Hi, I know this question came up several times but I couldn’t find an answer to the issue I am experiencing.
I am running a Debian 9 (stretch) dedicated server with all my client’s websites. LetsEncrypt is installed on all domain names, redirections work flawlessly, and yet I have an issue configuring phpMyAdmin to be secured.
phpMyAdmin runs by default in /usr/share/phpmyadmin
I created a virtual host “db.mydomain.com” that points to the phpMyAdmin directory, instead of using the default “hostname/phpmyadmin”.
I also set phpMyAdmin to run on port 8888 and secured this port (and others) on my firewall so that only I can access them from my fixed IP.
Now, when trying to create a certificate for db.mydomain.com with the following command:
certbot --authenticator webroot --installer apache
I select the db.mydomain.com from the domains list and get the following error:
I get the following error:
Failed authorization procedure. db.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://db.mydomain.com/.well-known/acme-challenge/_nYb5erdCSqSepU8ZcY5rtY0iDnjtB1yCZwYVdKXZ1I [xxx.xxx.xxx.xxx]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
The Let's Encrypt validation servers are forced to use certain ports to initiate the validation. The only available ports are 80 for the http-01 challenge and 443 for the tls-alpn-01 challenge. You cannot use port 8888 for the challenge validation.
However, I assume you're running phpMyAdmin on the same IP address as the other sites. You might be able to use the --authenticator apache plugin. I don't know for sure, but perhaps it will use port 80 by default in its temporary virtualhost it spins up during the challenge.
I am using the --authenticator plugin. I am using webroot so I suspect that this may be a permission issue, where the authenticator doesn't have permissions to write to /usr/share/phpmyadmin (just an assumption) but I don't want to change permissions to that directory to avoid any security issues.
What if I temporarily change the port from 8888 to 80 and 443, and assuming that the authentication will run correctly, then change it back to 8888? Will this create any issue or throw any SSL errors?
The "--authenticator" part is just a command to the program. The actual authenticator plugin you're using, is called "webroot". As certbot is run as root, it shouldn't have any trouble with file permissions.
That would deny you the posibility for automated renewal.