Unable to create certificate

Hello
Sorry, my English is very bad.

My domain is: yvelinet.fr

I ran this command: certbot certonly -d yvelinet.fr -m zenzla@free.fr --agree-tos -a webroot --webroot-path /var/www/html

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for yvelinet.fr
Performing the following challenges:
http-01 challenge for yvelinet.fr
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain yvelinet.fr
http-01 challenge for yvelinet.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: yvelinet.fr

  Type:   unauthorized
   Detail: Invalid response from
   http://yvelinet.fr/.well-known/acme-challenge/QOitlWThS7HCTnZC-_c__NsH68PfRfEXdwtM4FPBDp4
   [86.238.127.206]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Oct 7 2021 16:43:56

The operating system my web server runs on is (include version):
Red Hat Enterprise Linux Server release 7.9 (Maipo)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

I self-host.
My internet connection goes through a router with a public IP address.
Behind the router I have virtual machines.
I am using a reverse proxy (IP 192.168.1.37) to redirect domain names to the correct server.
For example, yvelinet.fr goes to the server 192.168.1.25.

I have no problem with port 80, but I cannot generate a certificate.
Thanks for your help

On which server are you running certbot? If you're running it on your reverse proxy, you probably need to exempt the path /.well-known/acme-challenge/ from the reverse proxy stuff and make sure it has /var/www/html/ as the DocumentRoot.

2 Likes

Hi Osiris,
Thank you for your answer

Yes, I run certbot on my reverse proxy (192.168.1.37).

Yes, /var/www/html/ is the DocumentRoot.
Here is the result of the "apachectl -S" command

[root@reverse-proxy ~]# apachectl -S
VirtualHost configuration:
192.168.1.37:80        is a NameVirtualHost
         default server 3ayla.net (/etc/httpd/sites-enabled/3ayla.conf:1)
         port 80 namevhost 3ayla.net (/etc/httpd/sites-enabled/3ayla.conf:1)
         port 80 namevhost yvelinet.fr (/etc/httpd/sites-enabled/yvelinet.conf:1)
*:443                  reverse-proxy.home (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

I didn't understand "need to exempt the path /.well-known/acme-challenge/ from the reverse proxy stuff"

Zenzla

Well, all requests are forwarded to the other server, right? So if Let's Encrypt tries to fetch the validation token, that request will also be forwarded to the other server. But certbot is run on the reverse proxy. So if certbot puts the token somewhere on the reverse proxy server, but the request gets forwarded to the other server, you'll get a 404 file not found.

Could you please show the contents of /etc/httpd/sites-enabled/yvelinet.conf?

2 Likes

Thank you, I understood
Here is the content of yvelinet.conf

<VirtualHost 192.168.1.37:80>
  ServerName yvelinet.fr
  ProxyPreserveHost On
  ProxyRequests On
  ProxyPass / http://192.168.1.25/
  ProxyPassReverse / http://192.168.1.25
</VirtualHost>

@zenzla I think @Osiris was going to suggest something like this:

<VirtualHost 192.168.1.37:80>
  ServerName yvelinet.fr

  DocumentRoot /var/www/html
  <Location ~ /.well-known/acme-challenge/>
    #do nothing special
  </Location>

  <Location />
    ProxyPreserveHost On
    ProxyRequests On
    ProxyPass / http://192.168.1.25/
    ProxyPassReverse / http://192.168.1.25
  </Location>

</VirtualHost>

This will process the challenge requests from the Let's Encrypt server in your ".37" server while sending all other requests to ".25".

I do not think you need anything in the location for .well-known but you might want to add a CustomLog for debugging if that is necessary.

2 Likes

@MikeMcQ
I think you need to include some sort of DocumentRoot for Apache and certbot to both serve requests to this FQDN

1 Like

@rg305 Not sure what you mean. I showed a DocumentRoot at the server level.

2 Likes

Yikes! My :eyes: deceived me!
It's like that line wasn't there a minute ago!

2 Likes

No problem. It is even one of my rare posts without an edit :slight_smile:

2 Likes

Jup :wink:

3 Likes

@MikeMcQ when I use your config

<VirtualHost 192.168.1.37:80>
  ServerName yvelinet.fr
  DocumentRoot /var/www/html
  <Location ~ /.well-known/acme-challenge/>
    #do nothing special
  </Location>

  <Location />
    ProxyPreserveHost On
    ProxyRequests On
    ProxyPass / http://192.168.1.25/
    ProxyPassReverse / http://192.168.1.25
  </Location>

</VirtualHost>

I have an error when I restart httpd

systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

journalctl -xe

nov. 07 19:41:56 reverse-proxy httpd[9782]: AH00526: Syntax error on line 10 of /etc/httpd/sites-enabled/yvelinet.conf:
nov. 07 19:41:56 reverse-proxy httpd[9782]: ProxyRequests not allowed here
nov. 07 19:41:56 reverse-proxy systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
nov. 07 19:41:56 reverse-proxy systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: L'unité (unit) httpd.service a échoué
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

You can put the ProxyPreserveHost and ProxyRequests directives outside the <Location /> section.

Is that even needed? You are just a reverse proxy here right?

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyrequests

But, if you do need it I agree with Osiris just move it outside the location

I have placed the ProxyPreserveHost and ProxyRequests directives outside the section.

But I have the same error

<VirtualHost 192.168.1.37:80>
  ServerName yvelinet.fr
  DocumentRoot /var/www/html
  <Location ~ /.well-known/acme-challenge/>
    #do nothing special
  </Location>

    ProxyPreserveHost On
    ProxyRequests On
  <Location />
    ProxyPass / http://192.168.1.25/
    ProxyPassReverse / http://192.168.1.25
  </Location>

</VirtualHost>

journalctl -xe

- L'unité (unit) httpd.service a commencé à démarrer.
nov. 07 20:12:25 reverse-proxy httpd[9815]: AH00526: Syntax error on line 11 of /etc/httpd/sites-enabled/yvelinet.conf:
nov. 07 20:12:25 reverse-proxy httpd[9815]: ProxyPass|ProxyPassMatch can not have a path when defined in a location.
nov. 07 20:12:25 reverse-proxy systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
nov. 07 20:12:25 reverse-proxy systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: L'unité (unit) httpd.service a échoué
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- L'unité (unit) httpd.service a échoué, avec le résultat failed.
nov. 07 20:12:25 reverse-proxy systemd[1]: Unit httpd.service entered failed state.
nov. 07 20:12:25 reverse-proxy systemd[1]: httpd.service failed.
nov. 07 20:12:25 reverse-proxy polkitd[705]: Unregistered Authentication Agent for unix-process:9809:9226452 (system bus name :1.87, object path /org/freedesktop/PolicyKit

Sorry, just reading the docs: it says the first parameter is omitted inside a location. So, it should be like:

  <Location />
    ProxyPass http://192.168.1.25/
    ProxyPassReverse http://192.168.1.25
  </Location>

I still question the ProxyRequests though. Have you seen this from Apache docs? (not related to these certs, just pointing it out)

Warning
Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

1 Like

I think that's only applicable for forward proxies. This is a reverse proxy, right?

Hmm, it seems ProxyRequests should only be On for forward proxies. So indeed, it should either be removed or set to Off.

1 Like

Yes, I asked the same in post #14. And, ProxyPreserveHost should be ok inside a location.

1 Like

Yes, it is a reverse proxy.
Same error with ProxyRequests Off

<VirtualHost 192.168.1.37:80>
  ServerName yvelinet.fr
  DocumentRoot /var/www/html
  <Location ~ /.well-known/acme-challenge/>
    #do nothing special
  </Location>

    ProxyPreserveHost On
    ProxyRequests Off
  <Location />
    ProxyPass / http://192.168.1.25/
    ProxyPassReverse / http://192.168.1.25
  </Location>

</VirtualHost>

@Zenzla Yes, please see my previous post for the correct syntax for ProxyPass inside a location.

1 Like
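Pulling the corrections from this thread together (exempt the ACME path so the http-01 request is answered on .37, keep ProxyRequests Off because this is a reverse proxy, and avoid the path-inside-Location syntax error entirely), here is a complete vhost as an added example. It is not a config posted by anyone in the thread; it uses the `ProxyPass ... !` exclusion form from the mod_proxy docs instead of a Location block, reuses the addresses and DocumentRoot from the thread, and the CustomLog path is an assumption.

```apache
<VirtualHost 192.168.1.37:80>
  ServerName yvelinet.fr
  DocumentRoot /var/www/html

  # Reverse proxy only. ProxyRequests On would turn this host into an
  # open forward proxy, which the mod_proxy docs warn against.
  ProxyRequests Off
  ProxyPreserveHost On

  # Exclusions must come before the catch-all ProxyPass. With this line the
  # validation request for /.well-known/acme-challenge/<token> is served
  # from DocumentRoot on .37, where certbot's webroot plugin writes the
  # token, instead of being forwarded to .25 (which answers 404).
  ProxyPass /.well-known/acme-challenge/ !

  # Everything else goes to the backend web server. Keep the trailing
  # slashes consistent on both arguments, as the docs require.
  ProxyPass / http://192.168.1.25/
  ProxyPassReverse / http://192.168.1.25/

  # Assumed log path: useful to confirm the challenge GET arrived at .37.
  CustomLog /var/log/httpd/yvelinet_access.log combined
</VirtualHost>
```

Run `apachectl configtest` before `systemctl reload httpd`. To check the routing before spending a Let's Encrypt validation attempt, drop a small file into /var/www/html/.well-known/acme-challenge/ on the reverse proxy and fetch it over plain HTTP from outside using the domain name: if you get the file back, the exclusion works and the certbot command from the first post should succeed; if you still get the backend's 404 page, the request is still being proxied.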