Apache2 Let's Encrypt .well-known/acme-challenge directory not accessible

Hi, I cannot get a certificate by running the certbot command below.
It is obvious to me that I cannot access the file certbot created, so I tried
to put an index.html file into that directory, but I cannot access it either.
So in "/var/www/html/.well-known/acme-challenge" I cannot access any file, but
I can access "/var/www/html/.well-known/acme-challeng" via http://x-econ.org/.well-known/acme-challenge/index.html (does not work) or Apache2 Ubuntu Default Page: It works for letsencrypt (works).

Any help would be appreciated

My domain is: x-econ.org

I ran this command:
certbot certonly -a webroot -w /var/www/html/.well-known/acme-challenge -d x-econ.org --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for x-econ.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: x-econ.org
Type: unauthorized
Detail: Invalid response from http://x-econ.org/.well-known/acme-challenge/Tk_tPwlChMTBQH1_BuZfn03fctMpY53JYyLq4E483kg [193.175.238.14]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.29-1ubuntu4.21

The operating system my web server runs on is (include version): Ubuntu 18

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

regards,
Peter

2 Likes

Should be just:

-w /var/www/html
3 Likes

Hi, that was not the problem. According to the certbot logfile, the credentials were always created in the correct directory, e.g. /var/www/html/.well-known/acme-challenge/5rKp***

My problem is that the DocumentRoot path /var/www/html/.well-known/acme-challenge is not accessible, but e.g. "/var/www/html/.well-known/{acme-challeng|foo}" etc. is accessible.
And I do not know why apache2 is making such a fuss about the "acme-challenge" directory name.

2 Likes

Sounds odd. What does this show:

apachectl -S

Also, do you have an alias statement somewhere?

2 Likes

That is NOT likely the document root.

Don't append "/.well-known/acme-challenge/" to anything.
The ACME client will do that automatically.
Otherwise, the ACME client will try using:
/var/www/html/.well-known/acme-challenge/.well-known/acme-challenge/

3 Likes

Sure, DocumentRoot is /var/www/html ...

1 Like

This is: apachectl -S
AH00112: Warning: DocumentRoot [/var/www/htdocs-cewswiki] does not exist
AH00112: Warning: DocumentRoot [/var/www/htdocs-ecir] does not exist
AH00112: Warning: DocumentRoot [/var/www/htdocs-sowiport] does not exist
AH00112: Warning: DocumentRoot [/var/www/htdocs-cewswiki] does not exist
AH00112: Warning: DocumentRoot [/var/www/htdocs-ecir] does not exist
AH00112: Warning: DocumentRoot [/var/www/htdocs-sowiport] does not exist
AH00112: Warning: DocumentRoot [/var/www/htdocs-xhub] does not exist
VirtualHost configuration:
*:443 is a NameVirtualHost
default server multiweb.gesis.org (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost multiweb.gesis.org (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost cewswiki.gesis.org (/etc/apache2/sites-enabled/ssl-cewswiki-gesis-org.conf:1)
port 443 namevhost ecir2019.org (/etc/apache2/sites-enabled/ssl-ecir-org.conf:1)
alias www.ecir2019.org
port 443 namevhost leibnizopen.de (/etc/apache2/sites-enabled/ssl-leib.izopen-de.conf:1)
alias www.leibnizopen.de
port 443 namevhost maven.gesis.org (/etc/apache2/sites-enabled/ssl-maven-gesis-org.conf:1)
port 443 namevhost sowiport.gesis.org (/etc/apache2/sites-enabled/ssl-sowiport-gesis-org.conf:1)
port 443 namevhost x-science.org (/etc/apache2/sites-enabled/ssl-x-science-org.conf:1)
port 443 namevhost x-econ.org (/etc/apache2/sites-enabled/x-econ-org.conf:16)
alias www.x-econ.org
*:80 is a NameVirtualHost
default server svko-multiweb2.gesis.intra (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost svko-multiweb2.gesis.intra (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost cewswiki.gesis.org (/etc/apache2/sites-enabled/cewswiki-gesis-org.conf:1)
port 80 namevhost ecir2019.org (/etc/apache2/sites-enabled/ecir-org.conf:1)
alias www.ecir2019.org
port 80 namevhost leibnizopen.de (/etc/apache2/sites-enabled/leib.izopen-de.conf:2)
alias www.leibnizopen.de
port 80 namevhost maven.gesis.org (/etc/apache2/sites-enabled/maven-gesis-org.conf:2)
port 80 namevhost sowiport.gesis.org (/etc/apache2/sites-enabled/sowiport-gesis-org.conf:1)
port 80 namevhost x-econ.org (/etc/apache2/sites-enabled/x-econ-org.conf:1)
alias www.x-econ.org
port 80 namevhost x-hub.org (/etc/apache2/sites-enabled/x-hub-org.conf:1)
alias www.x-hub.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

3 Likes

We are talking at the moment only about
port 80 namevhost x-econ.org (/etc/apache2/sites-enabled/x-econ-org.conf:1)
alias www.x-econ.org

3 Likes

<VirtualHost *:80>

    ServerName x-econ.org
    ServerAlias www.x-econ.org

    Header edit Set-Cookie ^(.*)$ "$1; HTTPOnly; Secure"

    #RewriteEngine On
    #RewriteRule ^/$ http://www.x-econ.org/xecon/#!Upload [NE,R]
    ErrorLog ${APACHE_LOG_DIR}/x-econ-errors.log
    CustomLog ${APACHE_LOG_DIR}/x-econ-access.log common

</VirtualHost>

<VirtualHost *:443>

    ServerName x-econ.org
    ServerAlias www.x-econ.org
    Header edit Set-Cookie ^(.*)$ "$1; HTTPOnly; Secure"
    ErrorLog ${APACHE_LOG_DIR}/x-econ-errors.log
    CustomLog ${APACHE_LOG_DIR}/x-econ-access.log common
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/XX.pem
    SSLCertificateKeyFile /etc/ssl/private/XX.pem
    SSLCertificateChainFile /etc/apache2/ssl.crt/XX.pem
    SSLProxyEngine On

    RewriteEngine On
    RewriteRule ^/$ https://x-econ.org/xecon/#!Home [NE,R]

    #ho
    ProxyPass /xecon http://IP:9090/xecon
    ProxyPassReverse /xecon http://IP:9090/xecon

    ProxyPass /xecon-test http://IP:9090/xecon-test
    ProxyPassReverse /xecon-test http://IP:9090/xecon-test

</VirtualHost>
2 Likes

Can you do this:

mkdir -p /var/www/html/.well-known/acme-challenge
echo testdata1234 > /var/www/html/.well-known/acme-challenge/Test-1234

Then show result of this:

curl -I http://x-econ.org/.well-known/acme-challenge/Test-1234

Leave test file after so we can look too

Note: I would feel better if DocumentRoot was defined in the VirtualHost for x-econ.org port 80 and 443 rather than defaulting to the value inherited from the server level. Especially given all the other error messages about missing DocumentRoot folders. Mind, should work but when odd things are happening best to be as clean as possible.

UPDATE: @peterklas I had omitted the curl -I from the 'result of this' command.

3 Likes

There is no DocumentRoot.
And no redirection either.

There is no sure-fire way to know exactly where it will default to.

2 Likes

There is already an index.html
file in that directory, so at /var/www/html, at /var/www/html/.well-known, and ../.well-known/acme-challange

Afk until tomorrow...
Thx
Peter

Sent from my Galaxy

3 Likes

There is not. See:

curl -I http://x-econ.org/.well-known/acme-challenge/index.html

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2022 22:37:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Was this a typo? Because it should be challenge - with an e

As I noted earlier, you should define a DocumentRoot in the VHosts for x-econ.org. There is clearly something wrong with your server config or your understanding of it. We need to simplify and remove possible issues.

3 Likes

Hi,
I added
DocumentRoot "/var/www/html" to the *:80 section

The result is the following:
curl -I http://x-econ.org/.well-known/index.html -> delivers
curl -I http://x-econ.org/.well-known/acme-challeng/index.html -> delivers
curl -I http://x-econ.org/.well-known/foo/index.html -> delivers
curl -I http://x-econ.org/.well-known/acme-challenge/index.html -> does not deliver

That is exactly my problem, and I believe that this is also what prevents me from getting Let's Encrypt started.

Thanks for your questions/support so far.

3 Likes

Please show the output of:
grep -Ri challenge /etc/apache2/

2 Likes

grep -Ri challenge /etc/apache2/ -> no output

2 Likes

And, what about output of this:

ls -lR /var/www/html
3 Likes

Hello everybody,
we found out why it did not work:
We had an old Apache mod_md installed.

Thanks for your support!
Peter

5 Likes
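The checks this thread circled around, collected into one script as an added example (it is not code from any poster, from certbot or from Apache): whether a -w that already ends in .well-known/acme-challenge doubles the path the way the earlier reply describes, what status a test file under the challenge path gets from curl -I, and whether md_module (mod_md) shows up in apachectl -M, since a loaded mod_md handles /.well-known/acme-challenge/ itself. The host name, token and 404 response are taken from the thread; the module listing and the probe_live function are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from this thread, certbot or Apache. Host, token and the 404
# response below come from the thread; the module list is a constructed sample.

# File certbot writes for a token under a given --webroot-path (-w). certbot appends
# .well-known/acme-challenge itself, so a -w that already ends in it doubles the path.
challenge_file_path() {
    webroot=${1%/}
    printf '%s/.well-known/acme-challenge/%s\n' "$webroot" "$2"
}

# URL the CA requests for that token; it never depends on -w.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# File Apache serves for a request path with a plain DocumentRoot (no Alias, no mod_md).
served_file() {
    docroot=${1%/}
    printf '%s%s\n' "$docroot" "$2"
}

# "ok" when the file certbot writes is the file the CA's request maps to, else "mismatch".
check_webroot() {
    docroot=$1; webroot=$2; host=$3; token=$4
    url=$(challenge_url "$host" "$token")
    path=${url#"http://$host"}
    if [ "$(served_file "$docroot" "$path")" = "$(challenge_file_path "$webroot" "$token")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Status code from the first line of a `curl -I` response (HTTP/1.x and HTTP/2 lines).
http_status() {
    printf '%s\n' "$1" | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p'
}

# "yes" when md_module appears in `apachectl -M` output, else "no".
md_module_loaded() {
    if printf '%s\n' "$1" | grep -q 'md_module'; then echo yes; else echo no; fi
}

# Samples: the 404 shown by curl -I in the thread, and a constructed module list with mod_md.
SAMPLE_404='HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2022 22:37:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 md_module (shared)
 ssl_module (shared)'

# Live probe against the real server (hypothetical helper; needs root and network,
# and is not called by the offline demonstration below).
probe_live() {
    host=$1; docroot=$2
    mkdir -p "$docroot/.well-known/acme-challenge"
    echo testdata1234 > "$docroot/.well-known/acme-challenge/Test-1234"
    echo "status: $(http_status "$(curl -sI "http://$host/.well-known/acme-challenge/Test-1234")")"
    echo "mod_md: $(md_module_loaded "$(apachectl -M 2>/dev/null)")"
}

# Offline demonstration with the thread's values.
TOKEN=Tk_tPwlChMTBQH1_BuZfn03fctMpY53JYyLq4E483kg
check_webroot /var/www/html /var/www/html x-econ.org "$TOKEN"
check_webroot /var/www/html /var/www/html/.well-known/acme-challenge x-econ.org "$TOKEN"
http_status "$SAMPLE_404"
md_module_loaded "$SAMPLE_MODULES"
```

Run as-is it only evaluates the offline checks; `probe_live x-econ.org /var/www/html` reproduces the mkdir/echo/curl test from the thread on the server itself and then reports whether mod_md is loaded, which is the module the thread finally identified as the cause.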