ACME challenge catch-all for any (sub)domain in Apache

I ran this command: certbot certonly --webroot --agree-tos --email my-list@example.com --domains test-case.example.com --webroot-path /var/www/letsencrypt/.well-known/acme-challenge/

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for test-case.example.com
Performing the following challenges:
http-01 challenge for test-case.example.com
Using the webroot path /var/www/letsencrypt/.well-known/acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain test-case.example.com
http-01 challenge for test-case.example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test-case.example.com
   Type:   unauthorized
   Detail: 1.2.3.4: Invalid response from
   http://test-case.example.com/.well-known/acme-challenge/xjELNfkqNTen92RxwVzAA0-sdKfIL-FleojoWnNha7I:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache 2.4.53-1~deb11u1

The operating system my web server runs on is (include version): Debian 11

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0-2

My Apache config that's active, taken from here:

<VirtualHost *:80>
  Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
  <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  </Directory>
</VirtualHost>

Permissions of this dir are set correctly:

tree -ap /var/www/letsencrypt/
/var/www/letsencrypt/
└── [drwxr-xr-x]  .well-known
    └── [drwxr-xr-x]  acme-challenge

2 directories, 0 files

This nginx example works fine on another server. So I'm looking for something similar.

server {
  listen 80;
  listen [::]:80;
  server_name _;
  include hardening;
  
  location /.well-known/acme-challenge/ {
    root /var/www/acme-challenge/;
  }
  
  location / {
    return 301 https://$host$request_uri;
  }
}

So my question is: is there a nice catch-all example config to use? I've been looking for fully described examples from official sources, i.e. Apache or Let's Encrypt and such, but can't find any.

The --webroot-path option should be before the --domains. That might be all that is wrong.

From the docs:
--webroot-path WEBROOT_PATH, -w WEBROOT_PATH
public_html / webroot path. This can be specified multiple times to handle different domains; each domain will have the webroot path that preceded it. For instance: -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.net -d m.thing.net (default: Ask)

7 Likes

Thanks for your reply, but placing the --domain last didn't make a difference. Same unauthorized error.

1 Like

OK. The 404 error you get is because the Let's Encrypt server is not finding the file created by certbot.

One, you should add a ServerName value in your VirtualHost and restart Apache

Can you show the output of this? Want to see the overall structure of Apache. thanks

sudo apachectl -t -D DUMP_VHOSTS

7 Likes

The difference between your configuration and the one from the ownCloud docs is that the ownCloud docs use the code in a regular <VirtualHost> section, while you seem to put the Alias directive (etc.) in its own <VirtualHost> section. But that will never work, as Apache will never "trigger" (or "end up at", if you will) that specific <VirtualHost> section.

You should put the Alias (etc.) code in the global server configuration if you want to have it working globally for every VirtualHost.

5 Likes

I haven't got time yet to check this further and provide feedback. There is indeed something not right with my apache vhost file. Can maybe someone share a working example here? I would appreciate it very much. I'll probably have time this weekend to continue troubleshooting. But it would boost progress with a working example. Thanks!

1 Like

There could be any number of things wrong with your config. Looking at just a VirtualHost may not be enough. That is why I asked to see the output from the command in post #4

There are other examples in this forum of VirtualHosts like yours. But, you should add the ServerName as I already noted.

Here is one working example like yours

5 Likes

After comparing some notes around the Internet I've come up with this "catch-all" for Apache. So not just one vhost; anything will be caught. This keeps the configs clean and simple.

Put the following in the conf-enabled directory (Debian based systems):

Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/">
  Options None
  AllowOverride None
  ForceType text/plain
  RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

Enable it with a2enconf, reload the Apache service. Make sure the directory /var/www/html/.well-known/acme-challenge/ is created and owned by the Apache data user, e.g. www-data. It can be any directory, as long as you keep it consistent.

Then run this command: certbot certonly --webroot --agree-tos --email youradmin@example.com --webroot-path /var/www/html/ --domain yoursite.example.com

3 Likes
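A pre-flight check for this webroot setup, added here as an example and not part of the thread: it drops a throwaway token into <webroot>/.well-known/acme-challenge/ and fetches it back over plain HTTP the way the Let's Encrypt validator does, so a broken Alias shows up as the same 404 before certbot is run. The domain, webroot path and the injectable fetch function are assumptions made for the example.

```python
# Added example (not from the thread): reproduce the http-01 fetch that the
# Let's Encrypt validator performs, so a broken Alias shows up before certbot runs.
import base64
import os
import secrets
import urllib.request
from typing import Callable, Optional
from urllib.error import HTTPError, URLError

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def make_token() -> str:
    # ACME tokens are unpadded base64url; 32 random bytes give the 43-character
    # form that the RedirectMatch regex [\w-]{43} in the config above accepts.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")


def http_fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Plain-HTTP GET; None on 4xx/5xx or connection failure (what the CA sees)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (HTTPError, URLError, OSError):
        return None


def webroot_preflight(webroot: str, domain: str,
                      fetch: Callable[[str], Optional[str]] = http_fetch) -> bool:
    """True if a file dropped under webroot is served at the challenge URL."""
    token = make_token()
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)  # certbot writes token.thumbprint; the token alone suffices here
    try:
        body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
        return body is not None and body.strip() == token
    finally:
        os.remove(path)  # clean up the probe file like certbot cleans its challenges


if __name__ == "__main__":
    import sys
    ok = webroot_preflight(sys.argv[1], sys.argv[2])
    print("challenge path reachable" if ok else "NOT reachable: certbot would get the 404 above")
    sys.exit(0 if ok else 1)
```

Run it as `python3 preflight.py /var/www/html test-case.example.com` from a host outside your network; a non-zero exit means the Alias, ServerName or DNS still needs fixing.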
