Webroot mystery

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: admin.bios-living.com

I ran this command:
certbot-auto certonly -d admin.bios-living.com --webroot -w /usr/local/apache2/htdocs --deploy-hook “/usr/local/apache2/bin/apachectl -k graceful”
It produced this output:
aps:/ # certbot-auto certonly -d admin.bios-living.com --webroot -w /usr/local/apache2/htdocs --deploy-hooksr/local/apache2/bin/apachectl -k graceful"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.bios-living.com
Using the webroot path /usr/local/apache2/htdocs for all unmatched domains.
Waiting for verification…
Challenge failed for domain admin.bios-living.com
http-01 challenge for admin.bios-living.com
Cleaning up challenges
Some challenges have failed.

 - The following errors were reported by the server:

   Domain: admin.bios-living.com
   Type:   unauthorized
   Detail: Invalid response from
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
apache 2.4
The operating system my web server runs on is (include version):
Artix Linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes - I am root
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
aps:/ # certbot-auto --version
certbot 1.4.0

I am very let down by lets encrypt. I have no clue what it is doing. I had to create an alias and a directory in Apache for LS ACME which looks like this, and OBVIOUSLY is it not being used for found

<VirtualHost *:80>
    ServerName admin.bios-living.com
    ServerAdmin ruben@mrbrklyn.com
    DocumentRoot "/usr/local/apache2/htdocs/admin"
    Alias "/.well-known/acme-challenge" "/usr/local/apache2/tokens"
    <Directory "/usr/local/apache2/tokens">
        Require all granted
        Options +Indexes +FollowSymLinks
#    SSLEngine on
#    SSLOptions +StrictRequire
#    SSLCertificateFile /var/lib/ca-certificates/pem/bios-living.com.crt
#    SSLCertificateKeyFile /etc/ssl/private/bios-living.com.key
    Header set Cache-Control "no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"

    Options Indexes
    <Files *.html>
       SetHandler perl-script
       PerlResponseHandler Embperl
    <Location "/">
      AuthType basic
      AuthName "admin"
      AuthBasicProvider file
      AuthUserFile "/usr/local/apache2/conf/admin.auth"
      Require valid-user
      Options +Indexes +FollowSymLinks
    <Location "/.well-known/acme-challenge" >
        AuthType None
        Require all granted

These conflict with each other. Please read the documentation on how to use the webroot plugin.

1 Like

The documentation seems to be incorrect. The key part is this:

The webroot plugin works by creating a temporary file for each of your requested domains in ${webroot-path}/.well-known/acme-challenge . Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot. An example request made to your web server would look like:

where otherwise it says:

If you’re running a local webserver for which you have the ability to modify the content being served, and you’d prefer not to stop the webserver during the certificate issuance process, you can use the webroot plugin to obtain a certificate by including certonly and --webroot on the command line. In addition, you’ll need to specify --webroot-path or -w with the top-level directory (“web root”) containing the files served by your webserver. For example, --webroot-path /var/www/html or --webroot-path /usr/share/nginx/html are two common webroot paths.

I had to pull /.well-known/acme-challenge out of the docroot because LS was blocked by the SSL and the authentication.

It should have two simple to understand options on the command line: The aparent URI ROOT to querry, amd the FILE locationt to write the token to. Is that not what it is doing? It is generating a token, writing the token under the webserver, and fetching it in order to prove you have control of the webserver. Once I understand how it works, I will be happy to re-edit the documentation so that it is clearer.

I had to change the alias to this file … /usr/local/apache2/tokens/.well-known/acme-challenge

So now I got it up and working, but I need to set it up to auto-recertify and this is still an essential problem.

<VirtualHost *:80>
   ServerName admin.bios-living.com
   Redirect permanent /  https://admin.bios-living.com/

<VirtualHost _default_:443>
    ServerName admin.bios-living.com
    ServerAdmin ruben@mrbrklyn.com
    DocumentRoot "/usr/local/apache2/htdocs/admin"
    Alias "/.well-known/acme-challenge" "/usr/local/apache2/tokens/.well-known/acme-challenge"
    <Directory "/usr/local/apache2/tokens">
        Require all granted
        Options +Indexes +FollowSymLinks
    SSLEngine on
    SSLOptions +StrictRequire
    #SSLCertificateFile /var/lib/ca-certificates/pem/bios-living.com.crt
    #SSLCertificateKeyFile /etc/ssl/private/bios-living.com.key
    SSLCertificateFile /etc/letsencrypt/live/admin.bios-living.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/admin.bios-living.com/privkey.pem
#    SSLCertificateChainFile /etc/letsencrypt/live/admin.bios-living.com/chain.pem

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.