Wellknown_url referencing old ACL

john-pennoi · March 27, 2021, 11:03am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:pennoi.com

I ran this command:getssl -d pennoi.com

It produced this output:getssl: for some reason could not reach http://pennoi.com/.well-known/acme-challenge/Odnq1PoS2G2IaZZtm7uSLlo98f9NqcZA5g8B79OxvD0 - please check it manually

My web server is (include version):httpd-2.2.15-69.el6.centos.x86_64

The operating system my web server runs on is (include version):CentOS release 6.10 (Final)

My hosting provider, if applicable, is:N/A

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):getssl downloaded March 2021

Description of issue

I initially installed getssl as root but I would like to run it as acme user. I followed the steps on Using Let’s Encrypt with getssl and minimal root usage #letsencrypt – FU-BAR

When I run "getssl pennoi.com" as the acme user I get this error
getssl: for some reason could not reach http://pennoi.com/.well-known/acme-challenge/Odnq1PoS2G2IaZZtm7uSLlo98f9NqcZA5g8B79OxvD0 - please check it manually

I ran "getssl -d pennoi.com" and found that the wellknown_url is using the old ACL (the one I set up as root) instead of the new ACL for acme user

wellknown_url http://pennoi.com/.well-known/acme-challenge/Odnq1PoS2G2IaZZtm7uSLlo98f9NqcZA5g8B79OxvD0

My acme user ACL is
ACL=('/var/www/html/letsencrypt/.well-known/acme-challenge')

My root user ACL is
ACL=('/var/www/html/.well-known/acme-challenge')

For some reason it's still appears to be using the old (root) ACL

Any help greatly appreciated
John

Osiris · March 27, 2021, 12:16pm

I'm not really familair with getssl, but where does "ACL" stand for within this context? I only know it as " access-control list".

john-pennoi · March 27, 2021, 12:51pm

ACL is a parameter in the getssl configuration file, see below from my file

    # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
    # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
    # An ssh key will be needed to provide you with access to the remote server.
    # Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
    # If left blank, the username on the local server will be used to authenticate against the remote server.
    # If these start with ftp:/ftpes: then the next variables are ftpuserid:ftppassword:servername:ACL_location
    # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
    # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
    # You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username,
    # password, host, port (explicitly needed even if using default port 443) and path on the server.
    # Multiple locations can be defined for a file by separating the locations with a semi-colon.

ACL=('/var/www/html/letsencrypt/.well-known/acme-challenge')

Osiris · March 27, 2021, 1:20pm

That's probably due to the fact the $WORKING_DIR variable used internally (where it tries to find the configuration file) can be one of many options if I look at the source code:

/etc/getssl
${PROGDIR}/conf
${PROGDIR}/.getssl
${HOME}/.getssl

I'm guessing the script is using one of those directories previously generated by the root user.

It seems to check the above locations in that order for the existance of a configuration file and if one is found, it stops looking for any other. So if you have the file /etc/getsll/getssl.cfg, those options will be used, even if you also have a config file in, for example, /home/john/.getssl/getssl.cfg.

john-pennoi · March 27, 2021, 5:23pm

I checked those locations. The only locations with config files are /root/.getssl amd /home/acme/.getssl

I will debug the script more when I have time. Thanks for your help so far.

system · April 26, 2021, 5:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.