HowTo for webroot plugin and apache VirtualHost

Please fill out the fields below so we can help you better.

My domain is:
dev.mydomain.de
I ran this command:
certbot certonly -d dev.mydomain.de

It produced this output:
Domain: dev.mydomain.de
Type: connection
Detail: Failed to connect to 123.123.123.123:443 for TLS-SNI-01 challenge

My operating system is (include version):
CentOS Linux release 7.0.1406 (Core)

My web server is (include version):
Apache/2.4.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

My virtual host will rewrite its requests to a Zope process, thus it normally uses its DocumentRoot merely for error documents. My newer VirtualHosts are created by Apache macros (but I have a macro to support TLS-enabled hosts as well, so I’d be able to do the install part myself.)

I don’t understand this webroot thing. What are the prerequisites to make it work? How can the process expect to connect to :443 since no certificate is present yet?

I created small VirtualHost sections as well to give the parser something to find:

<VirtualHost *:80>
ServerName dev.mydomain.de
DocumentRoot /var/www/
</VirtualHost>

Apparently this is not good enough. Is there some complete (but minimal) example anywhere?

Could you fill in all the details in the template please?

difficult to help without :wink:

That’s better, thanks - hadn’t noticed you edited the post.


You’re not using the webroot plugin. It’s using the tls-sni-01 challenge, not http-01. Use --webroot with -w /var/www (in your specific case according to your VirtualHost section).

Ok, I solved my problem.
I dropped those dummy VirtualHosts and added a RewriteCond line to my “real” hosts to protect the certbot requests from being rewritten to Zope:
RewriteCond %{REQUEST_URI} !^/.well-known
Furthermore, port 80 needed to be opened in /etc/sysconfig/iptables (had been open for the IP addresses of our company only), and the macro needed to be changed to use a fixed value in the IncludeOptional lines instead of the variable $(NAME).
In the end it worked; no special adjustments were needed for the .well-known location.
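
A minimal port-80 VirtualHost along the lines this thread arrives at, as an added example that is not part of the original posts: everything is proxied to Zope except the http-01 challenge path, which Apache serves from the webroot given to certbot. The Zope backend address (127.0.0.1:8080), the VirtualHostMonster-style target URL and the narrowing of the exemption to the acme-challenge subdirectory are assumptions made for this example.

```apache
# Added example; the backend address and proxy target are assumptions,
# not values taken from the thread.
<VirtualHost *:80>
    ServerName dev.mydomain.de

    # Webroot passed to certbot with -w. For the http-01 challenge certbot
    # writes its token files below /var/www/.well-known/acme-challenge/.
    DocumentRoot /var/www

    # Serve only static files from the challenge directory.
    <Directory "/var/www/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Keep ACME validation requests on the local file system ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... and hand every other request to Zope (needs mod_proxy and
    # mod_proxy_http for the [P] flag; backend assumed on 127.0.0.1:8080).
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/dev.mydomain.de:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# With port 80 reachable from the internet, request the certificate through
# the webroot plugin instead of the default tls-sni-01 challenge:
#   certbot certonly --webroot -w /var/www -d dev.mydomain.de
```

Exempting only the challenge subdirectory keeps the rest of /.well-known, and the rest of the DocumentRoot, behind the same rewrite as before.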
