Acme_tiny.py perms prob with challenges dir


#1

FreeBSD foo.u 10.1-RELEASE-p24 FreeBSD 10.1-RELEASE-p24 #0: Mon Nov 2 12:17:28 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
apache24-2.4.17

If the challenge dir has default ownership, Apache cannot see it.

# ls -ld challenges
drwx--x---  2 acme  staff  512 Dec  6 01:42 challenges/

browser gets (of course)

You don't have permission to access /.well-known/acme-challenge/ on this server

So I hack it to www:www:

# ls -ld challenges
drwx--x---  2 www  www  512 Dec  6 01:42 challenges/

and a browser can see the challenges dir, e.g.

Index of /.well-known/acme-challenge

But I run the script as user acme and:

foo.u:/home/acme> python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/acme/challenges > .signed.crt
    Parsing account key...
    Parsing CSR...
    Registering account...
    Already registered!
    Verifying cache0.sea.rpki.net...
    Traceback (most recent call last):
      File "acme_tiny.py", line 195, in <module>
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, LOGGER)
      File "acme_tiny.py", line 125, in get_crt
        wellknown_path, wellknown_url))
    ValueError: Wrote file to /home/acme/challenges/rSy_-pozern-II3T2jbHeclPoqvfxy7pQF1AeOCj6v8, but couldn't download http://foo.u/.well-known/acme-challenge/rSy_-pozern-II3T2jbHeclPoqvfxy7pQF1AeOCj6v8

No help in the Apache error log. Clue bat please.


#2

acme_tiny.py has no error handling for writing the challenge, causing you to miss the failed write due to lack of permissions.

Try setting the challenge dir to acme:www rwxr-x---


#3
/home/acme# ls -ld challenges
drwxr-x---  2 acme  www  512 Dec  6 08:17 challenges/

/home/acme> python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/acme/challenges > .signed.crt
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying foo.u...
Traceback (most recent call last):
  File "acme_tiny.py", line 195, in <module>
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, LOGGER)
  File "acme_tiny.py", line 125, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /home/acme/challenges/3jOa9omhhPtlVS4MlDpKGrHstCbWn7eIutuDOCffBLg, but couldn't download http://foo.u/.well-known/acme-challenge/3jOa9omhhPtlVS4MlDpKGrHstCbWn7eIutuDOCffBLg

#4

Check if the files are created in the challenges dir.
If so: check your webserver config.
If this is OK too: check your iptables settings :)


#5

Is every intermediate directory down to /home/acme/challenges/ accessible for :www? This has nothing to do with acme_tiny.py. This is UNIX permissions 101. Edit: Alternatively, Apache 101. In any case, debugging this is Admin 101.


#6

Try to add a file (e.g. foobar) to challenges (chown/chmod it) and try to download it (e.g. http://foo.u/.well-known/acme-challenges/foobar). If this does not work already then there’s something wrong in your apache configuration or something else. Try to fix that first, before attempting to run acme-tiny.

Maybe it would help if you could post a snippet of your configuration that covers that part. Normally you would need something like this in your config

 Alias /.well-known/acme-challenges /home/acme/challenges

Maybe you have something in your config active, that forbids serving pages in hidden directories. I’m not an apache specialist so I can’t give you a hint for what to search for.


#7

I had the same problem yesterday when I'd installed acme_tiny.
After switching off the delete command, using a #, in line 127 I saw that the files had been created, but due to iptables my local machine wasn't allowed to connect to its local HTTP domains using the outbound interface.

Simply check if the files are created, comment out line 127, and then check your firewall settings.


#8

No files in challenges other than a test one.

A browse to http://foo.u/.well-known/acme-challenge/foo
does display the content of the file foo.

<VirtualHost _default_:80>
    ServerName foo.u
    DocumentRoot "/home/acme/challenges"
    <Directory "/home/acme/challenges">
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Require all granted
        Allow from all
    </Directory>
    Alias /.well-known/acme-challenge "/home/acme/challenges"
</VirtualHost>

I believe the problem is indeed write perms, as the log message is:

[Sun Dec 06 14:01:06.684373 2015] [core:error] [pid 759] (13)Permission denied: [client 42.28.0.666:35964] AH00132: file permissions deny server access: /home/acme/challenges/zeiHTeaxu_Uk-QT6-OTcjB6G6p3V_X5DGGh-EtNe11I

But I suspect the Apache config more than file perms/owners; the acme user can write a file in challenges, and a web browser can read that file. So I feel more stupid than usual.


#10

The log output shows me that the file was probably created (I assume the log entry is from Apache). Did you uncomment the line as suggested? It should be something about os.remove. It may also be a problem with your umask being set too restrictive, so that the files created by acme-tiny are only readable by the acme user.


#11

Yes, the log entry was from Apache; sorry for being unclear. I did as suggested by px3 and #ed out the os.remove; the file was indeed in the challenges dir. But, whoopsie, look at the perms:

-rw------- 1 acme www 87 Dec 6 18:31 pschiu1Dftv2xYjC37L7LmXD23PPw040CO3nWKsmRSY

this hack at around line 116 fixed my problem

with open(wellknown_path, "w") as wellknown_file:
    wellknown_file.write(keyauthorization)

# open() honours the umask, so re-chmod the challenge file explicitly
# (0o644 is the octal literal that works on both Python 2 and 3)
os.chmod(wellknown_path, 0o644)

Thanks for the unremove, px3. I might not remove the file if the urlopen fails.


#12

So it looks like a problem with your umask. You could also set it less restrictive (like umask 0022) so that the file gets at least read rights. Since you will probably have a script for cron (as suggested by acme-tiny), you could put this at the top. But of course your solution works also (but might get lost on the next update of the script).
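The two points this thread converged on (the umask silently turning the challenge file into 0600, and the "permissions 101" walk down to the challenge dir from #5) as one added example. This is not code from acme_tiny or from anyone in the thread. It assumes nothing about the real host: the www uid/gid is a stand-in (any uid/gid that is not the caller's), the token from the thread is reused only as a file name, the key authorization string is constructed, and everything happens in a scratch directory that is removed afterwards.

```python
"""Added example, not acme_tiny code: umask-proof challenge writing plus a
uid/gid-based readability check over every parent directory."""
import os
import shutil
import stat
import tempfile


def write_challenge(wellknown_path, keyauthorization):
    """Create the challenge file and return its final mode (expected 0o644).

    open() and os.open() both apply the process umask to the requested mode,
    so with umask 077 acme_tiny's file ends up 0600 and Apache (www:www)
    gets "(13)Permission denied". os.fchmod() is not subject to the umask.
    """
    fd = os.open(wellknown_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, keyauthorization.encode("ascii"))
        os.fchmod(fd, 0o644)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(wellknown_path).st_mode)


def _permitted(st, uid, gid, user_bit, group_bit, other_bit):
    """Owner/group/other bit selection as seen by uid/gid. uid 0 is not
    special-cased: we want the answer an unprivileged www worker gets."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(path, uid, gid, top=os.sep):
    """List what stops uid/gid from reading `path` (empty list: servable).

    Walks directories from `top` (default /) down to the parent of `path`
    checking the search (x) bit, then checks the read (r) bit on the file.
    Ignores ACLs, MAC policies and mount options.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    problems = []
    chain, directory = [], os.path.dirname(path)
    while True:
        chain.append(directory)
        parent = os.path.dirname(directory)
        if directory == top or parent == directory:
            break
        directory = parent
    for directory in reversed(chain):  # top-down, like a kernel path lookup
        st = os.stat(directory)
        if not _permitted(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append("no search (x) permission for uid %d/gid %d on %s"
                            % (uid, gid, directory))
    st = os.stat(path)
    if not _permitted(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append("no read (r) permission for uid %d/gid %d on %s"
                        % (uid, gid, path))
    return problems


def demo():
    """Reproduce the thread's failure in a scratch dir, then fix it.
    Returns (mode from plain open(), mode from write_challenge(),
    problems before fixing the directory, problems after)."""
    old_umask = os.umask(0o077)        # the "paranoid" umask from the thread
    workdir = tempfile.mkdtemp()       # created 0700, like drwx------
    try:
        # Stand-in for www:www: a uid and gid guaranteed not to match the
        # owner/group of anything created here (assumption, not a real account).
        www_uid = os.getuid() + 1
        www_gid = os.stat(workdir).st_gid + 1
        # Token from the thread, used only as a file name; the key
        # authorization value is constructed, not a real thumbprint.
        token = "rSy_-pozern-II3T2jbHeclPoqvfxy7pQF1AeOCj6v8"
        keyauth = token + ".constructed-thumbprint"

        plain = os.path.join(workdir, "plain-open")
        with open(plain, "w") as f:    # what acme_tiny does: honours the umask
            f.write(keyauth)
        plain_mode = stat.S_IMODE(os.stat(plain).st_mode)

        challenge = os.path.join(workdir, token)
        fixed_mode = write_challenge(challenge, keyauth)

        before = readable_by(challenge, www_uid, www_gid, top=workdir)
        os.chmod(workdir, 0o711)       # traversable but not listable
        after = readable_by(challenge, www_uid, www_gid, top=workdir)
        return plain_mode, fixed_mode, before, after
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for label, value in zip(("open()", "write_challenge()", "before", "after"), demo()):
        print(label, "%04o" % value if isinstance(value, int) else value or "readable")
```

On the real host the check is `readable_by("/home/acme/challenges/<token>", pwd.getpwnam("www").pw_uid, grp.getgrnam("www").gr_gid)` with the default `top="/"`, which reports the missing x bit on /home/acme just as readily as a 0600 file. Forcing the mode in the writer survives a strict umask; putting `umask 022` at the top of the cron wrapper, as suggested above, survives updates of acme_tiny instead.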


#13

As you note, my umask is that of a paranoid; not by accident; character cast :) I will hack in some way, thanks.


#14

Tried this change in my acme_tiny.py.

No help, still not working.


#15

You may be better asking / raising an issue at the site for that client - acme-tiny issues