Certbot not working with CentOS 6

No, it’s intended. It’s my company’s proprietary tool. I’m guessing it’s something I need to put into the virtual host in the httpd.conf file, or is it something else?

Maybe you can ask someone at your company about how to fully or completely disable it. In this case the CA is trying to directly download a challenge file to check that you really control the domain name. The HackGuard tool is apparently trying to first check if the visitor is a real human using a web browser instead of an automated process. But the Let's Encrypt CA is an automated process and is not a human visiting the site using a web browser. So effectively HackGuard blocks it from downloading that file.

OK, I'm talking with the Apache guru now, but it seems like if HG Server is blocking something it ought to be logged somewhere. Is there another Let's Encrypt client that would allow this to work? Additionally, when we previously did the commands for SSL, we used gethttpsfree because we were reusing the private key.

There are other methods of proving your control of the domain name, but one of them (TLS-SNI-01) has just been eliminated because of security concerns, so as long as you're using the HTTP-01 authentication method, you'll probably have to change the HG configuration in some way regardless of what client tools you use.

I’ve been using this command : ./certbot-auto --authenticator webroot --installer apache

Then I give it the root, which is /var/www/html/framework

That’s using the HTTP-01 method.

any time frame on the TLS-SNI being reinstated, or do you think I’d get the same result?

You might not get the same result, depending on exactly how HG works, but I don't think TLS-SNI-01 is going to be brought back. @jsha made a post about allowing some users and organizations that were already using it to continue doing so, but I believe it's going to be permanently disabled for the general public.

So if I’m reading correctly, HTTP-01 is not currently implemented for the Apache plugin?

@ragediver24: it is implemented as of certbot 0.21.0. The post might not yet have been updated.

If you’re stuck with an older certbot, you can still use the method described in the post to use webroot authentication and still use the automatic Apache certificate installer.

I think I have the newest one because it’s a recent install.

start back at Step 1.

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "The key authorization file from the server did not match this challenge [XHV87pFfnguS5AJfCvPEXNYaVs-hQ9Gs5TjJU6y4Qb4.mX5MXs2_kVoFS1UnyI_xAVdeHQgkrb6WoOqeaxgwmtg] != [YzJ_GlEhKB6WJca_-HuWOk651rXWq9ioLdERBh_s3eY.mX5MXs2_kVoFS1UnyI_xAVdeHQgkrb6WoOqeaxgwmtg]",
    "status": 403
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UxVf4VYKLzC6Z37lVfU_6rUj6cwunR6Dnv5Wfc-9MDg/3143870821",
  "token": "XHV87pFfnguS5AJfCvPEXNYaVs-hQ9Gs5TjJU6y4Qb4",
  "keyAuthorization": "XHV87pFfnguS5AJfCvPEXNYaVs-hQ9Gs5TjJU6y4Qb4.mX5MXs2_kVoFS1UnyI_xAVdeHQgkrb6WoOqeaxgwmtg",
  "validationRecord": [
    {
      "url": "http://my.appvision.net/.well-known/acme-challenge/XHV87pFfnguS5AJfCvPEXNYaVs-hQ9Gs5TjJU6y4Qb4",
      "hostname": "my.appvision.net",
      "port": "80",
      "addressesResolved": [ "104.154.85.250" ],
      "addressUsed": "104.154.85.250",
      "addressesTried": []
    }
  ]
}

Trying to use the gethttpsfree.com website and manually generate CSRs. I get to step 5 and get an error. Anyone know what the above error means?
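An added example, not part of any post in this thread and not code from certbot or Let's Encrypt: an HTTP-01 key authorization has the form token.thumbprint, so splitting both bracketed values in the error detail shows which half differs and narrows down why the CA rejected the served file. The function names `split_key_auth` and `diagnose` are hypothetical; the first sample is the detail string quoted above, the second is constructed and assumes the same bracket layout.

```python
import re

B64URL = re.compile(r"^[A-Za-z0-9_-]+$")
PAIR = re.compile(r"\[([^\]]*)\] != \[([^\]]*)\]")  # [expected] != [served]

# Detail string copied from the challenge object quoted in the thread.
THREAD_DETAIL = (
    "The key authorization file from the server did not match this challenge "
    "[XHV87pFfnguS5AJfCvPEXNYaVs-hQ9Gs5TjJU6y4Qb4."
    "mX5MXs2_kVoFS1UnyI_xAVdeHQgkrb6WoOqeaxgwmtg] != "
    "[YzJ_GlEhKB6WJca_-HuWOk651rXWq9ioLdERBh_s3eY."
    "mX5MXs2_kVoFS1UnyI_xAVdeHQgkrb6WoOqeaxgwmtg]"
)
# Constructed sample (not from the thread): a filter answers with an HTML page.
CONSTRUCTED_DETAIL = (
    "did not match this challenge [tokA.thumbA] != "
    "[<html>Checking your browser</html>]"
)


def split_key_auth(value):
    """Return (token, thumbprint), or None if value is not token.thumbprint."""
    parts = value.strip().split(".")
    if len(parts) != 2 or not all(B64URL.match(p) for p in parts):
        return None
    return parts[0], parts[1]


def diagnose(detail):
    """Classify a key-authorization mismatch from an ACME error detail."""
    m = PAIR.search(detail)
    if not m:
        return "no-comparison-in-detail"
    expected = split_key_auth(m.group(1))
    served = split_key_auth(m.group(2))
    if expected is None:
        return "unparseable-expected-value"
    if served is None:
        # Something other than the challenge file answered the request.
        return "served-body-is-not-a-key-authorization"
    if served == expected:
        return "match"
    same_token, same_key = served[0] == expected[0], served[1] == expected[1]
    if same_key and not same_token:
        # Valid file for the same account key, but for another challenge token.
        return "different-token-same-account-key"
    return "different-account-key" if same_token else "different-token-and-key"


if __name__ == "__main__":
    for d in (THREAD_DETAIL, CONSTRUCTED_DETAIL):
        print(diagnose(d))
```

For the error quoted above, the thumbprint halves are identical and only the token differs, so the file served at that URL was a well-formed key authorization for a different challenge token issued to the same account key.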

Was able to update using gethttpsfree. Good through April 2018. Hopefully certbot will be fixed by then.

It would have to be a really recent install, since version 0.21.0 was only released yesterday!

OK, now I need some help with CentOS 7. I’m using certbot-auto since the certbot packaged with CentOS7 hasn’t been provided to the repositories.

I’m getting the following error:

IMPORTANT NOTES:

And I’m able to do it manually with gethttpsfree so I know it’s not my apache server that is the problem

Are you using webroot or standalone? (or still apache?)

using webroot, tried downloading certbot-auto and that didn’t work either

Can you manually create a file at http://cloud.appvision.net/.well-known/acme-challenge/test.txt that can be seen in a browser?

It’s already over https, but I will give it a shot. My Document root is /var/ww/html/framework