CentOS 6.8 can't create acme challenge files


#1

Hi, when using the command to create the certificate:

./letsencrypt-auto --text --agree-tos --email contact@domain.com certonly --renew-by-default --webroot --webroot-path /home/domain/public_html/ -d domain.com -d www.domain.com

I get the error:
Domain: www.domain.com
Type: unauthorized
Detail: Invalid response from
(html showing my not found page)

Ok, so the DIR /domain/www/.well-known is created automatically, but the folder acme-challenge is not. If I create the folder acme-challenge inside .well-known it gets deleted after I run the command.

In my httpd logs this error shows:

Caught race condition abuser. attacker: 511, victim: 0 open file owner: 0, open file: /home/domain/public_html/.well-known/acme-challenge/sd4u_0LFs_PRidRKzZAyXjWD5Tz2JVFnM7d2M3wAdig

I think this is a security setting in PHP or Apache; how could I disable it just to create the certificates?

Thanks in advance!


#2

If you create the .well-known/acme-challenge folder and then place a text "test" file in there, can you then reach it in your browser? From the error you are seeing you can't, and there is probably a redirect somewhere which gives you the "page not found" page.


#3

When I ran the command the .well-known directory gets created on the domain but not the acme-challenge one; if I create it via FTP and put a file in it, I can access the file fine.

But like this:

% printf "%s" thisisthecontentoffile > /home/account/public_html/.well-known/acme-challenge/dummychallengefile

% chmod -R 755 /home/account/public_html/.well-known

% curl -i http://www.domainaccount.com/.well-known/dummychallengefile | cat -A

It gives me the page not found; it doesn't work in the browser either, so yes, it's redirecting me to the page not found.

Where can I change this behavior on my server? Thanks!


#4

I'm guessing you are using Apache? Anything in the .htaccess in that domain?


#5

Actually, thinking that may be it, I tried creating a certificate for other domains on our server with the same results, even with no .htaccess file in the domain.

We have a dedicated server with full control, running CentOS 6.8. We paid someone to do the hardening; could this be it?

In the PHP hardening they did:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set, dl, passthru, proc_close, escapeshellcmd, pcntl_exec, leak, chgrp, ini_alter

also:
Enabled symlink patch.

By applying the symlink patch, we are making Apache treat FollowSymLinks as SymLinksIfOwnerMatch. SymLinksIfOwnerMatch only allows users to use symlinks to their own files. So the below will work. By doing this, even if users or applications add "Options FollowSymLinks" to the .htaccess file, Apache will not throw an error and will treat FollowSymLinks as SymLinksIfOwnerMatch.

and:

Installed mod_evasive to protect from DDoS.

Thanks for any help, really appreciated.


#6

I don't think it will be the PHP hardening.

If there is nothing in the .htaccess, then I'd have a look in the Apache config. In CentOS this is likely to be in /etc/httpd/conf or /etc/httpd/conf.d

If you do a

grep Rewrite -R /etc/httpd/conf

and

grep Rewrite -R /etc/httpd/conf.d

do you have various Rewrite rules and conditions?


#7

Thanks for the help, the first command gave me this output:

/etc/httpd/conf/httpd.conf:RewriteEngine on
/etc/httpd/conf/httpd.conf:RewriteEngine on
/etc/httpd/conf/httpd.conf:RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
/etc/httpd/conf/httpd.conf:RewriteLock /usr/local/apache/logs/rewrite_lock
/etc/httpd/conf/includes/account_suspensions.conf:RewriteEngine On
/etc/httpd/conf/httpd.conf.easyapache_save:RewriteEngine on
/etc/httpd/conf/httpd.conf.easyapache_save:RewriteEngine on
/etc/httpd/conf/httpd.conf.easyapache_save:RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
/etc/httpd/conf/httpd.conf.easyapache_save:RewriteLock /usr/local/apache/logs/rewrite_lock
/etc/httpd/conf/httpd.conf.ea-orig:RewriteEngine on
/etc/httpd/conf/httpd.conf.ea-orig:RewriteEngine on
/etc/httpd/conf/httpd.conf.ea-orig:RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
/etc/httpd/conf/httpd.conf.ea-orig:RewriteLock /usr/local/apache/logs/rewrite_lock
/etc/httpd/conf/httpd.conf.bak:RewriteEngine on
/etc/httpd/conf/httpd.conf.bak:RewriteEngine on
/etc/httpd/conf/httpd.conf.bak:RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
/etc/httpd/conf/httpd.conf.bak:RewriteLock /usr/local/apache/logs/rewrite_lock
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm:RewriteEngine
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm:RewriteEngine on
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm:RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm:RewriteLock /usr/local/apache/logs/rewrite_lock
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteEngine On
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^cpanel.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) http://127.0.0.1:2082/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^webmail.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) http://127.0.0.1:2095/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^whm.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) http://127.0.0.1:2086/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^webdisk.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) http://127.0.0.1:2077/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteEngine On
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^cpanel.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^webmail.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^whm.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTP_HOST} ^webdisk.
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf.work.lsg_7O1HzDjvg9fm: RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P]
/etc/httpd/conf/httpd.conf,v:RewriteEngine on
/etc/httpd/conf/httpd.conf,v:RewriteEngine on
/etc/httpd/conf/httpd.conf,v:RewriteMap LeechProtect prg:/usr/local/cpanel/bin/leechprotect
/etc/httpd/conf/httpd.conf,v:RewriteLock /usr/local/apache/logs/rewrite_lock
/etc/httpd/conf/httpd.conf,v: RewriteEngine On
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpanel.
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) http://127.0.0.1:2082/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webmail.
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) http://127.0.0.1:2095/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^whm.
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) http://127.0.0.1:2086/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webdisk.
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) http://127.0.0.1:2077/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpcalendars.
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) http://127.0.0.1:2079/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpcontacts.
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) http://127.0.0.1:2079/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteEngine On
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpanel.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webmail.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^whm.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webdisk.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpcalendars.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) https://127.0.0.1:2080/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^server.changeme.com$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpcontacts.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTPS} on
/etc/httpd/conf/httpd.conf,v: RewriteRule ^/(.*) https://127.0.0.1:2080/$1 [P]
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpanel.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webmail.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^whm.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webdisk.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^cpanel.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webmail.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^whm.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} ^webdisk.
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$
/etc/httpd/conf/httpd.conf,v: RewriteCond %{HTTP_HOST} !^localhost.localdomain$

The second command shows an error:

grep: /etc/httpd/conf.d: No such file or directory

The file .htaccess contains:

Options -Indexes

That line only.


#8

Those look to be all relatively standard cPanel / WHM redirects, so they shouldn't be causing the issue.

Are you happy to PM me the domain? I assume that the file /.well-known/acme-challenge/dummychallengefile is still there for me to test too.


#9

The error you are getting and the fact that you are receiving a "page not found" does indeed look like symlink protection. What effectively happens is that the system compares the UID of the file requested to the owner of the document root itself. In your case they don't match (see attacker/victim). Make them match and the problem will go away.
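A concrete way to check the ownership comparison described in the reply above, as an added example that is not from this thread or from cPanel. It assumes GNU coreutils (`stat -c`) and reads the thread's log line `attacker: 511, victim: 0 open file owner: 0` as "document root owned by uid 511, challenge file owned by uid 0" (root, because letsencrypt-auto was run as root); that reading is an inference from the reply, not something the thread states outright. The function names (`check_challenge_owners`, `fix_challenge_owners`) are invented for the example.

```sh
#!/bin/sh
# Added example, not from the thread: compare the numeric owner of each file
# in <docroot>/.well-known/acme-challenge with the owner of <docroot>, the
# comparison post #9 attributes to the symlink race condition protection.
# Assumes GNU coreutils (stat -c). The log line from post #1,
#   "attacker: 511, victim: 0 open file owner: 0",
# is read here as: docroot owned by uid 511, challenge file owned by uid 0.
# That reading is an inference from post #9, not a documented format.

# uid_match UID_A UID_B: succeed when the two numeric uids are equal.
uid_match() {
    [ "$1" -eq "$2" ]
}

# owner_uid PATH: print the numeric owner uid of PATH (GNU stat).
owner_uid() {
    stat -c %u "$1"
}

# owner_gid PATH: print the numeric owner gid of PATH (GNU stat).
owner_gid() {
    stat -c %g "$1"
}

# check_challenge_owners DOCROOT: print one report line per challenge file.
# Returns 0 when every file matches the docroot owner, 1 when any differs,
# 2 when DOCROOT itself cannot be stat'ed.
check_challenge_owners() {
    docroot=$1
    dir="$docroot/.well-known/acme-challenge"
    root_uid=$(owner_uid "$docroot") || return 2
    mismatches=0
    if [ ! -d "$dir" ]; then
        echo "no challenge directory at $dir"
        return 0
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: the glob stays literal
        fuid=$(owner_uid "$f")
        if uid_match "$root_uid" "$fuid"; then
            echo "ok        $f (uid $fuid)"
        else
            echo "MISMATCH  $f is owned by uid $fuid, docroot by uid $root_uid"
            mismatches=$((mismatches + 1))
        fi
    done
    echo "$mismatches mismatching file(s)"
    [ "$mismatches" -eq 0 ]
}

# fix_challenge_owners DOCROOT: give the .well-known tree the docroot's owner
# and group, which is the "make them match" remedy from post #9. Only
# .well-known is touched; needs root when the files are root-owned.
fix_challenge_owners() {
    docroot=$1
    root_uid=$(owner_uid "$docroot") || return 2
    root_gid=$(owner_gid "$docroot") || return 2
    chown -R "$root_uid:$root_gid" "$docroot/.well-known"
}

# Stand-alone use: sh check_acme_owner.sh /home/domain/public_html
if [ $# -gt 0 ]; then
    check_challenge_owners "$1"
fi
```

Run the check before and after each `letsencrypt-auto` run: a clean run reports zero mismatches, while a file that the client wrote as root under a user-owned docroot shows up as a MISMATCH line with the same two uids the httpd log pairs as attacker and victim.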


#10

Hi, thanks for the answer. How can I temporarily remove the symlink protection so I can install the certificates, or make them match as you suggest?

Thanks!


#11

Since you have paid someone to do the hardening, I think it might not be the best idea to give any advice regarding changing security settings on your server, especially without full understanding of your environment. The symlink protection can be set up in different ways; check this document for example - https://confluence2.cpanel.net/display/EA/Symlink+Race+Condition+Protection

Assuming that the person or the company doing the hardening provides some level of post-installation support, you could check with them regarding this particular issue you are experiencing, because it is not a one-time temporary change; eventually you will have to re-verify the same or different domains.

Alternatively you might try a different client (one not requiring root) or use a different type of verification (such as DNS).


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.