John Gates, CISSP, CDPSE asked:

FreeBSD/APACHE/Let's Encrypt

Interestingly enough I have no problem using let's encrypt on Windows platform and figured it was going to be a breeze on *nix... Running into a slew of issues.  For one I am trying to use certbot to facilitate this.  When I issue the correct commands and webroot I see it builds the .well-known folder but it does not build the acme-challenge folder.  If I try to manually create the acme-challenge folder it deletes it after the sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com command (with my domain info substituted of course) with the following error:

Detail: Invalid response from
   http://<mysite>/.well-known/acme-challenge/bM6ijKNrbr6Dcf3nzJdyhssFHrySeeLk-2VWQgAlWnQ:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"
Super frustrated as everything in *nix is always easier, right?  Well not this time LOL.   Any suggestions would be appreciated!

-J
Jim Riddles:

Out of curiosity, does your config file for these domains force an SSL connection?  If it does, disable that before running your command, and try again.  That was an early gotcha for me.
John Gates (asker):

It does not.  As a matter of fact, SSL is not even currently enabled.  I am trying to build the cert so that I can enable it.  It's really odd.  The certbot seems to be creating the .well-known folder so I am lost on why it can't create the acme-challenge folder and drop the subject into it...
SOLUTION
Jim Riddles:

Looks like your Apache config has disallowed directory listing (403 Forbidden).

For Apache 2.4.x, try adding something like this...

   # Port 80: the ACME HTTP-01 challenge is always fetched over plain HTTP
   <VirtualHost *:80>

      ... ... ...

      DocumentRoot /path-to-your-root-dir

      <Directory /path-to-your-root-dir>
          # Require all granted is what clears the 403; Indexes is not needed
          # for the challenge itself, and AllowOverride only matters if you
          # rely on .htaccess files
          Options +Indexes +FollowSymLinks
          AllowOverride All
          Require all granted
      </Directory>

      ... ... ...

   </VirtualHost>


When you can create files and directories in .well-known, your cert generation will likely work.

Also, be sure...

1) /path-to-your-root-dir is owned by Apache

2) Be sure you have latest certbot-auto installed per https://certbot.eff.org/all-instructions/ instructions.

So arrange for latest version of certbot-auto to supersede any OS versions, as some OSes provide very old versions.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Old versions of certbot-auto have some gnarly bugs. Best to always start with latest version.

John Gates (asker):
I will try this a little later and respond.  Thanks!

Jim Riddles:
You're welcome!

John Gates (asker):
Those directives were already in the config.  The certbot is creating the .well-known folder but nothing under it...  Do I have the process down?  Certbot makes the calls to let's encrypt and then is supposed to be staging the challenge in the path <domain>/.well-known/acme-challenge/<file>; this is not happening, it is not building anything beyond .well-known


-J
John Gates (asker):
Also, if I manually create the acme-challenge folder and then run the command, the folder gets deleted.  I can only assume that the certbot is deleting and recreating this each time it runs.  It is bombing out when trying to create the subfolder acme-challenge; really pulling my hair out now.  This took me 5 minutes on Windows .....
2017-07-19 02:18:16,398:INFO:certbot.plugins.webroot:Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
2017-07-19 02:18:16,399:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/apache24/data/.well-known/acme-challenge
2017-07-19 02:18:16,420:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/apache24/data/.well-known/acme-challenge
2017-07-19 02:18:16,428:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/apache24/data/.well-known/acme-challenge/Z7yBMzvliHRoK$
2017-07-19 02:18:16,431:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/apache24/data/.well-known/acme-challenge/OgypMbYTLH44K$
2017-07-19 02:18:16,431:INFO:certbot.auth_handler:Waiting for verification...


So it's logging the creation but the creation is never happening.... Not even sure what to do with this.

-J
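The thread never shows the final fix, but the two symptoms above are worth separating. The vanishing folder is certbot's normal cleanup: once validation ends, the webroot plugin removes the token files and any acme-challenge directory it created itself, so the log lines showing creation are accurate and the deletion is not the fault. The 403 is the real problem: Let's Encrypt fetched the token URL over port 80 and Apache refused the path, which points at an access rule rather than a missing file (a missing file would give 404); one frequent cause is a Directory or DirectoryMatch rule that denies every dot-directory, which catches .well-known along with .git and .htaccess. The script below is an added example and is not code from this thread or from certbot. It reproduces the HTTP-01 flow by hand: write a constructed token into the challenge directory, check that the unprivileged web-server user can traverse the path, then fetch the token over plain HTTP as the CA would and classify the status. WEBROOT defaults to the FreeBSD apache24 path seen in the certbot log; DOMAIN and the token name are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic for the certbot webroot 403 discussed above; not code from
# the thread. WEBROOT defaults to the apache24 path from the certbot log;
# DOMAIN and the probe token are assumed placeholders, substitute your own.

WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"
DOMAIN="${DOMAIN:-example.com}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Returns 0 if the directory exists and the invoking user can write to it.
# As root -w is always true, which is why the traversal check below matters.
check_challenge_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    [ -w "$dir" ] || { echo "not writable: $dir" >&2; return 1; }
    return 0
}

# Returns 0 if "other" has read+execute on the directory, i.e. the unprivileged
# Apache user (www on FreeBSD) can traverse it without owning it.
world_traversable() {
    [ -n "$(find "$1" -prune -perm -005 -print 2>/dev/null)" ]
}

# Write the token file and read it back; this is what certbot's webroot plugin
# does before asking the CA to fetch the URL.
write_token() {
    dir="$1"; token="$2"
    printf '%s' "$token" > "$dir/$token" || return 1
    [ "$(cat "$dir/$token")" = "$token" ]
}

# Fetch the token over plain HTTP on port 80, as the CA does, and print the
# HTTP status code only.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/.well-known/acme-challenge/$2"
}

main() {
    mkdir -p "$CHALLENGE_DIR" || exit 1
    check_challenge_dir "$CHALLENGE_DIR" || exit 1
    # Every component of the path must be traversable by the web-server user.
    for d in "$WEBROOT" "$WEBROOT/.well-known" "$CHALLENGE_DIR"; do
        world_traversable "$d" || echo "warning: $d is not o+rx; the web server user may be denied" >&2
    done
    token="probe-$(date +%s)"          # constructed token, not a real ACME token
    write_token "$CHALLENGE_DIR" "$token" || exit 1
    status="$(http_status "$DOMAIN" "$token")"
    rm -f "$CHALLENGE_DIR/$token"
    case "$status" in
        200) echo "OK: $DOMAIN serves the challenge path" ;;
        403) echo "403: Apache denies the path; look for Directory/DirectoryMatch or Require rules covering dot-directories" ;;
        404) echo "404: wrong webroot; the file was written to $CHALLENGE_DIR but $DOMAIN is served from elsewhere" ;;
        *)   echo "unexpected HTTP status '$status' for $DOMAIN" ;;
    esac
}

# Run the probe only when invoked as "sh check-acme-webroot.sh run", so the
# file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it on the web server as the same user you run certbot as; a 200 means the path certbot will use is reachable end to end and the remaining failures are certbot's own, while a 403 with all three directories reported o+rx narrows the cause to the Apache configuration rather than filesystem permissions.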
ASKER CERTIFIED SOLUTION
John Gates (asker):
I figured it out but Jim was on point that it was not able to access the directory location.