Letsencrypt-auto with Redirection - missing / on URL Path Means Challenges Do Not Pass

My domain is:

media.teamojo.org

I ran this command (as a shell script):

#!/bin/bash
# Renew Let's Encrypt SSL cert

cd /opt/letsencrypt
./letsencrypt-auto certonly --cert-name media.temojo.org -c /etc/letsencrypt/cli.ini -w /var/www/LEwebroot/ -d media.teamojo.org
if [ $? -ne 0 ]
then
        # Renewal failed: mail the tail of the client log for diagnosis
        ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n" "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert -" email@example.com
else
        # Renewal succeeded: pick up the new cert and send a confirmation
        service apache2 reload
        echo -e "Success! The Lets Encrypt Cert has been renewed!" | mail -s "Lets Encrypt Cert Alert +" email@example.com
fi

exit 0

(with this cli.ini):

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run "Let's Encrypt" with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = email@example.com

# Uncomment to use a text interface instead of ncurses
text = True

agree-tos = True

authenticator = webroot

Here is the alias config for /var/www/LEwebroot:

Alias /.well-known /var/www/LEwebroot/.well-known
<Directory /var/www/LEwebroot/.well-known>
    Options FollowSymlinks
    AllowOverride All
    Order allow,deny
    Require all granted
</Directory> 

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for media.teamojo.org
Using the webroot path /var/www/LEwebroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. media.teamojo.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to media.teamojo.org.well-known

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: media.teamojo.org
   Type:   connection
   Detail: Could not connect to media.teamojo.org.well-known

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 16.04.02

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Note: I find it odd that the error is that no connection could be made to example.com.well-known rather than example.com/.well-known

I can connect to the domain url normally.

You have a redirect from http to https, but it’s omitting the slash at the end of the domain name. So when Let’s Encrypt requests http://media.teamojo.org/.well-known/... it gets redirected to https://media.teamojo.org.well-known/... instead of https://media.teamojo.org/.well-known/...


Hi @joshp23,

Yes, you have not correctly configured the Redirect or RewriteRule that redirects your site from http to https:

Two examples:

$ curl -IkL http://media.teamojo.org/login.php
HTTP/1.1 302 Found
Date: Tue, 23 May 2017 22:02:02 GMT
Server: Apache
Location: https://media.teamojo.orglogin.php
Content-Type: text/html; charset=iso-8859-1

curl: (6) Couldn't resolve host 'media.teamojo.orglogin.php'


$ curl -IkL media.teamojo.org/.well-known
HTTP/1.1 302 Found
Date: Tue, 23 May 2017 22:02:30 GMT
Server: Apache
Location: https://media.teamojo.org.well-known
Content-Type: text/html; charset=iso-8859-1

curl: (6) Couldn't resolve host 'media.teamojo.org.well-known'

You have a missing / somewhere in your redirection; if you paste here how you are performing the redirect, we could advise on how to fix it.

Cheers,
sahsanu


@sahsanu @jmorahan that was it, exactly. I went digging about just after posting this and found the same error. I had my redirect like so:

<VirtualHost  _default_:80>
	ServerName   media.teamojo.org
	Redirect / https://media.teamojo.org
</VirtualHost>

When it ought to be like so:

<VirtualHost  _default_:80>
	ServerName   media.teamojo.org
	Redirect / https://media.teamojo.org/
</VirtualHost>

Hope this helps someone else out there in a knot!

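To make the failure mode in sahsanu's curl output and the before/after `Redirect` lines above concrete, here is an added Python example (not code from the thread or from Certbot/Apache) that mimics how mod_alias `Redirect` builds its target by plain string concatenation, then checks whether the resulting `Location` header still points at the ACME challenge path. The function names, the `SAMPLE_RESPONSE` (built from the curl output posted above) and the challenge token `abc123` are all constructed for this example.

```python
"""Simulate Apache mod_alias `Redirect` prefix rewriting and check whether
the result is still usable for an ACME http-01 challenge.
Added example for this thread, not part of Certbot or Apache."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Every http-01 validation request starts with this path (ACME spec).
ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed from the curl output posted in the thread (not a live capture).
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 23 May 2017 22:02:30 GMT
Server: Apache
Location: https://media.teamojo.org.well-known
Content-Type: text/html; charset=iso-8859-1
"""


def apache_redirect(url_path: str, target: str, request_path: str) -> Optional[str]:
    """Mimic `Redirect <url_path> <target>` from mod_alias.

    Apache matches url_path as a prefix of the request path and appends the
    remaining path information to the target verbatim: it does NOT insert a
    slash between them.  Returns None when the rule does not match.
    """
    if not request_path.startswith(url_path):
        return None
    remainder = request_path[len(url_path):]
    return target + remainder


def location_from_response(raw: str) -> Optional[str]:
    """Pull the Location header out of a raw `curl -I` style response."""
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def check_challenge_redirect(location: str, expected_host: str) -> Tuple[bool, str]:
    """Decide whether a redirect target still reaches the challenge file.

    Returns (ok, reason).  The redirect is acceptable for http-01 only if the
    host is the one being validated and the path is still under ACME_PREFIX.
    A missing slash after the host shows up as a mangled hostname.
    """
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    if parts.hostname != expected_host:
        return False, "host %r is not %r (missing slash after host?)" % (
            parts.hostname, expected_host)
    if not parts.path.startswith(ACME_PREFIX):
        return False, "path %r is no longer under %s" % (parts.path, ACME_PREFIX)
    return True, "redirect preserves the challenge path"


def compare_rules() -> Dict[str, Tuple[bool, str]]:
    """Run the thread's broken and fixed Redirect lines against a challenge URL."""
    host = "media.teamojo.org"
    request = ACME_PREFIX + "abc123"  # constructed token
    results = {}
    for label, target in (("broken", "https://media.teamojo.org"),
                          ("fixed", "https://media.teamojo.org/")):
        location = apache_redirect("/", target, request)
        results[label] = check_challenge_redirect(location, host)
    return results


if __name__ == "__main__":
    print("Location from sample response:", location_from_response(SAMPLE_RESPONSE))
    for label, (ok, reason) in compare_rules().items():
        print("%-6s -> %s: %s" % (label, "OK" if ok else "FAIL", reason))
```

Running it shows the broken rule turning `/.well-known/acme-challenge/abc123` into `https://media.teamojo.org.well-known/acme-challenge/abc123`, which is exactly the unresolvable host in the error, while the rule with the trailing slash keeps the path intact. The same `check_challenge_redirect` logic works on a real `Location` header captured with `curl -I` before a renewal run.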
