I created a certificate for a domain using this command:
sudo ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/domain.co.uk/html -d www.domain.co.uk -d domain.co.uk
It created the certificate but there was a general permission error of some sort.
The certs have been created at /etc/letsencrypt/live/domain.co.uk but the /.well-known/ directory is empty.
I created a test file in the directory and tested to see if it was publicly viewable and it was.
I tried running the command again and it asked if I wanted to replace the cert so I did but still no files copied. I tried with -manual as an option but there was no change in the process.
Is there a command to try copying the files again? What should I do now?
The client cleans up acme-challenge/* and acme-challenge after issuance, so they will always be removed. .well-known will not be deleted, that’s why it stays there being empty.
@jsha Does the client account for concurrent issuance, so it doesn’t delete acme-challenge if it’s not empty? In my own client, I just delete the challenge files, but not acme-challenge, because of that and because a single directory doesn’t hurt.
The /.well-known/acme-challenge/ directory is only temporarily used for the domain challenge. Once the challenge has been approved or failed, the challenge file will be deleted.
If I understand your post correctly, you’ve succesfully generated your certificates (otherwise, the client wouldn’t ask to replace any certificate), so it makes sense the directory is empty.
I was not having any problem but the tutorial I am following told me to go check in the acme-challenge folder but there wasn’t one there so I got kind of confused.
Thank you very much for clearing that up for me and the quick response
It wasn’t an official one, just a blog post I found. I’ve been on a bit of a googling spree since I read it so I can’t put my finger on it but it could well have been me misinterpreting what they meant (I do that sometimes).
@jsha@kelunik Looking at the source code, the official client uses os.rmdir() which only removes empty directories and raises OSError if the directory is not empty.
If an OSError occurs and errno == ENOTEMPTY, it logs it like that: logger.debug("Challenges cleaned up but %s not empty", root_path)
Therefore I’d assume that @kelunik’s scenario wouldn’t really occur.
However, there might be an extremely rare and unlikely scenario where a second process would remove the directory after prepare calls os.makedirs(), but before the validation file is written: The directory is empty after (re-)creating it with makedirs() and will therefore be removed. As far as I can see it is not re-created just before writing the file.
I assume the client will fail in case this occurs. @schoen, I’m not sure if this is worth fixing at all.
