403 Unauthorized with uWSGI


#21

If you want to use PLAN B: update this to match:

If that fails (apache doesn’t like), use something more traditional:
replace that location block with:

```
<IfModule alias_module>
 Alias /.well-known/acme-challenge/ /etc/ACMEchallenge/
</IfModule>
```

[and ensure the alias module is loaded]
[look for something like:
LoadModule alias_module modules/mod_alias.so
in file /etc/apache2/apache2.conf]


#22

If apache can LIKE either of those methods, then.
Place a file in that new dedicated challenge folder:
```
mkdir /etc/ACMEchallenge/.well-known
mkdir /etc/ACMEchallenge/.well-known/acme-challenge
echo "testingX" > /etc/ACMEchallenge/.well-known/acme-challenge/1234567
```
and also (for sanity checking)
```
echo "testingY" > /etc/ACMEchallenge/123456789
```

Then we test for both new files with:
http://s.irminger.org/.well-known/acme-challenge/1234567
http://s.irminger.org/.well-known/acme-challenge/123456789
[one should be reachable]


#23

Apache liked the second option in Plan B, and the alias_module is loaded.

$ sudo apachectl -t -D DUMP_MODULES
lists - alias_module (shared)

I created the directories.

$ pwd
/etc/ACMEchallenge/.well-known/acme-challenge

The echo commands as specified above came back with a permission denied.

```
$ echo "testingX" > /etc/ACMEchallenge/.well-known/acme-challenge/1234567
-bash: /etc/ACMEchallenge/.well-known/acme-challenge/1234567: Permission denied
```

So I referenced this-

and did this -

```
$ sudo bash -c 'echo "hello" >/etc/ACMEchallenge/.well-known/acme-challenge/1234'
```

then

```
$ ls -a -l
total 16
drwxr-xr-x 2 root root 4096 Jan 24 10:39 .
drwxr-xr-x 3 root root 4096 Jan 24 10:32 ..
-rw-r--r-- 1 root root 6 Jan 24 10:39 1234
```

and inaccessible online - 403 Forbidden

so I changed ownership

```
$ ls -a -l
total 16
drwxr-xr-x 2 www-data www-data 4096 Jan 24 10:39 .
drwxr-xr-x 3 www-data www-data 4096 Jan 24 10:32 ..
-rw-r--r-- 1 www-data www-data 6 Jan 24 10:39 1234
```

restarted apache, still 403. http://s.irminger.org/.well-known/acme-challenge/1234

edit:

vhost

GNU nano 2.9.3 /etc/apache2/sites-available/s.irminger.org.conf

<VirtualHost *:80>

   ServerAdmin
    ServerName s.irminger.org
    ServerAlias www.s.irminger.org

DocumentRoot /var/www/s.irminger.org/
#<Location /.well-known/acme-challenge>

DocumentRoot /etc/ACMEchallenge

Options FollowSymLinks Includes

AllowOverride None

Require all granted

#

Alias /.well-known/acme-challenge/ /etc/ACMEchallenge/

<Directory /var/www/s.irminger.org/searx>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted

    <Location />
        Options FollowSymLinks Indexes
        SetHandler uwsgi-handler
        uWSGISocket /run/uwsgi/app/searx/socket
    </Location>


    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

also:

if I add

<Directory /etc/ACMEchallenge>
Options FollowSymLinks Includes
AllowOverride None
Require all granted

below the alias or in apache2.conf it shows the Searx page not found page.


#24

the port 80 virtual host was fine.
the port 443 virtual host was where the changes were to be made.

Please add three backticks on a separate line before and also after the “mangled” text.
Like:

```
test goes here
```

#25

I haven’t created anything 443-related since that would be generated through the certbot process. I should do a 443 virtual host? Which test do you mean?

> GNU nano 2.9.3 /etc/apache2/sites-available/s.irminger.org.conf
> 
> <VirtualHost *:80>
> 
>        ServerAdmin
>         ServerName s.irminger.org
>         ServerAlias www.s.irminger.org
> 
> DocumentRoot /var/www/s.irminger.org/
> #<Location /.well-known/acme-challenge>
> #    DocumentRoot /etc/ACMEchallenge
> #       Options FollowSymLinks Includes
> #    AllowOverride None 
> #    Require all granted
> #</Location>
> 
> <IfModule alias_module>
>  Alias /.well-known/acme-challenge/ /etc/ACMEchallenge/
> </IfModule>
> 
> 
>  <Directory /var/www/s.irminger.org/searx>
>             Options Indexes FollowSymLinks
>            AllowOverride All
>             Require all granted
>         </Directory>
> 
>         <Location />
>             Options FollowSymLinks Indexes
>             SetHandler uwsgi-handler
>             uWSGISocket /run/uwsgi/app/searx/socket
>         </Location>
> 
> 
>         ErrorLog ${APACHE_LOG_DIR}/error.log
>         CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
> </VirtualHost>

#26

Sorry, that should have read TEXT (not TEST).
I may have gotten my wires crossed at some point (mixed this thread with another).

This section can remain in the port 80 vhost file (/etc/apache2/sites-available/s.irminger.org.conf):
[to help with the challenge requests]

```
<Location /.well-known/acme-challenge>
    DocumentRoot /etc/ACMEchallenge
    Options FollowSymLinks Includes
    AllowOverride None
    Require all granted
</Location>
```

#27

Ok after reading this over we can move forward with testing “Plan B”.
Please reenable the “<Location /.well-known/acme-challenge>” and restart Apache.
Then let's place a file in that new dedicated challenge folder:
```
sudo bash -c 'echo "testingX" > /etc/ACMEchallenge/.well-known/acme-challenge/1234X'
```
and also (for sanity checking) in the challenge “root”:
```
sudo bash -c 'echo "testingY" > /etc/ACMEchallenge/1234Y'
```

Check that both files are there (and they are bigger than zero bytes):
```
ls -l /etc/ACMEchallenge/.well-known/acme-challenge/1234X
ls -l /etc/ACMEchallenge/1234Y
```

If both OK, then we test access to them with:
http://s.irminger.org/.well-known/acme-challenge/1234X
http://s.irminger.org/.well-known/acme-challenge/1234Y
[one should be reachable]


#28

I let this issue rest while I did other things.

I decided to spin up another VPS to try nginx. I was having the same exact problem trying to get certbot to run for www.s.irminger.org for searx on the nginx VPS.

I think this solution applies to the nginx server and would also resolve my original post about apache.

I referenced this post

and this question

the wsgi wasn’t allowing static pages.

this worked for nginx and I think something similar (for apache) would’ve resolved my issue before. I needed to let it serve static pages under /.well-known/acme-challenge

```
location ^~ /.well-known/acme-challenge/ {
    include /etc/nginx/mime.types;
    root /var/www/searx/;
}
```
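
Added example (not from the thread, and not tested on the poster's server): an Apache counterpart to the nginx block above, built from the vhost posted earlier in this thread. It assumes the ACME client uses `/etc/ACMEchallenge` as its webroot, so tokens land in `/etc/ACMEchallenge/.well-known/acme-challenge/`; the `SetHandler None` override and the narrower `<Directory>` grant are additions, not directives anyone in the thread posted.

```apache
<VirtualHost *:80>
    ServerName s.irminger.org
    ServerAlias www.s.irminger.org
    DocumentRoot /var/www/s.irminger.org/

    # Application: every request path is handed to uWSGI (as in the thread's vhost).
    <Location />
        Options FollowSymLinks Indexes
        SetHandler uwsgi-handler
        uWSGISocket /run/uwsgi/app/searx/socket
    </Location>

    # Map the challenge URL prefix onto the directory a webroot client actually
    # writes to (<webroot>/.well-known/acme-challenge/). Pointing the Alias at
    # the webroot itself would look for tokens one level too high.
    Alias /.well-known/acme-challenge/ /etc/ACMEchallenge/.well-known/acme-challenge/

    # Filesystem access must be granted explicitly: the stock Debian/Ubuntu
    # apache2.conf denies everything outside the directories it lists, which
    # yields 403 regardless of file ownership. Grant only the token directory,
    # with no indexes, includes or .htaccess processing.
    <Directory /etc/ACMEchallenge/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # <Location> sections are merged in the order they appear, so this block
    # has to come AFTER <Location />. "SetHandler None" cancels the inherited
    # uwsgi-handler for this prefix, letting Apache serve the token as a plain
    # static file instead of passing the request to the application.
    <Location /.well-known/acme-challenge/>
        SetHandler None
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run `sudo apachectl -t` before reloading; with this layout the test file written to `/etc/ACMEchallenge/.well-known/acme-challenge/1234X` is the one that should answer at `/.well-known/acme-challenge/1234X`.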


#29

Glad to hear this :slight_smile:

