Can access .well-known/... from cli but not from script


#1

I am trying to install Let’s Encrypt on a server running ServerPilot under Ubuntu 18.04 server. I am using lesaff’s serverpilot script.

When it gets to the point of doing the challenge(?), it fails with the urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tomcloud.glsys.ca/.well-known/acme-challenge error.

As was mentioned in an earlied post, I was able to create the .well-known/acme-challenge/ structure and added a file test.txt. I could access it from the browser (tomcloud.glsys.ca/.well-know/acme-challenge/test.txt) with no problems… Strange.

I have attached the log of the session. Any suggestions would be most welcome.

Thanks… Tom.

It appears that I cannot include the log file since I am a new user and exceed the 20 links limit. Let me know how I can get it to you if necessary.


#2

Hi @airstreamer,

I’ve increased your user level so you should be able to post your file. If you put ``` before and after it, it will avoid triggering forum formatting based on punctuation marks in the file contents.

Does your test file still exist? I couldn’t access it just now.


#3

Thanks for the reply.

I put the log up on GDrive. You can access it at

https://drive.google.com/file/d/1_HBGjBwFR1SY6n888eg8ClKQVSbQh4HY/view?usp=sharing

Tom.


#4

Thanks.

What is the exact directory on your system where you previously created the test.txt file? Could you recreate it now?


#5

The directory is /srv/users/serverpilot/apps/owncloud/public/.well-known/acme-challenge
and it cohtains the file test.txt.

The chain has the owner:group of serverpilot:serverpilot.

I just deleted and recreated the directories/text file.

To view it I first had to delete the owncloud.ssl.conf file from /etc/nginx-sp/vhost.d and restart nginx-sp. I could then get access to the file. (tomcloud.glsys.ca/.well-known/acme-challenge/test.txt).

Tom.


#6

Can you still see it right now? I can’t!


#7

Also, that isn’t a very good sign in terms of automatic renewal. You might instead be able to edit the nginx configuration to create an exception for /.well-known/acme-challenge so that it’s served out of the filesystem instead of via Owncloud.


#8

Yes!. Perhaps a router setting?


#9

Maybe so… or a DNS setting or something. This is probably relevant to why the certificate issuance won’t work.

Do you have access to an outside Internet connection that you could use to test how it looks from the rest of the Internet?


#10

I’ll try my phone using LTE access.


#11

Yeh, I get a file not found message.


#12

I found a setting in my router port forwards that said “Forward IPv4-tcp, udp
from any host in wan via any router IP” to “any host in lan” I don’t know where that came from but I don’t think it is right. I disabled it and now I can get the proper access using the LTE network.

I tried it with both Firefox and Chrome and its is working. Seeing the contents of the text.txt file that is.

I will rerun the script again hopefully with better results.

Tom.


#13

Well, that made a change for the better. I am now getting a “The server could
not connect to the client to verify the domain” error. Perhaps you might have some suggestions.

The log can be found here:

https://drive.google.com/file/d/1FFaVS9h5o1PY-gJg3rz7dU7TOLKPyf3T/view?usp=sharing

Thanks… Tom.


#14

If I’m reading that correctly, tomcloud.glsys.ca is now verifying correctly and it is glsys.ca that is failing.

From here, http://glsys.ca/.well-known/acme-challenge/test.txt gives me an empty response, although it resolves to the same IP address. Perhaps a misconfigured virtual host / server block for that domain?


#15

You are indeed reading it correctly. In serverpilot for the app I added glsys.ca to its valid domains, reran the script, restarted nginx-sp, and it worked. I installed the “redirect to https” coding in .htaccess and everything is working as it should.

To summarize, we deleted a mis-configured router port forward, and added a missing server block to nginx-sp.

Thank you very much for providing the guidance in setting this up. I really was at a loss as to how to proceed.

Tom.


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.