We are not done testing
Go ahead. Sorry.
Ok that test passed - Hi back!
Now we need to simulate a more accurate challenge request.
Make the challenge path:
mkdir -p /var/www/scribblersathome/.well-known/acme-challenge/
then create the test file:
echo "test#2" > /var/www/scribblersathome/.well-known/acme-challenge/test2-file
then try it from the Internet:
http://scribblersathome.com/.well-known/acme-challenge/test2-file
curl https://scribblersathome.com//.well-known/acme-challenge/test2-file
test#2
curl -Ii https://scribblersathome.com//.well-known/acme-challenge/test2-file
HTTP/2 200
etag: "7-63cb06df-89a24;;;"
last-modified: Fri, 20 Jan 2023 21:25:51 GMT
content-length: 7
accept-ranges: bytes
date: Fri, 20 Jan 2023 21:32:09 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
The problem is that you tested HTTPS - and that works.
But the request is via HTTP - and that fails!
curl https://scribblersathome.com/.well-known/acme-challenge/test2-file
test#2
curl -Ii http://scribblersathome.com/.well-known/acme-challenge/test2-file
HTTP/1.1 404 Not Found
date: Fri, 20 Jan 2023 21:38:13 GMT
server: LiteSpeed
connection: Keep-Alive
For the /.well-known/acme-challenge/ path, your HTTP isn't redirecting to HTTPS indeed, but other paths do. So some code in your OpenLiteSpeed must cause this specific behaviour for /.well-known/acme-challenge/ paths.
It only "worked" because that "double slash" did not match the exact challenge path and it was redirected to HTTPS [which works].
The correct path fails.
Because...
There is some code in the HTTP server block to handle challenge requests from some other root path [NOT /var/www/scribblersathome].
Can you try again please??
Bingo!
curl http://scribblersathome.com/.well-known/acme-challenge/test2-file
test#2
Now you can delete the test files.
I'd leave that path there OR it will have to be created and deleted (by certbot) for each renewal request.
It was not exactly a problem with the path; I only have one DocumentRoot path. The vhost needed to have the listener for the http/80 port added. When you told me about http vs https, I checked and added this listener.
Thanks, Rudy and Osiris.
Then the HTTP was being served by the default block.
Which simply sent all HTTP to HTTPS [except challenge locations - which it sent elsewhere].
Another reason to keep port 80 open and each server block using it.
Cheers from Miami
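The manual test used in this thread (put a file under .well-known/acme-challenge/ in the webroot, then fetch it over plain HTTP at the exact path) written as a script. This is an added example, not code from the thread; the function name check_http01 and its port parameter are assumptions made for illustration.

```python
"""HTTP-01 pre-flight: place a token under the webroot and fetch it over
plain HTTP at the exact challenge path (added example, not from the thread)."""
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_http01(host, webroot, port=80, timeout=10):
    """Return (ok, detail). `port` is only a parameter so the check can be
    pointed at a test server; a real challenge always arrives on port 80."""
    token = "preflight-" + secrets.token_hex(8)
    body = secrets.token_hex(16)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    # Exactly one slash after the host: with "//" the request may not match
    # the server's challenge-path rule and a different code path is tested.
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    # Ignore proxy settings so the web server itself is what gets tested.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        # Redirects are followed, but the first request is always plain HTTP.
        with opener.open(url, timeout=timeout) as resp:
            got, final = resp.read().decode("utf-8", "replace"), resp.geturl()
        if got == body:
            return True, f"token served (final URL {final})"
        return False, f"wrong content at {final}: another root answered"
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except OSError as exc:  # URLError, refused connection, timeout
        return False, f"connection failed: {exc}"
    finally:
        path.unlink(missing_ok=True)  # delete the token, keep the directory


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <host> <webroot>")
    ok, detail = check_http01(sys.argv[1], sys.argv[2])
    print("PASS" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

A 404 here while the HTTPS URL works is the situation seen in this thread: the port-80 request is being answered by a different block than the one that owns the webroot.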