Well I still get the letsencrypt error:

```
Failed authorization procedure. interndemo.sfg-singen.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://interndemo.sfg-singen.de/.well-known/acme-challenge/f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE
```
Because your redirects are broken and miss a `/` before `.well-known`.
```
$ http "http://interndemo.sfg-singen.de/.well-known/acme-challenge/f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE"
```

results in:

```
Location: https://interndemo.sfg-singen.de.well-known/acme-challenge/f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE
```
This is how my config looks:

```
<VirtualHost *:80>
    ServerName interndemo.sfg-singen.de
    Redirect 302 / https://interndemo.sfg-singen.de
</VirtualHost>
```
Try adding an extra `/` to the end of your `Redirect` directive?
From the documentation:

> Additional path information beyond the matched URL-Path will be appended to the target URL.

Keyword here is additional: as your URL-path is a single slash `/`, the `.well-known/acme-challenge/foobar` is the additional part. Without the slash. And as your URL doesn't contain a trailing slash, it all goes awry.
I did that; with the letsencrypt client it still won't work, but in curl the redirect and everything works:

```
$ curl -Lv http://interndemo.sfg-singen.de/.well-known/acme-challenge/test
* Hostname was NOT found in DNS cache
*   Trying 176.9.146.143...
* Connected to interndemo.sfg-singen.de (176.9.146.143) port 80 (#0)
> GET /.well-known/acme-challenge/test HTTP/1.1
> User-Agent: curl/7.38.0
> Host: interndemo.sfg-singen.de
> Accept: */*
< HTTP/1.1 302 Found
< Date: Wed, 16 Dec 2015 13:58:10 GMT
* Server Apache/2.4.10 (Debian) is not blacklisted
< Server: Apache/2.4.10 (Debian)
< Location: https://interndemo.sfg-singen.de/.well-known/acme-challenge/test
< Content-Length: 338
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host interndemo.sfg-singen.de left intact
* Issue another request to this URL: 'https://interndemo.sfg-singen.de/.well-known/acme-challenge/test'
* Found bundle for host interndemo.sfg-singen.de: 0x7f53416d4550
* Hostname was NOT found in DNS cache
*   Trying 176.9.146.143...
* Connected to interndemo.sfg-singen.de (176.9.146.143) port 443 (#1)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: CN=interndemo.sfg-singen.de
*        start date: 2015-12-16 09:42:00 GMT
*        expire date: 2016-03-15 09:42:00 GMT
*        subjectAltName: interndemo.sfg-singen.de matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X1
*        SSL certificate verify ok.
> GET /.well-known/acme-challenge/test HTTP/1.1
> User-Agent: curl/7.38.0
> Host: interndemo.sfg-singen.de
> Accept: */*
< HTTP/1.1 200 OK
< Date: Wed, 16 Dec 2015 13:58:10 GMT
* Server Apache/2.4.10 (Debian) is not blacklisted
< Server: Apache/2.4.10 (Debian)
< Last-Modified: Wed, 16 Dec 2015 11:46:22 GMT
< ETag: "1d-52702748b8057"
< Accept-Ranges: bytes
< Content-Length: 29
< Content-Type: application/jose+json
<
Wed Dec 16 12:46:22 CET 2015
* Connection #1 to host interndemo.sfg-singen.de left intact
```
What’s the LE log now? That’s more interesting.
OMG, my alias was wrong… I missed that letsencrypt actually creates those directories. Now my config looks like this:

```
Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge
```

So it is working now! But it also works without the additional `/` at the end.
Ah.. Good to know. Curious though why curl did work in the meantime, while that didn't work before... Or perhaps it was the combination of both: the added slash in the `Redirect` directive (I'm assuming you didn't roll back that change?) and the fixed `Alias`?
No, my alias looked like that before:

```
Alias /.well-known/acme-challenge /var/www/letsencrypt
```

I created the test file in /var/www/letsencrypt. But I also thought that LE puts the files directly in there, but it actually creates the subfolders. That's why I got a 404 in the end.
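As an added example (not code from this thread, from Apache, or from the Let's Encrypt client), here is a small Python model of the two mod_alias behaviours the thread trips over: `Redirect` appending whatever follows the matched URL-path to the target URL, as the quoted documentation says, and `Alias` mapping the remainder onto the filesystem in the same way. It reproduces both the `interndemo.sfg-singen.de.well-known` Location caused by the missing trailing slash and the 404 caused by an `Alias` that points at the webroot instead of at `<webroot>/.well-known/acme-challenge`, including why a hand-made `test` file answered while the real token did not. The host name, token and directive values are the ones posted above; the matching function is a simplified re-implementation of mod_alias's `alias_matches()` (literal prefix match ending on a segment boundary, without Apache's doubled-slash handling), not Apache's own code, and the webroot layout it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Values taken from the thread; the token is the one in the first error message.
HOST = "interndemo.sfg-singen.de"
TOKEN = "f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE"
CHALLENGE_URL_PATH = "/.well-known/acme-challenge"


def matched_len(request_path, url_path):
    """Number of leading characters of request_path matched by a directive's
    URL-path, or -1 for no match. Simplified from mod_alias's alias_matches():
    literal prefix match, and unless url_path itself ends in '/', the match has
    to stop at a path-segment boundary. Doubled-slash handling is omitted."""
    if not request_path.startswith(url_path):
        return -1
    rest = request_path[len(url_path):]
    if rest and not url_path.endswith("/") and not rest.startswith("/"):
        return -1
    return len(url_path)


def apply_redirect(url_path, target, request_path):
    """Redirect [status] URL-path URL: everything after the matched prefix is
    appended verbatim to URL. With URL-path '/' only the leading slash is
    consumed, so a target without a trailing slash gets '.well-known...' glued
    straight onto the host name."""
    n = matched_len(request_path, url_path)
    return None if n < 0 else target + request_path[n:]


def apply_alias(url_path, directory, request_path):
    """Alias URL-path directory-path: same prefix rule, remainder appended to directory."""
    n = matched_len(request_path, url_path)
    return None if n < 0 else directory + request_path[n:]


def redirect_keeps_host_and_path(url_path, target, request_path, expected_host):
    """Pre-flight check for an HTTP->HTTPS redirect in front of ACME: the
    resulting Location must still name expected_host and carry the same path."""
    location = apply_redirect(url_path, target, request_path)
    if location is None:
        return False
    parts = urlsplit(location)
    return parts.hostname == expected_host and parts.path == request_path


def alias_serves(url_path, directory, request_path):
    """True if the Alias maps request_path onto an existing regular file (200),
    False if it maps onto nothing (404) or does not match at all."""
    mapped = apply_alias(url_path, directory, request_path)
    return mapped is not None and os.path.isfile(mapped)


def simulate_alias_scenarios():
    """Rebuild the thread's webroot in a temporary directory (constructed layout):
    the ACME client writes its token under <webroot>/.well-known/acme-challenge/,
    while the hand-made 'test' file sits directly in <webroot>. Returns
    {(alias_target_label, name): served} for both Alias variants from the thread."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        acme_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(acme_dir)
        with open(os.path.join(acme_dir, TOKEN), "w") as f:
            f.write(TOKEN + ".constructed-key-authorization\n")  # body content irrelevant here
        with open(os.path.join(webroot, "test"), "w") as f:
            f.write("Wed Dec 16 12:46:22 CET 2015\n")
        variants = {
            # Alias /.well-known/acme-challenge /var/www/letsencrypt
            "webroot": webroot,
            # Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge
            "webroot/.well-known/acme-challenge": acme_dir,
        }
        for label, directory in variants.items():
            for name, filename in (("test", "test"), ("token", TOKEN)):
                results[(label, name)] = alias_serves(
                    CHALLENGE_URL_PATH, directory, CHALLENGE_URL_PATH + "/" + filename)
    return results


if __name__ == "__main__":
    path = CHALLENGE_URL_PATH + "/" + TOKEN
    print(apply_redirect("/", "https://" + HOST, path))        # host becomes ...de.well-known
    print(apply_redirect("/", "https://" + HOST + "/", path))  # path preserved
    for key, served in sorted(simulate_alias_scenarios().items()):
        print(key, "200" if served else "404")
```

Running it prints the broken and the fixed Location, then one line per Alias variant and file: with the first Alias only `test` is served (what the curl run above showed), with the corrected Alias only the real token is. The `redirect_keeps_host_and_path` check is the one worth scripting against any HTTP-to-HTTPS redirect placed in front of `/.well-known/acme-challenge/`, since the validator follows redirects and will fail on a Location that names a different host.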