[Webroot] Only performs http-01 challenge which doesn't follow HTTP redirects to HTTPS site

Well I still get the letsencrypt error:
Failed authorization procedure. interndemo.sfg-singen.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://interndemo.sfg-singen.de/.well-known/acme-challenge/f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE

Because your redirects are broken and miss a / before .well-known.

 $ http "http://interndemo.sfg-singen.de/.well-known/acme-challenge/f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE"

results in:

Location: https://interndemo.sfg-singen.de.well-known/acme-challenge/f1ooD18w2PdWwZcTL8QdELNBCbrihcTTXR97ryoicaE

This is how my config looks like:

```
<VirtualHost *:80>
    ServerName interndemo.sfg-singen.de
    Redirect 302 / https://interndemo.sfg-singen.de
</VirtualHost>
```

Try adding an extra / to the end of your Redirect directive?

From the documentation:

Additional path information beyond the matched URL-Path will be appended to the target URL.

Keyword here is additional: as your URL-path is a single slash /, the .well-known/acme-challenge/foobar is the additional part. Without the slash. And as your URL doesn't contain a trailing slash, it all goes awry.


I did that; with the letsencrypt client it still won't work, but in curl the redirect and everything works:

```
$ curl -Lv http://interndemo.sfg-singen.de/.well-known/acme-challenge/test
* Hostname was NOT found in DNS cache
*   Trying 176.9.146.143...
* Connected to interndemo.sfg-singen.de (176.9.146.143) port 80 (#0)
> GET /.well-known/acme-challenge/test HTTP/1.1
> User-Agent: curl/7.38.0
> Host: interndemo.sfg-singen.de
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 16 Dec 2015 13:58:10 GMT
* Server Apache/2.4.10 (Debian) is not blacklisted
< Server: Apache/2.4.10 (Debian)
< Location: https://interndemo.sfg-singen.de/.well-known/acme-challenge/test
< Content-Length: 338
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host interndemo.sfg-singen.de left intact
* Issue another request to this URL: 'https://interndemo.sfg-singen.de/.well-known/acme-challenge/test'
* Found bundle for host interndemo.sfg-singen.de: 0x7f53416d4550
* Hostname was NOT found in DNS cache
*   Trying 176.9.146.143...
* Connected to interndemo.sfg-singen.de (176.9.146.143) port 443 (#1)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: CN=interndemo.sfg-singen.de
*        start date: 2015-12-16 09:42:00 GMT
*        expire date: 2016-03-15 09:42:00 GMT
*        subjectAltName: interndemo.sfg-singen.de matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X1
*        SSL certificate verify ok.
> GET /.well-known/acme-challenge/test HTTP/1.1
> User-Agent: curl/7.38.0
> Host: interndemo.sfg-singen.de
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 16 Dec 2015 13:58:10 GMT
* Server Apache/2.4.10 (Debian) is not blacklisted
< Server: Apache/2.4.10 (Debian)
< Last-Modified: Wed, 16 Dec 2015 11:46:22 GMT
< ETag: "1d-52702748b8057"
< Accept-Ranges: bytes
< Content-Length: 29
< Content-Type: application/jose+json
<
Wed Dec 16 12:46:22 CET 2015
* Connection #1 to host interndemo.sfg-singen.de left intact
```

What’s the LE log now? That’s more interesting.

OMG my alias was wrong… I missed that letsencrypt actually creates those directories. Now my config looks like this:

```
Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge
```

So it is working now! But it also works without the additional / in the end.

Ah.. Good to know :stuck_out_tongue: Curious though why CURL did work in the meantime, while that didn't work before... Or perhaps it was the combination of both: the added slash in the Redirect directive (I'm assuming you didn't roll back that change?) and the fixed Alias?

No, my alias looked like this before:
```
Alias /.well-known/acme-challenge /var/www/letsencrypt
```

I created the test file in /var/www/letsencrypt. I thought that LE puts the files directly in there, but it actually creates the subfolders. That's why I got a 404 in the end.
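Both misconfigurations in this thread (a `Redirect` target without a trailing slash, and an `Alias` pointing at the webroot itself rather than at the challenge directory the client creates inside it) can be checked offline by modelling the path handling involved. The script below is an added example, not code from the thread, from Apache or from the Let's Encrypt client. It implements the `Redirect` semantics quoted from the Apache documentation above (the path beyond the matched URL-path is appended to the target verbatim, with no separator inserted) and the `Alias` prefix replacement, then walks a challenge request through the port-80 redirect and the port-443 `Alias` to see whether it ends at the file the webroot plugin writes, `<webroot>/.well-known/acme-challenge/<token>`. The host name and directories are the ones from the thread; the token is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Path under which the webroot plugin serves challenge tokens (from the thread).
CHALLENGE_PREFIX = "/.well-known/acme-challenge"


def apache_redirect(url_path, target, request_path):
    """Model of the documented Redirect behaviour: the part of the request
    path beyond the matched URL-path is appended to the target as-is.
    Returns the Location value, or None when the URL-path does not match."""
    if not request_path.startswith(url_path):
        return None
    return target + request_path[len(url_path):]


def apache_alias(url_path, directory, request_path):
    """Model of Alias: the matched URL-path prefix is replaced by the directory.
    Returns the filesystem path, or None when the prefix does not match."""
    if request_path != url_path and not request_path.startswith(url_path + "/"):
        return None
    return directory + request_path[len(url_path):]


def webroot_challenge_file(webroot, token):
    """Where the webroot plugin writes a token: <webroot>/.well-known/acme-challenge/<token>."""
    return webroot.rstrip("/") + CHALLENGE_PREFIX + "/" + token


def check_challenge_path(host, redirect_target, alias_dir, webroot, token):
    """Follow one challenge request through the :80 Redirect and the :443 Alias.

    Returns a dict with each intermediate value so a broken step can be seen:
    the Location header, whether it still points at the challenge path on the
    expected host over https, the file the Alias would serve, and the file the
    client actually wrote."""
    request_path = CHALLENGE_PREFIX + "/" + token
    location = apache_redirect("/", redirect_target, request_path)
    redirect_ok = False
    served_file = None
    if location is not None:
        parts = urlsplit(location)
        # A missing slash in the target turns ".well-known" into part of the host name.
        redirect_ok = (parts.scheme == "https"
                       and parts.netloc == host
                       and parts.path == request_path)
        if redirect_ok:
            served_file = apache_alias(CHALLENGE_PREFIX, alias_dir, parts.path)
    expected_file = webroot_challenge_file(webroot, token)
    return {
        "location": location,
        "redirect_ok": redirect_ok,
        "served_file": served_file,
        "expected_file": expected_file,
        "ok": redirect_ok and served_file == expected_file,
    }


if __name__ == "__main__":
    host = "interndemo.sfg-singen.de"
    webroot = "/var/www/letsencrypt"
    token = "EXAMPLE-TOKEN"  # constructed placeholder, not a real ACME token

    # The three configurations that appear in the thread, in order.
    configs = [
        ("Redirect without slash, old Alias",
         "https://" + host, webroot),
        ("Redirect with slash, old Alias",
         "https://" + host + "/", webroot),
        ("Redirect with slash, fixed Alias",
         "https://" + host + "/", webroot + CHALLENGE_PREFIX),
    ]
    for label, target, alias_dir in configs:
        result = check_challenge_path(host, target, alias_dir, webroot, token)
        print(label)
        for key in ("location", "redirect_ok", "served_file", "expected_file", "ok"):
            print("  %-14s %s" % (key + ":", result[key]))
```

The first configuration fails at the redirect (the Location host becomes `interndemo.sfg-singen.de.well-known`), the second fails at the `Alias` (the request maps to `/var/www/letsencrypt/EXAMPLE-TOKEN` while the client wrote the token one directory deeper, which is the 404 described above), and only the third resolves to the file that was written.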