Certbot not creating web link correctly for domain verification


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
epyc.org
I ran this command:
certbot
It produced this output:
Domain: epyc.org
Type: connection
Detail: Fetching https://epyc.org.well-known/acme-challenge/pnmhjm8AB9ojWsYSFq1fgrrZ_7noiyKKyFVH3KqsSJc: dns :: DNS problem: NXDOMAIN looking up A for epyc.org.well-known

My web server is (include version):
Apache 2.4.25 (Debian)

The operating system my web server runs on is (include version):
Debian Stretch, patched to current

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

I can see what the problem is, I just have no idea how to fix it. If you look at the URL above, certbot is attempting to verify at https://epyc.org.well-known/acme… instead of https://epyc.org/well-known/acme… It’s a simple matter of a “.” that should be a “/”. I’ve tried both the Debian packaged certbot, and the certbot-auto installed version. No difference. Is there a parameter that I can pass to force the generated URL to be correct?


#2

The bad redirect comes from Apache. You need to add a trailing slash.

https://letsdebug.net/epyc.org/26299

It appears that a redirect was generated by your web server that is missing a trailing slash after your domain name: https://epyc.org.well-known/acme-challenge/letsdebug-test. Check your web server configuration and .htaccess for Redirect/RedirectMatch/RewriteRule.
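The mechanism behind that finding, as an added example that is not code from the thread, from Certbot or from Apache: the first function models how Apache's mod_alias `Redirect` builds the `Location` header (the remainder of the request path after the matched prefix is appended to the target with no separator inserted), and the second is a check in the spirit of the letsdebug result that flags a redirect of an HTTP-01 challenge request whose hostname has absorbed the challenge path or whose path no longer points at `/.well-known/acme-challenge/`. The broken directive `Redirect permanent / https://epyc.org` is reconstructed from the description above (the thread only shows the corrected form with the trailing slash); the token value and the function names are constructed for the example.

```python
"""Model and check Apache 'Redirect' behaviour for ACME HTTP-01 challenge paths."""
from urllib.parse import urljoin, urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"


def apache_redirect_target(url_path, target, request_path):
    """Model how mod_alias 'Redirect [status] url-path target' builds Location.

    mod_alias treats url_path as a prefix of the request path and appends the
    remainder of the request path to target verbatim, inserting no separator.
    With 'Redirect permanent / https://epyc.org' (no trailing slash) the request
    /.well-known/acme-challenge/TOKEN therefore becomes
    https://epyc.org.well-known/acme-challenge/TOKEN, which is the hostname the
    validator failed to resolve in the thread.  Returns None when the directive
    does not match the request.
    """
    if not request_path.startswith(url_path):
        return None
    return target + request_path[len(url_path):]


def check_acme_redirect(request_url, location):
    """Return the problems with redirecting an HTTP-01 challenge request.

    An empty list means the redirect is acceptable for validation: the target
    is http(s) and still names the same /.well-known/acme-challenge/<token>
    path, so a validator following it asks for the same challenge file.
    """
    problems = []
    req = urlsplit(request_url)
    # A relative Location is resolved against the request, as a client would.
    loc = urlsplit(urljoin(request_url, location))
    if loc.scheme not in ("http", "https"):
        problems.append(f"redirect target uses unsupported scheme {loc.scheme!r}")
    # Signature of the missing trailing slash: the challenge path has been
    # glued onto the hostname, producing a DNS name that does not exist.
    if ".well-known" in loc.netloc:
        problems.append(
            "hostname absorbed the challenge path: missing trailing slash in the Redirect target"
        )
    if not loc.path.startswith(ACME_PREFIX):
        problems.append("redirect target no longer points at /.well-known/acme-challenge/")
    elif loc.path != req.path:
        problems.append("redirect target names a different challenge token path")
    return problems


def evaluate_directive(target, host="epyc.org", token="constructedToken123"):
    """Apply 'Redirect permanent / <target>' to a challenge request for host.

    Returns (location, problems) for the request the ACME validator would make;
    host and token here are constructed sample values.
    """
    request_url = f"http://{host}{ACME_PREFIX}{token}"
    location = apache_redirect_target("/", target, urlsplit(request_url).path)
    return location, check_acme_redirect(request_url, location)


if __name__ == "__main__":
    for target in ("https://epyc.org", "https://epyc.org/"):
        location, problems = evaluate_directive(target)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"Redirect permanent / {target}\n  -> {location}\n  {verdict}")
```

The check inspects only the redirect itself and fetches nothing; a redirect to HTTPS is fine for validation as long as the path survives, which is why the corrected directive with the trailing slash passes while the slash-less one fails on both the hostname and the path.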


#3

Thank you for the hint, and the pointer to letsdebug. Fixed the slash, now have managed to acquire a permissions problem. Sigh.

And Developers wonder why people don’t update working code very often… :slight_smile:


#4

Figured out the permissions issue - it may be Debian specific.
Certbot creates the necessary config entries, pointing them at .well-known/acme-challenge. Unfortunately, certbot then creates the verification files in /var/lib/letsencrypt/http_challenges, which isn’t in the web root, and not where the URL rewrite rules point. Which is pretty useless.

Quick & Dirty solution: remove the acme-challenges subdirectory, and create a link there that points back to the dir in /var/lib, with the necessary permissions. Voila! Certbot creates the rewrite rules, creates the verification file in the wrong place, and serves it up properly via the link. Fixed now, and hopefully for future renewals.


#5

The idea in the Apache authenticator/plugin is that it injects temporary configuration that directs the challenge requests towards that other, non-web root directory. This is the simplest approach because otherwise it would have to also go hunting for .htaccess files etc that might be interfering.

Occasionally it has been known to be incompatible with certain exotic or incorrect configurations (mod_jk, mod_uwsgi, duplicate virtualhost names), but it mostly “just works”.

If you can post the full Apache config where it didn’t work for you, that could form the basis for a bug report.

The changes you made shouldn’t be necessary, but I’m happy to hear that it’s working for you now.


#7

Hmmm. Not sure what you want in the way of “full Apache config”, but this is the site .conf file contents. Note the date at top - that’s how long ago I first set up LetsEncrypt SSL certs on this server. Had been working fine until this year. I deleted the # at the beginning of the line, as the forum was insisting on BOLDing that line.

    # JDB 06/17/2016
    <VirtualHost *:443>
        DocumentRoot /var/www/epyc.org
        ServerName epyc.org
        ServerAlias *.epyc.org
        ErrorLog /var/log/apache2/epyc.org/error_log
        CustomLog /var/log/apache2/epyc.org/access_log combined

        # The opening tag of this block was swallowed by the forum; the directives
        # match the usual Debian deny-all block for the filesystem root, restored here.
        <Directory />
            AllowOverride None
            Order Deny,Allow
            Require all denied
        </Directory>

        <Directory /var/www/epyc.org/tt-rss/cache>
            Require all denied
        </Directory>

        <Directory /var/www/epyc.org/tt-rss>
            <Files "config.php">
                Require all denied
            </Files>
        </Directory>

        <Directory /var/www/epyc.org>
            Options FollowSymLinks MultiViews
            Options -Indexes
            AllowOverride None
            Require all granted
        </Directory>

        <Directory /var/www/epyc.org/tt-rss>
            Options FollowSymLinks MultiViews
            Options -Indexes
            AllowOverride None
            Require all granted
        </Directory>

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/epyc.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/epyc.org/privkey.pem
    </VirtualHost>


#8

It’s the port 80 virtual hosts that can help diagnose this - since that’s where the validation occurs. Because the malfunctions sometimes are caused by the way that the entire Apache configuration combines together, the best way is to create an archive of the entire /etc/apache2/ directory (excluding any log or other sensitive directories).


#9

Ah. Well, here’s the port 80 config:

<VirtualHost *:80>
    ServerName epyc.org
    ServerAlias *.epyc.org
    ErrorLog /var/log/apache2/epyc.org/error_log 
    CustomLog /var/log/apache2/epyc.org/access_log combined
    <Location /> 
         Redirect permanent / https://epyc.org/
    </Location>
</VirtualHost>

#10

Hi @a9db0

There is a redirect to https. And your /.well-known/acme-challenge subdirectory is redirected to https (checked via https://check-your-website.server-daten.de/?q=epyc.org ):

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://epyc.org/ | 50.116.44.159 | 301 | https://epyc.org/ | 0.244 | A | |
| http://www.epyc.org/ | 50.116.44.159 | 301 | https://epyc.org/ | 0.247 | E | |
| https://epyc.org/ | 50.116.44.159 | 200 | | 1.460 | I | |
| https://www.epyc.org/ | 50.116.44.159 | 200 | | 1.207 | N | Certificate error: RemoteCertificateNameMismatch |
| http://epyc.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 50.116.44.159 | 301 | https://epyc.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.247 | A | Visible Content: Moved Permanently The document has moved here. Apache/2.4.25 (Debian) Server at epyc.org Port 80 |
| http://www.epyc.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 50.116.44.159 | 301 | https://epyc.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.240 | E | Visible Content: Moved Permanently The document has moved here. Apache/2.4.25 (Debian) Server at www.epyc.org Port 80 |
| https://epyc.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 1.013 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.25 (Debian) Server at epyc.org Port 443 |

Your 443 vHost has

DocumentRoot /var/www/epyc.org

as DocumentRoot. So use this to create a new certificate:

certbot run -a webroot -i apache -w /var/www/epyc.org -d epyc.org -d www.epyc.org

Both versions (non-www and www) have an A-record:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| epyc.org | A | 50.116.44.159 | yes | 2 | 0 |
| epyc.org | AAAA | | yes | | |
| www.epyc.org | C | epyc.org | yes | 1 | 0 |
| www.epyc.org | A | 50.116.44.159 | yes | | |

So you should create one certificate with both domain names.
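The "RemoteCertificateNameMismatch" in the check above is the client refusing a certificate whose names do not cover the hostname it connected to, and the recommendation to put both names on one certificate follows from the matching rule clients apply. The function below, an added example that is not code from the thread or from Certbot, implements that rule as browsers and most TLS clients apply it (exact match, or a wildcard that is the whole leftmost label and stands for exactly one label); the SAN lists and hostnames are constructed to mirror the before and after state of epyc.org.

```python
"""Hostname-to-certificate name matching as TLS clients apply it."""


def hostname_matches_san(hostname, san_dns_names):
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Rules after RFC 6125 / RFC 2818 as browsers apply them: comparison is
    case-insensitive, an exact match wins, a wildcard is honoured only as the
    entire leftmost label ("*.epyc.org"), matches exactly one label, and never
    matches the bare apex name.  Wildcards with fewer than three labels are
    rejected here as a simplification of the public-suffix rule clients use.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if (
            labels[0] == "*"
            and len(labels) >= 3
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


def uncovered_hostnames(served_hostnames, san_dns_names):
    """Return the served hostnames the certificate does not cover.

    Feed it every name the web server answers for (ServerName plus ServerAlias
    expansions that real visitors use); anything returned will produce a name
    mismatch error in clients.
    """
    return [h for h in served_hostnames if not hostname_matches_san(h, san_dns_names)]


# Constructed sample data mirroring the thread: the old certificate carried only
# the apex name, the new one carries both names that have A records.
OLD_SANS = ["epyc.org"]
NEW_SANS = ["epyc.org", "www.epyc.org"]
SERVED = ["epyc.org", "www.epyc.org"]

if __name__ == "__main__":
    print("old certificate misses:", uncovered_hostnames(SERVED, OLD_SANS))
    print("new certificate misses:", uncovered_hostnames(SERVED, NEW_SANS))
```

Note that an Apache `ServerAlias *.epyc.org` only decides which virtual host answers; it does not widen what the certificate covers, so every name visitors actually use must appear in the certificate's SAN list or be matched by a wildcard name in it.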


#11

I gave that command a shot, and it worked nicely. We’ll see if the renewal in June is as clean.

Thanks all for your help!
Dave


#12

Yep, now you have a new certificate with both domain names:

| CN | valid from | valid to | expires in | names |
|---|---|---|---|---|
| CN=epyc.org | 16.03.2019 | 14.06.2019 | 90 days | epyc.org, www.epyc.org - 2 entries |

But you have Grade I - content problems.

| source | URL | status | message | count | problem |
|---|---|---|---|---|---|
| style-attribute | file:///H:/Web/graphics/bg511.jpg | 404 | Not Found | 1 | missing file |

That’s a local file, not a file from your webserver.


#13

In the grand scheme of things, that was a really low priority item. But since you pointed it out, I fixed it. :slight_smile:
Thanks!