What should be --webroot path


#1

Please fill out the fields below so we can help you better.

My domain is: oar12apc.consolidated.work

I ran this command: ./certbot-auto certonly --webroot -w /u01/apps/fs1/FMW_Home/wlserver_10.3/server/lib -d oar12apc.consolidated.work

./certbot-auto certonly --webroot -w /u01/apps/fs1/FMW_Home/user_projects/domains/EBS_domain_PROD -d oar12apc.consolidated.work

./certbot-auto certonly --webroot -w /u01/apps/fs1/FMW_Home/oracle_common/webservices/bin -d oar12apc.consolidated.work

It produced this output: 1) It is giving me .well-known – just this nothing else.

  1. Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for oar12apc.consolidated.work
    Using the webroot path /u01/apps/fs1/FMW_Home/wlserver_10.3/server/lib for all unmatched domains.
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. oar12apc.consolidated.work (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://oar12apc.consolidated.work/.well-known/acme-challenge/ucEE1dlVKyr0ynI-kBry2O6N3WYkZNBrVlaUJkGHpzM: "
404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My operating system is (include version): RHEL 7

My web server is (include version): I am using Oracle Apache

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

That’s the directory where all the files of the website are residing. I.e., if you access “http://oar12apc.consolidated.work/testfile.txt”, and the file in question would be /path/to/testfile.txt, the webroot is /path/to/.


#3

Thanks for the quick reply

The URL “http://oar12apc.consolidated.work” is an Oracle E-Business Suite, and it’s not a WEBSITE.

http://oar12apc.consolidated.work/OA_HTML/AppsLocalLogin.jsp

When we type the URL as “http://oar12apc.consolidated.work”, it takes us to the login page as follows:
http://oar12apc.consolidated.work/OA_HTML/AppsLocalLogin.jsp

So I understood from your feedback that we need to provide this location “OA_HTML/AppsLocalLogin.jsp”, right?
So the file “OA_HTML/AppsLocalLogin.jsp” has permission as applprod:oinstall.

And I ran the following:
./certbot-auto certonly --webroot -w /u01/apps/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/ -d oar12apc.consolidated.work

In the directory /u01/apps/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/ — the directory created as .Well-Known

And I am still facing the same issue.

And also please help me with how to access the testfile.txt from the URL.

Thanks,


#4

I’m totally not familiar with Oracle, so I have no idea what that means.

For the http-01 challenge, you’re supposed to be able to provide files from http://oar12apc.consolidated.work/.well-known/acme-challenge/
If that’s not possible, you have to use another challenge, such as tls-sni-01 (which probably isn’t going to work either) or through DNS with the dns-01 challenge.


#5

Hello,

Now I got what the webroot path should be. My webroot path on the server is "/u01/apps/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html"
As you told me earlier, I created a testfile.txt, test.html, a.jsp — all three files I am able to access with the URL using the IE browser.

http://oar12apc.consolidated.work/OA_HTML/testfile.txt
http://oar12apc.consolidated.work/OA_HTML/test.html
http://oar12apc.consolidated.work/OA_HTML/a.jsp
And still I am facing the same issue. Please help me on this… we are very close to the GO Live date.

[root@oar12apc certbot]# ./certbot-auto certonly --webroot -w /u01/apps/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html/ -d oar12apc.consolidated.work
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oar12apc.consolidated.work
Using the webroot path /u01/apps/fs1/FMW_Home/Oracle_EBS-app1/applications/oacore/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. oar12apc.consolidated.work (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://oar12apc.consolidated.work/.well-known/acme-challenge/8IsUtF_ZKflPMW7XuIEaMAKmGLQuSRULly4HA2M_P-U: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

Thanks,


#6

Well, that “OA_HTML” is a problem. Because /.well-known/acme-challenge/ (required) is not the same as /OA_HTML/.well-known/acme-challenge/ (I assume the current situation).


#7

So please guide me – what you want me to do.

Under the OA_HTML directory, the certbot-auto script generated the .well-known directory.


#8

I don’t know, as I said, I’m not familiar with Oracle.

If you can’t get Oracle to serve files directly under the root (http://oar12apc.consolidated.work/) without the OA_HTML part, the webroot plugin most likely isn’t going to work.

I’m quite certain (but not 100 %) the tls-sni-01 challenge with the apache plugin isn’t going to work either, so best bet is to use the dns-01 challenge (with the manual plugin in certbot or with one of the bash clients [third party clients]).


#9

Right, a key point to understand here is that the webroot plugin only works if you can get the web server to serve a file at /.well-known/acme-challenge/ca-chosen-filename directly at the top level of your site with no other path components. Otherwise, the webroot plugin can’t work at all; the Let’s Encrypt certificate authority won’t accept anything else for this type of validation.

In order to prove your control over the domain, you have to make a change to your site as requested by the certificate authority. The three kinds of changes that Let’s Encrypt supports for this purpose are called

  • HTTP-01 (posting a file in a specified place on the site, as described above, which is what the webroot plugin tries to do),

  • TLS-SNI-01 (changing the certificates that the server serves to include a custom one, which requires some integration with your specific web server software, which probably currently doesn’t exist for the Oracle server, although the standalone plugin can also handle this if you’re able to shut down your web server entirely for the brief period of validation, including during renewals of the certificate every 90 days),

  • and DNS-01 (which requires some way to add DNS records to your DNS zone, which the bash clients are the best at doing automatically via DNS provider APIs).
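
The mismatch diagnosed in this thread (the challenge file lands under the webroot, but the server only exposes that directory under a URL prefix such as /OA_HTML/) can be detected before running certbot. The following is an added example, not part of the original posts and not certbot code: the function name `probe_webroot` and the probe file naming are assumptions made for illustration.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"  # fixed by the HTTP-01 challenge


def probe_webroot(webroot, base_url, timeout=10):
    """Write a random probe file where certbot --webroot would put its
    challenge file, then fetch it from the URL the CA would request.

    Returns (ok, detail). The probe file is removed afterwards; the
    .well-known/acme-challenge directories are left in place.
    """
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    name = "probe-" + secrets.token_hex(8)   # hypothetical probe name
    body = secrets.token_hex(16)             # random content to compare
    path = os.path.join(challenge_dir, name)
    with open(path, "w") as fh:
        fh.write(body)
    url = base_url.rstrip("/") + CHALLENGE_PATH + name
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace")
        # A 200 with other content (e.g. a redirect to a login page) is a failure.
        if served.strip() == body:
            return True, "served correctly at " + url
        return False, "unexpected content at " + url
    except urllib.error.HTTPError as exc:
        return False, "HTTP %d at %s" % (exc.code, url)
    except (urllib.error.URLError, OSError) as exc:
        return False, "request failed for %s: %s" % (url, exc)
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_webroot.py WEBROOT BASE_URL")
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it with the directory intended for `-w` and the bare site URL (no path); a 404 here means the CA's request would fail the same way.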

