Can't create a certificate


#1

Hello, we have a domain and we already use Let's Encrypt certificates. My colleague did all the necessary configuration for the other URLs. Yet it is my turn now to do some things, since he is on holiday.

The story is, I created a new Linux (openSUSE 42.3) server and installed Apache and certbot separately in order to use it as a reverse proxy, so I can expose to the outside world a service like GitLab that I installed locally.

So, I first created a CNAME, i.e. gitlab.domain.gr, and since it didn't work I changed it to an A record with the same name (gitlab.domain.gr).

I created a vhost configuration in Apache, see below. My aim is to publish GitLab and be able to log in remotely from outside the local network. Yet I cannot create

I would appreciate any help, thank you.

My domain is:

If it's possible I don't want to write it down here; I can communicate it to you via email if there is a need.

I ran this command:

certbot certonly --webroot -w /srv/www/htdocs/gitlab.domain.gr/ -d gitlab.domain.gr

It produced this output:

Saving debug log to /var/log/certbot/letsencrypt.log
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gitlab.domain.gr
Using the webroot path /srv/www/htdocs/gitlab.domain.gr for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. gitlab.domain.gr (http-01): urn:acme:error:unauthorized :: The client lacks sufficin/acme-challenge/nRZoV3r_Loi4DcB8ntibaNu_3emGw2xUf-TirtB1g8Y: “<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE l1/D”

IMPORTANT NOTES:

My web server is (include version):

Apache 2.4

The operating system my web server runs on is (include version):

openSUSE Leap 42.3

My hosting provider, if applicable, is:

papaki.gr

I can login to a root shell on my machine (yes or no, or I don’t know): yes


<VirtualHost *:80>
    ServerName gitlab.domain.gr
    DocumentRoot /srv/www/htdocs/gitlab.domain.gr
    ErrorLog /var/log/apache2/gitlab.domain.gr-error_log
    CustomLog /var/log/apache2/gitlab.domain.gr-access_log combined

    <Location "/.well-known/acme-challenge/">
        Options None
        # AllowOverride None was here; it is only valid inside <Directory> and Apache rejects it in <Location>
        ForceType text/plain
        # Only token-shaped names (43 base64url characters) are served; anything else gets a 404
        RedirectMatch 404 "^(?!/.well-known/acme-challenge/[\w-]{43}$)"
        Require all granted
    </Location>

    RewriteEngine on

    # Redirect all http traffic to https, except the ACME challenge path
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    # Note: this sends every request to the site root; use https://%{SERVER_NAME}%{REQUEST_URI} to keep the path
    RewriteRule ^/.*$ https://%{SERVER_NAME}/ [redirect]
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /srv/www/htdocs/gitlab.domain.gr
    ServerName gitlab.domain.gr

    ErrorLog /var/log/apache2/gitlab.domain.gr-error_log
    CustomLog /var/log/apache2/gitlab.domain.gr-access_log ssl_combined

    SSLEngine on

    SSLProtocol all -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLHonorCipherOrder on
    SSLCompression off

    SSLCertificateFile
    SSLCertificateKeyFile
    SSLCertificateChainFile

    # ProxyPass needs a path argument inside a <VirtualHost>; "/" proxies everything on this vhost
    ProxyPass "/" "http://192.168.7.74/"
    ProxyPassReverse "/" "http://192.168.7.74/"

    <Proxy "http://192.168.7.74">
        ProxySet connectiontimeout=60 timeout=300
        RequestHeader set X-Forwarded-Proto "https"
    </Proxy>

    <Directory "/srv/www/htdocs/gitlab.domain.gr">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>


#2

Try creating a file:

/srv/www/htdocs/gitlab.domain.gr/.well-known/acme-challenge/test

and see if you can access it at http://gitlab.domain.gr/.well-known/acme-challenge/test from outside your network. If not, try fixing that first, then run certbot again.


#3

You may need to exclude the /.well-known/acme-challenge/ requests from being proxied.
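The checks suggested in #2 and #3 as one script, an added example that is not from this thread: it drops a token-shaped probe file into the webroot, fetches it over plain HTTP the way the ACME validator does (no redirects followed), and names what went wrong (redirected by the RewriteRule, answered by another site or the proxied backend, or not found). The webroot and host name are assumed from post #1; override them with WEBROOT= and HOST=.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults; override: WEBROOT=... HOST=... sh probe.sh
WEBROOT="${WEBROOT:-/srv/www/htdocs/gitlab.domain.gr}"
HOST="${HOST:-gitlab.domain.gr}"
# Create a probe file named like a real ACME token (43 base64url chars), so the
# RedirectMatch 404 filter in the <Location> block of post #1 lets it through. Prints the name.
make_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
    printf '%s\n' "$token" > "$dir/$token"
    printf '%s' "$token"
}
# Diagnose (status, body, expected token). The validator follows no redirects and needs
# the exact token in a 200 body, so every deviation gets its own name.
classify() {
    status="$1"; body="$2"; token="$3"
    case "$status" in
        200)
            if [ "$body" = "$token" ]; then echo ok
            else
                case "$body" in
                    '<?xml'*|'<!DOCTYPE'*|'<html'*) echo served-by-other-site ;;
                    *) echo wrong-body ;;
                esac
            fi ;;
        301|302|307|308) echo redirected ;;
        404) echo not-found ;;
        *) echo "unexpected-$status" ;;
    esac
}
# Create the probe, fetch it over plain HTTP as the validator would, explain, clean up.
# Run from outside the LAN (or with HOST resolving to the public address) for a real answer.
probe_challenge_path() {
    token=$(make_probe "$WEBROOT") || return 1
    url="http://$HOST/.well-known/acme-challenge/$token"
    body_file=$(mktemp)
    status=$(curl -s -o "$body_file" -w '%{http_code}' "$url")
    result=$(classify "$status" "$(cat "$body_file")" "$token")
    rm -f "$body_file" "$WEBROOT/.well-known/acme-challenge/$token"
    echo "$url -> $result"
    case "$result" in
        ok) return 0 ;;
        redirected) echo "  the http->https RewriteRule is catching the challenge path" ;;
        served-by-other-site) echo "  another vhost, the proxied backend, or a different host answered" ;;
        not-found) echo "  webroot mismatch, or DNS for $HOST points at another server" ;;
    esac
    return 1
}
```

Source the file and call `probe_challenge_path`; an `ok` result means certbot's http-01 check should pass for the same path.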