Is every intermediate directory down to /home/acme/challenges/ accessible for :www? This has nothing to do with acme_tiny.py. This is UNIX permissions 101. Edit: Alternatively, Apache 101. In any case, debugging this is Admin 101.
Try to add a file (e.g. foobar) to challenges (chown/chmod it) and try to download it (e.g. http://foo.u/.well-known/acme-challenges/foobar). If this does not work already then there’s something wrong in your apache configuration or something else. Try to fix that first, before attempting to run acme-tiny.
Maybe it would help if you could post a snippet of your configuration that covers that part. Normally you would need something like this in your config
Alias /.well-known/acme-challenges /home/acme/challenges
Maybe you have something in your config active, that forbids serving pages in hidden directories. I’m not an apache specialist so I can’t give you a hint for what to search for.
I had the same problem yesterday when I’d installed acme_tiny.
After switching off the delete command, using a #, in line 127 I saw that the files had been created, but due to iptables my local machine wasn’t allowed to connect to its local HTTP domains using the outbound interface.
Simply check if the files are created, comment out line 127, and then check your firewall settings.
<VirtualHost _default_:80>
    ServerName foo.u
    DocumentRoot "/home/acme/challenges"
    <Directory "/home/acme/challenges">
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Require all granted
        Allow from all
    </Directory>
    Alias /.well-known/acme-challenge "/home/acme/challenges"
</VirtualHost>
I believe the problem is indeed perms for write, as the log message is
[Sun Dec 06 14:01:06.684373 2015] [core:error] [pid 759] (13)Permission denied: [client 42.28.0.666:35964] AH00132: file permissions deny server access: /home/acme/challenges/zeiHTeaxu_Uk-QT6-OTcjB6G6p3V_X5DGGh-EtNe11I
but I suspect the apache config more than file perms/owners, but the acme user can write to a file in challenges, and a web browser can read that file. So I feel more stupid than usual.
The log output shows me that the file was probably created (I assume the log entry is from apache). Did you uncomment the line as suggested? It should be something about os.remove. It may also be a problem with your umask that is set too restrictive, so that the files created by acme-tiny are only readable by the acme user.
Yes, the log entry was from apache; sorry for being unclear. I did as suggested by px3 and #ed out the os.remove; the file was indeed in the challenges dir. But, whoopsie, look at the perms
-rw------- 1 acme www 87 Dec 6 18:31 pschiu1Dftv2xYjC37L7LmXD23PPw040CO3nWKsmRSY
This hack at around line 116 fixed my problem
    # write the key authorization, then force a world-readable mode
    # regardless of the umask the script inherited
    with open(wellknown_path, "w") as wellknown_file:
        wellknown_file.write(keyauthorization)
    os.chmod(wellknown_path, 0o644)
Thanks for the unremove, px3. I might not remove the file if the urlopen fails.
So it looks like a problem with your umask. You could also set it less restrictive (like umask 0022) so that it gets at least read rights. Since you will probably have a script for cron (as suggested by acme-tiny) then you could put this at the top. But of course your solution works also (but might get lost on the next update of the script).
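To make the two failure modes in this thread reproducible side by side (a restrictive umask leaving the token 0600, and a parent directory that is not world-traversable even when the file itself is fine), here is an added example; it is not code from acme-tiny or from anyone in this thread. It uses a constructed temporary directory in place of /home/acme/challenges and constructed token names; `readable_by_webserver` only inspects mode bits, which is what Apache's "(13)Permission denied" check comes down to when httpd runs as an unprivileged user.

```python
import os
import shutil
import stat
import tempfile


def create_with_umask(path, content, umask):
    """Reproduce the reported behaviour: create a new file under the given
    umask and return the mode bits it ended up with (e.g. 0o600 under 0o077)."""
    old = os.umask(umask)
    try:
        with open(path, "w") as fh:
            fh.write(content)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_challenge(path, content, mode=0o644):
    """The fix from the thread: write the key authorization, then chmod it so
    the web server can read it whatever umask the cron job inherited."""
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_webserver(path, root):
    """True when the file is o+r and every directory from the file up to and
    including `root` is o+x (the 'every intermediate directory' point)."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    d = os.path.dirname(os.path.abspath(path))
    root = os.path.abspath(root)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        if d == root or os.path.dirname(d) == d:
            return True
        d = os.path.dirname(d)


def run_demo():
    """Run all three checks in a constructed sandbox and return the results."""
    # constructed stand-in for /home/acme/challenges
    root = tempfile.mkdtemp(prefix="acme-challenges-")
    token = "constructed-token"  # constructed, not a real ACME token
    results = {}
    try:
        results["umask_077"] = create_with_umask(
            os.path.join(root, token + "-1"), "token.thumbprint", 0o077)
        results["umask_022"] = create_with_umask(
            os.path.join(root, token + "-2"), "token.thumbprint", 0o022)
        fixed = os.path.join(root, token + "-3")
        results["chmod_fix"] = write_challenge(fixed, "token.thumbprint")
        # file is fine, but a 0700 challenges directory still blocks httpd
        os.chmod(root, 0o700)
        results["dir_0700"] = readable_by_webserver(fixed, root)
        os.chmod(root, 0o755)
        results["dir_0755"] = readable_by_webserver(fixed, root)
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running it prints 0o600 for the umask 077 case, 0o644 for umask 022 and for the chmod fix, and False/True for the 0700 and 0755 directory cases, which is why checking a plain test file through the browser (as suggested above) is worth doing before blaming the script.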