How to: certs for an open street map tile server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tile.semrdemo.com

I ran this command: certbot certonly (selected option 2, then tile.semrdemo.com, webroot)

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: tile.semrdemo.com
Type: unauthorized
Detail: 194.233.160.35: Invalid response from http://tile.semrdemo.com/.well-known/acme-challenge/nByk39Qakzq02zem-d-uE5DjqHOJUXw3bGuImvRXb70: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): Apache2 2.4.54

The operating system my web server runs on is (include version):
ubuntu

My hosting provider, if applicable, is:
Ubuntu 22.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No. Command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.21.0

Note: for other 'normal' virtual host sites I was able to get certificates easily. (Thank you.)

This virtual host is quite different. Here is the site config in Apache's sites-available:

```
<VirtualHost *:80>
ServerName tile.semrdemo.com
LogLevel info
Include /etc/apache2/conf-available/renderd.conf
</VirtualHost>

<VirtualHost *:443>
ServerName tile.semrdemo.com
LogLevel info
Include /etc/apache2/conf-available/renderd.conf
</VirtualHost>
```

Welcome to the community @rogers

Can you show what is in /etc/apache2/conf-available/renderd.conf?

Please put 3 backticks before and after the output to ensure proper formatting. Like this:
```
contents of file
```

If your first post had more info around your VirtualHosts you can go back and add 3 backticks around those too. Thanks


The info around VirtualHosts was complete.
Here is what you requested (comments were removed):

```
# (the opening <Directory ...> line was swallowed by the forum formatting and is not shown in the post)
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted

    ModTileTileDir /var/cache/renderd/tiles
    LoadTileConfigFile /etc/renderd.conf
    ModTileEnableStats On
    ModTileBulkMode Off
    ModTileRequestTimeout 3
    ModTileMissingRequestTimeout 10
    ModTileMaxLoadOld 2
    ModTileMaxLoadMissing 5
    ModTileRenderdSocketName /run/renderd/renderd.sock
    ModTileCacheDurationMax 604800
    ModTileCacheDurationDirty 900
    ModTileCacheDurationMinimum 10800
    ModTileCacheDurationMediumZoom 13 86400
    ModTileCacheDurationLowZoom 9 518400
    ModTileCacheLastModifiedFactor 0.20
    ModTileEnableTileThrottling Off
    ModTileEnableTileThrottlingXForward 0
    ModTileThrottlingTiles 10000 1
    ModTileThrottlingRenders 128 0.2
</Directory>
```

Sorry, I have been working since 3:30 am. The info as depicted for the Virtual Hosts was indeed complete; however, I suspect the lack of using 3 backslashes prevented the line

</VirtualHost>

from displaying.


No problem. I don't see a DocumentRoot in that VirtualHost. So, did the folder you entered when certbot asked for webroot match the default DocumentRoot in apache?

The 404 error means "Not Found" and often it's because of mismatch between the DocumentRoot and the certbot webroot.


Interestingly, the file apache2.conf does not have DocumentRoot defined. That file remains as it was when installed.

So, no, they do not match.

Try adding DocumentRoot to your VirtualHost and use that for the -w folder value

Could use a folder outside your regular hosted files such as:

/var/lib/letsencrypt/http_challenges

A custom module named mod_tile is being used (GitHub - openstreetmap/mod_tile: Renders map tiles with mapnik and serves them using apache) which probably explains the lack of a DocumentRoot directive.

You probably want to limit any DocumentRoot setting to the path /.well-known/acme-challenge/. Not sure how that would fare when mod_tile is also being used.

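The two suggestions above (a dedicated challenge directory such as /var/lib/letsencrypt/http_challenges, and confining it to the /.well-known/acme-challenge/ path so mod_tile keeps handling everything else) can be checked before certbot is run again. The script below is an added example written for this thread, not code from any poster, certbot or mod_tile. It emits the Apache fragment that maps only the challenge path onto the chosen directory, then reproduces the CA's exchange: it writes a constructed token file exactly where certbot's webroot plugin would put it and fetches it over plain HTTP, so a 404 like the one in the first post, or a different vhost answering, shows up immediately. Assumptions: curl is installed, and the domain and directory are passed on the command line (tile.semrdemo.com and the thread's example directory are only used in the usage comment).

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 (webroot) challenge.
# Certbot writes <webroot>/.well-known/acme-challenge/<token>; the CA then
# requests http://<domain>/.well-known/acme-challenge/<token>. A 404 means the
# directory given to -w is not the one Apache serves for that path.

# Apache fragment that serves ONLY /.well-known/acme-challenge/ from a dedicated
# directory. Everything else in the vhost (mod_tile) stays untouched.
challenge_conf() {
    dir="$1"
    cat <<EOF
Alias /.well-known/acme-challenge/ "$dir/.well-known/acme-challenge/"
<Directory "$dir/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Write a constructed token file the way the webroot plugin does.
# Prints the file path so the caller can remove it afterwards.
write_token() {
    webroot="$1"; token="$2"; content="$3"
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s' "$content" > "$webroot/.well-known/acme-challenge/$token"
    printf '%s\n' "$webroot/.well-known/acme-challenge/$token"
}

# Fetch the token over plain HTTP as the CA does and compare the body.
# Returns 0 on a 200 with the expected body, 1 otherwise.
# Note: the CA follows redirects; add -L to curl if the vhost redirects to https.
fetch_token() {
    domain="$1"; token="$2"; expected="$3"
    url="http://$domain/.well-known/acme-challenge/$token"
    bodyfile=$(mktemp)
    status=$(curl -s -o "$bodyfile" -w '%{http_code}' "$url") || status=000
    body=$(cat "$bodyfile" 2>/dev/null)
    rm -f "$bodyfile"
    if [ "$status" != "200" ]; then
        echo "FAIL: $url returned HTTP $status (expected 200)" >&2
        return 1
    fi
    if [ "$body" != "$expected" ]; then
        echo "FAIL: $url answered 200 but with other content; another vhost or handler served it" >&2
        return 1
    fi
    echo "OK: $url served the token from this webroot"
}

# Full check: write the token, fetch it, clean up, report.
preflight() {
    domain="$1"; webroot="$2"
    token="preflight-$$"            # constructed token, not a real ACME token
    content="preflight-content-$$"
    path=$(write_token "$webroot" "$token" "$content")
    fetch_token "$domain" "$token" "$content"
    rc=$?
    rm -f "$path"
    return $rc
}

# Usage (example values from the thread):
#   sh acme-preflight.sh tile.semrdemo.com /var/lib/letsencrypt/http_challenges
#   challenge_conf /var/lib/letsencrypt/http_challenges > /etc/apache2/conf-available/acme-challenge.conf
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

If the check prints OK, `certbot certonly --webroot -w <that directory> -d <domain>` will find the same path the CA does; if it prints a 404, the Alias fragment has not been included in the vhost that answers on port 80, which is exactly the mismatch diagnosed earlier in the thread.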

That worked. Thank you.

Rogers


Just to make this complete:
I was concerned that setting DocumentRoot might interfere with the renderd engine. So I did set it, but to the location /var/www/tileserver, one of the directories that comprise the renderd system.

