Invalid response from acme-challenge

Hello,
I have a running website on my Ubuntu server, with Apache. But when I try to get a Let's Encrypt certificate, I always run into an error. My ports are open:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

My domain is:

cloud.antoinestocker.ch

I ran this command:

sudo certbot certonly --webroot -w /var/www/owncloud -d cloud.antoinestocker.ch

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for cloud.antoinestocker.ch

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: cloud.antoinestocker.ch
Type: unauthorized
Detail: 178.192.222.220: Invalid response from http://cloud.antoinestocker.ch/.well-known/acme-challenge/PJZiPtDTTmmZvhzZU6-w3qqw1-6iTOLEFQoTFoIQetA: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Apache

The operating system my web server runs on is (include version):

Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

What webserver are you using for OwnCloud? I don't see any server header, it doesn't look like Apache. Maybe nginx, but something is in front of it stripping the Server response header?

How are you determining the /var/www/owncloud path?

4 Likes

Here is my cloud_drosera.conf, under sites-available:

<VirtualHost *:80>
    ServerName cloud.antoinestocker.ch

    ServerAdmin antoine.stocker@drosera-vs.ch
    DocumentRoot /var/www/owncloud

    <Directory /var/www/owncloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/cloud_drosera_error.log
    CustomLog /var/log/apache2/cloud_drosera_access.log combined
</VirtualHost>

As you can see, it is Apache, not Nginx.

You can also see that the path is /var/www/owncloud

I mean, yeah, but:

$ nc cloud.antoinestocker.ch 80
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Date: Mon, 12 Jun 2023 22:00:13 GMT
Content-Type: text/html
Content-Length: 138
Connection: close
Location: http://_:5000/

<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Do you have a reverse proxy in front of Apache?

4 Likes

Yes, sorry! I have a Synology NAS that redirects

  • cloud.antoinestocker.ch:80 to localIP.Ubuntuserver:80
  • cloud.antoinestocker.ch:443 to localIP.Ubuntuserver:443

Could you post the .htaccess file from /var/www/owncloud?

I wonder if there are some rules in there which prevent access to dot-directories (like .well-known), even if they exist on the filesystem.

4 Likes

Wait, I think your Synology NAS is intercepting the request.

Open up http://cloud.antoinestocker.ch/.well-known/acme-challenge/PJZiPtDTTmmZvhzZU6-w3qqw1-6iTOLEFQoTFoIQetA in your browser.

Understandably, it's a 404.

However, it should be a 404 served by Apache. Instead, it's served directly by the Synology webserver.

If you slightly change the URL, it gets served by Apache: http://cloud.antoinestocker.ch/.well-known/xacme-challenge/PJZiPtDTTmmZvhzZU6-w3qqw1-6iTOLEFQoTFoIQetA

Is there a way you can change the Synology webserver to not intercept this request?

4 Likes
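The check in this post (the real acme-challenge URL versus a one-character-off control URL, and looking at which software produced the 404) can be scripted. The following is an added example, not code from the thread, from Certbot or from Synology: it fingerprints each response by its Server header or, when that header has been stripped as it is here, by the nginx and Apache error-page signatures, and reports whether the two paths were answered by different software. The host name, the probe token, the sample responses and the Apache version string in them are constructed for the example.

```python
"""Added example (not from the original thread or from Certbot): tell whether
an HTTP-01 challenge path is answered by the backend web server or swallowed
by a device in front of it, by comparing the real /.well-known/acme-challenge/
path with a one-character-off control path."""
import sys
import http.client
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
CONTROL_PREFIX = "/.well-known/xacme-challenge/"   # one character off, as in the thread


def fingerprint(status, headers, body):
    """Best-effort label for the software that produced a response.

    Prefers the Server header (Apache sends one by default); falls back to
    the error-page signatures nginx and Apache emit when the header has been
    stripped, as the Synology front end in the thread does. Header names are
    compared case-insensitively."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    server = hdrs.get("server", "")
    if server:
        return server.split("/")[0].strip().lower()   # 'Apache/2.4.52 (Ubuntu)' -> 'apache'
    text = body.decode("latin-1", "replace") if isinstance(body, bytes) else body
    low = text.lower()
    if "<center>nginx</center>" in low:
        return "nginx"
    if "<address>apache" in low:
        return "apache"
    return "unknown"


def classify(challenge, control):
    """Compare the response for the real challenge path with the control path.

    Each argument is a (status, headers, body) tuple. Returns:
      'intercepted'  - different software answered the two paths, so something
                       in front of the backend handles /.well-known/acme-challenge/
                       itself (the failure mode in the thread)
      'same-handler' - the same software answered both, so the challenge path is
                       treated like any other path on the host
      'inconclusive' - neither response could be attributed to a server"""
    fc, fx = fingerprint(*challenge), fingerprint(*control)
    if fc != fx:
        return "intercepted"
    if fc == "unknown":
        return "inconclusive"
    return "same-handler"


def fetch(url, timeout=10):
    """Plain HTTP GET without following redirects; returns (status, headers, body)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.hostname, "User-Agent": "acme-path-probe"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read(4096)
    finally:
        conn.close()


def probe(host, token="probe-token-not-a-real-challenge"):
    """Live check against a host you operate; the token is a made-up placeholder."""
    challenge = fetch(f"http://{host}{ACME_PREFIX}{token}")
    control = fetch(f"http://{host}{CONTROL_PREFIX}{token}")
    return classify(challenge, control), fingerprint(*challenge), fingerprint(*control)


# Constructed sample responses, modelled on the nginx page in the thread's nc
# output and on Apache's default error page; not captured from any live host.
NGINX_404 = (404, {"Content-Type": "text/html"},
             b"<html><head><title>404 Not Found</title></head><body>"
             b"<center><h1>404 Not Found</h1></center><hr><center>nginx</center>"
             b"</body></html>")
APACHE_404 = (404, {"Server": "Apache/2.4.52 (Ubuntu)", "Content-Type": "text/html"},
              b"<address>Apache/2.4.52 (Ubuntu) Server at cloud.example Port 80</address>")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        verdict, on_challenge, on_control = probe(sys.argv[1])
        print(f"{verdict}: challenge path answered by {on_challenge}, control path by {on_control}")
    else:
        print("offline demo:", classify(NGINX_404, APACHE_404))   # intercepted
```

Run it as `python3 probe.py cloud.example.test` against a host you administer; an `intercepted` verdict with `nginx` on the challenge path and `apache` on the control path is exactly the situation diagnosed above, and means fixing .htaccess cannot help because Apache never sees the request. The Server-header fingerprint is only a heuristic: hosts that set ServerTokens to hide it fall back to the error-page match, and the classifier says `inconclusive` rather than guessing.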

Here is the .htaccess:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header      unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    Header      unset X-XSS-Protection
    Header always set X-XSS-Protection "0"
    Header      unset X-Robots-Tag
    Header always set X-Robots-Tag "none"
    Header      unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
    Header      unset X-Download-Options
    Header always set X-Download-Options "noopen"
    Header      unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Let browsers cache CSS, JS files for half a year
  <FilesMatch "\.(css|js)$">
    Header      unset Cache-Control
    Header always set Cache-Control "max-age=15778463"
  </FilesMatch>
  
  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff$">
    Header      unset Cache-Control
    Header always set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

<IfModule mod_php5.c>
    php_value always_populate_raw_post_data -1
    php_value upload_max_filesize 513M
    php_value post_max_size 513M
    php_value memory_limit 512M
    php_value mbstring.func_overload 0
    php_value default_charset 'UTF-8'
    php_value output_buffering 0
    <IfModule mod_env.c>
      SetEnv htaccessWorking true
    </IfModule>
</IfModule>

<IfModule mod_php7.c>
    php_value upload_max_filesize 513M
    php_value post_max_size 513M
    php_value memory_limit 512M
    php_value mbstring.func_overload 0
    php_value default_charset 'UTF-8'
    php_value output_buffering 0
    <IfModule mod_env.c>
      SetEnv htaccessWorking true
    </IfModule>
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
  RewriteRule ^core/signature\.json - [R=404,L]
  RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //core/templates/403.php
ErrorDocument 404 //core/templates/404.php

And I didn't find a way to stop the Synology from intercepting this request...

Then you'll probably have to use the DNS challenge instead.

My Certbot plugin here supports Infomaniak, which is who you have your DNS hosted with.

4 Likes

Wouldn't it be possible to add the « x » in the .htaccess file under a RewriteRule?

No, because the request never reaches the Apache server. Whatever you have configured in .htaccess has no effect. It hits the Synology webserver and stops.

Unless you can get the Synology server to pass off the request to Apache, you can't use the HTTP challenge.

3 Likes

OR
Reverse the proxy order:

  • now: NAS proxies to the web server
  • proposed: web server proxies to the NAS

2 Likes
