Issue when trying to install SSL


#1

My domain is: aqaj.org

I ran this command: sudo certbot --apache -d aqaj.org

Output:
"Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aqaj.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. aqaj.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://aqaj.org/.well-known/acme-challenge/Q6MkISlID_N1xaOd6SdPLx4AUD6wEFzMSJZZ0i_Ou5s: “\r\n\r\n\r\n\t\r\n\tAccueil Association Qu\xe9b\xe9coise des Administrat”

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: aqaj.org
Type: unauthorized
Detail: Invalid response from
http://aqaj.org/.well-known/acme-challenge/Q6MkISlID_N1xaOd6SdPLx4AUD6wEFzMSJZZ0i_Ou5s:
“\r\n\r\n\r\n\t\r\n\tAccueil Association Québécoise
des Administrat”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal."

When I ping aqaj.org, it resolves to the correct DNS (my droplet).

My web server is (include version): apache

The operating system my web server runs on is (include version): linux ubuntu 14.04

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

It seems certbot is having trouble placing the challenge file in the correct folder.
Please place a test.txt file as:
http://aqaj.org/.well-known/acme-challenge/test.txt


#3

Hi @Zonesportive

additional:

Your webserver sends an unexpected HTTP status 200 when fetching a non-existent file.

And these answers don't send headers, while your main domains are sending headers.

Perhaps there is an internal redirect which is wrong.
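The two checks suggested in posts #2 and #3 (can a test file under /.well-known/acme-challenge/ be fetched back, and does an unknown name there return 404 rather than the front page) can be scripted before running certbot. The following is an added example, not code from the thread or from Certbot: it writes a throw-away, extension-less token into a webroot, fetches it over HTTP, and then fetches a name that does not exist. The `demo()` helper spins up a local throw-away server so the check runs offline; the `CatchAllHandler` and its "Accueil" front page are constructed to mimic a rewrite rule that swallows every request, which is the symptom shown in post #1.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"

# Direct connections only: ignore any http_proxy in the environment so the
# check really talks to the server that certbot's validator will talk to.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url):
    """GET url and return (status, body); 4xx/5xx are returned, not raised."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preflight(base_url, webroot):
    """Write a throw-away token under webroot and see how the server answers.

    Returns a dict with two booleans:
      token_served   - the token file came back verbatim with HTTP 200
      missing_is_404 - an unknown name under the challenge path gets a 404
    Both should be True before pointing certbot's webroot plugin at webroot.
    """
    token = secrets.token_urlsafe(32)          # 43 chars, no extension, like an ACME token
    body = token + ".constructed-thumbprint"   # stand-in for a real key authorization
    chall_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(chall_dir, exist_ok=True)
    token_file = os.path.join(chall_dir, token)
    with open(token_file, "w", encoding="utf-8") as fh:
        fh.write(body)
    try:
        status, got = fetch(f"{base_url}/{CHALLENGE_PATH}/{token}")
        token_served = status == 200 and got.strip() == body
        # Nobody ever asks for this name; a 200 here means a catch-all
        # rewrite is answering instead of the filesystem (post #3).
        missing = secrets.token_urlsafe(32)
        missing_status, _ = fetch(f"{base_url}/{CHALLENGE_PATH}/{missing}")
        missing_is_404 = missing_status == 404
    finally:
        os.remove(token_file)
    return {"token_served": token_served, "missing_is_404": missing_is_404}


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from a directory; 404 for anything that does not exist."""

    def log_message(self, *args):  # keep demo output clean
        pass


class CatchAllHandler(QuietHandler):
    """Models a rewrite that sends every request to the site's front page."""

    HOMEPAGE = b"<html><body>Accueil (constructed front page)</body></html>"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.HOMEPAGE)))
        self.end_headers()
        self.wfile.write(self.HOMEPAGE)


def demo(catch_all=False):
    """Run preflight against a local throw-away server; returns its dict."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(
            CatchAllHandler if catch_all else QuietHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            return preflight(f"http://127.0.0.1:{port}", webroot)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print("correct webroot, no catch-all:", demo())
    print("catch-all rewrite in front:   ", demo(catch_all=True))
```

Against a real site, call `preflight("http://aqaj.org", "/path/to/webroot")` on the server itself; a `token_served` of False with `missing_is_404` also False is the catch-all-rewrite case from post #1, while `token_served` False with `missing_is_404` True means the directory being written to is not the one the vhost serves (the 404 case from post #9).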


#4

I do have an .htaccess file:

Options All -Indexes

# Deny access to .htaccess
<Files .htaccess>
 order allow,deny
 deny from all
 satisfy all
</Files>

# Deny access to php.ini
<Files php.ini>
 order allow,deny
 deny from all
 satisfy all
</Files>

# Deny access to php_error.log
<Files php_error.log>
 order allow,deny
 deny from all
 satisfy all
</Files>

RewriteEngine on
RewriteBase /

# Prevent any kind of looping:
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]

# Rewrite links to index.php
# RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?uri=$1 [L]

How should I edit this file to accommodate Let's Encrypt and redirect all traffic to https?


#5

Try this
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
above:
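Putting the rule from post #5 into the file from post #4 gives the ordering below. This is an added example, not a file from the thread or from Certbot: the ACME pass-through sits before the `index.php` catch-all so the challenge path is never rewritten, and the HTTPS redirect the poster asked for is left commented out because, as post #6 says, it only makes sense once a certificate is installed. The `<Files>` deny blocks from the original file are unchanged and omitted here for brevity.

```apache
Options All -Indexes

RewriteEngine on
RewriteBase /

# 1. Let ACME HTTP-01 requests through untouched, before any other rule.
#    "-" means no substitution and [L] ends rewriting for this request.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# 2. Redirect everything else to HTTPS. Uncomment only after certbot has
#    succeeded; the challenge path above is already excluded, so renewals
#    over plain HTTP keep working.
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 3. Prevent any kind of looping (unchanged from the original file)
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]

# 4. Front-controller rewrite, only for paths that are not real files or
#    directories (unchanged from the original file)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?uri=$1 [L]
```

Rule 4 still answers 200 for any unknown path outside the challenge directory, which is the behaviour post #3 objects to; rule 1 only guarantees that the validator's request reaches the filesystem so that a present token is served and an absent one yields Apache's own 404.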


#6

Your https doesn’t work. So before you add a redirect you should install a certificate.

Or is this only an internal visible site?


#7

The htaccess redirection is used for internal website structure purposes. It transforms all URLs into GET requests. It does not, as of now, redirect to https.

Since you said:

I am wondering how to edit my current htaccess file to solve the issue and allow let’s encrypt to work properly.

I understand that when let’s encrypt will be functioning properly, I’ll have to edit again my htaccess to redirect http traffic to https.


#8

That's the most irrelevant thing.

If someone wants to get a non-existent file, a webserver should send a 404, not a 200 status.

But the other things (certificate and redirect) are much more important.


#9

I tried what you guys suggested. I removed all redirections in htaccess and virtual host files, and was able to access a test file placed at http://aqaj.org/.well-known/acme-challenge/test.txt.

However, I keep getting the following error:

certbot --apache -d aqaj.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aqaj.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. aqaj.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://aqaj.org/.well-known/acme-challenge/mNVPie10PNzV8ojgxDs8510fgUiaa_Qb1s9Oy6Cxxi0: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: aqaj.org
   Type:   unauthorized
   Detail: Invalid response from
   http://aqaj.org/.well-known/acme-challenge/mNVPie10PNzV8ojgxDs8510fgUiaa_Qb1s9Oy6Cxxi0:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

What is causing the issue?

Could it have to do with the fact that my website root is not located in /var/www/html?


#10

Did you delete the file?
I can’t access it.


#11

If you can load your file, you have found your correct webroot. So use this information to split authenticator and installation.

certbot run -a webroot -i apache -w pathToYourWebroot -d aqaj.org

That may be part of the problem. But if you have your correct webroot, you can use it.

PS: The file is without extension, so try 1234 as file name, not 1234.txt. Sometimes redirect rules have a different behaviour if the file has an extension or not.


#12

Would one of you be kind enough to help me solve this live tonight? I could give you root access to my server. My skype is yannick.v2


#13

Your Apache configuration should have a VirtualHost:

<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

"DocumentRoot" is the parameter Certbot wants to have as the -w parameter.