Let's Encrypt webroot method with suexec config


#1

Hello everybody,

today I tried to set up my first Let’s Encrypt cert with my server using the webroot method as I already have a completely configured apache2.4 on Debian 8 x64 with multiply vhosts and suexec for php execution.

The problem is that the content of the subdomain (sub1.example.com) is delivered with the rights of the suexec user and group (in my case for example vh-www)

Here is an excerpt from my www-vhost:

...
ServerName www.example.com
ServerAlias example.com
ServerAdmin webmaster@example.com
ServerSignature Off

Include /etc/apache2/mods-available/fcgid.conf

# Load Let's Encrypt config for ACME challenge
Include /etc/apache2/conf-available/lets-encrypt-manual-sepl.conf

DocumentRoot /var/www/domain/vh-www/htdocs/public
SuexecUserGroup vh-www vh-www
...

So when I issue the the following command as root:

./letsencrypt-auto --rsa-keindent preformatted text by 4 spacesy-size 4096 --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d www.example.com -a webroot --webroot-path /var/www/domain/vh-www/htdocs/public/ certonly

I get the following error:

Failed authorization procedure. www.example.com (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/TmVmCDGF4eawYzLhMN7dqL2Rz_Z47_eNIn_Chzgh24o [1.2.3.4]: 403

IMPORTANT NOTES:
 - The following 'unauthorized' errors were reported by the server:

   Domains: www.example.com
   Error: The client lacks sufficient authorization

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

The error occurs because the challenge file written to .well-known/acme-challenge by letsencrypt-auto is owned by root and therefore can’t be delivered by apache2 as it only does so for files belonging to vh-www for the www subdomain.

My question is now how can I get a certificate for the subdomain? I already thought of executing letsencrypt-auto as the user vh-www but obviously I don’t want to add this user to sudoers.

Is there any way to change the owner of the challenge file created?

Any help or advice is much appreciated! :blush:

greetings Florian


#2

Hello again,

I “hacked” around my issue mentioned above by using Debian’s “inotifywait”

The little script I wrote listens for folder changes and upon file creation immediatly changes the owner and group of the file the suexec user.

It worked like a charm and I now have a working Let’s Encrypt cert :smiley:

Nevertheless it would be awesome to here the community’s thoughts on this! And maybe some of you out there know how to solve this little problem in neater way than I did :wink:

Thanks and greetings Florian


#3

It’s being fixed :

Once this is in, the challenge directories and files will be created with the mode and gid, uid of the directory they are in.


#4

Knowing it will be fixed is always nice and it seems you are already quite far with the implementation.

This saves a lot of workaround with scripts etc…

Thanks for your answer and I will stay up to date with your progress!