Now solved. Challenge is invalid! but can get a test file fine


#1

Hi

On freebsd 10.2, apache is in a natted jail.

I’m getting: (edited for legibility)

web# letsencrypt.sh -c
# INFO: Using main config file /usr/local/etc/letsencrypt.sh/config.sh
Processing sub.domain.eu

thou:

$ telnet sub.domain.eu 80
Trying xxx.xxx.xxx.xxx
Connected to sub.domain.eu.
Escape character is ‘^]’.
GET /.well-known/acme-challenge/test
Yihaaa!
Connection closed by foreign host.

Any advice is certainly most welcome.

Thanks


#2

what does

curl -I sub.domain.eu/.well-known/acme-challenge/test

from somewhere else on the internet give ?


#3

that was from my desktop.
Sorry should have been more clear.
The server is a remote vps.


#4

The reason I was asking what the curl command gave, is that shows me the headers. So that you can tell it’s in plain text rather than anything else. What response do you get with the curl command ?


#5

curl -I sub.domain.eu/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Date: Tue, 10 May 2016 12:35:33 GMT
Server: Apache/2.4.20 (FreeBSD) PHP/5.6.21
Last-Modified: Tue, 10 May 2016 10:44:25 GMT
ETag: "8-5327a9bde12c5"
Accept-Ranges: bytes
Content-Length: 8


#6

Just checking, that is the response you get when you are replacing sub.domain.eu with your correct domain name ?

Are you happy to provide your domain name ?


#7

sure!
after all I’m getting free help here.
And there’s nothing on the server… :slight_smile:
dev.gnosis-europa.eu


#8

Thanks :slight_smile: That all looks OK, I don’t use the letsencrypy.sh script myself, so may be worth asking directly on that clients support pages. I’d check though that;

  • the WELLKNOWN variable is defined and pointing to the correct location of where the token files should be
    ( i.e. is there a typo in the path for /var/www/domain/.well-known/acme-challenge/ ) This may be shown in the log file you edited above.

  • Check the permissions on the /well-known/acme-challenge are all OK ( they should be as your test file is readable, and in plain text )

  • There are no firewall rules that could be blocking the check from certain IP’s


#9

Thanks for the response!
About the client, I thought that was actually the official client on freebsd.
It’s the only shell client available on pkg. (there’s also a python client…)

On the variables, I thought those were optional?

There’s a firewall definitely, but as long the whole transaction goes through port 80, there should be no issues.

And the permissions should be fine also, first thing I checked.

I’ll look about the env vars, and come back with my findings

thanks indeed!


#10

It’s one of the unofficial letsencrypt clients. Here is a list of alternative clients - of which any of the bash clients should work ( I wrote / use the getssl one - which is a bash script designed for installing certs on remote servers where you can’t run any client, but you have SSH access )

I suspect they are if the location is the normal default. The script needs to somehow know where to write the token file in xxxxx/.well-known/acme-challenge/token

https://wiki.freebsd.org/BernardSpil/LetsEncrypt may also help for BSD and letsencrypt.sh … which says

The default configuration file requires some changes, these are stored in /usr/local/etc/letsencrypt.sh/config.sh

BASEDIR="/usr/local/etc/letsencrypt.sh"
WELLKNOWN="/usr/jails/http/usr/local/www/.well-known/acme-challenge"
alias openssl='/usr/local/bin/openssl'

From the error I’d double check your WELLKNOWN setting.


#11

Hi Jyrki, I’m on FreeBSD 10.2 as well. The official client is actually called py27-letsencrypt, and it’s currently version 0.5. The one you’re using became available in ports/pkg a few months after the official one.

It’s a silly name to call it, I know. Very confusing. And just to make life more confusing, the next official client version (0.6) will change it’s name to certbot!

I’ve successfully used the official client, though there is a bug in 0.5 where is mixes up your domains in the cert. You might want to wait for certbot 0.6 (already two weeks overdue) or perhaps install the official py27-letsencrypt 0.4.2.

I hope I’ve been clear and not too confusing! :stuck_out_tongue_winking_eye:

EDIT: Check it out :wink: https://www.freebsd.org/cgi/ports.cgi?query=letsencrypt&stype=all


#12

Hi

solved. really stupid from my part, but hey, you work with what you’ve got:

In the config file for letsencrypt.sh you can read:

grep -i acme config.sh
# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
#CA=“https://acme-v01.api.letsencrypt.org/directory
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges)
#WELLKNOWN="${BASEDIR}/.acme-challenges"

but it happens that letsencrypt tries actually to read from ‘/.well-known/acme-challenge’, as you can see here in my access log:

66.133.109.36 - - [11/May/2016:09:28:43 +0000] “GET /.well-known/acme-challenge/IdFL44KBrV6vBGXUnkg8QfPt6MZ4Sj9_F9S0v0FXbqA HTTP/1.1” 200 87

So that extra ‘s’ has thrown me off for few hours.

On the other hand, The guide from Bernar Spil, does install the client on the base box, not the jail. Which is something I’m trying to avoid for the time being. Maybe It will have to be that way to have a single termination point for all the subdomains? maybe. I’ll find out for sure soon enough! :slight_smile: Thanks for the client list!

@DarkSteve: I did actually take a look at the python client, but it wanted to install a **** of dependencies in a prod machine (well, my own, but it will be live at some point…) and I suspect that is the reason why letsencrypt.sh does exist…
When the bug free version comes along, I’ll take a look.

Thanks you all, this one is solved.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.