Certbot with Apache on Red Hat - Custom Apache Paths Need To Be Specified for Challenges to Work


#1

My domain is: londrina.net

I ran this command: ./certbot-auto --apache certonly -d londrina.net

It produced this output:

root@cxs-02-web01l [/opt/certbot]# ./certbot-auto --apache certonly -d londrina.net
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for londrina.net
Cleaning up challenges
File:
* Could not be found to be deleted /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf - Certbot probably shut down unexpectedly
An unexpected error occurred:
IOError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf'
Please see the logfiles in /var/log/letsencrypt for more details.

My operating system is (include version): CentOS release 6.9 (Final)

My web server is (include version): Apache/2.2.29

I can login to a root shell on my machine (yes or no, or I don’t know): YES

It’s a cPanel server.


#2

Can someone help me?


#3

Hi @paulo_silvaa, could you post your log file from /var/log/letsencrypt?


#4

Hello @schoen

2017-05-09 19:56:39,973:DEBUG:acme.client:Storing nonce: Kabe0jPHw8Iv2QUzdj503pggcBAzteey4UVc7QE6jHQ
2017-05-09 19:56:39,975:INFO:certbot.auth_handler:Performing the following challenges:
2017-05-09 19:56:39,976:INFO:certbot.auth_handler:tls-sni-01 challenge for londrina.net
2017-05-09 19:56:42,304:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf to /files/etc/httpd/conf/httpd.conf
2017-05-09 19:56:42,305:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:

<VirtualHost [2804:0084:0000:0451:0000:0000:0000:004b]:443 189.14.255.250:443>
ServerName a3d5ae199a0fd5fa7231e745d75af30a.de79ce28bc92930007b517fe907070c3.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/LEeuN9FCT9JEs8ynaMFAWaNYhg5x54ZRZ8siU6mZBZU.crt
SSLCertificateKeyFile /var/lib/letsencrypt/LEeuN9FCT9JEs8ynaMFAWaNYhg5x54ZRZ8siU6mZBZU.pem

DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

2017-05-09 19:56:42,328:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1862, in perform
sni_response = chall_doer.perform()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 79, in perform
addrs = self._mod_config()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 113, in _mod_config
with open(self.challenge_conf, "w") as new_conf:
IOError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf'

2017-05-09 19:56:42,328:DEBUG:certbot.error_handler:Calling registered functions
2017-05-09 19:56:42,328:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-09 19:56:42,329:WARNING:certbot.reverter:File:
* Could not be found to be deleted /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf - Certbot probably shut down unexpectedly
2017-05-09 19:56:43,672:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 742, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 682, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 82, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/client.py", line 313, in obtain_certificate
self.config.allow_subset_of_names)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
resp = self._solve_challenges()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1862, in perform
sni_response = chall_doer.perform()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 79, in perform
addrs = self._mod_config()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/tls_sni_01.py", line 113, in _mod_config
with open(self.challenge_conf, "w") as new_conf:
IOError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf'

#5

@bmw, could you take a look at this? I’m not sure of the reason for the error. (But maybe it tried to default to /etc/httpd incorrectly because maybe Apache is in fact in /etc/apache2 on this system?)


#6

@schoen I think it's important to remember that this server is a cPanel one. :slight_smile: I don't know if this changes something… I know that there are some plugins to do that, but I want to issue a certificate manually. I want to change the default certificate of Dovecot with a Let's Encrypt certificate.

Thank you very much!


#7

We’ve seen this issue before on Red Hat systems where your Apache configuration is different than Certbot expects. The GitHub issue for this is #3362.

How did you install Apache on this system? You can work around the problem by including --apache-challenge-location <path> on the command line where <path> is a valid file system path.


#8

Thank you very much friend! It worked! :smiley:

But I have just one more question… Do I have to open a new topic?

Now, I want to issue one multi-domain certificate to configure on my Dovecot, which responds for multiple domains.

In this case, do I have to set more than one webroot-path? For example:

./certbot-auto --webroot-path /home/alasagri/public_html/ --webroot /home/persistelecom/public_html/ --webroot /home/persisinternet/public_html/ certonly -d alasagri.com.br -d persistelecom.com.br -d persisinternet.com.br

Best Regards!


#9

hi @paulo_silvaa

A review of the documentation would answer this as it is a problem others have encountered :smiley:

Andrei


#10

Thank you very much Andrei!

Friends, just one more question… I’m having this problem now when I try to issue the certificate for some subdomains…

root@cxs-02-web01l [/opt/certbot]# ./certbot-auto --webroot-path /home/persistelecom/ certonly -d persistelecom.com.br -d www.persistelecom.com.br -d cxs-02-web01l.persistelecom.com.br -d mail.persistelecom.com.br
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for persistelecom.com.br
http-01 challenge for www.persistelecom.com.br
http-01 challenge for cxs-02-web01l.persistelecom.com.br
http-01 challenge for mail.persistelecom.com.br
Using the webroot path /home/persistelecom for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cxs-02-web01l.persistelecom.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cxs-02-web01l.persistelecom.com.br/.well-known/acme-challenge/lWnXAXc6HeoEyIAaVSfPLC4lTtPPiCwdayYCSBrT9C0: "

<htm", mail.persistelecom.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.persistelecom.com.br/.well-known/acme-challenge/cO5u1AoSkp8niE2qDQrOCIh1T6t1piwaCF4_sv9AYRU: "

<htm"

IMPORTANT NOTES:

What I have to do to issue the certificate to mail.* and others subdomains?

Best regards


#11

It seems like those subdomains probably don't have the same webroot directory. When you specify a directory with -w, that has to be a directory where the web server can serve content for each of the following domains. That is, if you say -w /var/www/html and then -d foo.example.com, creating a file /var/www/html/test.txt must result in that file's being served at http://foo.example.com/test.txt. If this is not so, the webroot doesn't match and the webroot validation method won't succeed.

If each subdomain does have a web server but the content is served from a different directory, you can specify an additional webroot directory, like -w /var/www/html1 -d example.com -w /var/www/html2 -d subdomain.example.com, which uses /var/www/html1 for serving content to validate control of example.com and /var/www/html2 for serving content to validate control of subdomain.example.com.

Indeed, actually looking at those sites shows that http://cxs-02-web01l.persistelecom.com.br/ and http://mail.persistelecom.com.br/ have different content from http://persistelecom.com.br/; therefore, they must have different webroot directories!
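
A pre-flight check for the webroot rule described in the reply above: each -w directory must really serve the -d domain that follows it, or the http-01 validation fails exactly as in the pasted output. This is an added example, not code from this thread or from Certbot itself; it drops a throwaway token under <webroot>/.well-known/acme-challenge/ and fetches it back over plain HTTP the way the validator does, and the `serve_dir`/`demo` helpers are stand-ins for Apache that serve a constructed temporary directory on 127.0.0.1.

```python
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PATH = ".well-known/acme-challenge"

def check_webroot(webroot, domain, port=80, timeout=10):
    """Drop a random token under <webroot>/.well-known/acme-challenge/ and fetch it
    back from http://<domain>/..., as the http-01 validator does. Returns (ok, detail)."""
    token = os.urandom(16).hex()
    chal_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    token_file = os.path.join(chal_dir, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    url = "http://%s:%d/%s/%s" % (domain, port, CHALLENGE_PATH, token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        if body.strip() == token:
            return True, "served from %s" % webroot
        # 200 with other content is the '<htm' case in the thread: the vhost
        # answers, but from a different directory (e.g. a default landing page).
        return False, "wrong content: %r" % body[:40]
    except urllib.error.HTTPError as exc:  # e.g. 404: nothing serves this directory
        return False, "HTTP %d" % exc.code
    except (urllib.error.URLError, OSError) as exc:
        return False, "connection failed: %s" % exc
    finally:
        os.remove(token_file)  # leave no challenge litter behind

def serve_dir(directory):
    """Stand-in for Apache in the demo: serve one directory on a random 127.0.0.1 port."""
    srv = HTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo():
    """Constructed scenario: one directory the server serves, one it never sees."""
    served, orphan = tempfile.mkdtemp(), tempfile.mkdtemp()
    srv, port = serve_dir(served)
    try:
        return check_webroot(served, "127.0.0.1", port), check_webroot(orphan, "127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
```

On a real host you would call `check_webroot("/home/persistelecom/public_html", "mail.persistelecom.com.br")` for each -w/-d pair before running certbot; a `False` result means that pair needs its own -w.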


#12

Hello my friends! Thank you very much for helping me! Everything is working fine now. :wink:

Best regards

