Invalid response?

mkdir /ACMEchallenges/
[literally on its’ own - away from all other folders]

then
chgrp root /ACMEchallenges/
chown root /ACMEchallenges/

1 Like

done

so how do i tell it now to use that folder for the challenge? do i need to give that folder www access?

1 Like

Although this can be done in several way, I prefer to use a “global” setting (alias).
Like [add to main conf file]:

<IfModule alias_module>
 Alias /.well-known/acme-challenge/ /ACMEchallenges/
</IfModule>

Maybe…
Let’s try it like that first.

1 Like

ok so ive done that and added the line to the alias.conf file. need to reboot apache before we try this?

1 Like

yes.

then also place a test text file in that new folder.
You should be able to access it via:
http://any.of.your.domains/.well-known/acme-challenge/testfile

If that fails, then perhaps “jabba” needs access to it…

2 Likes

same error as when we started.


Jabba@HanSolo:/ $ sudo apache2ctl restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Jabba@HanSolo:/ $ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain bobsberriesfl.com
Challenge failed for domain www.bobsberriesfl.com
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://bobsberriesfl.com/.well-known/acme-challenge/G6x7-HTpSHOlZV2hjLf0vuPDneIfbftZSl7j3-WgqpY
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.bobsberriesfl.com/.well-known/acme-challenge/FWCkfoBUtPiupAuX0a9xwxatxZ_2JtHBR0YoEMXzdSg
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Jabba@HanSolo:/ $
1 Like

when i type the URL in
http://bobsberriesfl.com/.well-known/acme-challenge/test.txt

this is what i get

Forbidden
You don't have permission to access this resource.

Apache/2.4.10 (Raspbian) Server at bobsberriesfl.com Port 80
1 Like

We need to include a <directory> statement.

Like [in the main conf file]:

	<Directory /ACMEchallenges>
		Options FollowSymLinks
		AllowOverride None
		Order Deny,Allow
		Allow from All
	</Directory>
1 Like

yep i replied with that info at the same time you posted this.

im gonna need to move the folder then i think into the WWW directory. where it sits currently is outside the reach of the apache directive

I don’t understand this…
But it is your system, so, do whatever you think you have to do to get this to work (securely).
[I’m only here to give pointers, advice, and suggestions - I don’t preach Gospel]

ok added the directive into the apache2.conf file

lets see what it does. did not move the folder yet. wasnt sure you could give apache access to various folders throughout the system. you know better than me though im sure.

so far looking like same error. im rebooting the server again.

1 Like

When we finish all this, you may also have to deal with this:
image

[a completely separate issue - not related to obtaining, nor using, an LE cert]

1 Like

Try [giving multiple users owner rights]:
chown -R root:jabba /ACMEchallenges
or maybe…
chown -R root:users /ACMEchallenges

[no need to restart anything]

what the hell is that about now? fuck

Deal with that later.

1 Like

I think this local setting is overriding our global setting:

Which denies all access to the “/” root folder.
Try placing the directory statement in each vhost section.

1 Like

yeah this is still generating the same failure. tried both


Jabba@HanSolo:/etc/apache2 $ sudo chown -R root:Jabba /ACMEchallenges
Jabba@HanSolo:/etc/apache2 $ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain bobsberriesfl.com
Challenge failed for domain www.bobsberriesfl.com
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://bobsberriesfl.com/.well-known/acme-challenge/ThJUoDqnWcqm2ye2NIEeD639NHHiKq_brjuxHpjvnPI
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.bobsberriesfl.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.bobsberriesfl.com/.well-known/acme-challenge/O6q4cAfy-9gEF462QiNN3qc9GOmFTXxv_BHSDH9U30I
   [47.196.3.41]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Jabba@HanSolo:/etc/apache2 sudo chown -R root:users /ACMEchallenges Jabba@HanSolo:/etc/apache2 sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1 2
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.
Jabba@HanSolo:/etc/apache2 $

1 Like

Ok stop trying yo get a cert [you will hit a limit soon].
You need to FIRST get access to that test file from the Internet.
And I spoke too late…

curl -Iki http://bobsberriesfl.com/.well-known/acme-challenge/test.txt
HTTP/1.1 403 Forbidden <<<<<<<<<<<<<<<<<<<<<< NO BUENO !!!!!!!!!!!!
Date: Sat, 22 Feb 2020 02:17:06 GMT
Server: Apache/2.4.10 (Raspbian)
Content-Type: text/html; charset=iso-8859-1
1 Like