Files aren't created

mmagdy88 · May 9, 2016, 11:03am

Hello,

The issue is that the key files aren’t created inside the webroot folder.

OS: CentOS 6.7
cPanel/WHM
Command Line: # ./letsencrypt-auto certonly --webroot -w /home/USERNAME/public_html -d DOMAINNAME.COM

Output:

Failed authorization procedure. DOMAIN.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://DOMAIN.com/.well-known/acme-challenge/pnZ6e6CK4x7IL5r_bIUGfnd36Zp4Yo4W1IlpqdN_Vpo [xx.xx.xx.xx]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: DOMAIN.com
   Type:   unauthorized
   Detail: Invalid response from http://DOMAIN.com/.well-known/acme-
   challenge/pnZ6e6CK4x7IL5r_bIUGfnd36Zp4Yo4W1IlpqdN_Vpo
   [xx.xx.xx.xx]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Debug Log (Verbose -vvvv): http://pastebin.com/vBGv9tac

Any suggestions?

Note: Replaced domain name with DOMAIN, username with USERNAME, IP with xx.xx.xx.xx.

Best Regards,

serverco · May 9, 2016, 11:18am

Are you happy to provide your domain name ?

If you create a file (such as “test”) in /home/USERNAME/public_html/.well-known/acme-challenge/test with plain text content ( “worked” ) … can you then reach it from elsewhere on the internet at DOMAIN/.well-known/acme-challenge/test ?

mmagdy88 · May 9, 2016, 11:50am

Thanks for your reply.

Domain name is related to a customer so it won’t be nice to provide it.

Regarding the test I did it already and can reach it from anywhere, also checked DNS and .htaccess file and no issues at all.

tialaramex · May 9, 2016, 12:57pm

The log claims the files were successfully created, and then cleaned up at the end of the run.

Is it possible that’s so? Or are you confident that the files never exist at all, even while the Let’s Encrypt client is running?

mmagdy88 · May 9, 2016, 2:22pm

I put inotify on the directory and files never exists.

pfg · May 9, 2016, 2:39pm

Is this a regular local filesystem, or something like a NFS mount or some other kind of remote/distributed FS?

mmagdy88 · May 9, 2016, 2:56pm

No, Regular filesystem working on EXT4

pfg · May 9, 2016, 3:23pm

Are you certain inotify is working as expected? (Happy to test with a working client setup if you want to share how you’re doing it.)

I did some debugging of the webroot plugin source. This is the part that’s saving the challenge files:

def _perform_single(self, achall):
        response, validation = achall.response_and_validation()

        root_path = self.full_roots[achall.domain]
        validation_path = self._get_validation_path(root_path, achall)
        logger.debug("Attempting to save validation to %s", validation_path)

        # Change permissions to be world-readable, owner-writable (GH #1795)
        old_umask = os.umask(0o022)

        try:
            with open(validation_path, "w") as validation_file:
                validation_file.write(validation.encode())
        finally:
            os.umask(old_umask)

        self.performed[root_path].add(achall)

        return response

That log line (Attempting to save validation to ...) is included in your log as well. There’s no code path that wouldn’t lead to the file being written, and if there’s an error while storing the file, you’d see an exception (like OSError: [Errno 2] No such file or directory: ..., or whatever the error is).

mmagdy88 · May 9, 2016, 7:25pm

Yes, and to be completely sure, I watched the directory manually while trying to generate certificate.

Regarding the code, I’ve double checked the log and yes there’s an attemption to write files but nothing is written.

Do you think server security has to do anything with this? I’m using SuPHP, ModSecurity and SuHosin.

pfg · May 9, 2016, 7:33pm

So the files are being created, but they’re empty?

Have you checked your system logs for anything interesting? I suppose something like SELinux/AppArmor could be interfering, though I’m not sure why this wouldn’t at least trigger an exception.

mmagdy88 · May 9, 2016, 7:51pm

I’ve checked again now and found out that files are written with a content then removed again in a second, as @tialaramex stated above.

Message is 404 not found, which is happening because the files are created with root UID and GID, but the website is working as a user, so I guess this is the issue, but how to fix it?

pfg · May 9, 2016, 8:11pm

Hmm, the files are created as word-readable, plus IIRC apache would yield a 403 instead of a 404 if it's about the file permissions.

Is there anything in your apache error log? That one might have more details.

mmagdy88 · May 10, 2016, 6:43am

Apache throws this error:

Caught race condition abuser. attacker: 560, victim: 0 open file owner: 0, open file: /home/USERNAME/public_html/.well-known/acme-challenge/SihjQnu4sOO-bTXEaasRAsQUsWngUMtsvZJyc-BPSXY

Because the files are created with root and the handler is SuPHP so files created have to be made with user permissions not root permissions, any ideas?

system · June 9, 2016, 6:43am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Webroot plugin : The client lacks sufficient authorization	37	37120	April 25, 2017
Certbot certonly webroot fail to create challenge file Help	5	2885	October 27, 2018
Hello all, I try to install Letsencrypt on my server but i got this error message. I would like to ask what is the mistake? How to fix this bug? Help	6	2373	February 4, 2017
Certbot don't create the validation file Help	5	3069	September 10, 2017
Ubuntu 16.04 Apache permissions problem? Server	8	5767	July 30, 2016

Files aren't created

Related topics