] [md:error] [pid 424510:tid 140357450503936] (20014)Internal error (specific information not available): AH10056: processing mysite.mycompany.com: Unable to retrive certificate chain.
[2021-06-21 11:17:51.278094] [md:trace1] [pid 424510:tid 140357450503936] md(mysite.mycompany.com): check expiration
[2021-06-21 11:17:51.278120] [md:info] [pid 424510:tid 140357450503936] AH10057: mysite.mycompany.com: encountered error for the 1. time, next run in 04 seconds
[2021-06-21 11:17:51.278158] [md:trace3] [pid 424510:tid 140357450503936] mk_group_dir /var/run/httpd/md/staging perm set
[2021-06-21 11:17:51.278167] [md:trace3] [pid 424510:tid 140357450503936] mk_group_dir 4 (null)
[2021-06-21 11:17:51.278174] [md:trace1] [pid 424510:tid 140357450503936] (1)Operation not permitted: mysite.mycompany.com: saving job props
[2021-06-21 11:17:51.278188] [md:debug] [pid 424510:tid 140357450503936] AH10107: next run in 04 seconds
[2021-06-21 11:17:56.289509] [md:debug] [pid 424510:tid 140357450503936] AH10055: md watchdog run, auto drive 1 mds
[2021-06-21 11:17:56.289624] [md:trace3] [pid 424510:tid 140357450503936] (2)No such file or directory: loading type 1 from /var/run/httpd/md/staging/mysite.mycompany.com/job.json
[2021-06-21 11:17:56.289665] [md:debug] [pid 424510:tid 140357450503936] AH10052: md(mysite.mycompany.com): state=1, driving
[2021-06-21 11:17:56.289709] [md:trace1] [pid 424510:tid 140357450503936] mysite.mycompany.com: init driver
[2021-06-21 11:17:56.289719] [md:debug] [pid 424510:tid 140357450503936] mysite.mycompany.com: init done
[2021-06-21 11:17:56.289727] [md:debug] [pid 424510:tid 140357450503936] mysite.mycompany.com: run staging
[2021-06-21 11:17:56.289737] [md:debug] [pid 424510:tid 140357450503936] mysite.mycompany.com: staging started, state=1, can_http=0, can_https=1, challenges='tls-alpn-01'
[2021-06-21 11:17:56.289926] [md:trace3] [pid 424510:tid 140357450503936] loading type 1 from /var/run/httpd/md/staging/mysite.mycompany.com/md.json
[2021-06-21 11:17:56.290003] [md:debug] [pid 424510:tid 140357450503936] get directory from https://acme-v02.api.letsencrypt.org/directory
[2021-06-21 11:17:56.290937] [md:trace1] [pid 424510:tid 140357450503936] request --> GET https://acme-v02.api.letsencrypt.org/directory
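
Added example, not part of the original post: a small Python triage script for error-log text like the above. It splits run-together entries on their header and lists every entry that carries a "(code)description:" status prefix regardless of log level, since the "Operation not permitted" entry here is logged at trace1 rather than error. The function names and the SAMPLE string (four entries copied from the post) are this example's own.

```python
import re

# Header of one httpd error-log entry, in the form shown in the post.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\] "
    r"\[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
)
# Optional "(code)description: " status prefix in front of the message.
STATUS = re.compile(r"\((?P<code>\d+)\)(?P<desc>.*?): (?P<rest>.*)")


def parse_entries(text):
    """Split run-together log text into entries, one dict per header."""
    headers = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        msg = " ".join(text[h.end():end].split())  # rejoin wrapped lines
        entry = {**h.groupdict(), "code": None, "desc": None, "msg": msg}
        s = STATUS.match(msg)
        if s:
            entry.update(code=int(s["code"]), desc=s["desc"], msg=s["rest"])
        entries.append(entry)
    return entries


def failures(entries):
    """Entries that carry a status code, whatever their log level."""
    return [e for e in entries if e["code"] is not None]


# Four entries copied from the post, run together and wrapped as archived.
P = "[pid 424510:tid 140357450503936] "
SAMPLE = (
    "[2021-06-21 11:17:51.278027] [md:info] " + P +
    "mysite.mycompany.com: retrieving certificate chain "
    "[2021-06-21 11:17:51.278036] [md:error] " + P +
    "(20014)Internal error (specific information not \n"
    "available): mysite.mycompany.com: asked to retrieve chain, "
    "but no order in context "
    "[2021-06-21 11:17:51.278174] [md:trace1] " + P +
    "(1)Operation not permitted: mysite.mycompany.com: saving job props "
    "[2021-06-21 11:17:56.289624] [md:trace3] " + P +
    "(2)No such file or directory: loading type 1 from "
    "/var/run/httpd/md/staging/mysite.mycompany.com/job.json"
)

if __name__ == "__main__":
    for e in failures(parse_entries(SAMPLE)):
        print(e["ts"], e["level"], e["code"], e["desc"], "|", e["msg"])
```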

