Apache, CentOS 6.x failures with --apache and with --webroot


#1

My domain is: www.piboxproject.com
My operating system is (include version): CentOS 6.8
My web server is (include version): Apache 2.2.15
My hosting provider, if applicable, is: my personal colo. I have full Linux admin control of this host.
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no
I ran this command: sudo certbot-auto, sudo certbot-auto certonly --webroot

Without args to certbot-auto I get this:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.piboxproject.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.piboxproject.com (tls-sni-01): urn:acme:error:connection :: The server could
not connect to the client to verify the domain :: Failed to connect to 66.35.39.9:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.piboxproject.com
    Type: connection
    Detail: Failed to connect to 66.35.39.9:443 for TLS-SNI-01
    challenge

With the --webroot arg I get this:
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.piboxproject.com (http-01): urn:acme:error:unauthorized :: The client lacks
sufficient authorization :: Invalid response from
http://www.piboxproject.com/.well-known/acme-challenge/UwffOaP-jo2Vs4NB-JceCq6UlspsD1KI3A6ZFveCuHA: "
403 Forbidden
Forbidden
<p"

IMPORTANT NOTES:

I have a number of NameVirtualHosts setup on my server. I have an Apache config file in /etc/httpd/conf.d with this:
NameVirtualHost 66.35.39.9

I tried certbot but it failed as shown. I changed all my virtual host configs (one per conf.d file) to use :443 and changed the above to
NameVirtualHost 66.35.39.9:443

I tried again, but it failed the same way. I can telnet to port 443. With the :443 config I get an Apache default page, not my domain web site. Curl reports:

$ curl -I www.piboxproject.com:443
HTTP/1.1 301 Moved Permanently
Date: Thu, 30 Mar 2017 17:55:32 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Location: https://www.piboxproject.com/
Connection: close
Content-Type: text/html; charset=UTF-8

After failing to make any progress with the default certbot command I tried the --webroot option. I discovered it wanted access to something called .well-known/acme-challenge. I’ve never heard of that but maybe it’s an apache thing? Anyway, I created the directory and gave it permissions so the apache user could read/write that directory. I still get the 403 Forbidden response.

I’ve run out of ideas here. I’m guessing it’s something to do with the way I configured my virtual hosts. Right now I have returned to not using :443 on the virtualhost configs or in the NameVirtualHosts configuration just so the sites remain working.

Any pointers on what I can try next?


#2

Good choice, many times the http-01 challenge works better than the tls-sni-01 challenge.

It’s an ACME thing (which is the protocol used for the automated validating of domains and issuing certificates for it). The http-01 challenge requires the client (in this case certbot-auto) to provide a challenge token as a file with a specific name in the directory /.well-known/acme-challenge/ in the (web)root directory of the site corresponding to the domain which is requested.

Apache has to read files from that dir, but the file is actually written to the dir by certbot-auto. So if certbot-auto writes the token as root:root without read permissions for Apache, you might get a 403 error.

You can try to manually put a test file in the webroot, e.g., echo "Test" > /path/to/your/webroot/.well-known/acme-challenge/test and try to access it with http://www.piboxproject.com/.well-known/acme-challenge/test

Note: a redirect is fine, even to HTTPS or a whole different site: the Let’s Encrypt server will follow it. However, if you redirect from http:// to https://, the file has to be in the webroot of the https:// virtualhost.
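The manual test described in this reply, written up as an added pre-flight script (this is not code from the thread or from certbot): it creates the challenge directory under the webroot, writes a test token with the 0644 permissions certbot would use, checks that the file is readable by a non-root Apache worker, and then fetches it over plain HTTP with curl following redirects, as the Let's Encrypt validation server does. The webroot and domain are command-line arguments; curl and a POSIX find are assumed to be installed.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check for the http-01 challenge.
# Assumptions: <webroot> is the DocumentRoot of the vhost answering on :80 for
# <domain>; Apache runs as an unprivileged user, so the token must be readable
# by "other"; curl is installed.
set -eu

ACME_DIR=".well-known/acme-challenge"

# Create <webroot>/.well-known/acme-challenge with 0755 directories and print its path.
prepare_challenge_dir() {
    webroot=$1
    mkdir -p "$webroot/$ACME_DIR"
    chmod 755 "$webroot/.well-known" "$webroot/$ACME_DIR"
    printf '%s\n' "$webroot/$ACME_DIR"
}

# Write a token file the way certbot does (mode 0644) and print its path.
write_token() {
    webroot=$1; token=$2; body=$3
    path="$webroot/$ACME_DIR/$token"
    printf '%s' "$body" > "$path"
    chmod 644 "$path"
    printf '%s\n' "$path"
}

# Succeeds when the file carries the "other read" bit (find -perm -004 is POSIX).
# A root:root 0600 token written by certbot-auto fails here and yields Apache's 403.
token_is_world_readable() {
    [ -n "$(find "$1" -perm -004 -print)" ]
}

# Fetch the token over HTTP. -L follows redirects (to https:// or elsewhere),
# which the validation server also does; the body must match exactly.
fetch_token() {
    domain=$1; token=$2; expected=$3
    got=$(curl -sSL --max-time 10 "http://$domain/$ACME_DIR/$token")
    [ "$got" = "$expected" ]
}

main() {
    webroot=$1; domain=$2
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # random test token
    body="preflight-$token"
    prepare_challenge_dir "$webroot" >/dev/null
    path=$(write_token "$webroot" "$token" "$body")
    token_is_world_readable "$path" || { echo "FAIL: $path is not readable by Apache" >&2; rm -f "$path"; exit 1; }
    if fetch_token "$domain" "$token" "$body"; then
        echo "OK: http://$domain/$ACME_DIR/$token served the token"
    else
        echo "FAIL: wrong or no response for http://$domain/$ACME_DIR/$token (check the :80 vhost, its Directory rules, and any redirect)" >&2
        rm -f "$path"; exit 1
    fi
    rm -f "$path"
}

# Usage: sh acme-preflight.sh /home/httpd/piboxproject www.piboxproject.com
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as root on the web host before invoking certbot; a FAIL on the readability check points at file permissions, a FAIL on the fetch points at the vhost or a redirect that lands somewhere the token is not served.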


#3

Interesting. I created the directory .well-known/acme-challenge and made sure it had read perms for u/g/o. I also added this to the vhost config and restarted httpd.

<Directory /.well-known/acme-challenge/ >
    Order Deny,Allow
    Allow from All
</Directory>

This worked! I got a key in /etc/letsencrypt/keys/0000_key-certbot.pem and a CSR in /etc/letsencrypt/csr/0000_csr-certbot.pem. I love progress.

Then I ran without webroot to see if the auto-install, which I assumed would update my vhost config, would work. It didn’t. I got “Unable to install the certificate” and the log file just gives a bunch of python errors, none of which are particularly enlightening.

2017-03-30 19:17:54,943:DEBUG:certbot.error_handler:Calling registered functions
2017-03-30 19:17:54,944:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2017-03-30 19:17:54,945:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 896, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 613, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 478, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/client.py", line 389, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 231, in deploy_cert
    vhost = self.choose_vhost(domain)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 325, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 795, in make_vhost_ssl
    self._copy_create_ssl_vhost_skeleton(avail_fp, ssl_fp)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 935, in _copy_create_ssl_vhost_skeleton
    line = next(orig_file)
StopIteration

Okay, so let’s skip the auto-install for now. I now have a cert for this domain and an idea of how to get one for each domain one at a time. So now I have two questions:

  1. How do I include the cert (CSR?) in my vhost configuration?
  2. How do I create a single cert for all my domains, so I don’t have a separate cert for each (or would having separate certs be better)?

Also, I have an ssl.conf file that appears to allow use of port 443. Do I need to specify use of :443 for each vhost configuration or does this ssl.conf handle that for me?

Thanks for the pointers!


#4

Hi @mjhammel,

The CSR is a certificate signing request, which is used to request a certificate from the CA. It’s not the same as the resulting certificate. Effectively the keys and csr directories are just for backup purposes and aren’t meant to be referred to by most users.

If you got successful cert issuance for your domains using Certbot, the intended place for you to look for the files you’ll need is inside /etc/letsencrypt/live. Certbot should also have mentioned this to you at the time the certificate was issued.


#5

This suggests you’re using / as the webroot? :scream: Most of the time, people will use /var/www/ or something like that. Normally, it would be the same directory as the DocumentRoot in the appropriate virtualhost section of the Apache configuration file.

That’s just half way. The private key and CSR are both created by certbot and aren’t issued by Let’s Encrypt. Neither is a certificate by the way.

A CSR is not a certificate: https://en.wikipedia.org/wiki/Certificate_signing_request

Select all the domains you want in the certificate when asked by certbot or with multiple -d switches on the command line.

That ssl.conf is probably a part of Apache?

In a normal (as far as “normal” goes) situation, Apache has multiple configuration files, one per site, with a single <VirtualHost *:80> section inside them. certbot will copy that VirtualHost section, but now with <VirtualHost *:443> and some extra SSL options into a new file: the source configuration file with le-ssl appended to the file name (before the .conf).


#6

You’re right. I missed it:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.piboxproject.com/fullchain.pem.

So yes, there is the cert. Now I need to figure out how the vhost config references that.


#7

Yes, but I did that wrong. All of my vhosts have their own DocumentRoot under /home/httpd, so that they are on their own partition (not the system partition) and separated from each other. The default webroot (/var/www) is not used.

Yes. I didn’t install it. I just create my own .conf’s for each domain, with one vhost per file. However, they all look like this:

 <VirtualHost domainname>

There is no wildcard VirtualHost entry and none of the VirtualHost entries use a port number. That’s why I was wondering if I need to specifically have one for :80 and one for :443 or if the ssl.conf handled that automatically for me.

I can make new .conf’s for each domain manually and use the port numbers in each (one for :80 and one for :443). It’s the brute force method but I think it should work.


#8

Success! Found the last piece of the puzzle. After adding :80 ports to existing vhost configs and changing the conf with the NameVirtualHost to include references for both :80 and :443, I copied the existing piboxproject.conf to piboxproject-ssl.conf and changed :80 to :443. Then I added this to the vhost config:

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/<domain>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/keys/0000_key-certbot.pem

At least this works for a single domain. I expect the path to the fullchain.pem will change if I do a multiple-domain cert generation. Not sure if the key will change or not. But I can experiment to find out. As of right now, https://www.piboxproject.com works.

Thanks for the help!!


#9

If you use :80 in the virtualhost directive, certbot will generate a :443 for you when not using certonly.


#10

The file you’re using here is static. certbot however will generate a new key for every new certificate, so I’d suggest using the privkey.pem symlink in the /live/ directory, just like you did with fullchain.pem.


#11

Ah. THAT was the last piece of the puzzle. Done. Now all my domains are updated and using SSL. Very cool. I can be a good web citizen again.

I should redirect all the :80 to :443 but that’s enough fiddling for one day.

Thanks again!
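The configuration the thread converges on in #8, #10 and #11, as an added example that is not code from the thread or from certbot: a shell script that renders the :80/:443 vhost pair for one domain. The :80 vhost redirects to https:// but keeps /.well-known/acme-challenge/ served over plain HTTP so renewals keep working without depending on the TLS vhost, and the :443 vhost references the /etc/letsencrypt/live/<domain>/ symlinks (privkey.pem rather than the static keys/0000_key-*.pem file). It uses cert.pem plus SSLCertificateChainFile, which is how mod_ssl on Apache 2.2 sends the intermediate; fullchain.pem in SSLCertificateFile only works as a single directive on Apache 2.4.8 or later. Assumptions: Apache 2.2 Order/Allow syntax, mod_rewrite and mod_ssl loaded (ssl.conf provides the latter), one DocumentRoot per domain under /home/httpd, and NameVirtualHost declared once for both :80 and :443 in the IP or *: form.

```sh
#!/bin/sh
# Added example (not from the thread): render the :80 and :443 vhost files for one
# domain. Assumptions: Apache 2.2, mod_rewrite and mod_ssl loaded, NameVirtualHost
# already declared for :80 and :443, certificate issued into /etc/letsencrypt/live/.
set -eu

LIVE_DIR=/etc/letsencrypt/live

# Plain-HTTP vhost: serve ACME challenges from the DocumentRoot, redirect the rest.
render_http_vhost() {
    domain=$1; docroot=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $docroot
    <Directory $docroot/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Order Deny,Allow
        Allow from all
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://$domain\$1 [R=301,L]
</VirtualHost>
EOF
}

# TLS vhost: same DocumentRoot, certificate and key through the live/ symlinks,
# which certbot repoints on every renewal (a new key is generated each time).
render_ssl_vhost() {
    domain=$1; docroot=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $LIVE_DIR/$domain/cert.pem
    SSLCertificateKeyFile $LIVE_DIR/$domain/privkey.pem
    SSLCertificateChainFile $LIVE_DIR/$domain/chain.pem
</VirtualHost>
EOF
}

# Write <domain>.conf and <domain>-ssl.conf into the given conf.d directory
# and print both paths.
write_vhost_files() {
    domain=$1; docroot=$2; confdir=$3
    render_http_vhost "$domain" "$docroot" > "$confdir/$domain.conf"
    render_ssl_vhost  "$domain" "$docroot" > "$confdir/$domain-ssl.conf"
    printf '%s\n' "$confdir/$domain.conf" "$confdir/$domain-ssl.conf"
}

# Usage: sh render-vhosts.sh www.piboxproject.com /home/httpd/piboxproject /etc/httpd/conf.d
#        then: apachectl configtest && service httpd reload
if [ "$#" -eq 3 ]; then write_vhost_files "$@"; fi
```

Run `apachectl configtest` before reloading; the RewriteCond exemption is what lets `certbot renew --webroot` keep validating over :80 after the site redirects everything else to HTTPS.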

