Can't re-obtain cert in Laravel Forge

I’m using Laravel Forge to host a site on AWS using NGINX 1.15.8 and PHP 7.3.4. The domain is ceto-cms-staging.360water.com, and the DNS A-record is properly registered in Rackspace.

I was able to use Laravel Forge to obtain a LetsEncrypt cert for the domain. It’s correctly set up at the moment.

However, after setting it up, I tried to add multiple subdomains via the Forge UI, which didn’t work, so when I used the UI to revert back to the one original subdomain, I got the following error:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://ceto-cms-staging.360water.com/.well-known/acme-challenge/l3jIbrjJVBJ88EVnythOrE7E46D_G3DUL2M21Xz5ReU [18.218.162.107]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.15.8\u003c/ce\"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/9YtzdPXLm9QuwCsrk2a9yMiMwsfq7razwadQHOJCvzI/15301925435",
  "token": "l3jIbrjJVBJ88EVnythOrE7E46D_G3DUL2M21Xz5ReU",
  "validationRecord": [
    {
      "url": "http://ceto-cms-staging.360water.com/.well-known/acme-challenge/l3jIbrjJVBJ88EVnythOrE7E46D_G3DUL2M21Xz5ReU",
      "hostname": "ceto-cms-staging.360water.com",
      "port": "80",
      "addressesResolved": [
        "18.218.162.107"
      ],
      "addressUsed": "18.218.162.107"
    },
    {
      "url": "https://ceto-cms-staging.360water.com/.well-known/acme-challenge/l3jIbrjJVBJ88EVnythOrE7E46D_G3DUL2M21Xz5ReU",
      "hostname": "ceto-cms-staging.360water.com",
      "port": "443",
      "addressesResolved": [
        "18.218.162.107"
      ],
      "addressUsed": "18.218.162.107"
    }
  ]
})

I SSH’ed into the server and created a .well-known directory under the site-root/public directory, and I then created an acme-challenge directory within that .well-known directory.

All the permissions seem fine, and if I create a test.txt in the .well-known directory, I can properly access it from the following URL:
https://ceto-cms-staging.360water.com/.well-known/test.txt

However, if I create the same test.txt file in the acme-challenge directory and try to access it, I get a 404 Not Found.
Just for testing purposes, I created an acmechallenge directory (no hyphen) under the .well-known directory and placed a test.txt file in there and I was able to access the file just fine.
Lastly, I have confirmed that the file and directory permissions for all of these directories are the same.

What could possibly be causing this issue and what are some possible things I could do to fix the problem? Thank you.


Hi @HartleySan, welcome to the community forum :wave:

Thanks for providing the results from this experimentation. I think you're narrowing in on what your problem is.

There should be an acme-challenge directory under .well-known. The protocol that powers Let's Encrypt doesn't allow any flexibility in the naming of these directories, so unfortunately an acmechallenge directory won't work.

I'm not at all familiar with Laravel, unfortunately, so my help may be limited! Can you perhaps create the acme-challenge directory manually, confirm that the permissions are set appropriately (maybe match them to the existing .well-known directory) and then see if certificate issuance works as expected?

Is there perhaps an error log from the Laravel certificate generation that would show it failing to write the HTTP-01 key authorization file to the .well-known/acme-challenge directory in your webroot?

cpu, thank you very much for the welcome and prompt reply.

The naming can be a bit confusing, but I don’t think this is a Laravel issue so much as a Laravel Forge issue. Forge is a web-based product put out by the Laravel team that allows you to easily handle all the various DevOps tasks required to run web sites/apps, including the generation/registration of SSL certs.

I probably should have mentioned this in my original post, but I already manually created an acme-challenge (with the hyphen) directory under the .well-known directory, and I’m still getting the same error noted in my original post.

All the permissions are the same for all the directories and files, and I can access the .well-known/test.txt and .well-known/acmechallenge/test.txt files just fine, but I can’t access the .well-known/acme-challenge/test.txt file.

Please hit up the following URLs to see what I mean:
https://ceto-cms-staging.360water.com/.well-known/test.txt
https://ceto-cms-staging.360water.com/.well-known/acmechallenge/test.txt
https://ceto-cms-staging.360water.com/.well-known/acme-challenge/test.txt

I looked through all the NGINX conf files for anything related to “acme”, and there’s only the following instance in the following file:

/etc/nginx/forge-conf/ceto-cms-staging.360water.com/server/letsencrypt_challenge.conf

location /.well-known/acme-challenge {
    auth_basic off;
    allow all;
    alias /home/forge/.letsencrypt;
}

I’m not an expert on SSL certs (which is why I’m using Laravel Forge and LetsEncrypt to help me), so I’m not really sure how to even diagnose or debug the problem. All I can say is that the Googling I have done over the past few days and the similar topics I have looked at on this forum have not solved my problem. Thank you again for your help.

Aha! Thanks for explaining that :slight_smile:

:+1: Ok, that's valuable to know.

Can you try creating a test.txt file in the /home/forge/.letsencrypt directory and then accessing https://ceto-cms-staging.360water.com/.well-known/acme-challenge/test.txt? Are the permissions on that directory sensible looking?

It seems like Nginx is perhaps configured to handle the /.well-known/acme-challenge path using a different directory than your normal site-root.
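As an added illustration (not code from the thread, Forge, or Let's Encrypt), the following Python models the two pieces being debugged above: how nginx's `alias` inside the `location /.well-known/acme-challenge` block maps the challenge URL onto `/home/forge/.letsencrypt/<token>` rather than the site's `public/` directory, and what the CA's validator actually requires at that URL per RFC 8555 (a 200 whose body is the key authorization, `token.thumbprint(accountKey)`). The token is the one from the error in this thread; the account JWK is a constructed placeholder with dummy coordinates, and the `nginx_alias_path` helper is a simplified model of prefix-location `alias` handling, not nginx's own code.

```python
"""ACME HTTP-01 plumbing: nginx `alias` path mapping and the CA-side check.

Added illustration for this thread; not Forge's, nginx's or Let's Encrypt's code.
"""
import base64
import hashlib
import json
import posixpath
from typing import Optional


def nginx_alias_path(location: str, alias: str, request_uri: str) -> Optional[str]:
    """Emulate `alias` inside a prefix `location` block (simplified model).

    nginx replaces the matched prefix with the alias directory, so
    `location /.well-known/acme-challenge { alias /home/forge/.letsencrypt; }`
    serves /.well-known/acme-challenge/<token> from /home/forge/.letsencrypt/<token>,
    and files under the site's public/.well-known/acme-challenge/ are never consulted.
    Returns None when the URI is outside the location. Prefix locations only:
    no regex locations, no try_files, no index handling.
    """
    loc = location.rstrip("/")
    if not (request_uri == loc or request_uri.startswith(loc + "/")):
        return None
    rest = request_uri[len(loc):] or "/"
    # nginx normalises the URI before location matching, so '..' cannot escape the alias.
    if ".." in rest.split("/"):
        return None
    return posixpath.normpath(alias.rstrip("/") + rest)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted
    lexicographically, no whitespace; base64url-encoded without padding."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01_response(status: int, body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks after fetching /.well-known/acme-challenge/<token>:
    HTTP 200 whose body (trailing whitespace ignored) equals the key authorization.
    An nginx 404 page, like the one quoted in the thread, fails regardless of content."""
    return status == 200 and body.strip() == key_authorization(token, account_jwk)


# Token copied from the error in this thread. The account key is a constructed
# placeholder (EC P-256 JWK with dummy coordinates), not a real ACME account key.
TOKEN = "l3jIbrjJVBJ88EVnythOrE7E46D_G3DUL2M21Xz5ReU"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

if __name__ == "__main__":
    uri = "/.well-known/acme-challenge/" + TOKEN
    print("nginx would open:", nginx_alias_path("/.well-known/acme-challenge",
                                                "/home/forge/.letsencrypt", uri))
    print("file must contain:", key_authorization(TOKEN, ACCOUNT_JWK))
```

The practical consequence for the debugging above: a file dropped into `public/.well-known/acme-challenge/` is shadowed by the `alias`, so the only path worth testing is the one the `location` block actually serves, and the only content the CA will accept there is the exact key authorization string for the current challenge.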

cpu, thanks for the prompt reply and suggestions.

I created a test.txt file in the /home/forge/.letsencrypt directory, but I still couldn’t access the file from the URL https://ceto-cms-staging.360water.com/.well-known/acme-challenge/test.txt.

I didn’t notice it before, but it’s worth noting that Laravel Forge automatically put a file in that directory called test, and I was able to access that file just fine. Or rather, when I went to https://ceto-cms-staging.360water.com/.well-known/acme-challenge/test, it automatically downloaded the file, and I was able to confirm that it was the file I was looking at on the server by loading it up into my text editor and seeing the same content.

I have no clue why I can access and download the test file, but not the test.txt file I created in the same directory. The permissions were almost the same too. In fact, test is only 644, but test.txt is 664, and yet I can access test, but not test.txt. I even made them the same permissions just in case, but it didn’t matter.

I also tried commenting out the contents of the LetsEncrypt NGINX conf file and restarting NGINX, but I still can’t access test.txt (and I can still access test; what?!).

Wish I could provide you with more info, but I’m not even really sure where to look at this point.
What confuses me more than anything is that there’s literally only one button I can press in Laravel Forge to do all of this, and when I pressed it the first time, it worked fine, but it hasn’t worked for any subsequent presses.

Please let me know if you have any other ideas. Otherwise, I may need to ask a similar question on the Laravel Forge forum and see if they can help there, as this may be more a Forge issue than a LetsEncrypt issue. Thank you.

That is pretty strange! I don't have a good theory to explain that behaviour either.

I'm afraid I don't have any great ideas for next debugging steps. Trying to pursue this with a Laravel Forge specific forum sounds like a good idea. I'm confident the problem is with the HTTP-01 challenge response and webserver configuration on your server and not something I can help address from the Let's Encrypt side.

Good luck! I wish we had better luck figuring it out in this thread but perhaps someone on the forum with more Laravel Forge expertise will see it and jump in.

Finally figured out the issue, and I’m embarrassed to admit it: I was trying to add the cert to the web server directly, when I needed to add it to the load balancer that was set up through Forge. Once I did that, it solved my problem.

Sorry for the runaround and headaches.


Glad to hear you were able to figure it out! Your solution makes sense. I didn’t realize there was a load-balancer in the mix :slight_smile:

Thanks for reporting back!
