Error with certonly mode

Hello again and thanks for your help.

Here is my complete httpd.conf file. The virtualhost concerned is the one called "meetropole.com".
httpd.txt (22.5 KB)

And my htaccess files (there are 3 in cakephp)
htaccess.txt (2.4 KB)

Please quickly try this as a replacement for your config of meetropole.com in your httpd.conf file.

<VirtualHost 85.236.155.48:80>
  ServerName meetropole.com
  ServerAlias www.meetropole.com
  DocumentRoot /home/ludoludo/public_html
  ServerAdmin webmaster@meetropole.com
  UseCanonicalName Off
  CustomLog /usr/local/apache/domlogs/meetropole.com combined
  # Add Alias for Let's Encrypt webroot authentication using ACME
  AliasMatch ^/.well-known/acme-challenge/(.*)$ /home/ludoludo/public_html/.well-known/acme-challenge/$1
  Alias /.well-known/acme-challenge/ /home/ludoludo/public_html/.well-known/acme-challenge/
  <Directory "/home/ludoludo/public_html/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  </Directory>
  <IfModule log_config_module>
    <IfModule logio_module>
      CustomLog /usr/local/apache/domlogs/meetropole.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    </IfModule>
  </IfModule>
  ## User ludoludo # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        UserDir disabled
        UserDir enabled ludoludo
      </IfModule>
    </IfModule>
  </IfModule>
</VirtualHost>
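The `RedirectMatch 404` line in that block is an allow-list: inside the challenge directory only names shaped like an ACME token (43 base64url characters) are served, everything else gets a 404 from Apache itself, whether or not a file exists. A side effect worth knowing when debugging is that a hand-made probe such as `test.txt` is answered 404 by this rule, not by a missing file. The following Python check is an added example, not code from this thread; it applies the same regex to sample request paths (`redirect_match_404`, `classify` and the sample list are my own; the long token is the one quoted in the certbot error in this thread):

```python
import re

# The RedirectMatch regex from the suggested <Directory> block. Apache uses PCRE, where \w is
# [A-Za-z0-9_] by default; re.ASCII makes Python's \w behave the same way.
CHALLENGE_GUARD = re.compile(r"^(?!/\.well-known/acme-challenge/[\w-]{43}$)", re.ASCII)


def redirect_match_404(url_path: str) -> bool:
    """True if `RedirectMatch 404 "<regex>"` would answer 404 for this request URL path.

    Apache tests the regex against the URL path; a match (here: the negative lookahead
    succeeds because the path is NOT a 43-character token name) triggers the 404."""
    return CHALLENGE_GUARD.search(url_path) is not None


def classify(paths):
    """Map each sample path to what the rule does with it."""
    return {p: ("404 from RedirectMatch" if redirect_match_404(p) else "passes to filesystem")
            for p in paths}


# Constructed sample request paths.
SAMPLES = [
    "/.well-known/acme-challenge/_zkDdkOqjMpo0vaT8x9Nzb3IQL8d9rpF_PYrez7Rs8c",  # token from the certbot output
    "/.well-known/acme-challenge/test.txt",    # the manual curl probe used in this thread
    "/.well-known/acme-challenge/test.html",   # the manual browser probe used in this thread
    "/.well-known/acme-challenge/" + "A" * 42,  # one character short of a token
    "/.well-known/acme-challenge/",            # directory itself
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLES).items():
        print(f"{verdict:22}  {path}")
```

If you want to test the directory by hand while this rule is active, name the probe file with 43 characters from `[A-Za-z0-9_-]`; otherwise the 404 tells you nothing about whether the webroot path is right.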

I still have the same error message :sob:

Check the Apache error log - I wonder if you might have the same “symlink protection” interfering here similar to what was happening in another thread.

Also it helps to enable rewrite logging when you have any rewrites and suspect that they are getting triggered (for example if file/dir is immediately deleted or not created, you’d be hitting the framework handler).

http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging

1 Like

Yes, that was my next suggestion, check your logs. Something is blocking ./ or /. … could be your rewrite rules in your .htaccess as @leader has suggested.

You could also, as suggested earlier on by @serverco, disable your .htaccess file by renaming it for a little bit to old.htaccess or something like that.

Cut things out of the equation that may be causing interference with the apache config.

Also, if you are on apache 2.4 you could try and change this section of the config I sent you, just add the one line.

<Directory "/home/ludoludo/public_html/.well-known/acme-challenge/">
  Options None
  AllowOverride None
  Require all granted
  ForceType text/plain
  RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

I tried to disable the htaccess, the error is now a 406 instead of 404

[root@vps1128 letsencrypt]$ curl -I http://meetropole.com/.well-known/acme-challenge/test.txt
HTTP/1.1 406 Not Acceptable
Date: Tue, 14 Jun 2016 19:56:48 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

I tried "Require all granted", no effect

I will investigate the logs, need to see how it works

thanks

the logs are not generated, maybe because there is this virtualhost thing with a different user than the root one. grrrr I’m getting mad, I guess I will have to pay someone from my webhosting company

Include "/usr/local/apache/conf/modsec2.conf"
...
HTTP/1.1 406 Not Acceptable

406 is usually returned by mod_security.

ModSec is a good thing by itself but you need to check its rules. You could temporarily disable it like shown below, but I'd really recommend you to check the rules before doing something like that.

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

Also check this - http://www.mickgenie.com/cpanel-how-to-disable-mod_security2-for-account-or-path/

if I do

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

curl works

[root@vps1128 letsencrypt]$ curl -I http://meetropole.com/.well-known/acme-challenge/test.txt
HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 21:42:48 GMT
Server: Apache
Last-Modified: Sun, 12 Jun 2016 17:11:21 GMT
Accept-Ranges: bytes
Content-Length: 5
Vary: User-Agent
Content-Type: text/plain; charset=UTF-8

and if I corrupt the name of my htaccess files the error is changing for letsencrypt command ;

[root@vps1128 letsencrypt]$ ./certbot-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m dnsadmin@meetropole.com --webroot -w /home/ludoludo/var/www/html/ -d meetropole.com --renew-by-default --test-cert
Version: 1.1-20080819
Version: 1.1-20080819
Failed authorization procedure. meetropole.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://meetropole.com/.well-known/acme-challenge/_zkDdkOqjMpo0vaT8x9Nzb3IQL8d9rpF_PYrez7Rs8c: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: meetropole.com
   Type:   unauthorized
   Detail: Invalid response from
   http://meetropole.com/.well-known/acme-challenge/_zkDdkOqjMpo0vaT8x9Nzb3IQL8d9rpF_PYrez7Rs8c:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

There should be a related record in the Apache error log for that 404. That might give you a hint what’s wrong (for example - symlink protection).

something like this?

[Wed Jun 15 00:08:40.663268 2016] [rewrite:trace2] [pid 22473:tid 139853102565120] mod_rewrite.c(476): [client 66.133.109.36:57341] 66.133.109.36 - - [meetropole.com/sid#9fff78][rid#7f320800eaa0/initial] init rewrite engine with requested uri /.well-known/acme-challenge/aYODGTJ5-rMxBpj_PP_zhd-QElw_r6bRSKVsG3EoEyA
[Wed Jun 15 00:08:40.663337 2016] [rewrite:trace1] [pid 22473:tid 139853102565120] mod_rewrite.c(476): [client 66.133.109.36:57341] 66.133.109.36 - - [meetropole.com/sid#9fff78][rid#7f320800eaa0/initial] pass through /.well-known/acme-challenge/aYODGTJ5-rMxBpj_PP_zhd-QElw_r6bRSKVsG3EoEyA
[Wed Jun 15 00:08:40.663617 2016] [rewrite:trace2] [pid 22473:tid 139853102565120] mod_rewrite.c(476): [client 66.133.109.36:57341] 66.133.109.36 - - [meetropole.com/sid#9fff78][rid#7f320800e6c0/initial/redir#1] init rewrite engine with requested uri /404.shtml
[Wed Jun 15 00:08:40.663639 2016] [rewrite:trace1] [pid 22473:tid 139853102565120] mod_rewrite.c(476): [client 66.133.109.36:57341] 66.133.109.36 - - [meetropole.com/sid#9fff78][rid#7f320800e6c0/initial/redir#1] pass through /404.shtml

Try setting your Apache combined log format to:

LogFormat "%h %l %u %t \"%r\" %>s %O %b %D \"%{Referer}i\" \"%{User-Agent}i\"" combined

Then restart apache and monitor this file

/usr/local/apache/domlogs/meetropole.com

You are getting closer … be careful with mod_security it can have nasty side effects if not carefully configured.

hello MitchellK,

it’s returning this, does it mean something to you? :slight_smile:

66.133.109.36 - - [15/Jun/2016:21:25:20 +0200] "GET /.well-known/acme-challenge/v4Ac1OgZNAXxb73HB9wNRtg1-kO-0is2ZToduHs0hxI HTTP/1.1" 404 551 - 889 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

thanks

Well now that your apache log is showing what's really going on, it's showing you a 404 error "not found". It means your apache config is still not right and apache is blocking the location /.well-known/

I will have a look through your config file again in the morning

thanks Mitchell
Here is my latest version of my httpd httpd.txt (22.3 KB)

Got it, will have a look through it for you.

Give this a try and make sure .htaccess is disabled before you do. I have heavily commented your file so have a good look through it. Let me know if this helps at all and monitor your logs when you test again.

httpd-mk.txt (26.6 KB)

thank you for your time

I tested it and it is changing nothing :sweat_smile:

I still have a 404 error

Try this please

  1. So check if /home/ludoludo/public_html/.well-known/acme-challenge exists

  2. If not then

cd /home/ludoludo/public_html
mkdir .well-known
cd .well-known
mkdir acme-challenge
chown -R www-data: /home/ludoludo/public_html
chmod -R 755 /home/ludoludo/public_html/.well-known

Then .... place a simple html file in that folder as follows

cd /home/ludoludo/public_html/.well-known/acme-challenge/
nano test.html

In that file just put the following text, save and exit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Test HTML File</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
</head>
<body>

<p>HELLO ACME</p>

</body>
</html>

Then go to

http://www.meetropole.com/.well-known/acme-challenge/test.html

If you see the HELLO ACME then that folder now works and exists.

Delete the test file and then try your ./certbot-auto command again
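The manual test above (drop a file in the challenge directory, fetch it over HTTP, remove it) is exactly what certbot's webroot plugin relies on, so it is worth scripting so it can be rerun after every config change. The script below is an added example, not code from this thread or from certbot: `probe_webroot` writes a token-shaped file under `<webroot>/.well-known/acme-challenge`, fetches it through the given base URL, compares the body and cleans up; `selftest` runs it against a throwaway local `http.server` standing in for Apache, once with the served directory as webroot and once with an unrelated directory, which is the mistake you get when the `-w` path given to certbot and the vhost's `DocumentRoot` are not the same directory (the thread's command uses `-w /home/ludoludo/var/www/html/` while the suggested vhost serves `/home/ludoludo/public_html`). The token format, the file body and the hint texts are my own assumptions.

```python
import base64
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def make_token() -> str:
    """Mimic an ACME http-01 token: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def probe_webroot(webroot: str, base_url: str, timeout: float = 5.0) -> dict:
    """Write a token-named file under <webroot>/.well-known/acme-challenge, fetch it via
    <base_url>, report what the server answered, and remove the file again."""
    token = make_token()
    challenge_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    expected = token + ".probe"  # constructed stand-in for the real "token.thumbprint" body
    with open(token_file, "w", encoding="ascii") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as err:      # 4xx/5xx: keep the status code
        status, body = err.code, ""
    except urllib.error.URLError as err:       # connection-level failure
        status, body = None, str(err.reason)
    finally:
        os.remove(token_file)
    # Hints for the two failure codes seen in this thread (assumed wording).
    hints = {404: "not served: wrong webroot, or a rewrite/RedirectMatch rule catches the path",
             406: "406 is what mod_security usually returns; check its rules for this path"}
    return {"url": url, "status": status,
            "ok": status == 200 and body.strip() == expected,
            "hint": hints.get(status, "")}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the local test server silent
        pass


def selftest() -> dict:
    """Exercise the probe offline against a local http.server standing in for Apache."""
    served_root = tempfile.mkdtemp(prefix="acme-served-")
    other_root = tempfile.mkdtemp(prefix="acme-other-")   # "wrong -w path" case
    handler = functools.partial(_QuietHandler, directory=served_root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"correct_webroot": probe_webroot(served_root, base_url),
                "wrong_webroot": probe_webroot(other_root, base_url)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, result in selftest().items():
        print(case, result["status"], "OK" if result["ok"] else "FAIL", result["hint"])
```

Against the live host you would call `probe_webroot("/home/ludoludo/public_html", "http://meetropole.com")` on the server itself; a 200 with a matching body means the path, permissions and any guard rules are consistent, and the status plus hint tells you which layer to look at when it is not.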

we are probably closer :slight_smile:

http://www.meetropole.com/.well-known/acme-challenge/test.html returns a 404

but if I create a directory just called acme it works

http://www.meetropole.com/.well-known/acme/test.html

something with the ‘-’?