Bitnami + Phabricator + Let's Encrypt Acme Challenge Failed

Please fill out the fields below so we can help you better.

My domain is: forge.deafmade.com

I ran this command: ./letsencrypt-auto certonly --webroot -w /opt/bitnami/apps/phabricator/htdocs/webroot -d forge.deafmade.com

It produced this output: "Failed authorization procedure. forge.deafmade.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from ~/.well-known/acme-challenge/_1eWR8y1HU_z1POvexWpohJmFCp_Mts1GVA2s6ZeJ0k: "Login to Phabricator<meta name="viewport" content="width=device"

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is: Google Compute Engine (Bitnami Phabricator Stack)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I added .well-known/acme-challenge/test file and it shows 404 when I try to visit it.

Followed instructions here: https://butcaru.com/lets-encrypt-phabricator-renewing-certificate/ but still not working.

Can anyone else please help with this issue? Thank you!

Hi @serialencrypter,

Did you restart Apache after adding the RewriteCond %{REQUEST_URI} !^/.well-known/ line that the tutorial asks you to add?

Could you show us the Rewrite-related directives that you have in your Apache configuration now?

Yes, I did restart Apache after each conf file rewrite. Here is the contents of my httpd-prefix.conf file:

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]
DocumentRoot "/opt/bitnami/apps/phabricator/htdocs/webroot"
Include "/opt/bitnami/apps/phabricator/conf/httpd-app.conf"

And the contents of the httpd-app.conf:

<IfDefine USE_PHP_FPM>
<Proxy "unix:/opt/bitnami/php/var/run/phabricator.sock|fcgi://phabricator-fpm" timeout=300>
</Proxy>
</IfDefine>

<Directory "/opt/bitnami/apps/phabricator/htdocs/webroot">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
<IfVersion < 2.3 >
    Order allow,deny
    Allow from all
</IfVersion>
<IfVersion >= 2.3>
    Require all granted
</IfVersion>


<IfModule php5_module>
    php_admin_flag apc.stat 0
    php_admin_flag apc.slam_defense 0
</IfModule>

<IfDefine USE_PHP_FPM>
   <FilesMatch \.php$>
     SetHandler "proxy:fcgi://phabricator-fpm"
   </FilesMatch>
</IfDefine>


RewriteEngine On
RewriteRule ^/rsrc/(.*)     -                       [L,QSA]
RewriteRule ^/favicon.ico   -                       [L,QSA]

RewriteCond %{QUERY_STRING} ^.*__path__.*$ [NC]
RewriteRule .* - [L,NC,QSA]
RewriteRule ^(.*)$          /index.php?__path__=/$1  [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},B,L,QSA]

Include "/opt/bitnami/apps/phabricator/conf/banner.conf"
</Directory>

My thought is that maybe the one in the httpd-app.conf also needs the same exclusion (with the RewriteCond that you added to the httpd-prefix.conf). I don’t know enough about mod_rewrite to know if it will work if you just add a second

RewriteCond %{REQUEST_URI} !^/.well-known

to httpd-app.conf after the existing RewriteCond line there, but that’s my intuition. (The question is whether RewriteCond directives are cumulative and all have to be satisfied for a following rewrite to occur, or whether they’re interpreted in some other way.)

Maybe you could try that, and, if it doesn’t work, you could either contact the person who wrote the tutorial that you followed (to ask for it to be updated to include suggested changes to httpd-app.conf too), or else we can edit the subject of this forum thread to ask other people with more mod_rewrite experience to come help with their suggestions.

Hmmm I added that second /.well-known above the existing RewriteCond in the httpd-app.conf, then restarted Apache to run the certbot again. I got the same error. I guess it couldn’t hurt to contact the author of that tutorial to see if he has any thoughts.
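An added example, not part of the thread or of Bitnami's configuration: a simplified Python model of the documented mod_rewrite behaviour the question above turns on, namely that RewriteCond lines are ANDed together but guard only the next RewriteRule. It assumes per-directory context with every rule carrying [L] and ignores flags; `parse`, `route`, `AS_TRIED` and `MOVED` are names constructed for illustration.

```python
import re

# Constructed from the thread's httpd-app.conf: exclusion placed beside the existing RewriteCond.
AS_TRIED = """
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteCond %{QUERY_STRING} ^.*__path__.*$ [NC]
RewriteRule .* - [L,NC,QSA]
RewriteRule ^(.*)$ /index.php?__path__=/$1 [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},B,L,QSA]
"""
# Assumed alternative for comparison: the same exclusion directly above the catch-all rule.
MOVED = """
RewriteCond %{QUERY_STRING} ^.*__path__.*$ [NC]
RewriteRule .* - [L,NC,QSA]
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule ^(.*)$ /index.php?__path__=/$1 [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},B,L,QSA]
"""

def parse(conf):
    """Attach each RewriteCond to the next RewriteRule only."""
    rules, pending = [], []
    for line in conf.strip().splitlines():
        parts = line.split()
        if parts[0] == "RewriteCond":
            pending.append((parts[1], parts[2]))      # (test string, pattern); flags ignored
        elif parts[0] == "RewriteRule":
            rules.append((parts[1], parts[2], pending))
            pending = []                              # conditions never carry over to later rules
    return rules

def cond_ok(test, pattern, uri, query):
    """Evaluate one condition; a leading '!' negates the regex match."""
    value = {"%{REQUEST_URI}": uri, "%{QUERY_STRING}": query}[test]
    hit = re.search(pattern.lstrip("!"), value) is not None
    return hit != pattern.startswith("!")

def route(conf, uri, query=""):
    """Return 'index.php' if the request is rewritten, else 'unchanged'."""
    path = uri.lstrip("/")  # per-directory rules match the path without its leading slash
    for pattern, subst, conds in parse(conf):
        # The rule fires only if its pattern matches and ALL of its own conditions hold.
        if re.search(pattern, path) and all(cond_ok(t, p, uri, query) for t, p in conds):
            return "unchanged" if subst == "-" else "index.php"
    return "unchanged"

if __name__ == "__main__":
    for name, conf in (("as tried", AS_TRIED), ("moved", MOVED)):
        print(name, route(conf, "/.well-known/acme-challenge/test"))
```

In this model the placement tried in the thread leaves the catch-all rule unconditioned, so the challenge path is still handed to index.php, which is consistent with the Phabricator login page in the error output.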
