HowTo for webroot plugin and apache VirtualHost

Please fill out the fields below so we can help you better.

My domain is:
I ran this command:
certbot certonly -d

It produced this output:
Type: connection
Detail: Failed to connect to for TLS-SNI-01

My operating system is (include version):
CentOS Linux release 7.0.1406 (Core)

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

My virtual host will rewrite its requests to a Zope process, thus it normally uses its DocumentRoot merely for error documents. My newer VirtualHosts are created by Apache macros (but I have a macro to support TLS-enabled hosts as well, so I’d be able to do the install part myself.)

I don’t understand this webroot thing. What are the prerequisites to make it work? How can the process expect to connect to :443 since no certificate is present yet?

I created small VirtualHost sections as well to give the parser something to find:

<VirtualHost *:80>
DocumentRoot /var/www/

Apparently this is not good enough. Is there some complete (but minimal) example anywhere?

Could you fill in all the details in the template please ?

difficult to help without :wink:

That’s better, thanks - hadn’t noticed you edited the post.

1 Like

You’re not using the webroot plugin. It’s using the tls-sni-01 challenge, not http-01. Use --webroot with -w /var/www (in your specific case according to your VirtualHost section).

Ok, I solved my problem.
I dropped those dummy VirtualHosts and added a RewriteCond line to my “real” hosts to protect the certbot requests from being rewritten to Zope:
RewriteCond %{REQUEST_URI} !^/.well-known
Furthermore, port 80 needed to be opened in /etc/sysconfig/iptables (had been open for the ip addresses of our company only), and the macro needed to be changed to use a fixed value in the IncludeOptional lines instead of the variable $(NAME).
In the end it worked; no special adjustments were needed for the .well-known location.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.