Invalid response?

mkdir /ACMEchallenges/
[literally on its own - away from all other folders]

then
chgrp root /ACMEchallenges/
chown root /ACMEchallenges/

2 Likes

done

So how do I tell it now to use that folder for the challenge? Do I need to give that folder www access?

1 Like

Although this can be done in several ways, I prefer to use a "global" setting (alias).
Like [add to main conf file]:

<IfModule alias_module>
 Alias /.well-known/acme-challenge/ /ACMEchallenges/
</IfModule>

Maybe...
Let's try it like that first.

2 Likes

OK so I've done that and added the line to the alias.conf file. Need to reboot apache before we try this?

1 Like

yes.

then also place a test text file in that new folder.
You should be able to access it via:
http://any.of.your.domains/.well-known/acme-challenge/testfile

If that fails, then perhaps "jabba" needs access to it...

3 Likes

same error as when we started.


Jabba@HanSolo:/ $ sudo apache2ctl restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Jabba@HanSolo:/ $ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain bobsberriesfl.com
Challenge failed for domain www.bobsberriesfl.com
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://bobsberriesfl.com/.well-known/acme-challenge/G6x7-HTpSHOlZV2hjLf0vuPDneIfbftZSl7j3-WgqpY
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.bobsberriesfl.com/.well-known/acme-challenge/FWCkfoBUtPiupAuX0a9xwxatxZ_2JtHBR0YoEMXzdSg
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Jabba@HanSolo:/ $
1 Like

when i type the URL in
http://bobsberriesfl.com/.well-known/acme-challenge/test.txt

this is what i get

Forbidden
You don't have permission to access this resource.

Apache/2.4.10 (Raspbian) Server at bobsberriesfl.com Port 80
1 Like

We need to include a <directory> statement.

Like [in the main conf file]:

	<Directory /ACMEchallenges>
		Options FollowSymLinks
		AllowOverride None
		Order Deny,Allow
		Allow from All
	</Directory>
2 Likes

Yep, I replied with that info at the same time you posted this.

I'm gonna need to move the folder then I think into the WWW directory. Where it sits currently is outside the reach of the apache directive.

I don't understand this...
But it is your system, so, do whatever you think you have to do to get this to work (securely).
[I'm only here to give pointers, advice, and suggestions - I don't preach Gospel]

1 Like

OK, added the directive into the apache2.conf file.

Let's see what it does. Did not move the folder yet. Wasn't sure you could give apache access to various folders throughout the system. You know better than me though, I'm sure.

So far looking like the same error. I'm rebooting the server again.

1 Like

When we finish all this, you may also have to deal with this:
[image]

[a completely separate issue - not related to obtaining, nor using, an LE cert]

2 Likes

Try [giving multiple users owner rights]:
chown -R root:jabba /ACMEchallenges
or maybe…
chown -R root:users /ACMEchallenges

[no need to restart anything]

1 Like

what the hell is that about now? fuck

Deal with that later.

2 Likes

I think this local setting is overriding our global setting:

Which denies all access to the "/" root folder.
Try placing the directory statement in each vhost section.

2 Likes

Yeah, this is still generating the same failure. Tried both:


Jabba@HanSolo:/etc/apache2 $ sudo chown -R root:Jabba /ACMEchallenges
Jabba@HanSolo:/etc/apache2 $ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain bobsberriesfl.com
Challenge failed for domain www.bobsberriesfl.com
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://bobsberriesfl.com/.well-known/acme-challenge/ThJUoDqnWcqm2ye2NIEeD639NHHiKq_brjuxHpjvnPI
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.bobsberriesfl.com/.well-known/acme-challenge/O6q4cAfy-9gEF462QiNN3qc9GOmFTXxv_BHSDH9U30I
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Jabba@HanSolo:/etc/apache2 $ sudo chown -R root:users /ACMEchallenges
Jabba@HanSolo:/etc/apache2 $ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Please see the logfiles in /var/log/letsencrypt for more details.
Jabba@HanSolo:/etc/apache2 $

1 Like

OK, stop trying to get a cert [you will hit a limit soon].
You need to FIRST get access to that test file from the Internet.
And I spoke too late…

curl -Iki http://bobsberriesfl.com/.well-known/acme-challenge/test.txt
HTTP/1.1 403 Forbidden <<<<<<<<<<<<<<<<<<<<<< NO BUENO !!!!!!!!!!!!
Date: Sat, 22 Feb 2020 02:17:06 GMT
Server: Apache/2.4.10 (Raspbian)
Content-Type: text/html; charset=iso-8859-1
2 Likes
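Pulling the thread's advice together (the Alias and Directory blocks, the chown attempts, and "get the test file from the Internet first"), here is an added shell example that is not code from any of the posters. It prints the Alias plus Directory block in Apache 2.4's Require syntax (the Order/Allow lines above are 2.2 syntax that only works through mod_access_compat) and checks the mode bits along the path to a test file, because a 403 also appears when the Apache worker cannot traverse the directory. The directory name /ACMEchallenges comes from the thread; that the worker runs as a user such as www-data, which is neither the owner nor in the group of that directory, is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the challenge directory is
# /ACMEchallenges and that the Apache worker runs as a user (e.g. www-data)
# that is neither the owner nor in the group of that directory, so only the
# "other" permission bits matter.

# Print an Apache 2.4 snippet mapping the ACME URL prefix onto the directory.
# "Require all granted" is the 2.4 form; "Order Deny,Allow / Allow from All"
# is 2.2 syntax that only works through mod_access_compat.
acme_alias_conf() {
    cat <<EOF
Alias /.well-known/acme-challenge/ $1/
<Directory $1>
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Return 0 if every directory between TOP (default /) and FILE is searchable
# by "other" and FILE is readable by "other"; otherwise print the first
# offending path and return 1. Mode bits are read with stat rather than
# "test -x" because test -x always succeeds when run as root via sudo.
# ACLs and SELinux contexts are not considered.
check_challenge_path() {
    file=$1
    top=${2:-/}
    dir=$(dirname "$file")
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
        mode=$(stat -c '%a' "$dir")
        case "$mode" in
            *[1357]) ;;   # last octal digit carries the x bit for "other"
            *) echo "not traversable by others: $dir (mode $mode)"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        *[4567]) return 0 ;;
        *) echo "not readable by others: $file (mode $mode)"; return 1 ;;
    esac
}

# Usage on the real box (Debian/Raspbian layout assumed), uncomment to run:
# acme_alias_conf /ACMEchallenges > /etc/apache2/conf-available/acme.conf
# a2enconf acme && apache2ctl graceful
# check_challenge_path /ACMEchallenges/test.txt && echo "path ok, now curl it"
```

Only after check_challenge_path passes and curl returns 200 for the test file is it worth running certbot again, which also avoids burning through the failed-authorization rate limit seen above.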