Apache challenge file / redirection issue

Thanks everybody for suggesting acme.sh.

We installed it on our server and starting issuing certificates but we have a problem with the /.well-known redirect.

This is the 000-default.conf file we have but it only redirects the urls using the ip address, not our subdomains.

Do we need to modify our .htaccess on our subdomains as well ? We tried but without success

<VirtualHost *:80>
        # Put this in 000-default.conf
        Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

Try testing your domain at https://letsdebug.net/ for clues

If you only changed the ACME client, then how did this path work before?
Are you using Apache?
Are the challenge request being redirect to HTTPS?

Yes, we are using apache.
We had a 000-default.conf and conf file for each subdomain.
I don't understand the question about challenge request being redirect to HTTPS.

Please provide the FQDN that is having trouble.
and the output of:
sudo apachectl -t -D DUMP_VHOSTS

In the error message shown by the ACME client; Does it show that it failed to retrieve the challenge file from HTTP://YOUR.SITE/... or HTTPS://YOUR.SITE/... ?

FQDN

naceo.yumi-software.com
All our subdomains work similarly by replacing naceo

sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
51.255.95.18:80        is a NameVirtualHost
         default server auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:11)
         port 80 namevhost auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:11)
         port 80 namevhost auxdoubsoeurs.yumi-software.com (/etc/apache2/sites-enabled/auxdoubsoeurs.conf:11)
         port 80 namevhost evalacheray.yumi-software.com (/etc/apache2/sites-enabled/evalacheray.conf:11)
         port 80 namevhost formefficience.yumi-software.com (/etc/apache2/sites-enabled/formefficience.conf:11)
         port 80 namevhost naceo.yumi-software.com (/etc/apache2/sites-enabled/naceo.conf:11)
         port 80 namevhost nlpaysage.yumi-software.com (/etc/apache2/sites-enabled/nlpaysage.conf:11)
         port 80 namevhost regalpanier.yumi-software.com (/etc/apache2/sites-enabled/regalpanier.conf:11)
         port 80 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.conf:11)
         port 80 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.yumi-software.com.conf:1)
         port 80 namevhost yudev.yumi-software.com (/etc/apache2/sites-enabled/yudev.conf:11)
51.255.95.18:443       is a NameVirtualHost
         default server auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:23)
         port 443 namevhost auboudoirdautrefois.yumi-software.com (/etc/apache2/sites-enabled/auboudoirdautrefois.conf:23)
         port 443 namevhost auxdoubsoeurs.yumi-software.com (/etc/apache2/sites-enabled/auxdoubsoeurs.conf:23)
         port 443 namevhost evalacheray.yumi-software.com (/etc/apache2/sites-enabled/evalacheray.conf:23)
         port 443 namevhost formefficience.yumi-software.com (/etc/apache2/sites-enabled/formefficience.conf:23)
         port 443 namevhost naceo.yumi-software.com (/etc/apache2/sites-enabled/naceo.conf:36)
         port 443 namevhost nlpaysage.yumi-software.com (/etc/apache2/sites-enabled/nlpaysage.conf:23)
         port 443 namevhost regalpanier.yumi-software.com (/etc/apache2/sites-enabled/regalpanier.conf:23)
         port 443 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.conf:23)
         port 443 namevhost www.yumi-software.com (/etc/apache2/sites-enabled/www.yumi-software.com.conf:13)
         port 443 namevhost yudev.yumi-software.com (/etc/apache2/sites-enabled/yudev.conf:23)
*:80                   localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1)

In the error message shown by the ACME client; Does it show that it failed to retrieve the challenge file from HTTP://YOUR.SITE/... or HTTPS://YOUR.SITE/... ?

This is the url that fails : https://naceo.yumi-software.com/.well-known/acme-challenge/zJL1jTf88cfwdv7193e8KtnfZWjK8m2KVsjVMjM8xNk

The redirect does not work, and instead our cakephp sends an error

Ok, then we only need to look at one file:

Actually that error shows that the redirect did work - the link is for HTTPS.
What failed was the contents (404).
But that implies that all code to avoid the challenge path missed their target.

/etc/apache2/sites-enabled/naceo.conf

<IfModule mod_fastcgi.c>
	AddHandler php7-fcgi-naceo .php
    	Action php7-fcgi-naceo /php7-fcgi-naceo
    	Alias /php7-fcgi-naceo /usr/lib/cgi-bin/php7-fcgi-naceo
	FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-naceo -socket /run/php/php7.0-naceo-fpm.sock -idle-timeout 90 -pass-header Authorization
    	<Directory "/usr/lib/cgi-bin">
    		Require all granted
        </Directory>
</IfModule>

<VirtualHost naceo.yumi-software.com:80>
	ServerAdmin webmaster@localhost
	ServerName naceo.yumi-software.com
	DocumentRoot /var/www/html/naceo
	Redirect permanent / https://naceo.yumi-software.com/

        Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


	ErrorLog ${APACHE_LOG_DIR}/error_naceo.log
	CustomLog ${APACHE_LOG_DIR}/access_naceo.log combined

</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost naceo.yumi-software.com:443>
                ServerAdmin webmaster@localhost
		ServerName naceo.yumi-software.com
                DocumentRoot /var/www/html/naceo

                SSLEngine on
                SSLCertificateFile  /etc/letsencrypt/live/naceo.yumi-software.com/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/naceo.yumi-software.com/privkey.pem

                ErrorLog ${APACHE_LOG_DIR}/error_naceo.log
                CustomLog ${APACHE_LOG_DIR}/access_naceo.log combined
		<IfModule mod_fastcgi.c>
    		<FilesMatch ".+\.php$">
        		SetHandler php7-fcgi-naceo
    		</FilesMatch>
		</IfModule>
        </VirtualHost>
</IfModule>

This seems to happen before anything else:
Redirect permanent / https://naceo.yumi-software.com/

Either:

  • remove that line and let the ReWrite condition handle the redirections

OR

  • add the alias line and location sections to the 443(TLS/SSL/HTTPS) block

Thanks, second solution worked !

But now, we have the following issue :

Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: nlpaysage.yumi-software.com: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

We had too many errors before this, so now we can't issue the certificates. Is there any way to bypass the rate limit for failures ? It seems to be 5 per domain per hour, but it doesn't seem to reset.

1 Like

Not for that exact same set of names.

No read the error:

Which ACME client are you using?

We are using acme.sh

Yes sorry, it's a different error now.
5 per hour is the limit for failures.
5 per week is for issues of certificates.

But all of our attempts failed, so I don't understand how we reached the limit for certificates.

Also, we have more than 5 subdomains, how will this work ?

@Yumi
Please show the output of:
/root/.acme.sh/acme.sh --list
[or from whichever path it is at]

Main_Domain                    KeyLength  SAN_Domains  CA               Created                                    Renew
naceo.yumi-software.com        ""         no           LetsEncrypt.org  lundi 4 octobre 2021, 09:09:23 (UTC+0000)  vendredi 3 décembre 2021, 09:09:23 (UTC+0000)
nlpaysage.yumi-software.com    ""         no           LetsEncrypt.org  lundi 4 octobre 2021, 09:15:28 (UTC+0000)  vendredi 3 décembre 2021, 09:15:28 (UTC+0000)
regalpanier.yumi-software.com  ""         no           LetsEncrypt.org  lundi 4 octobre 2021, 09:12:53 (UTC+0000)  vendredi 3 décembre 2021, 09:12:53 (UTC+0000)

There is already a valid cert there:
find /root/.acme/ -name naceo.yumi*

/root/.acme.sh/naceo.yumi-software.com
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.cer
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.csr
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.csr.conf
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.conf
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key

We also have a folder in /etc/letsencrypt/live that was generated when we used certbot.
Maybe our website is still pointing to the old certbot certificates ?

@Yumi Now that we know where the latest cert files are:
/root/.acme.sh/naceo.yumi-software.com/fullchain.cer
/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key

The next step is to view/edit the website config that uses the cert.

I feel we are close !

Now, we have access problem to the key

Error: EACCES: permission denied, open '/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key'

Here's the access list for that folder

-rwxrwxrwx  1 root root 1827 oct.   4 11:09 ca.cer
-rwxrwxrwx  1 root root 3689 oct.   4 11:09 fullchain.cer
-rwxrwxrwx  1 root root 1862 oct.   4 11:09 naceo.yumi-software.com.cer
-rwxrwxrwx  1 root root  754 oct.   4 11:10 naceo.yumi-software.com.conf
-rwxrwxrwx  1 root root  980 oct.   4 11:10 naceo.yumi-software.com.csr
-rwxrwxrwx  1 root root  158 oct.   4 11:10 naceo.yumi-software.com.csr.conf
-rwxrwxrwx  1 root root 1679 oct.   4 09:26 naceo.yumi-software.com.key

Yes.
But you skipped a step - I did not see the config file:

Yes, sorry

Our config.json

	"cert" : "/root/.acme.sh/naceo.yumi-software.com/fullchain.cer",
	"key" : "/root/.acme.sh/naceo.yumi-software.com/naceo.yumi-software.com.key",

Our js side

    var config = require('./config.json'),
        fs = require('fs'),
        privateKey = fs.readFileSync( config.key, 'utf-8'),
        certificate = fs.readFileSync( config.cert, 'utf-8'),
        credentials = { key : privateKey, cert : certificate },
        jwt = require('jsonwebtoken');

    var request = require('request'),
        async = require('async'),
        app = require('express')(),
        https = require('https').createServer( credentials, app ),
        io = require('socket.io')(https, {
            pingInterval: 25000,
            pingTimeout: 60000,
            upgradeTimeout: 30000
        });

We didn't have problem accessing keys when they were in /etc/letsencrypt