What is my webroot?


#1

Hi, I'm trying to generate a certificate for my website but I can't. Can someone help me? I don't know what my webroot is.

I have a Java EE application and my company uses Wix for its website (domain and subdomain).
My Java application is using Amazon EC2.
The subdomain (from Wix) points to the IP of the Java application.

PS: The application was developed on another computer

I ran this command:
./letsencrypt-auto certonly --webroot -d mysubdomain.domain.com.br -d www.mysubdomain.domain.com.br

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysubdomain.domain.com.br
http-01 challenge for www.mysubdomain.domain.com.br
Input the webroot for mysubdomain.domain.com.br: (Enter ‘c’ to cancel):
I don't know what my webroot is

My web server is (include version):

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi,

The WebRoot is where you define it.

You can set wherever you want as the webroot, just make sure certbot has the correct permissions for it.

-------- Take a look at @jared.m’s response, ignore my response (after this line) ---------
For example, you can set the webroot to: /var/certbot_webroot (since certbot can definitely access /var/)
But please avoid setting the webroot to: /root/ (since certbot might not be able to access it)

Thank you


#3

To be a bit more specific, the webroot directory is whichever directory serves files for your website. For instance, if your domain is www.example.com, your webroot is where you would put a file (say, index.html) to access it with www.example.com/index.html. Often it’s something like /var/www/html if you’re using Apache.


#4

It depends on the application server you’re using.

With Glassfish it’s something like:

/opt/glassfish/domains/domain1/docroot

With Wildfly/JBoss it’s something like:

/opt/wildfly/standalone/welcome-content

I have no idea what IBM and Oracle do in their proprietary implementations.

The installation directory of these servers varies. You could possibly find them in /usr/local or /home as well.


#5

For some ways of running web applications you could also imagine that there is no webroot because all URLs are mapped directly into the application (for example we see this here with people setting a blanket nginx proxy_pass for all paths).

So another question could be:

How? :slight_smile:


#6

You just need to buy a virtual machine on Amazon, put your server on it (e.g. Glassfish) and put the war file there.


#7

Thank you for the reply!

I don't have Glassfish installed on this computer; it is just a raw Debian.


#8

Thank you for the reply, this computer is just a raw Linux, it has nothing…

I'm lost, I do not know what to do :frowning:


#9

I mean, how did you configure the server to serve the Java application?


#10

It was not me, but from what I know, you just install Glassfish through the command line.

Amazon has its own service for Glassfish as well, like CodeCommit.


#11

Earlier you said

but here you said

Does that mean that someone else has installed Glassfish? Or some other possibility?


#12

I’ve developed a Java application on another computer (Windows). Now I’m using a Debian machine to generate the certificate.

I put the war file of my application, made on Windows, on the Glassfish in the EC2 virtual machine.

Another person in the company installed Glassfish on EC2.


#13

I tried this, but it does not work.

root@debian:~/certificado/letsencrypt# ./letsencrypt-auto certonly --webroot -d mysubdomain.mydomain.com.br -d www.mysubdomain.mydomain.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysubdomain.mydomain.com.br
http-01 challenge for www.mysubdomain.mydomain.com.br
Input the webroot for mysubdomain.mydomain.com.br: (Enter ‘c’ to cancel): /opt

Select the webroot for www.mysubdomain.mydomain.com.br:

1: Enter a new webroot
2: /opt

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.mysubdomain.mydomain.com.br(http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysubdomain.mydomain.com.br/.well-known/acme-challenge/Dy6Yy52uvxGxTOM_Q7YXU6wjvXlCwouSU291FF0bQ_4: "<html xmlns=“http:/”, mysubdomain.mydomain.com.br(http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysubdomain.mydomain.com.br/.well-known/acme-challenge/iOjGWi4kP1YJcSuRhNsQJBemCFAsiHo-l-q1pibXcSY: "<html xmlns=“http:/”

IMPORTANT NOTES:


#14

So, the configuration of Glassfish either serves static files directly from the filesystem somehow, or doesn’t do this. If it does, then you need to look at the Glassfish configuration to find out where they are served from. If it doesn’t, then you need to configure Glassfish so that it does this.

As an alternative, you can also use the --standalone method instead of --webroot. This creates a temporary web server to pass the challenges. It would probably require stopping Glassfish temporarily and restarting it afterward.

(If you like, I also speak Brazilian Portuguese, in case that helps in this conversation.)
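
A pre-flight check for the situation in this thread, added here as an example (not code from any poster or from Certbot): it writes a random probe file under a candidate webroot and confirms that the site returns exactly that file from /.well-known/acme-challenge/, which is what http-01 validation with --webroot needs. The function names, the CatchAll handler and the local test servers are constructed for illustration; in real use base_url would be the site's http:// address and the script would run on the machine that serves it.

```python
import functools, http.server, secrets, tempfile, threading, urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the http-01 validator requests

def webroot_is_served(webroot, base_url, timeout=5.0):
    """True if a probe file written under `webroot` comes back unchanged from `base_url`."""
    token = "preflight-" + secrets.token_urlsafe(16)  # random name: no stale file can match
    body = secrets.token_urlsafe(32)
    probe = Path(webroot) / CHALLENGE_DIR / token
    probe.parent.mkdir(parents=True, exist_ok=True)   # created directories are left in place
    probe.write_text(body)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace").strip() == body
    except OSError:  # refused connection, timeout, 404: URLError and HTTPError are OSErrors
        return False
    finally:
        probe.unlink(missing_ok=True)

class CatchAll(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an application that answers every URL with its own page."""
    def do_GET(self):
        page = b"<html><body>application page</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

def check_against(handler, root):
    """Run the check for `root` against a throwaway local server built from `handler`."""
    with http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return webroot_is_served(root, f"http://127.0.0.1:{srv.server_port}")
        finally:
            srv.shutdown()

def demo():
    """Returns (served directory, unrelated directory, catch-all application)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        static = functools.partial(http.server.SimpleHTTPRequestHandler, directory=served)
        return (check_against(static, served), check_against(static, other),
                check_against(CatchAll, served))

if __name__ == "__main__":
    print(demo())
```

Only the first case passes: a directory the server does not serve yields a 404, and an application that maps every URL to itself returns its own HTML, as in the "Invalid response" error in post #13.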


#15

That will help a lot :slight_smile:

Earlier I tried with --standalone, but it returned the following:
Problem binding to port 80: Could not bind to IPv4 or IPv6.

I tried before stopping it and after I stopped it.

So if I use the command line of the EC2 computer it should work, since this computer has neither Glassfish nor my application. What do you think?


#16

Now I think I have gotten confused about the various servers. Which server already has Glassfish, and where is it? On which server are you requesting the certificate with Certbot?

Usually that message indicates that another process (such as Apache, nginx, Glassfish, or something else) is already accepting connections on port 80. Are you sure you had already stopped Glassfish before using certbot --standalone?

Is it possible that there is an nginx process acting as a proxy, for example with proxy_pass, to forward each connection to Glassfish? I don't know what the most common configuration with Glassfish is, but web application developers in many other environments have used nginx this way. (nginx accepts the connection on port 80 and/or 443, and forwards it to localhost on another port where the web application process itself runs.)

If you are not sure, you may be able to determine which other process is already occupying port 80 with netstat -nta | grep :80 or something similar.


#17

The Amazon one has Glassfish.

On my local computer.


#18

Yes, I'm sure; a message appeared on the screen saying that the server stopped, and I can no longer access it.

I used the following commands:
fuser 80/tcp
80/tcp: 8739
root@debian:~# ps aux | grep 8739
root 8739 0.0 0.2 40036 2456 ? S 05:53 0:07 /usr/bin/python2 -c import BaseHTTPServer, SimpleHTTPServer; s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); s.serve_forever()
root 10044 0.0 0.0 12784 936 pts/1 S+ 15:58 0:00 grep 8739


#19

It would make more sense to request it directly on the Amazon server, because the certificate authority needs to connect to the server to confirm that the entity requesting the certificate really has control over the domain. Certbot does not have a very convenient option for configuring a remote server for this verification procedure.


#20

Is this the second time you have tried to do it with certbot --standalone? That Python process looks like a previous attempt (!) with Certbot, but normally it does not keep occupying the port after Certbot finishes running. Maybe you should terminate the process with kill 8739, but I don't really know why it still exists.