acme-client-portable
The client should probably follow permanent redirects while downloading the full chain from the issuer
It looks like letsencrypt has changed something, so now acme-client (0.1.16, FreeBSD) croaks with
acme-client: http://cert.int-x3.letsencrypt.org/: bad HTTP: 301
If one tries to access the URL in question by hand, the redirect is towards
https://letsencrypt.org/cert.int-x3/
I am surprised that acme-client does not follow redirects already, was it coded like that for security reasons?
Issue still going on
same here....
acme-client takes its instructions from the X509 certificate, CA issuer (1.3.6.1.5.5.7.48.2), which directs to http://cert.int-x3.letsencrypt.org/. However, http://cert.int-x3.letsencrypt.org/ redirects to https://cert.int-x3.letsencrypt.org/ now:
$ curl --head "http://cert.int-x3.letsencrypt.org/"
HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://cert.int-x3.letsencrypt.org/
Cache-Control: max-age=0
Expires: Sun, 11 Mar 2018 11:55:48 GMT
Date: Sun, 11 Mar 2018 11:55:48 GMT
Connection: keep-alive
dofullchain in netproc.c would need updating to follow the redirect, if I'm not mistaken.
Quick hack to solve this problem:
@phicoh thank you!
For those using acme-client on FreeBSD, and until a more permanent fix is made, use patch-netproc.c.log and place its content in the new file /usr/ports/security/acme-client/files/patch-netproc.c to make it work from the ports. Then do the usual make and make install.
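As an added illustration of the redirect handling discussed in this thread (not acme-client code and not the patch referenced above), the following C sketch decides whether a response to the chain download should be followed. The function names, the hop limit and the no-downgrade rule are assumptions made for this example; the sample headers are taken from the curl output quoted earlier.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_REDIRECTS 3 /* assumed hop limit, not taken from the thread */

/* Headers taken from the curl output quoted in the thread (abridged). */
static const char SAMPLE_HDRS[] =
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Length: 0\r\n"
    "Location: https://cert.int-x3.letsencrypt.org/\r\n\r\n";

/* Hypothetical helper: find the Location header value at a line start. */
static const char *find_location(const char *p, size_t *len) {
    while (p != NULL && *p != '\0') {
        if (strncasecmp(p, "Location:", 9) == 0) {
            p += 9;
            while (*p == ' ' || *p == '\t') p++;
            *len = strcspn(p, "\r\n");
            return p;
        }
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return NULL;
}

/* Hypothetical policy: return 1 and fill next[] if the redirect is followed. */
int redirect_target(const char *cur, int status, const char *hdrs,
                    int hops, char *next, size_t nextsz) {
    size_t len = 0;
    if (status != 301 && status != 308) return 0;  /* permanent only */
    if (hops >= MAX_REDIRECTS) return 0;           /* stop redirect loops */
    const char *loc = find_location(hdrs, &len);
    if (loc == NULL || len == 0 || len >= nextsz) return 0;
    int to_https = len > 8 && strncasecmp(loc, "https://", 8) == 0;
    int to_http = len > 7 && strncasecmp(loc, "http://", 7) == 0;
    if (!to_https && !to_http) return 0;           /* absolute http(s) only */
    if (strncasecmp(cur, "https://", 8) == 0 && !to_https) return 0; /* no downgrade */
    memcpy(next, loc, len);
    next[len] = '\0';
    return 1;
}

int main(void) {
    char next[256];
    int ok = redirect_target("http://cert.int-x3.letsencrypt.org/", 301,
                             SAMPLE_HDRS, 0, next, sizeof next);
    printf("%s\n", ok ? next : "not followed");
}
```

The caller would increment the hop count on each followed redirect and still validate the downloaded certificate as before; the redirect target only changes where the bytes come from.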