Hello everybody,
today I tried to set up my first Let’s Encrypt cert with my server using the webroot method, as I already have a completely configured apache2.4 on Debian 8 x64 with multiple vhosts and suexec for php execution.
The problem is that the content of the subdomain (sub1.example.com) is delivered with the rights of the suexec user and group (in my case, for example, vh-www).
Here is an excerpt from my www-vhost:
...
ServerName www.example.com
ServerAlias example.com
ServerAdmin webmaster@example.com
ServerSignature Off
Include /etc/apache2/mods-available/fcgid.conf
# Load Let's Encrypt config for ACME challenge
Include /etc/apache2/conf-available/lets-encrypt-manual-sepl.conf
DocumentRoot /var/www/domain/vh-www/htdocs/public
SuexecUserGroup vh-www vh-www
...
So when I issue the following command as root:
./letsencrypt-auto --rsa-key-size 4096 --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d www.example.com -a webroot --webroot-path /var/www/domain/vh-www/htdocs/public/ certonly
I get the following error:
Failed authorization procedure. www.example.com (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/TmVmCDGF4eawYzLhMN7dqL2Rz_Z47_eNIn_Chzgh24o [1.2.3.4]: 403
IMPORTANT NOTES:
- The following 'unauthorized' errors were reported by the server:
Domains: www.example.com
Error: The client lacks sufficient authorization
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
The error occurs because the challenge file written to .well-known/acme-challenge
by letsencrypt-auto is owned by root and therefore can’t be delivered by apache2 as it only does so for files belonging to vh-www for the www subdomain.
My question is now how can I get a certificate for the subdomain? I already thought of executing letsencrypt-auto as the user vh-www
but obviously I don’t want to add this user to sudoers.
Is there any way to change the owner of the challenge file created?
Any help or advice is much appreciated!
greetings Florian
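As an added example, not part of Florian's post or of the Let's Encrypt client: a small POSIX shell script that pre-creates the .well-known/acme-challenge directory under the webroot with the vhost user as owner (chown only works as root, and is skipped with a warning if the user does not exist), and a check that tells you whether a given token file would be readable by that user before the client is run. The webroot path and the user name vh-www are taken from the post and are placeholders; adapt them to your vhost.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders:
# the webroot /var/www/domain/vh-www/htdocs/public and the suexec user vh-www.

# Create WEBROOT/.well-known/acme-challenge. The setgid bit (2755) makes
# files created inside inherit the directory's group. chown needs root and
# an existing user; otherwise it is skipped and a warning goes to stderr.
# Prints the directory path on success.
prepare_challenge_dir() {
    webroot="$1"; user="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    chmod 2755 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$webroot/.well-known" || return 1
    else
        echo "warning: not root or user '$user' missing, chown skipped" >&2
    fi
    printf '%s\n' "$dir"
}

# Report whether FILE is readable by USER: either world-readable, or owned
# by USER with the owner-read bit set (group membership is not examined).
# Prints a diagnostic and returns 0 (readable) or 1 (not readable).
challenge_file_readable() {
    file="$1"; user="$2"
    [ -e "$file" ] || { echo "missing: $file"; return 1; }
    set -- $(ls -ld "$file")      # $1 = mode string, $3 = owner
    mode="$1"; owner="$3"
    case "$mode" in
        ???????r*) echo "ok: $file is world-readable (owner $owner)"; return 0 ;;
    esac
    if [ "$owner" = "$user" ]; then
        case "$mode" in
            ?r*) echo "ok: $file owned by $user and owner-readable"; return 0 ;;
        esac
    fi
    echo "not readable by $user: $file is mode $mode, owner $owner"
    return 1
}

# Usage (as root, before running the client):
#   dir=$(prepare_challenge_dir /var/www/domain/vh-www/htdocs/public vh-www)
#   echo test > "$dir/test-token"
#   challenge_file_readable "$dir/test-token" vh-www
```

Writing a test token and checking it with the second function reproduces the ownership problem locally without a round trip to the CA: if the check fails for the vhost user, the ACME validation request will fail in the same way.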