Certbot with Apache on Red Hat - Custom Apache Paths Need To Be Specified for Challenges to Work

My domain is: londrina.net

I ran this command: ./certbot-auto --apache certonly -d londrina.net

It produced this output:

root@cxs-02-web01l [/opt/certbot]# ./certbot-auto --apache certonly -d londrina.net
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for londrina.net
Cleaning up challenges
File:
 - Could not be found to be deleted /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf - Certbot probably shut down unexpectedly
An unexpected error occurred:
IOError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf'
Please see the logfiles in /var/log/letsencrypt for more details.

My operating system is (include version): CentOS release 6.9 (Final)

My web server is (include version): Apache/2.2.29

I can login to a root shell on my machine (yes or no, or I don’t know): YES

It’s a cPanel server.

Can someone help me?

Hi @paulo_silvaa, could you post your log file from /var/log/letsencrypt?

Hello @schoen

2017-05-09 19:56:39,973:DEBUG:acme.client:Storing nonce: Kabe0jPHw8Iv2QUzdj503pggcBAzteey4UVc7QE6jHQ
2017-05-09 19:56:39,975:INFO:certbot.auth_handler:Performing the following challenges:
2017-05-09 19:56:39,976:INFO:certbot.auth_handler:tls-sni-01 challenge for londrina.net
2017-05-09 19:56:42,304:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf to /files/etc/httpd/conf/httpd.conf
2017-05-09 19:56:42,305:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:

<VirtualHost [2804:0084:0000:0451:0000:0000:0000:004b]:443 189.14.255.250:443>
ServerName a3d5ae199a0fd5fa7231e745d75af30a.de79ce28bc92930007b517fe907070c3.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/LEeuN9FCT9JEs8ynaMFAWaNYhg5x54ZRZ8siU6mZBZU.crt
SSLCertificateKeyFile /var/lib/letsencrypt/LEeuN9FCT9JEs8ynaMFAWaNYhg5x54ZRZ8siU6mZBZU.pem

DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

2017-05-09 19:56:42,328:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1862, in perform
    sni_response = chall_doer.perform()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 79, in perform
    addrs = self._mod_config()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 113, in _mod_config
    with open(self.challenge_conf, "w") as new_conf:
IOError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf'

2017-05-09 19:56:42,328:DEBUG:certbot.error_handler:Calling registered functions
2017-05-09 19:56:42,328:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-09 19:56:42,329:WARNING:certbot.reverter:File:
 - Could not be found to be deleted /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf - Certbot probably shut down unexpectedly
2017-05-09 19:56:43,672:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 682, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/client.py", line 313, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
    resp = self._solve_challenges()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1862, in perform
    sni_response = chall_doer.perform()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 79, in perform
    addrs = self._mod_config()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 113, in _mod_config
    with open(self.challenge_conf, "w") as new_conf:
IOError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf'

@bmw, could you take a look at this? I’m not sure of the reason for the error. (But maybe it tried to default to /etc/httpd incorrectly because maybe Apache is in fact in /etc/apache2 on this system?)

@schoen I think it's important to remember that this server is a cPanel server. :slight_smile: I don't know if this changes something… I know that there are some plugins to do that, but I want to issue a certificate manually. I want to replace the default certificate of Dovecot with a Let's Encrypt certificate.

Thank you very much!

We’ve seen this issue before on Red Hat systems where your Apache configuration is different than Certbot expects. The GitHub issue for this is #3362.

How did you install Apache on this system? You can work around the problem by including --apache-challenge-location <path> on the command line where <path> is a valid file system path.

2 Likes

Thank you very much friend! It worked! :smiley:

But I have just one more question… Do I have to open a new topic?

Now I want to issue one multi-domain certificate to configure on my Dovecot, which responds for multiple domains.

In this case, do I have to set more than one webroot-path? For example:

./certbot-auto --webroot-path /home/alasagri/public_html/ --webroot /home/persistelecom/public_html/ --webroot /home/persisinternet/public_html/ certonly -d alasagri.com.br -d persistelecom.com.br -d persisinternet.com.br

Best Regards!

hi @paulo_silvaa

A review of the documentation would answer this, as it is a problem others have encountered :smiley:

Andrei

1 Like

Thank you very much Andrei!

Friends, just one more question… I’m having this problem now when I try to issue the certificate for some subdomains…

root@cxs-02-web01l [/opt/certbot]# ./certbot-auto --webroot-path /home/persistelecom/ certonly -d persistelecom.com.br -d www.persistelecom.com.br -d cxs-02-web01l.persistelecom.com.br -d mail.persistelecom.com.br
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for persistelecom.com.br
http-01 challenge for www.persistelecom.com.br
http-01 challenge for cxs-02-web01l.persistelecom.com.br
http-01 challenge for mail.persistelecom.com.br
Using the webroot path /home/persistelecom for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cxs-02-web01l.persistelecom.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cxs-02-web01l.persistelecom.com.br/.well-known/acme-challenge/lWnXAXc6HeoEyIAaVSfPLC4lTtPPiCwdayYCSBrT9C0: "

<htm", mail.persistelecom.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.persistelecom.com.br/.well-known/acme-challenge/cO5u1AoSkp8niE2qDQrOCIh1T6t1piwaCF4_sv9AYRU: "

<htm"

IMPORTANT NOTES:

What I have to do to issue the certificate to mail.* and others subdomains?

Best regards

It seems like those subdomains probably don't have the same webroot directory. When you specify a directory with -w, that has to be a directory where the web server can serve content for each of the following domains. That is, if you say -w /var/www/html and then -d foo.example.com, creating a file /var/www/html/test.txt must result in that file's being served at http://foo.example.com/test.txt. If this is not so, the webroot doesn't match and the webroot validation method won't succeed.

If each subdomain does have a web server but the content is served from a different directory, you can specify an additional webroot directory, like -w /var/www/html1 -d example.com -w /var/www/html2 -d subdomain.example.com, which uses /var/www/html1 for serving content to validate control of example.com and /var/www/html2 for serving content to validate control of subdomain.example.com.

Indeed, actually looking at those sites shows that http://cxs-02-web01l.persistelecom.com.br/ and http://mail.persistelecom.com.br/ have different content from http://persistelecom.com.br/; therefore, they must have different webroot directories!

1 Like

Hello my friends! Thank you very much for helping me! Everything is working fine now. :wink:

Best regards
