Certbot setup throwing error for nginx + puma config

I am running a Rails app with the Puma web server, running as a reverse proxy off of nginx.

I just installed apache2 because it was throwing some errors about apache2ctl not found, so I went ahead with that.

I am on Ubuntu 14.04 and ran ./certbot-auto certonly

I went through a few steps of the blue screen setup; I input my front end domain name. I also input my www root dir on the server (/absolute/path/rails_app/public)

I am getting this error now with my setup of certbot:
Failed authorization procedure. MY_URL (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://MY_URL/.well-known/acme-challenge/long_key_here_i_removed_it "

I would say I’m rather ignorant in the domain/web handling department; I'm not even sure what I am supposed to change/configure to get this part moving.

Any help is appreciated, thank you.

You’ve removed your domain name etc which makes it slightly more difficult to help.

The basic thing you need to do is work out where to place a file on your server so that it is displayed at your_URL/.well-known/acme-challenge/file

i.e. can you create a test file (called test) with plain text content “success” such that when you go to your_URL/.well-known/acme-challenge/test in a browser you get “success”?

Once you have worked out that bit of information, it should be relatively straightforward to obtain a certificate.

The domain name is poliok.it

Would I need to place this file in ‘/.well-known’ or ‘/home/ubuntu/application/public’?

Currently the .well-known dir is in ‘/’

I suspect in your setup it would need to be /home/ubuntu/application/public/.well-known/acme-challenge/test

If you create a simple text file there, then browse to http://poliok.it/.well-known/acme-challenge/test to check it.

OK, that worked. I'm still getting an error when running certbot-auto certonly.

I did need to ‘sudo’ when I created .well-known/acme-challenge/ and the file test

Is this relevant?

Since you aren’t using a standard apache config, you’ll need to use the webroot option ( https://certbot.eff.org/docs/using.html#webroot )

You now know what the webroot is ( /home/ubuntu/application/public )

So you should then be able to obtain a certificate, which you will need to install.

Throwing the same error “urn:acme:error:unauthorized :: The client lacks sufficient authorization :” with: certbot-auto certonly --webroot -w /home/ubuntu/gpei-tk/public -d poliok.it

It’s creating a file and checking if the file exists there at this point? I am thinking perhaps the folder permissions are not allowing it when I run certbot? When I had to create test I needed to sudo touch test

You should be running certbot as root ideally ( run it with sudo )

Ran it with sudo, same error. Are there logs I can check? Should I change permissions in the acme-challenge folder, or is that a no-no?

You can change the permissions, yes.

What ownership / permissions does it need? Is it OK if its owner is root? (that depends on your config)

I don't know much about the permissions; I try to touch as little as possible on the server… pull from git and run the server.

I was following a different forum post here; they suggest chmod 755 for /.well-known/acme-challenge. It still gives me permission issues.

When you created the “test” file in /home/ubuntu/application/public/.well-known/acme-challenge/test … what was the owner of that file? And if you change it to root ( chown root. /home/ubuntu/application/public/.well-known/acme-challenge/test ) can you still reach it in your browser?

Yes, I can access it - ran chown root .well-known/acme-challenge/test . Attempted sudo certbot-auto certonly --webroot -w /home/ubuntu/application/public -d poliok.it, same error.

Also tried chown root .well-known/acme-challenge/, still the same…

Is the “test” file still there - because I don’t get a plain text file response.

Still there - http://poliok.it/.well-known/acme-challenge/test - it's an empty file. Updated it with “amazing test”

I get

$ curl -i http://poliok.it/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 07 Dec 2016 17:41:31 GMT
Content-Length: 528
Age: 0
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
  <title>GPEI-TK </title>
  <META name="description" content="Global Polio Eradication Initiative Toolkit"><META name="keywords" content="GPEI-TK">
</head>
<frameset rows="100%,*" border="0">
  <frame src="http://ec2-54-83-129-10.compute-1.amazonaws.com//.well-known/acme-challenge/test" frameborder="0" />
  <frame frameborder="0" noresize />
</frameset>

<!-- pageok -->
<!-- 09 -->
<!-- -->
</html>

rather than a plain text response, which is probably why you are getting an error from certbot, as it’s not getting your file.
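A way to automate the curl check above before re-running certbot, as an added example that is not from this thread: it saves the raw reply for a throwaway token and judges it the way the http-01 validator would (HTTP 200, body equal to the token), flagging an HTML frameset like the IIS one shown above as a forwarded domain. The function names and the temp-file handling are my own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check an http-01 challenge path.
# verify_challenge_response FILE TOKEN
#   FILE is a raw reply saved with `curl -si URL > FILE`; returns 0 when the
#   reply is what certbot expects: HTTP 200 and a body equal to TOKEN.
verify_challenge_response() {
    file=$1; token=$2
    status=$(sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p' "$file" | tr -d '\r')
    ctype=$(grep -i '^Content-Type:' "$file" | head -n 1 | tr -d '\r' | cut -d' ' -f2-)
    server=$(grep -i '^Server:' "$file" | head -n 1 | tr -d '\r' | cut -d' ' -f2-)
    # the body is everything after the first blank line of the reply
    body=$(tr -d '\r' < "$file" | awk 'b { print } /^$/ { b = 1 }')
    echo "server header: ${server:-none} (expected: your nginx, not a forwarder)"
    if [ "$status" != "200" ]; then
        echo "FAIL: HTTP status $status, expected 200"
        return 1
    fi
    case "$ctype" in
        text/html*)
            # An HTML frameset means a forwarding service answered, not the
            # nginx web root, so certbot never sees the file.
            if grep -qi '<frame' "$file"; then
                echo "FAIL: HTML frameset returned; the domain is forwarded, not served"
                return 1
            fi ;;
    esac
    if [ "$body" != "$token" ]; then
        echo "FAIL: body does not match the token"
        return 1
    fi
    echo "OK: challenge path serves the token as plain text"
}

# probe_challenge DOMAIN WEBROOT
#   Writes a throwaway token under WEBROOT/.well-known/acme-challenge/, fetches
#   it over plain HTTP (what the validator uses) and checks the reply.
#   Run with sudo if, as in the thread, the directory is owned by root.
#   usage: probe_challenge poliok.it /home/ubuntu/application/public
probe_challenge() {
    domain=$1; webroot=$2
    token="check-$(date +%s)"
    dir="$webroot/.well-known/acme-challenge"
    reply=$(mktemp)
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    curl -si "http://$domain/.well-known/acme-challenge/$token" > "$reply"
    verify_challenge_response "$reply" "$token"
    rc=$?
    rm -f "$dir/$token" "$reply"
    return $rc
}
```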

I'm going down a different rabbit hole currently; I think it might involve my SSL configuration along with the forwarding from my front custom domain as https. I will circle back when I have something.


Not sure if you solved this yet or not. The .well-known folder should be owned by www-data with 755 permissions; that's how I have it with Nginx. Then you need a location rule to allow access to it, as follows, and make sure this location rule is at the very end of all your location rules; if it sits higher up the chain of location rules, something lower down can override it.

# ACME Challenge Rule
location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
}

How would I implement this config into my current nginx config?

upstream app {
    # Path to Puma SOCK file, as defined previously
    server unix:/home/ubuntu/application/shared/sockets/puma.sock fail_timeout=0;
}

server {
    listen 80;

    listen 443 ssl;

    server_name poliok.it;

    #ssl_certificate /etc/nginx/ssl/nginx.crt;
    #ssl_certificate_key /etc/nginx/ssl/nginx.key;

    root /home/ubuntu/application/public;

    try_files $uri/index.html $uri @app;

    location @app {
        proxy_pass http://app;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $proxy_host;
        proxy_redirect off;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}

Also, I did do chmod 755 recursively on the .well-known folder in the webroot; would I need to do the www-data? How is that done? sudo chown?

upstream app {
    # Path to Puma SOCK file, as defined previously
    server unix:/home/ubuntu/application/shared/sockets/puma.sock fail_timeout=0;
}

server {
    listen 80;

    listen 443 ssl;

    server_name poliok.it;

    #ssl_certificate /etc/nginx/ssl/nginx.crt;
    #ssl_certificate_key /etc/nginx/ssl/nginx.key;

    root /home/ubuntu/application/public;

    try_files $uri/index.html $uri @app;

    location @app {
        proxy_pass http://app;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $proxy_host;
        proxy_redirect off;
    }

    # ACME Challenge Rule
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}

Try adding it where I have placed it and see what happens.