What is special about the .well-known/acme-challenge directory?

I am investigating why one attempt at sudo /usr/local/bin/certbot-auto --apache resulted in an acme-challenge failure, while a subsequent attempt was successful.

In my VPS, /var/www is a symlink to /data/www
In the main httpd.conf file, the document root remains as "/var/www/html"
In my own mydomain.com.conf file, the VirtualHost section looks like this:
<VirtualHost *:80>
ServerName mydomain.com
DocumentRoot "/var/www/html"

  <Directory "/var/www/html">
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
</VirtualHost>

I created a simple test1.html file, which was copied to all these locations:
/data/www/html/.well-known/acme-challenge/test1.html
/data/www/html/.well-known/test1.html
/data/www/html/mytest/test1.html
/data/www/html/test1.html

And I visited all the above via web browser, and the only one that fails (WordPress's 404) is:
http://mydomain.com/.well-known/acme-challenge/test1.html

I cannot figure out why.

1 Like

I would rename those as:
/data/www/html/.well-known/acme-challenge/test4.html
/data/www/html/.well-known/test3.html
/data/www/html/mytest/test2.html
/data/www/html/test1.html
[or modify their contents so that you can know exactly which one was reached]

I don't see why/how the root file was not reachable:
http://mydomain.com/test1.html
should serve:
/data/www/html/test1.html

If that fails, then you have some overlapping domain name issues.
What does this say?:
apachectl -S

2 Likes

Thank you.
Not sure if you mis-read or I had a typo… but the file at the doc root was reachable.
Three (3 nos.) cases were reachable.
The only case that was not reachable was the one in the full path.

1 Like

Then there may be some special handling for that full path.
If this is a shared server, then you may need to speak with the admin about that.
If this is a dedicated server (and you are the admin), then you need to review the entire config for such a condition.

2 Likes

It is a VPS that I subscribed to for just my own website, and I am the admin.
The .well-known directory and acme-challenge directory were both created by CertBot, or possibly by the LE WordPress plugin by “Go Web Smarty”.
What might be special about these directories? Where should I check? Because there’s nothing special about the dir permissions.

BTW, this is the WP plugin by “Go Web Smarty”: https://wordpress.org/plugins/wp-letsencrypt-ssl/

1 Like

There is nothing "special" about those directories (usually - by default).
If any were created by anything other than certbot, then we need to review that.

I would search through the config folders (or entire disk) for anything related to acme-challenge
[something (my guess is WordPress) has to be handling those requests "differently"]

3 Likes

thanks!

$ pwd
/data/www/html

$ sudo grep -nr "acme-challenge" .
./wp-content/uploads/wp_letsencrypt/debug.log:14:Creating HTTP challenge file http://sc.og.com.sg/.well-known/acme-challenge/6ebRtc9uWuKaqS_qjVzyNg89MvhOcsaAGEecoMvtT0o
./wp-content/plugins/wp-letsencrypt-ssl/admin/le_admin.php:763:      add_rewrite_rule('.well-known/acme-challenge/(.*)$', '$1', 'top');
./wp-content/plugins/wp-letsencrypt-ssl/lib/LEFunctions.php:211:    $requestURL = $domain . '/.well-known/acme-challenge/' . $token;
./wp-content/plugins/wp-letsencrypt-ssl/lib/LEFunctions.php:244:    $requestURL = 'https://dns.google.com/resolve?name=_acme-challenge.' . $domain . '&type=TXT';
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:228:                                $acmefile = site_url( '/.well-known/acme-challenge/' . $challenge['filename'], 'http' );
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:238:                                        'RewriteRule ^.well-known/acme-challenge/(.*)$ $1 [L,R=301]',
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:264:                                    //add_rewrite_rule('.well-known/acme-challenge/(.*)$', '$1', 'top');
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:436:            'challenge_folder_exists' => file_exists( ABSPATH . '.well-known/acme-challenge' ),
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:472:                $vrfy .= 'Name: <b>_acme-challenge.' . $site . '</b>
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:658:        $fpath = ABSPATH . '.well-known/acme-challenge/';
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:727:        $acmefilepath = ABSPATH . '.well-known/acme-challenge/' . $challenge['filename'];
./wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php:737:            $fpath = ABSPATH . '.well-known/acme-challenge/';
./.htaccess:10:RewriteRule ^.well-known/acme-challenge/(.*)$ /$1 [QSA,L]
$
2 Likes

BINGO !

3 Likes

I would try:

2 Likes

Thanks. I had to look up a rewrite rule tester to find out what it does…
It rewrites http://example.com/.well-known/acme-challenge/foo to http://example.com/foo
Very curious why the WordPress LE plugin would create this rule.
And very curious how certbot eventually passed the challenge.
I am going to remove the WP plugin, (I had used it part way thru and encountered some problems, don’t really remember, before coming back to fix up my virtualhost so that I could use certbot-auto), sorry it is so convoluted, but I believe certbot-auto is working now. So I will remove the WP plugin.

2 Likes
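To make the effect of that single .htaccess line concrete, here is an added simulator (example code, not from the thread, the plugin or Apache) that applies only the RewriteRule the grep turned up to the request paths discussed above, with the files under the document root supplied as a constructed set. It models the one rule in isolation and ignores the rest of WordPress's .htaccess; the token value is a constructed placeholder.

```python
import re

# The .htaccess rule found by the grep in this thread:
#   RewriteRule ^.well-known/acme-challenge/(.*)$ /$1 [QSA,L]
# (QSA only carries the query string along, so it is not modelled here.)
ACME_RULE = (r"^.well-known/acme-challenge/(.*)$", "/$1")


def apply_rule(url_path, rule=ACME_RULE):
    """Simulate a per-directory RewriteRule. In .htaccess context Apache
    matches the pattern against the path relative to the directory (leading
    slash removed); $N in the substitution is capture group N. Note the
    unescaped dot in '.well-known' matches any character, as in Apache."""
    if rule is None:                      # rule commented out / removed
        return url_path
    pattern, subst = rule
    match = re.match(pattern, url_path.lstrip("/"))
    if match is None:
        return url_path                   # rule does not apply
    # translate Apache's $1 back-references into Python's \1 form
    return match.expand(re.sub(r"\$(\d)", r"\\\1", subst))


def serve(url_path, docroot_files, rule=ACME_RULE):
    """Return (path actually looked up, status) for one request, given the
    set of files that exist under the document root."""
    target = apply_rule(url_path, rule)
    return target, (200 if target in docroot_files else 404)


def http01_outcome(token, docroot_files, rule=ACME_RULE):
    """HTTP-01: the CA fetches /.well-known/acme-challenge/<token>. With the
    rule active the lookup lands at /<token>, which does not exist."""
    return serve(f"/.well-known/acme-challenge/{token}", docroot_files, rule)


if __name__ == "__main__":
    # Constructed docroot using the uniquely named copies suggested above,
    # so that a misrouted request cannot be masked by a same-named file.
    files = {"/.well-known/acme-challenge/test4.html",
             "/.well-known/test3.html", "/mytest/test2.html", "/test1.html"}
    for path in sorted(files):
        print(path, "->", serve(path, files))
    print("challenge, rule active: ", http01_outcome("CONSTRUCTED_TOKEN", files))
    print("challenge, rule removed:", http01_outcome(
        "CONSTRUCTED_TOKEN", files | {"/.well-known/acme-challenge/CONSTRUCTED_TOKEN"}, rule=None))
```

Only the acme-challenge path is rewritten; the other three test files are untouched, which matches the pattern of failures seen in the browser tests.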

As you expected, it works after commenting out that rewrite line. Thank you.

2 Likes
