I try to generate the (staging) certificate using a script that executes this command: ./letsencrypt-auto certonly --non-interactive --staging --break-my-certs --force-renewal --agree-tos --email=my@email.here --webroot -w /var/www -d disc-pre.upcnet.es
There is a rewrite rule from HTTP to HTTPS in the config file. I think LE follows redirects, so I don’t see a problem here. In the 443 config there is another redirect like: RedirectMatch ^/$ /owncloud/
That I guess is not a problem since we can check the test URL I just gave you, correct me if I’m wrong.
This is the access log related information where we see the different behaviours:

$ cat /var/log/apache2/access.log | fgrep .well-known
66.133.109.36 - - [17/Mar/2016:13:07:59 +0100] "GET /.well-known/acme-challenge/i4fdweYhip5Y6atva4-5WfMQ38eYS-R052c-ttPi6Kc HTTP/1.1" 302 721 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
85.17.24.67 - - [17/Mar/2016:11:26:32 +0100] "GET /.well-known/test.html HTTP/1.1" 200 5979 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
Any hint, guys? If you need any additional information just tell me.
Thank you in advance.
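The two log lines above show the difference between a plain file under /.well-known/ (200) and the ACME challenge request (302, answered with a redirect). As an added example, not part of this post, here is a small Python audit that parses Apache combined-format lines, picks out the acme-challenge requests and explains what each status means for http-01 validation. The sample lines are constructed after the ones quoted in the thread (the third line, with its 203.0.113.5 client and token, is invented); the field layout is the standard combined log format.

```python
"""Constructed example: scan Apache combined-format access-log lines for ACME http-01 requests."""
import re

# Combined log format: client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Explain what the HTTP status on a challenge request means for validation."""
    s = rec["status"]
    if s == 200:
        return "ok"
    if s in (301, 302, 307, 308):
        return "redirect: the redirect target must serve the token (and present a usable cert if HTTPS)"
    if s in (401, 403):
        return "blocked: an auth or access rule covers /.well-known"
    if s == 404:
        return "missing: token not found under the webroot given with -w"
    return f"unexpected status {s}"


def audit_challenges(lines):
    """Return one finding per acme-challenge request seen in the log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue  # not parseable, or not a challenge request
        findings.append({
            "client": rec["client"],
            "token": rec["path"][len(CHALLENGE_PREFIX):],
            "status": rec["status"],
            "from_le": "Let's Encrypt validation server" in rec["agent"],
            "verdict": classify(rec),
        })
    return findings


# Constructed sample lines modelled on the ones in the thread; Apache writes straight quotes.
SAMPLE_LOG = [
    '66.133.109.36 - - [17/Mar/2016:13:07:59 +0100] "GET /.well-known/acme-challenge/i4fdweYhip5Y6atva4-5WfMQ38eYS-R052c-ttPi6Kc HTTP/1.1" 302 721 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '85.17.24.67 - - [17/Mar/2016:11:26:32 +0100] "GET /.well-known/test.html HTTP/1.1" 200 5979 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"',
    # invented success case: same validator user agent, token served directly with 200
    '203.0.113.5 - - [17/Mar/2016:13:08:01 +0100] "GET /.well-known/acme-challenge/ExampleTokenConstructed HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
]

if __name__ == "__main__":
    for f in audit_challenges(SAMPLE_LOG):
        who = "LE validator" if f["from_le"] else f["client"]
        print(f'{who}: token {f["token"][:12]}... -> {f["status"]} ({f["verdict"]})')
```

Run against a real log with `audit_challenges(open("/var/log/apache2/access.log"))`; the test.html request is deliberately ignored because it is not under the acme-challenge prefix, so the audit only reports what the validator actually fetched.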
Redirects should work fine, and IIRC self-signed certificates should also work for http-01.
The only thing I noticed is that your site is currently using a SHA-1 certificate expiring after 2017, which some browser vendors treat as untrusted. I suppose it’s possible that the CA server is refusing to connect because of that, but that’s just a long shot and I haven’t seen that issue come up before. If nothing else comes up, try using a self-signed SHA-2 certificate instead (I think that’s -sha256 with openssl).
Thanks for your quick response.
I see your point there. Since this is not a production site, I will generate a self-signed SHA256 certificate and try it again. I must go now, but you will have news about this tomorrow morning.
In the meantime, if someone has any other ideas I’d like to hear them, just in case it is not about the SHA1 thing.
I will describe the steps I followed because they could be useful for other people:
I generated a self-signed certificate using openssl:
openssl req -x509 -nodes -days 1460 -newkey rsa:2048 \
  -keyout disc-pre.upcnet.es.key \
  -out disc-pre.upcnet.es.crt
I commented out the lines related to the previous certificate and included the self-signed certificate and the private key. After that I just reloaded Apache, checked that I now got a certificate warning (which means the self-signed cert is in place), and ran my script the same way I tried yesterday.
I forgot to remove the debug flags, so I got an unexpected error (because the CA was “happy hacker fake CA” :P) but after removing them, I just changed the config to the cert, pk, chain of LE and now it works like a charm!
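The fix above came down to replacing a SHA-1-signed certificate with a SHA-256-signed one, which is easy to confirm with `openssl x509 -in disc-pre.upcnet.es.crt -noout -text` (look at the "Signature Algorithm" line). As an added example, not part of this thread, the Python below does the same check without OpenSSL by walking the outer DER structure of a certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and reporting the signatureAlgorithm OID; it accepts PEM or DER and flags SHA-1 signatures. The sample certificates it builds are constructed stand-ins with a stub tbsCertificate and signature, not real certificates; only the signatureAlgorithm field is meaningful.

```python
"""Constructed example: report the signatureAlgorithm of a DER/PEM certificate and flag SHA-1."""
import base64

# Well-known signatureAlgorithm OIDs (RFC 8017 for RSA, RFC 5758 for ECDSA)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text):
    """Strip PEM armour and base64-decode the body."""
    body = [l.strip() for l in text.strip().splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def signature_algorithm(cert):
    """Return the signatureAlgorithm name (or raw OID) of a PEM or DER certificate."""
    if isinstance(cert, str) or cert.startswith(b"-----"):
        cert = pem_to_der(cert if isinstance(cert, str) else cert.decode())
    tag, body, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)               # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)             # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid, _ = read_tlv(alg, 0)              # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def is_weak_signature(cert):
    """True when the certificate is signed with SHA-1 (RSA or ECDSA)."""
    return signature_algorithm(cert) in WEAK


# --- constructed sample certificates (stub contents, only signatureAlgorithm is real) ---
def der_tlv(tag, body):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return der_tlv(0x06, out)


def make_sample_cert(sig_oid):
    """Certificate-shaped DER: stub tbs, real AlgorithmIdentifier, stub 256-byte signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x02"))               # stub tbsCertificate
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")       # OID + NULL parameters
    sig = der_tlv(0x03, b"\x00" + b"\xff" * 256)              # BIT STRING, forces long-form length
    return der_tlv(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


SHA1_SAMPLE = make_sample_cert("1.2.840.113549.1.1.5")
SHA256_SAMPLE = make_sample_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, c in (("sha1 sample", SHA1_SAMPLE), ("sha256 sample", SHA256_SAMPLE)):
        print(name, signature_algorithm(c), "WEAK" if is_weak_signature(c) else "ok")
```

On a real file, `is_weak_signature(open("disc-pre.upcnet.es.crt", "rb").read())` returns True for the kind of SHA-1 certificate the reply above describes and False for the SHA-256 one generated with the openssl command. The parser only reads the outer structure, so it works for any X.509 certificate regardless of the extensions inside tbsCertificate.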