Issue with acme challenging

Yes, I’m going to do this.
Regarding rewrite rules, I don’t have any of my own for this server, and I installed LE from GitHub.
… and I just found that a Debian package named dehydrated exists!

Well,
I can't manage to do it.
Something is curious: the directories are owned by root.

ls -ali /var/lib/letsencrypt

3801125 drwxr-x--- 4 root root 4096 août 15 18:36 .
3670018 drwxr-xr-x 82 root root 4096 juil. 28 13:36 ..
3801925 drwxr-x--- 3 root root 4096 mai 5 2016 backups
3802591 drwxr-xr-x 2 root root 4096 août 15 21:11 http_challenges

So I did this (I presume that www-data, the httpd user, must get R/W rights):

chgrp -R www-data /var/lib/letsencrypt

chmod g+w -R /var/lib/letsencrypt

then I add what is created by certbot into the VHost conf:

  Alias /.well-known /www/.well-known
  <Location /.well-known/acme-challenge>
    Require all granted
  </Location>

  <Directory /var/lib/letsencrypt/http_challenges>
    Require all granted
  </Directory>

but I was unable to get the test file from this new location

I also tried the following command, without success:

# ./letsencrypt-auto --test-cert --webroot-path /www/.well-known/acme-challenge --apache certonly -d phlinux.ovh

This may be wrong:

Your webroot-path is /www

.well-known/acme-challenge/ is added if it does not exist.

Perhaps define explicit --webroot as authenticator. I don't know how the combination of --apache + --webroot-path is used.


I just used
# ./letsencrypt-auto --test-cert --webroot-path /www --apache certonly -d phlinux.ovh
but got the same result.
I really don’t understand what happens.
I’m going to stop that for tonight and will do some tries tomorrow.
As there is a Debian package, I will clean up everything I did and try with the official packages.
Maybe it will point me to where my error is?
Anyway thank you to all of you for attention and time to help.
I’ll post my results.

--webroot-path is completely ignored by --apache and is only used by --webroot (or -a webroot). --apache will try to make changes to the existing Apache configuration that don't rely on or use the existing webroot at all.


Thanks.

So @PhLinuX - you should use

./letsencrypt-auto --test-cert --webroot --webroot-path /www certonly -d phlinux.ovh

Another option is to use the webroot authenticator and the Apache installer, assuming it can parse your configs well enough to apply the certificates:

./letsencrypt-auto --test-cert -i apache -a webroot --webroot-path /www certonly -d phlinux.ovh

I tried this syntax but no success

Then you may have a great bug in your system.

The http-01 challenge needs a file, the webroot option defines the root.

So the file should be at the right place, Letsencrypt should get the file.

If this doesn’t work: Your webroot argument may be wrong, you may have additional redirects or rewrite rules.

Ok,
I decided to remove and clean up everything I did and install the Debian package I found yesterday.
It is named dehydrated.

The dehydrated ACME client allows signing certificates with an ACME server, like the one provided by the Let’s Encrypt certificate authority (letsencrypt.org). It is implemented as a relatively simple Bash script, which uses curl to communicate with the ACME server and OpenSSL to deal with keys, sign requests and certificates.

I installed it and it works!

I noticed that the changes were made mainly in the Apache conf. I suppose that is where my issue was, but the differences I can see don't explain it.
There is a different challenge dir, Options -Indexes instead of Indexes, and a test for module presence.

The install process adds the file /etc/apache2/conf-available/dehydrated.conf containing:

        <IfModule alias_module>
          # Serve ACME challenge responses
          Alias /.well-known/acme-challenge/ /var/lib/dehydrated/acme-challenges/
        </IfModule>
        <Directory /var/lib/dehydrated/acme-challenges/>
          Options FollowSymlinks
          Options -Indexes
          AllowOverride None
          # Apache >= 2.3
          <IfModule mod_authz_core.c>
              Require all granted
          </IfModule>
          # Apache < 2.3
          <IfModule !mod_authz_core.c>
              Order Allow,Deny
              Allow from all
          </IfModule>
        </Directory>

Tomorrow I will test the cert renewal, but I'm quite sure this should be Ok now :slightly_smiling_face:

Again, many thanks to all of you for your time, patience and kind help.
With this issue, I learned a lot of things.

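The reply about the http-01 challenge ("the webroot option defines the root, so the file should be at the right place") and the dehydrated Apache snippet above come down to the same question: is the file the ACME client drops into the challenge directory readable by the web server through the whole directory chain, and is it served at /.well-known/acme-challenge/? The following pre-flight check is an added example; it is not code from the thread, from certbot or from dehydrated. It assumes GNU or BSD find (for -maxdepth and symbolic -perm), curl, and a base URL you supply; the token it writes is a constructed probe value, not a real ACME token.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or dehydrated): pre-flight check
# for an http-01 challenge directory. It places a throw-away token file where
# the ACME client would, verifies that "others" (the httpd user in practice)
# can reach and read it, and optionally fetches it over plain HTTP the way the
# CA's validation server would.

# Constructed probe token in ACME's base64url alphabet (43 characters).
make_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# True when "others" have permission bit BIT (r, w or x) on PATH.
# find is used on purpose: [ -r ] answers for the *current* user, and as root
# it is always true, which hides exactly the problem seen in this thread.
others_have() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o+"$2" 2>/dev/null)" ]
}

# Walk from DIR up to / and report every directory that others cannot search.
# This is what catches a parent such as /var/lib/letsencrypt being
# drwxr-x--- root:root. Returns 1 if any such directory is found.
dir_chain_ok() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot enter: $1" >&2; return 1; }
    rc=0
    while [ "$d" != "/" ] && [ -n "$d" ]; do
        if ! others_have "$d" x; then
            echo "not searchable by others: $d" >&2
            rc=1
        fi
        d=$(dirname "$d")
    done
    return $rc
}

# Write the probe file. Any content works for this test; the point is whether
# the file can be served at all.
place_token() {
    dir=$1; token=$2
    mkdir -p "$dir" || return 1
    printf '%s.probe' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token" || return 1
}

# Fetch the probe over HTTP (port 80 is what http-01 uses) and compare it.
# -L follows redirects, as Let's Encrypt's validation does; if a redirect or
# rewrite rule sends the request elsewhere, the content comparison fails.
fetch_token() {
    base_url=$1; token=$2; expected=$3
    got=$(curl -fsSL --max-time 15 "$base_url/.well-known/acme-challenge/$token") || return 1
    [ "$got" = "$expected" ]
}

# Full check: returns 0 when the probe is world-readable through the whole
# directory chain and, if BASE_URL is given, retrievable over HTTP.
check_challenge_dir() {
    dir=$1; base_url=$2
    token=$(make_token)
    place_token "$dir" "$token" || { echo "cannot write probe into $dir" >&2; return 1; }
    rc=0
    others_have "$dir/$token" r || { echo "probe not world-readable: $dir/$token" >&2; rc=1; }
    dir_chain_ok "$dir" || rc=1
    if [ "$rc" -eq 0 ] && [ -n "$base_url" ]; then
        fetch_token "$base_url" "$token" "$token.probe" || { echo "HTTP fetch of probe failed" >&2; rc=1; }
    fi
    rm -f "$dir/$token"
    return $rc
}

# Usage (replace the placeholder host with your own):
#   check_challenge_dir /www/.well-known/acme-challenge http://YOUR-HOST
#   check_challenge_dir /var/lib/dehydrated/acme-challenges http://YOUR-HOST
```

Run it as root so the `mkdir`/`chmod` steps behave as they would for the ACME client; the permission checks still answer for "others" rather than for root, which is what matters to the httpd worker. A non-zero exit with a "not searchable by others" line points at the directory whose mode needs fixing; a clean local result but a failed HTTP fetch points at the Alias, webroot path, or a redirect/rewrite rule instead.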

I think the issue was in my Apache config, but I didn’t find any evidence.
Maybe cleaning up all my letsencrypt install (and also an old LE not used for a long time) did the trick?
You may have some questions regarding my new dehydrated install … do not hesitate to ask.
(I know how frustrating it is when one fixes an error and can’t find exactly where it was.)
Many thanks for your help.


Happy to hear that it works now.

Sometime it’s better to start again :wink:

