Unable to Create Certificates -- Is this related to today's service disruption?

Hello again Steven. Actually, I was going to do that. However, while I found the invisible “well-known” folder at the top level of my domain, there was no “acme-challenge” subfolder inside of it. Then, mnordhoff informed me that Certbot will automatically create that subfolder – and the response file within it – and then delete both when it is done creating the certificates.

So, can I manually create the “acme-challenge” subfolder and put an html file in it without messing up Certbot? In other words, if Certbot already finds that subfolder created, it won’t go bonkers?

What needs to be in the HTML file?

Thanks again!

If certbot finds that the folder already exists, I believe it will just add contents into that folder... (In other words, no impact)

Also, could you please add a file without extension?

Just populate some random content inside the file....

Thank you

Can it be a plain old text file, but without the .txt extension?

Yes.

It could.

Okay, I just created the subfolder and added a small text file without the extension.

Could you please share with us a link to that file?

Thank you

Oh, sorry. :slight_smile:

https://www.billkochman.com/.well-known/acme-challenge/Certbot-Test-File

I just tried https://, https://www., http:// and http://www, and they all work.

In fact, both http:// and http://www. automatically redirect to their https equivalents, as expected.

Hi,

In a regular http based validation, Let’s Encrypt will always connect to the http version of the site first, then may accept redirects to the https version (or even other domains).

Upon checking, when a visitor connects to the http version of this link, here’s what is shown:

HTTP/1.1 302 Found
Date: Wed, 03 Oct 2018 06:27:08 GMT
Server: Apache
Location: https://www.billkochman.com/errors/404.html
Keep-Alive: timeout=5, max=50
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

When I connect to the site via Chrome, everything works fine because my browser honors HSTS.
However, curl and command line tools do not accept those kinds of redirections (normally only http 301 & 302 are accepted).

So here’s the issue … Please check your Apache configuration file, since all traffic that occurs in plain http will be redirected to the https 404 error page.

P.S. I’ll be offline for 6+ hours in order to get enough sleep. So, see you tomorrow.

Thank you

Steven, okay, I am a little confused here.

I am using Firefox on OS X. As I noted in my last comment above, all four variations of the URL work in Firefox as well, which I assume is what you are also seeing in Chrome.

So are you saying that, unlike Firefox – or Chrome – because the OS X terminal is a command line tool, redirects won’t work when it comes to Certbot?

If that is what you are saying, that confuses me even more, because Certbot has worked fine for a long time now with my current configuration.

Did you see above the actual redirect code that I am using in my httpd.conf file? Here it is again:

ServerAdmin wordweaver777@gmail.com
ServerName billkochman.com
RedirectMatch 301 (.*) https://billkochman.com$1
RedirectMatch 301 (.*) https://www.billkochman.com$1

As far as my error files are concerned, to my knowledge, the only related directives in my httpd.conf file are these:

ErrorDocument 302 https://www.billkochman.com/errors/302.html
ErrorDocument 400 https://www.billkochman.com/errors/400.html
ErrorDocument 401 https://www.billkochman.com/errors/401.html
ErrorDocument 403 https://www.billkochman.com/errors/403.html
ErrorDocument 404 https://www.billkochman.com/errors/404.html
ErrorDocument 500 https://www.billkochman.com/errors/500.html

There is nothing that tells my server to send all http traffic to my 404 error file, so I am lost. :frowning:

Hi,

Before I go to sleep.

Yes, browsers and command line tools might deal with some website differently.
(In my own words), Websites are executing the codes, command line tools are fetching it.

One question: Are you sure the plain text version of www site is working?

Can you please confirm if there’s a ServerAlias in the redirection virtual host? (Similar to the following line)

ServerAlias www.billkochman.com

If not, please add that line, restart Apache and try again. (The issue might be related to the fact that the plain version of the www site is not associated with an existing port 80 virtual host)

Thank you

I don’t know what’s changed, but your redirects are working correctly now.

Try Certbot again.

Steven, BINGO! You hit the bullseye. I did NOT have that string in my redirection code, so I added it so that it now looks like this:

ServerAdmin wordweaver777@gmail.com
ServerName billkochman.com
ServerAlias www.billkochman.com
RedirectMatch 301 (.*) https://billkochman.com$1
RedirectMatch 301 (.*) https://www.billkochman.com$1

After that, I rebooted the server, and I trashed the old “letsencrypt” folder in the “private/etc” folder and also in the “private/var/log” folder.

Then I ran Certbot from scratch and all is now well with a certificate for both domains.

Thank you so much fellows for your time and assistance. I couldn’t have done it without your help. I am a happy man again! :slight_smile:

Mnordhoff, yes, there was something missing in my “A” record at my registrar which I had deleted earlier in the day.
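
The redirect problem diagnosed in this thread, as an added example that is not part of the original posts: a Python check that parses one raw response for a plain-HTTP challenge URL and reports whether its redirect still points at the challenge file. The sample response is constructed from the headers quoted above; the function names are hypothetical, and the scheme and port rules follow Let's Encrypt's documented HTTP-01 redirect handling (http/https only, ports 80 and 443 only).

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample, built from the response headers quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 03 Oct 2018 06:27:08 GMT\r\n"
    "Server: Apache\r\n"
    "Location: https://www.billkochman.com/errors/404.html\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose(request_url, raw):
    """Classify one hop of an HTTP-01 style fetch of request_url."""
    status, headers = parse_response(raw)
    if status == 200:
        return "ok"
    if status not in REDIRECT_CODES or "location" not in headers:
        return f"fail: status {status}"
    target = urlsplit(urljoin(request_url, headers["location"]))
    if target.scheme not in ("http", "https"):
        return "fail: redirect to non-HTTP scheme"
    if target.port not in (None, 80, 443):
        return "fail: redirect to non-standard port"
    # Heuristic (assumption of this example): a redirect that leaves the
    # challenge directory usually means the request hit the wrong virtual
    # host or an ErrorDocument, as in the thread's 404.html case.
    if not target.path.startswith(CHALLENGE_PREFIX):
        return f"suspect: redirect leaves challenge path -> {target.path}"
    return f"follow: {target.geturl()}"
```

Feeding it the output of a plain-HTTP header fetch for each hostname on the certificate (both the bare and the `www` name) shows which name is missing from the port 80 virtual host.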
