Http-01 fails even with acme-challenge file accessible

Currently running an Apache reverse proxy for Jenkins, and I have an exception for the /.well-known/ directory. When I put a test.txt file in /.well-known/acme-challenge/ I can see it in a browser. Also, I can see Certbot generate the file in the same place as test.txt.

I can’t seem to figure out how to get the http-01 challenge to pass. I’m running Apache 2.4 on OSX 10.11 El Capitan.

Command: sudo certbot certonly --webroot -w /Users/Shared/Jenkins/Sites/ -d jenkins.metropia.com

Log file: https://gist.github.com/anonymous/52d4c9e00a1a8f54b4b03271783184ac

Is your exception working correctly? When I try a curl, the response I get isn't a nice plain text response of the token file.

$ curl -i http://jenkins.metropia.com/.well-known/acme-challenge/oG0D9MpFsRvEqNtPyazCc-jfAyrGqmOsD3yx1eJBG3s
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 27 Aug 2016 06:33:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
<meta name="VERSION" content="">
<meta name="DATA" content="fwdnode6-bl.web-hosting.com (162.255.119.3)">
<link href=" " rel="shortcut icon" type="image/x-icon">
<title></title>
</head>
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://70.184.89.42:9090/.well-known/acme-challenge/oG0D9MpFsRvEqNtPyazCc-jfAyrGqmOsD3yx1eJBG3s" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://70.184.89.42:9090/.well-known/acme-challenge/oG0D9MpFsRvEqNtPyazCc-jfAyrGqmOsD3yx1eJBG3s" >here</a> to enter the site.</center>
</noframes>
</html>

That's odd, I placed a test.txt file in acme-challenge to test as well and cURL isn't clean either.

C:\WINDOWS\system32>curl -i http://jenkins.metropia.com/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 28 Aug 2016 18:21:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
<meta name="VERSION" content="">
<meta name="DATA" content="fwdnode7-bl.web-hosting.com (162.255.119.4)">
<link href=" " rel="shortcut icon" type="image/x-icon">
<title></title>
</head>
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://70.184.89.42:9090/.well-known/acme-challenge/test" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://70.184.89.42:9090/.well-known/acme-challenge/test" >here</a> to enter the site.</center>
</noframes>
</html>

However, when I try to access http://jenkins.metropia.com/.well-known/acme-challenge/test through a browser I get:

Hello, world!

This is how I have the config file make a /.well-known exception:

ServerName jenkins.metropia.com
ProxyPass /.well-known !
ProxyPass / http://localhost:XXXX/ nocanon
ProxyPassReverse / http://localhost:XXXX/

It works through a browser because your browser follows the instructions and does support frames. However, Let’s Encrypt requires a pure text response (hence the check via curl).

It seems that you are with Namecheap and it’s likely that you are using their “masked” URL redirect feature that causes those iframes. Try disabling it or make it “unmasked”.

Thanks to your help we were able to figure it out. We changed the VirtualHost to *:80 and added “Listen 80” in the httpd.conf. Then we were able to get a clean response from curl, and from there it was pretty easy to integrate the certificate and set up a redirect for http -> https.

Thanks for your help!

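The check the replies performed by eye on the `curl -i` output can be scripted. The following is an added example, not code from the thread or from Certbot: `diagnose`, `KEY_AUTH` and both sample responses are constructed for illustration (192.0.2.10 is a documentation address), and it assumes the expected body is the ACME key authorization in `token.thumbprint` form.

```python
import re
from email.parser import Parser

FRAME_SRC = re.compile(r"<i?frame\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)", re.I)
HTML_TAG = re.compile(r"<\s*(?:html|frameset|i?frame)\b", re.I)

def diagnose(raw, key_authorization, expected_server=None):
    """Return the problems found in a captured `curl -i` response; [] means OK."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block)  # case-insensitive header lookup
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    server = headers.get("Server", "")
    if expected_server and expected_server.lower() not in server.lower():
        # A different Server header means something in front of the origin answered.
        problems.append(f"answered by '{server}', not {expected_server}")
    if HTML_TAG.search(body):
        problems.append("body is an HTML page, not the raw token file")
        m = FRAME_SRC.search(body)
        if m:
            problems.append(f"frame wrapper points at {m.group(1)}")
    elif body.strip() != key_authorization:
        problems.append("body differs from the expected key authorization")
    return problems

# Constructed samples: a masked-forwarding frameset and a clean origin response.
KEY_AUTH = "constructed-token.constructed-thumbprint"
FRAMED = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html

<html>
<frameset rows='100%, *'>
<frame src="http://192.0.2.10:9090/.well-known/acme-challenge/constructed-token" name=mainwindow></frame>
</frameset>
</html>
"""
CLEAN = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         "Content-Type: text/plain\r\n\r\n" + KEY_AUTH + "\n")

if __name__ == "__main__":
    for name, raw in (("framed", FRAMED), ("clean", CLEAN)):
        print(name, diagnose(raw, KEY_AUTH, expected_server="Apache"))
```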