What is my webroot?

Hi, I'm trying to generate a certificate for my website but I can't. Can someone help me? I don't know what my webroot is.

I have a Java EE application and my company uses Wix for its website (domain and subdomain).
My Java application is using Amazon EC2.
The subdomain (from Wix) points to the IP of the Java application.

PS: The application was developed on another computer

I ran this command:
./letsencrypt-auto certonly --webroot -d mysubdomain.domain.com.br -d www.mysubdomain.domain.com.br

It produced this output:
aving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysubdomain.domain.com.br
http-01 challenge for www.mysubdomain.domain.com.br
Input the webroot for mysubdomain.domain.com.br: (Enter ‘c’ to cancel):
I don't know what my webroot is

My web server is (include version):

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi,

The WebRoot is where you define it.

You can set wherever you want as the webroot; just make sure certbot has the correct permissions for it.

-------- Take a look at @jared.m’s response, ignore my response (after this line) ---------
For example, you can set the webroot to: /var/certbot_webroot (since certbot can definitely access /var/)
But please avoid setting the webroot to: /root/ (since certbot might not be able to access it)

Thank you

1 Like

To be a bit more specific, the webroot directory is whichever directory serves files for your website. For instance, if your domain is www.example.com, your webroot is where you would put a file (say, index.html) to access it with www.example.com/index.html. Often it’s something like /var/www/html if you’re using Apache.

4 Likes

It depends on the application server you're using.

With Glassfish it's something like:

/opt/glassfish/domains/domain1/docroot

With Wildfly/JBoss it's something like:

/opt/wildfly/standalone/welcome-content

I have no idea what IBM and Oracle do in their proprietary implementations.

The installation directory of these servers varies. You could possibly find them in /usr/local or /home as well.

4 Likes

For some ways of running web applications you could also imagine that there is no webroot because all URLs are mapped directly into the application (for example we see this here with people setting a blanket nginx proxy_pass for all paths).

So another question could be:

How? :slight_smile:

1 Like

You just need to buy a virtual machine on Amazon, put your server on it (e.g. Glassfish) and put the war file there

Thank you for the reply!

I don't have Glassfish installed on this computer; it is just a raw Debian

Thank you for the reply. This computer is just a raw Linux; it has nothing


I'm lost, I do not know what to do :frowning:

I mean, how did you configure the server to serve the Java application?

It was not me, but from what I know, you just install Glassfish through the command line

Amazon has its own service for Glassfish as well, like CodeCommit

Earlier you said

but here you said

Does that mean that someone else has installed Glassfish? Or some other possibility?

I've developed a Java application on another computer (Windows). Now I'm using Debian to generate the certificate

I put the war file of my application, made on Windows, on the Glassfish in the EC2 virtual machine

Another person in the company installed Glassfish on EC2

I tried this, but it does not work.

root@debian:~/certificado/letsencrypt# ./letsencrypt-auto certonly --webroot -d mysubdomain.mydomain.com.br -d www.mysubdomain.mydomain.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysubdomain.mydomain.com.br
http-01 challenge for www.mysubdomain.mydomain.com.br
Input the webroot for mysubdomain.mydomain.com.br: (Enter ‘c’ to cancel): /opt

Select the webroot for www.mysubdomain.mydomain.com.br:

1: Enter a new webroot
2: /opt

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification

Cleaning up challenges
Failed authorization procedure. www.mysubdomain.mydomain.com.br(http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysubdomain.mydomain.com.br/.well-known/acme-challenge/Dy6Yy52uvxGxTOM_Q7YXU6wjvXlCwouSU291FF0bQ_4: "<html xmlns=“http:/”, mysubdomain.mydomain.com.br(http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysubdomain.mydomain.com.br/.well-known/acme-challenge/iOjGWi4kP1YJcSuRhNsQJBemCFAsiHo-l-q1pibXcSY: "<html xmlns=“http:/”

IMPORTANT NOTES:

So, the configuration of Glassfish either serves static files directly from the filesystem somehow, or doesn't do this. If it does, then you need to look at the Glassfish configuration to find out where they are served from. If it doesn't, then you need to configure Glassfish so that it does this.

As an alternative, you can also use the --standalone method instead of --webroot. This creates a temporary web server to pass the challenges. It would probably require stopping Glassfish temporarily and restarting it afterward.

(If you like, I also speak Brazilian Portuguese, in case that helps in this conversation.)

1 Like
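A pre-flight check for the question this thread turns on, as an added example that is not part of any post above or of Certbot: it writes a random file under a candidate directory's .well-known/acme-challenge/ and fetches it over HTTP, which is what the http-01 validation does with the real token. The function name probe_webroot and its arguments are assumptions made for this illustration.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe_webroot(webroot, base_url, timeout=5.0):
    """Return (ok, detail): does base_url serve files written under webroot?"""
    root = Path(webroot)
    if not root.is_dir():
        return False, "no such directory"
    name = "probe-" + secrets.token_urlsafe(16)   # unguessable file name
    body = secrets.token_urlsafe(32)              # exact response we expect
    challenge_dir = root / CHALLENGE_DIR
    # Remember which directories we create so cleanup removes only those.
    created = [d for d in (challenge_dir, challenge_dir.parent) if not d.exists()]
    challenge_dir.mkdir(parents=True, exist_ok=True)
    probe = challenge_dir / name
    probe.write_text(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    # Connect directly, ignoring any proxy environment variables.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            got = resp.read(4096).decode("utf-8", "replace")
        if got.strip() == body:
            return True, "served from this directory"
        # Same symptom as the 'Invalid response ... "<html' error in the thread.
        return False, "different content returned: " + got[:40]
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connection failed: {exc}"
    finally:
        probe.unlink()
        for d in created:
            d.rmdir()   # only directories this call created (empty by now)


if __name__ == "__main__":
    import sys
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print("OK" if ok else "NOT the webroot", "-", detail)
```

Run it on the machine that answers for the domain, passing a candidate directory and the site's http:// base URL; a directory that returns OK is one that can be given to --webroot.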

That will help a lot :slight_smile:

Earlier I tried with --standalone, but it returned the following:
Problem binding to port 80: Could not bind to IPv4 or IPv6.

I tried before stopping it and after I stopped it

So if I use the command line of the EC2 computer it should work, since this computer has neither Glassfish nor my application. What do you think?

Now I think I've gotten confused about the various servers. Which server already has Glassfish, and where is it? On which server are you requesting the certificate with Certbot?

Usually this message indicates that another process (such as Apache, nginx, Glassfish, or another) is already accepting connections on port 80. Are you sure you had already stopped Glassfish before using certbot --standalone?

Is it possible that there is an nginx process acting as a proxy, for example with proxy_pass, to forward every connection to Glassfish? I don't know what the most common configuration with Glassfish is, but web application developers in many other environments have used nginx this way. (nginx accepts the connection on port 80 and/or 443, and forwards it to localhost on another port that holds the web application process itself.)

If you're not sure, perhaps you can determine which other process is already occupying port 80 with netstat -nta | grep :80 or something similar.

The Amazon one has Glassfish.

On my local computer.

Yes, I'm sure; the message appeared on the screen saying that the server stopped, and I can no longer access it

I used the following commands
fuser 80/tcp
80/tcp: 8739
root@debian:~# ps aux | grep 8739
root 8739 0.0 0.2 40036 2456 ? S 05:53 0:07 /usr/bin/python2 -c import BaseHTTPServer, SimpleHTTPServer; s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); s.serve_forever()
root 10044 0.0 0.0 12784 936 pts/1 S+ 15:58 0:00 grep 8739

It would make more sense to request it directly on the Amazon server, because the certificate authority needs to connect to the server to confirm that the entity requesting the certificate really has control over the domain. Certbot does not have a very convenient option for configuring a remote server for this verification procedure.

1 Like

Is this the second time you've tried to do it with certbot --standalone? That Python process looks like a previous attempt (!) with Certbot, but normally it does not keep occupying the port after Certbot finishes running. Maybe you should terminate the process with kill 8739, but I don't really know why it still exists.

1 Like