today I tried to set up my first Let’s Encrypt cert with my server using the webroot method as I already have a completely configured apache2.4 on Debian 8 x64 with multiply vhosts and suexec for php execution.
The problem is that the content of the subdomain (sub1.example.com) is delivered with the rights of the suexec user and group (in my case for example vh-www)
Here is an excerpt from my www-vhost:
... ServerName www.example.com ServerAlias example.com ServerAdmin email@example.com ServerSignature Off Include /etc/apache2/mods-available/fcgid.conf # Load Let's Encrypt config for ACME challenge Include /etc/apache2/conf-available/lets-encrypt-manual-sepl.conf DocumentRoot /var/www/domain/vh-www/htdocs/public SuexecUserGroup vh-www vh-www ...
So when I issue the the following command as root:
./letsencrypt-auto --rsa-keindent preformatted text by 4 spacesy-size 4096 --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d www.example.com -a webroot --webroot-path /var/www/domain/vh-www/htdocs/public/ certonly
I get the following error:
Failed authorization procedure. www.example.com (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/TmVmCDGF4eawYzLhMN7dqL2Rz_Z47_eNIn_Chzgh24o [18.104.22.168]: 403 IMPORTANT NOTES: - The following 'unauthorized' errors were reported by the server: Domains: www.example.com Error: The client lacks sufficient authorization To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
The error occurs because the challenge file written to
.well-known/acme-challenge by letsencrypt-auto is owned by root and therefore can’t be delivered by apache2 as it only does so for files belonging to vh-www for the www subdomain.
My question is now how can I get a certificate for the subdomain? I already thought of executing letsencrypt-auto as the user
vh-www but obviously I don’t want to add this user to sudoers.
Is there any way to change the owner of the challenge file created?
Any help or advice is much appreciated!