Apache challenge file / redirection issue

Thanks everybody for suggesting acme.sh.

We installed it on our server and started issuing certificates, but we have a problem with the /.well-known redirect.

This is the 000-default.conf file we have, but it only redirects the URLs using the IP address, not our subdomains.

Do we need to modify our .htaccess on our subdomains as well? We tried, but without success.

<VirtualHost *:80>
    # Put this in 000-default.conf
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>
    # Send everything except the challenge path to HTTPS
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

Try testing your domain at https://letsdebug.net/ for clues

If you only changed the ACME client, then how did this path work before?
Are you using Apache?
Are the challenge requests being redirected to HTTPS?

Yes, we are using Apache.
We had a 000-default.conf and a conf file for each subdomain.
I don't understand the question about challenge requests being redirected to HTTPS.

Please provide the FQDN that is having trouble, and the output of:
sudo apachectl -t -D DUMP_VHOSTS

In the error message shown by the ACME client, does it show that it failed to retrieve the challenge file from HTTP://YOUR.SITE/... or HTTPS://YOUR.SITE/...?

FQDN

All our subdomains work similarly by replacing naceo

sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
51.255.95.18:80        is a NameVirtualHost
         default server auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:11)
         port 80 namevhost auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:11)
         port 80 namevhost auxdoubsoeurs.yumi-software.com (/etc/apache2/sites-enabled/auxdoubsoeurs.conf:11)
         port 80 namevhost evalacheray.yumi-software.com (/etc/apache2/sites-enabled/evalacheray.conf:11)
         port 80 namevhost formefficience.yumi-software.com (/etc/apache2/sites-enabled/formefficience.conf:11)
         port 80 namevhost naceo.yumi-software.com (/etc/apache2/sites-enabled/naceo.conf:11)
         port 80 namevhost nlpaysage.yumi-software.com (/etc/apache2/sites-enabled/nlpaysage.conf:11)
         port 80 namevhost regalpanier.yumi-software.com (/etc/apache2/sites-enabled/regalpanier.conf:11)
         port 80 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.conf:11)
         port 80 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.yumi-software.com.conf:1)
         port 80 namevhost yudev.yumi-software.com (/etc/apache2/sites-enabled/yudev.conf:11)
51.255.95.18:443       is a NameVirtualHost
         default server auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:23)
         port 443 namevhost auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:23)
         port 443 namevhost auxdoubsoeurs.yumi-software.com (/etc/apache2/sites-enabled/auxdoubsoeurs.conf:23)
         port 443 namevhost evalacheray.yumi-software.com (/etc/apache2/sites-enabled/evalacheray.conf:23)
         port 443 namevhost formefficience.yumi-software.com (/etc/apache2/sites-enabled/formefficience.conf:23)
         port 443 namevhost naceo.yumi-software.com (/etc/apache2/sites-enabled/naceo.conf:36)
         port 443 namevhost nlpaysage.yumi-software.com (/etc/apache2/sites-enabled/nlpaysage.conf:23)
         port 443 namevhost regalpanier.yumi-software.com (/etc/apache2/sites-enabled/regalpanier.conf:23)
         port 443 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.conf:23)
         port 443 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.yumi-software.com.conf:13)
         port 443 namevhost yudev.yumi-software.com (/etc/apache2/sites-enabled/yudev.conf:23)
*:80                   localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1)

In the error message shown by the ACME client, does it show that it failed to retrieve the challenge file from HTTP://YOUR.SITE/... or HTTPS://YOUR.SITE/...?

This is the URL that fails: https://naceo.yumi-software.com/.well-known/acme-challenge/zJL1jTf88cfwdv7193e8KtnfZWjK8m2KVsjVMjM8xNk

The redirect does not work, and instead our CakePHP sends an error.

Ok, then we only need to look at one file:

Actually, that error shows that the redirect did work: the link is for HTTPS.
What failed was the contents (404).
But that implies that all the code meant to exempt the challenge path missed its target.

/etc/apache2/sites-enabled/naceo.conf

<IfModule mod_fastcgi.c>
    AddHandler php7-fcgi-naceo .php
    Action php7-fcgi-naceo /php7-fcgi-naceo
    Alias /php7-fcgi-naceo /usr/lib/cgi-bin/php7-fcgi-naceo
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-naceo -socket /run/php/php7.0-naceo-fpm.sock -idle-timeout 90 -pass-header Authorization
    <Directory "/usr/lib/cgi-bin">
        Require all granted
    </Directory>
</IfModule>

<VirtualHost naceo.yumi-software.com:80>
    ServerAdmin webmaster@localhost
    ServerName naceo.yumi-software.com
    DocumentRoot /var/www/html/naceo
    Redirect permanent / https://naceo.yumi-software.com/

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error_naceo.log
    CustomLog ${APACHE_LOG_DIR}/access_naceo.log combined
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost naceo.yumi-software.com:443>
        ServerAdmin webmaster@localhost
        ServerName naceo.yumi-software.com
        DocumentRoot /var/www/html/naceo

        SSLEngine on
        SSLCertificateFile  /etc/letsencrypt/live/naceo.yumi-software.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/naceo.yumi-software.com/privkey.pem

        ErrorLog ${APACHE_LOG_DIR}/error_naceo.log
        CustomLog ${APACHE_LOG_DIR}/access_naceo.log combined
        <IfModule mod_fastcgi.c>
            <FilesMatch ".+\.php$">
                SetHandler php7-fcgi-naceo
            </FilesMatch>
        </IfModule>
    </VirtualHost>
</IfModule>

This seems to happen before anything else:
Redirect permanent / https://naceo.yumi-software.com/

Either:

  • remove that line and let the Rewrite conditions handle the redirections

OR

  • add the alias line and location sections to the 443 (TLS/SSL/HTTPS) block
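Whichever of the two fixes is applied, the failure seen above (the request reaching the application instead of the challenge file) is easy to catch before asking the CA to validate. The script below is an added check, not from the thread or from acme.sh: it drops a throwaway token into the webroot the Alias points at (/var/www/letsencrypt, an assumption taken from the posted config; override WEBROOT), fetches it over HTTP following any redirect, and reports whether the same bytes came back.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the HTTP-01 path.
# Assumes the webroot used by the Alias in the posted config; override with
# WEBROOT=/other/path. Needs curl.
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"

# fetch_url URL: print the response body, following redirects on purpose.
# If the :80 vhost bounces to HTTPS, the :443 vhost must serve the file too
# (the second fix in the thread), so the check has to follow the redirect.
fetch_url() {
    curl -sSL --max-redirs 5 "$1"
}

# check_challenge HOST: write a random 43-character token (the length the
# RedirectMatch 404 guard in the config accepts), request it through the
# front door, and compare. Returns 0 only if the token comes back unchanged.
check_challenge() {
    host="$1"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
    printf '%s' "$token" > "$dir/$token"
    body=$(fetch_url "http://$host/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    if [ "$body" = "$token" ]; then
        echo "ok: $host serves the challenge path"
        return 0
    fi
    echo "FAIL: $host returned something else (app error page, 404, ...)" >&2
    return 1
}

# Usage: sh check_challenge.sh naceo.yumi-software.com
if [ "$#" -gt 0 ]; then
    check_challenge "$1"
fi
```

Run it once per hostname from the DUMP_VHOSTS list; a vhost whose :80 or :443 block swallows the path fails here with the same symptom the CA would report.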

Thanks, the second solution worked!

But now we have the following issue:

Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: nlpaysage.yumi-software.com: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

We had too many errors before this, so now we can't issue the certificates. Is there any way to bypass the rate limit for failures? It seems to be 5 per domain per hour, but it doesn't seem to reset.


Not for that exact same set of names.

No, read the error:

Which ACME client are you using?

We are using acme.sh

Yes sorry, it's a different error now.
5 per hour is the limit for failures.
5 per week is for issues of certificates.

But all of our attempts failed, so I don't understand how we reached the limit for certificates.

Also, we have more than 5 subdomains; how will this work?

@Yumi
Please show the output of:
/root/.acme.sh/acme.sh --list
[or from whichever path it is at]

Main_Domain                    KeyLength  SAN_Domains  CA               Created                                    Renew
naceo.yumi-software.com        ""         no           LetsEncrypt.org  lundi 4 octobre 2021, 09:09:23 (UTC+0000)  vendredi 3 décembre 2021, 09:09:23 (UTC+0000)
nlpaysage.yumi-software.com    ""         no           LetsEncrypt.org  lundi 4 octobre 2021, 09:15:28 (UTC+0000)  vendredi 3 décembre 2021, 09:15:28 (UTC+0000)
regalpanier.yumi-software.com  ""         no           LetsEncrypt.org  lundi 4 octobre 2021, 09:12:53 (UTC+0000)  vendredi 3 décembre 2021, 09:12:53 (UTC+0000)

There is already a valid cert there:
find /root/.acme/ -name naceo.yumi*

/root/.acme.sh/naceo.yumi-software.com
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.cer
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.csr
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.csr.conf
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.conf
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key

We also have a folder in /etc/letsencrypt/live that was generated when we used certbot.
Maybe our website is still pointing to the old certbot certificates?

@Yumi Now that we know where the latest cert files are:
/root/.acme.sh/naceo.yumi-software.com/fullchain.cer
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key

The next step is to view/edit the website config that uses the cert.

I feel we are close!

Now we have an access problem with the key:

Error: EACCES: permission denied, open '/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key'

Here's the access list for that folder:

-rwxrwxrwx  1 root root 1827 oct.   4 11:09 ca.cer
-rwxrwxrwx  1 root root 3689 oct.   4 11:09 fullchain.cer
-rwxrwxrwx  1 root root 1862 oct.   4 11:09 naceo.yumi-software.com.cer
-rwxrwxrwx  1 root root  754 oct.   4 11:10 naceo.yumi-software.com.conf
-rwxrwxrwx  1 root root  980 oct.   4 11:10 naceo.yumi-software.com.csr
-rwxrwxrwx  1 root root  158 oct.   4 11:10 naceo.yumi-software.com.csr.conf
-rwxrwxrwx  1 root root 1679 oct.   4 09:26 naceo.yumi-software.com.key

Yes.
But you skipped a step - I did not see the config file:

Yes, sorry

Our config.json

	"cert" : "/root/.acme.sh/naceo.yumi-software.com/fullchain.cer",
	"key" : "/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key",

Our js side

// Key and certificate paths come from config.json; readFileSync runs as the
// Node process user, which is where the EACCES above comes from.
var config = require('./config.json'),
    fs = require('fs'),
    privateKey = fs.readFileSync(config.key, 'utf-8'),
    certificate = fs.readFileSync(config.cert, 'utf-8'),
    credentials = { key: privateKey, cert: certificate },
    jwt = require('jsonwebtoken');

var request = require('request'),
    async = require('async'),
    app = require('express')(),
    https = require('https').createServer(credentials, app),
    io = require('socket.io')(https, {
        pingInterval: 25000,
        pingTimeout: 60000,
        upgradeTimeout: 30000
    });

We didn't have a problem accessing keys when they were in /etc/letsencrypt.
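The listing above shows the files themselves at mode 777, so the EACCES almost certainly comes from a parent directory (on Debian-style systems /root is 0700) that the Node process user cannot traverse; world-writable private keys are also a problem in their own right, since any local account could read or swap them. The script below is an added example, not from the thread or from acme.sh's own docs: it uses acme.sh's --install-cert to copy the current certificate out of /root/.acme.sh into a directory the service can read, with the key limited to root plus the service's group, and re-applies those permissions after every renewal. The user "nodeapp", the systemd unit "naceo-app", and the script path /usr/local/sbin/naceo-cert.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: give the Node/socket.io server a key it
# can read without opening /root or leaving a private key at mode 777 (which
# lets every local account read or replace it). Assumes the app runs with the
# hypothetical group "nodeapp" and systemd unit "naceo-app", that this script
# is saved as /usr/local/sbin/naceo-cert.sh, and that the EACCES comes from
# /root being 0700 rather than from the files themselves.
DOMAIN="${DOMAIN:-naceo.yumi-software.com}"
SVC_GROUP="${SVC_GROUP:-nodeapp}"
CERT_DIR="${CERT_DIR:-/etc/ssl/naceo}"

# install_key KEY FULLCHAIN GROUP: acme.sh writes the copies as root, so only
# the group and mode change: key 0640 (root + service group), chain 0644.
install_key() {
    key="$1"; chain="$2"; group="$3"
    chgrp "$group" "$key" && chmod 0640 "$key" || return 1
    chmod 0644 "$chain" || return 1
}

# deploy: let acme.sh copy the current cert out of /root/.acme.sh and re-run
# this script's fixperms step (plus an app restart, since Node reads the key
# only at startup) after every renewal. --install-cert records the reloadcmd
# so the same steps run from acme.sh's cron job.
deploy() {
    mkdir -p "$CERT_DIR" && chmod 0755 "$CERT_DIR" || return 1
    /root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
        --key-file "$CERT_DIR/$DOMAIN.key" \
        --fullchain-file "$CERT_DIR/fullchain.cer" \
        --reloadcmd "sh /usr/local/sbin/naceo-cert.sh fixperms && systemctl restart naceo-app"
}

case "$1" in
    deploy)   deploy ;;
    fixperms) install_key "$CERT_DIR/$DOMAIN.key" "$CERT_DIR/fullchain.cer" "$SVC_GROUP" ;;
esac
```

config.json then points at the files under /etc/ssl/naceo instead of /root/.acme.sh, and the :443 vhost in naceo.conf can reference the same copies instead of the stale certbot files in /etc/letsencrypt/live.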