Error with certonly mode


#1

Hello,

I’m trying to use letsencrypt for the first time. I’m on CentOS 6, and I’m using CakePHP as my PHP framework.

As there is no installer for CentOS 6, I have to run ./letsencrypt-auto certonly (correct me if I’m wrong).

When I do this a screen appears, and in the end it returns the following error:

The client lacks sufficient authorization :: Invalid response from mywebsite.com/.well-known/acme-challenge/…: " etc…

Basically it’s going to my error page.

And here I’m lost. What should I do then?

Thanks a lot for any help
Ludovic


#2

Put some file with a known name (say “test.txt”) into .well-known/acme-challenge/ and try accessing it from your browser, just like you would with any file. Watch your webserver access/error logs to see what’s happening. There might be something wrong with your server configuration preventing files from being accessed (for example some deny rule for anything starting with a dot). Once you figure out what that is and fix it, continue with certbot.


#3

Hello, thanks for your answer.

when I want to connect to http://meetropole.com/.well-known/acme-challenge/test.txt I can see the content of the file.

I’m still lost :confused:


#4

I get a “404 - file not found”

```
curl -I http://meetropole.com/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Date: Sun, 12 Jun 2016 17:21:49 GMT
Server: Apache
Set-Cookie: CAKEPHP=4c007fe99bfdd6dba49fc1d129f1b9d3; expires=Sun, 12-Jun-2016 21:21:49 GMT; Max-Age=14400; path=/; HttpOnly
Content-Length: 4424
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
```

Do you have a firewall, or some other device that is checking user type and blocking certain requests?
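A pre-flight script that automates the test-file check from post #2 and the curl probe from post #4, added here as an example (not from the thread, and not part of certbot). It assumes a POSIX sh and curl; the host and webroot are placeholders, and treating a CakePHP session cookie or an HTML body as "the PHP app answered instead of the static file" is a heuristic based on the headers shown above.

```shell
#!/bin/sh
# HTTP-01 webroot pre-flight, written for this thread (not certbot's code).
# Assumes a POSIX sh and curl; HOST and WEBROOT below are placeholders.
HOST="${HOST:-mywebsite.com}"                 # domain on the certificate
WEBROOT="${WEBROOT:-/var/www/html}"           # the -w path given to certbot
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Classify a raw "curl -i" response (headers + body). Prints one word:
#   ok           200, body's first line equals the expected token
#   app-handled  the PHP app answered instead of the static file
#                (CakePHP session cookie or an HTML body): the rewrite
#                rule in .htaccess swallowed the request
#   redirect     3xx answer; certbot follows it, but check where it goes
#   bad          anything else (404 from Apache itself, 403, 5xx, ...)
classify_response() {
    resp="$1"; expected="$2"
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    headers=$(printf '%s\n' "$resp" | sed '/^[[:space:]]*$/q')
    body=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')
    case "$status" in
        3??) echo redirect; return 1 ;;
    esac
    if printf '%s\n' "$headers" | grep -qi '^Set-Cookie: CAKEPHP=' \
       || printf '%s\n' "$headers" | grep -qi '^Content-Type: text/html'; then
        echo app-handled; return 1
    fi
    if [ "$status" = 200 ] && [ "$(printf '%s\n' "$body" | head -n 1)" = "$expected" ]; then
        echo ok; return 0
    fi
    echo bad; return 1
}

# Live check: write a token-shaped file (43 base64url chars, like a real
# ACME token) into the webroot, fetch it over plain HTTP the way the CA
# does (no browser User-Agent, redirects not followed), then remove it.
preflight() {
    token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
    mkdir -p "$CHALLENGE_DIR" || return 1
    printf '%s\n' "$token" > "$CHALLENGE_DIR/$token"
    resp=$(curl -s -i -A 'acme-preflight/0.1' "http://$HOST/.well-known/acme-challenge/$token")
    rm -f "$CHALLENGE_DIR/$token"
    classify_response "$resp" "$token"
}
```

Run `preflight` on the web server itself with HOST and WEBROOT set; anything other than `ok` means the validator will see what you see, before you spend a rate-limited attempt.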


#5

Weird.
Not that I’m aware of.
If you try to connect with a web browser you can see it, no?
Thanks


#6

That depends on which browser I use :wink: - hence my asking if you have something which is checking user type - probably to give different content to mobile compared with desktop users.

You may need to add

 <LocationMatch "/.well-known/acme-challenge/*">
        Header set Content-Type "text/plain"
 </LocationMatch>

into your apache config to ensure you just provide a plain text response (since letsencrypt will effectively be using something like curl - and hence getting a 404 error currently).


#7

You are probably right, but I tried to modify /etc/httpd/conf/httpd.conf and restarted the server, and I still have the issue.
thanks


#8

Do you have anything else in your .htaccess (or httpd.conf) which could be affecting things?


#9

I tried to add it in .htaccess, but then my web site doesn’t respond anymore:
“Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.”

> <IfModule mod_headers.c>
>     <LocationMatch "/.well-known/acme-challenge/*">
>         Header set Content-Type "text/plain"
>     </LocationMatch>
> </IfModule>


> <IfModule mod_rewrite.c>
>     RewriteEngine on
>     RewriteCond %{REQUEST_FILENAME} !-d
>     RewriteCond %{REQUEST_FILENAME} !-f
>     RewriteRule ^(.*)$ index.php?/$1 [QSA,L]
>     AddDefaultCharset UTF-8
> </IfModule>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

# Or, compress certain file types by extension:
<files *.html>
SetOutputFilter DEFLATE
</files>

#10

Sorry, I wasn’t suggesting that you add that to the .htaccess, it’s not in the correct format - so would give a 500 error.

I was asking if something else within your .htaccess could be causing an issue.

Is the above your complete .htaccess? And I assume that the lines with a “>” at the start are what you have placed on here to make it visible, and not what was in the original file? (As they shouldn’t be there.)


#11

Yeah, I just read that it was forbidden to add it to the .htaccess file :slight_smile:
I tried in httpd.conf with no success; maybe I’m putting it in the wrong place. I’m investigating.
For the “>”, it’s just the editor :slight_smile:


#12

If you just temporarily rename the .htaccess file, can you then reach that test location with curl? (That would show if it was a redirect in your .htaccess causing the issue.)


#13

Updated thanks to @serverco to be more specific to CentOS and not Ubuntu as I posted earlier.

You should add this into your httpd.conf file for Apache.

Add it before the closing </VirtualHost> tag (this is how I have it on Ubuntu; it should hopefully work on CentOS).

#Add Alias For Lets Encrypt WebRoot Authentication Using ACME
        AliasMatch ^/.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
        Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
        <Directory "/var/www/html/.well-known/acme-challenge/">
                Options None
                AllowOverride None
                ForceType text/plain
                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        </Directory>

Then `systemctl restart httpd`

Then run a “test” certificate generation as follows.

./certbot-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m dnsadmin@mydomain.com --webroot -w /var/www/html/ -d mail.mydomain.com --renew-by-default --test-cert

Here you are calling for a certificate to be generated and it’s using that --webroot location of /var/www/html that you just created above in Apache2.

Remember it’s in test mode, so you should get a response like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem. Your cert
   will expire on 2016-09-11. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

Remember of course to substitute your domain name and email address above; you can also change your default RSA key size to 2048.

If that then works, simply remove --test-cert and it will generate your live key.


#14

I may be wrong but that looks to me like modifying the default config on an Ubuntu system, rather than a CentOS one, so may need a little modification to work.


#15

That is right, it’s for Ubuntu. I did see OP is using CentOS, but it should work for his Apache, I hope. He may need to modify slightly for CentOS; the basic gist is all there.


#16

Have updated my post above, thanks @serverco


#17

Thank you very, very much, MitchellK, for the time you spent writing the answer.

I tried to do what you said; I modified some things.

In the end I ran the command below and got the error below:
```
[root@vps1128 letsencrypt]$ ./certbot-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m dnsadmin@meetropole.com --webroot -w /home/ludoludo/var/www/html/ -d meetropole.com --renew-by-default --test-cert
Version: 1.1-20080819
Version: 1.1-20080819
Failed authorization procedure. meetropole.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://meetropole.com/.well-known/acme-challenge/33rap6dY3k29Z7prKYjmDK8axuHiBAr6gFHI220tsE8: "

CakePHP: the rapi"
```

Do you know what I did wrong?

Thanks


#18

Looks like it hits your CakePHP rewrite. Are you sure the file exists? When running the command, you can actually check what’s happening in the directory. Open another session and use something like this in the terminal:

watch -n 0.1 "ls -al /var/www/html/.well-known/acme-challenge/"


#19

I think it can’t create the acme-challenge directory. Even if I create one manually, it is removed automatically when running letsencrypt.


#20

That’s definitely failing on the acme challenge. Your command line to generate the cert looks all spot on, you were correct to change mail.mydomain.com to your own domain name, sorry I forgot to mention that.

Can you post your apache .conf file for this site?