Ubuntu 16.04 Apache permissions problem?

JSS · June 30, 2016, 12:46am

The problem I have seems directly related to: owner flag suggestion from 5 months ago but I haven’t been able to find any proper logical and long term resolution.

Dedicated Ubuntu 16.04 Apache install with default webroot /var/www/html/ for server abc123.domain.com.

The problem is .well-known is created but acme-challenge is missing - not created - and so the challenge file is also missing - not created.

root@abc23:/# apt-get install python-letsencrypt-apache (latest - installed today)
root@abc23:/# letsencrypt certonly --webroot -w /var/www/html -d abc123.domain.com

[…]
Failed authorization procedure. abc123.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
Response: 404 Not found
[…]

Folder /var/www/html/.well-known is created but no other child folders and hence no challenge file

drwxr-xr-x root root .well-known

That’s all she wrote. What is it that I (or Certbot) is missing?

pfg · June 30, 2016, 12:51am

The acme-challenge subdirectory of .well-known is deleted after the client has completed the challenge (no matter whether it’s been successful or not), so the fact that it’s missing is not conclusive - it’s likely failing because of something else.

I’d recommend trying to manually create the directory, putting a random file in there, and checking if you can browse to it from the public internet. Reviewing your apache access/error logs might also help.

JSS · June 30, 2016, 1:01am

Thank you for replying, and so fast.
I have already tried manually creating the acme-challenge folder and a test file inside - which is accessible so apparently not a dot-folder problem.
Nothing is showing in the system log if I am looking in the right place…

JSS · June 30, 2016, 1:08am

Also possibly related (last entry 14 days ago) - client lacks sufficient authorization

pfg · June 30, 2016, 1:12am

Could you try chown-ing .well-known to www-data:www-data? The file should generally be created with a mode that allows anyone to read it, but I seem to recall certain hardening features interfering with that if the owner doesn’t match the web server user. Unfortunately, I can’t seem to find the relevant thread right now, but chown should show if this is the case.

JSS · June 30, 2016, 1:26am

chown www-data:www-data /var/www/html/.well-known

Same 404 response

drwxr-xr-x www-data www-data .well-known

pfg · June 30, 2016, 1:37am

Attempted to reproduce this on a clean Ubuntu 16.04 image:

root@debug:~# apt-get update && apt-get upgrade && apt-get install apache2 python-letsencrypt
[...]
root@debug:~# letsencrypt certonly --webroot -w /var/www/html -d debug.example.com --staging
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/debug.example.com/fullchain.pem. Your cert will
  expire on 2016-09-28. To obtain a new version of the certificate in
  the future, simply run Let's Encrypt again.

My best guess is still some kind of hardening feature that’s interfering. Did you make any changes to your apache (or system) config that could be relevant here? Do you use something like mod_security? Any non-default AppArmor rules?

JSS · June 30, 2016, 2:04am

Thanks pfg.

No dreaded mod_sec (ever) and no AppArmor.

I am going to have to start from scratch tomorrow on this, though the related posts don’t fill me with confidence and I really don’t have time to reproduce this locally on a clean server… Damn.

system · July 30, 2016, 2:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.