Creating new certificate with Win-acme for Apache and Wildfly

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: planningaccesstest.york.gov.uk

I ran this command: Manually create, validate to FS, .pem file, etc

It produced this output: 403 error during preliminary validation for well-known folder

My web server is (include version): Apache 2.4.39-1 with Wildfly 10

The operating system my web server runs on is (include version): Windows 2012r2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): wacs 2.0.9.386

The specific issue is that wherever I place the .well-known\acme-challenge folder, wacs is not able to use it or see it.

Is there another client that would work better than Win-Acme? Do I need to use a different method to set the certificate up?
I know Wildfly is going to need it adding to its certificate store separately (that’s not an issue).

If you’ve got Apache httpd set up with mod_proxy (or similar) in front of Wildfly, then we can forget about Wildfly: it’s a non-factor for both validation and installation of the certificate. Apache covers all of that on its own.

Say, for example, your Apache setup is currently:

<VirtualHost *:80>
        ServerName planningaccesstest.york.gov.uk
        ProxyPass "/" "http://wildfly:8080/"
</VirtualHost>

You could amend this to:

<VirtualHost *:80>
        ServerName planningaccesstest.york.gov.uk
        DocumentRoot "C:/www"
        ProxyPass /.well-known/acme-challenge !
        ProxyPass "/" "http://wildfly:8080/"
</VirtualHost>

Restart Apache, and then invoke wacs with --webroot "C:\www" .

Thanks for the reply, but this makes no difference.
The .well-known/acme-challenge folder throws a 403 error consistently, and gives a page not found when browsed to.

There are quite a few - ACME Client Implementations - Let's Encrypt
Please note that even though the section says Windows / IIS, that does not mean it is only for the clients specifically tailored for IIS. For example ZeroSSL (which is my client) can produce the certificate perfectly suitable for Apache, with an option to also export it into PFX (if IIS is actually used).

However, from your last post it does not seem that it is a problem with the client you are using, but with the setup of your server or the permissions on the file system. Perhaps checking Apache logs would help you to pinpoint the problem.

Post your Apache virtual host configuration. Otherwise any answers you will receive will be blind guesses.

<VirtualHost *:80>
ServerName planningaccesstest.york.gov.uk
#ServerAlias admin@i-documentsystems.com

#  Rotate logs every day
ErrorLog "|C:/IDOX/Apache/Apache-2.4.39-1/bin/rotatelogs.exe logs/error%Y%m%d.log 86400"
CustomLog "|C:/IDOX/Apache/Apache-2.4.39-1/bin/rotatelogs.exe logs/access%Y%m%d.log 86400" common

###################### START Application specific ####################################
RewriteEngine On

# RewriteEngine On must be before these lines
#Reject non-PA ARGIS Mapping URLS from HTTP requests
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@http?://\1/.* [NC]
RewriteRule ^/arcgis/rest/services/(.*) [F]
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@http?://\1/.* [NC]
RewriteRule ^/PublicAccessWeb/(.*) [F]

# Uncomment the following three lines to add redirect rules when using SSL.
#RewriteCond %{SERVER_PORT} !^443$
#RewriteRule ^/online-applications/(.*)$ https://planningaccesstest.york.gov.uk/online-applications/$1 [L,R]

### PA CONFIGURATION - START ###
    # This will mean that browsing to http://planningaccesstest.york.gov.uk/ will redirect to the site
    RedirectMatch ^/$ http://planningaccesstest.york.gov.uk/online-applications


	# Allow Let's encrypt to work
	DocumentRoot "C:/IDOX/Apache/Apache-2.4.39-1/htdocs"
	ProxyPass /.well-known/acme-challenge !		
	
    ProxyPass /online-applications/admin !
    ProxyPass /online-applications/junitee !

    ProxyPass /online-applications ajp://localhost:8109/online-applications
    ProxyPassReverse /online-applications ajp://localhost:8109/online-applications
    ProxyPass /online-applicationssecurity ajp://localhost:8109/online-applicationssecurity
    ProxyPassReverse /online-applicationssecurity ajp://localhost:8109/online-applicationssecurity
	


    ### ESRI MAP configuration START ###
    # DEFAULT assumes map components are available through IIS on port 80 on the application server
	ProxyPass /PublicAccessWeb http://dipservertest/PublicAccessWeb
	ProxyPassReverse /PublicAccessWeb http://dipservertest/PublicAccessWeb
	ProxyPass /idoxspatial http://dipservertest/idoxspatial
	ProxyPassReverse /idoxspatial http://dipservertest/idoxspatial
	ProxyPass /arcgis http://dipservertest/arcgis
	ProxyPassReverse /arcgis http://dipservertest/arcgis
    ### ESRI MAP configuration END ###


    # Configure skin Apache 2.4.x
    <IfModule alias_module>
        Alias /online-applications-skin/ "D:/IDOX/IDOXPA/IDOXPATEST/PAWeb/skins/online-applications-skin/"

        <Directory "D:/IDOX/IDOXPA/IDOXPATEST/PAWeb/skins/online-applications-skin/">
            Options -Indexes +MultiViews
            AllowOverride None
            Require all granted
        </Directory>
    </IfModule>

	# Configure default error pages in skin
    ErrorDocument 400 /online-applications-skin/error/apacheFail.htm
    ErrorDocument 403 /online-applications-skin/error/apacheFail.htm
    ErrorDocument 404 /online-applications-skin/error/apacheFail.htm
    ErrorDocument 500 /online-applications-skin/error/apacheFail.htm
    ErrorDocument 503 /online-applications-skin/error/apacheFail.htm
###################### END Application specific ######################################

Thanks.

I copied your config into a blank Apache server and was able to create a file at C:/IDOX/Apache/Apache-2.4.39-1/htdocs/.well-known/acme-challenge/testfile and then visit it at http://planningaccesstest.york.gov.uk/.well-known/acme-challenge/testfile.

Does C:/IDOX/Apache/Apache-2.4.39-1/htdocs/.htaccess exist at all? It’s possible that something in there could be intercepting the request.

No - there is no .htaccess file.

I’m not sure what else it could be (mod_security maybe?).

Creating the testfile and then taking @leader’s advice of looking at the Apache error log might be a helpful next step.

Thanks - I’ll have a delve. If it's nothing obvious, that’s helpful!

Getting there. Turned out I needed an extra entry in httpd-core to allow the .well-known folder to be accessible.

Getting a 404 error for the validation file now, so it's probably writing one place and reading somewhere else.
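Pulling together the ProxyPass exclusion suggested earlier in the thread and the later finding that an extra access entry was needed before the .well-known folder would serve, here is a complete virtual host for the http-01 carve-out. This is an added example, not configuration from any poster in this thread; the webroot C:/www, the hostname wildfly:8080 and the placement of the <Directory> block inside the vhost (rather than in httpd-core, where the poster put theirs) are assumptions.

```apache
# Added example (not from the thread): http-01 challenge carve-out for
# Apache 2.4 reverse-proxying to Wildfly. Paths and backend host are
# assumptions; adjust to the real layout.
<VirtualHost *:80>
    ServerName planningaccesstest.york.gov.uk
    DocumentRoot "C:/www"

    # 1. The exclusion must come BEFORE any broader ProxyPass line.
    #    mod_proxy applies the first matching ProxyPass, so an exclusion
    #    placed after "ProxyPass / ..." never takes effect.
    ProxyPass /.well-known/acme-challenge !

    # 2. Apache 2.4 denies access to any directory that is not explicitly
    #    granted. With this block missing, the token file can exist on disk
    #    and the request is still answered with 403 (the symptom above).
    #    If the base <Directory> blocks live in httpd-core, put it there.
    <Directory "C:/www/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # 3. Keep mod_rewrite from touching the challenge path: a forbid rule
    #    ([F]) or an HTTP-to-HTTPS redirect would change the response the
    #    CA sees. "-" leaves the URL unchanged and [L] stops further rules.
    RewriteEngine On
    RewriteRule ^/\.well-known/acme-challenge/ - [L]

    # 4. Everything else goes to the application server.
    ProxyPass "/" "http://wildfly:8080/"
    ProxyPassReverse "/" "http://wildfly:8080/"
</VirtualHost>
```

After restarting Apache, the check suggested above still applies: create C:/www/.well-known/acme-challenge/testfile by hand and fetch http://planningaccesstest.york.gov.uk/.well-known/acme-challenge/testfile from outside the server. A 403 means the <Directory> grant is missing or is not the directory Apache actually resolves; a 404 means the webroot passed to wacs (--webroot "C:\www") is not the same directory as the vhost's DocumentRoot, which matches the symptom in the last reply. The Apache error log records which directory was denied or not found, so it is the first place to look in either case.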
