John Gates, CISSP, CDPSE
asked on
FreeBSD/APACHE/Let's Encrypt
Interestingly enough I have no problem using Let's Encrypt on the Windows platform and figured it was going to be a breeze on *nix... Running into a slew of issues. For one, I am trying to use certbot to facilitate this. When I issue the correct commands and webroot I see it builds the .well-known folder, but it does not build the acme-challenge folder. If I try to manually create the acme-challenge folder it deletes it after the sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com command (with my domain info substituted, of course) with the following error:
Detail: Invalid response from
http://<mysite>/.well-known/acme-challenge/bM6ijKNrbr6Dcf3nzJdyhssFHrySeeLk-2VWQgAlWnQ:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"
Super frustrated as everything in *nix is always easier, right? Well not this time LOL. Any suggestions would be appreciated!
-J
Out of curiosity, does your config file for these domains force an SSL connection? If it does, disable that before running your command, and try again. That was an early gotcha for me.
ASKER
It does not. As a matter of fact, SSL is not even currently enabled. I am trying to build the cert so that I can enable it. It's really odd. The certbot seems to be creating the .well-known folder so I am lost on why it can't create the acme-challenge folder and drop the subject into it...
SOLUTION
Looks like your Apache config has disallowed directory listing (403 Forbidden).
For Apache 2.4.x, try adding something like this...
<VirtualHost>
... ... ...
DocumentRoot /path-to-your-root-dir
<Directory /path-to-your-root-dir>
Options +Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
... ... ...
</VirtualHost>
When you can create files + directories in .well-known likely your cert generation will work.
Also, be sure...
1) /path-to-your-root-dir is owned by Apache
2) Be sure you have the latest certbot-auto installed per the https://certbot.eff.org/all-instructions/ instructions.
So arrange for latest version of certbot-auto to supersede any OS versions, as some OSes provide very old versions.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Old versions of certbot-auto have some gnarly bugs. Best to always start with latest version.
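A preflight script for the three things this answer lists (the webroot is writable, the directory chain is readable by Apache's worker, and the challenge URL answers 200 over plain HTTP). This is an added example, not Jim's code or certbot's; the default webroot is the path from the log output in this thread, and the domain and webroot are passed as arguments.

```shell
#!/bin/sh
# Added preflight check for certbot --webroot on Apache (not certbot's own code).
# Usage: sh acme-preflight.sh example.com /usr/local/www/apache24/data
# The webroot path used in the usage line is the one from this thread's log.

# Return 0 if the challenge directory can be created under the webroot and a
# file written into it (what certbot does before Let's Encrypt fetches it).
webroot_writable() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || return 1
    token="preflight-$$"
    printf 'ok\n' > "$dir/$token" 2>/dev/null || return 1
    rm -f "$dir/$token"
}

# Return 0 when every directory from the challenge dir up to / grants search
# (x) permission to "others"; Apache's worker (www on FreeBSD) needs that on
# each component unless it owns the path. Prints the first component lacking it.
chain_searchable() {
    d="$1/.well-known/acme-challenge"
    while [ -n "$d" ] && [ "$d" != "/" ]; do
        case "$(ls -ld "$d" | cut -c10)" in
            x|t) ;;
            *) echo "missing o+x on $d"; return 1 ;;
        esac
        d=$(dirname "$d")
    done
}

# Return 0 if Apache serves a freshly written challenge file over plain HTTP
# with status 200; a 403 here is exactly the failure certbot reported above.
challenge_reachable() {
    domain="$1"; dir="$2/.well-known/acme-challenge"; token="preflight-$$"
    printf 'ok\n' > "$dir/$token" || return 1
    status=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$status" = "200" ] || { echo "got HTTP $status for $token"; return 1; }
}

# Only run the full check when a domain and webroot are given on the command line.
if [ $# -ge 2 ]; then
    root="$2"
    webroot_writable "$root" || { echo "cannot write under $root"; exit 1; }
    chain_searchable "$root" || exit 1
    challenge_reachable "$1" "$root" || exit 1
    echo "preflight OK: certbot --webroot -w $root -d $1 should validate"
fi
```

Run it with the same user you run certbot as (sudo here), since a challenge file created by root in a 700 directory is invisible to Apache even though certbot logs the write as successful.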
ASKER
I will try this a little later and respond. Thanks!
You're welcome!
ASKER
Those directives were already in the config. The certbot is creating the .well-known folder but nothing under it... Do I have the process down? Certbot makes the calls to Let's Encrypt and then is supposed to be staging the challenge in the path <domain>/.well-known/acme-challenge/<file>; this is not happening, it is not building anything beyond .well-known.
-J
ASKER
Also, if I manually create the acme-challenge folder and then run the command, the folder gets deleted. I can only assume that the certbot is deleting and recreating this each time it runs. It is bombing out when trying to create the subfolder acme-challenge. Really pulling my hair out now. This took me 5 minutes on Windows .....
ASKER
2017-07-19 02:18:16,398:INFO:certbot.plugins.webroot:Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
2017-07-19 02:18:16,399:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/apache24/data/.well-known/acme-challenge
2017-07-19 02:18:16,420:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/apache24/data/.well-known/acme-challenge
2017-07-19 02:18:16,428:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/apache24/data/.well-known/acme-challenge/Z7yBMzvliHRoK$
2017-07-19 02:18:16,431:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/apache24/data/.well-known/acme-challenge/OgypMbYTLH44K$
2017-07-19 02:18:16,431:INFO:certbot.auth_handler:Waiting for verification...
So it's logging the creation but the creation is never happening.... Not even sure what to do with this.
-J
ASKER CERTIFIED SOLUTION
ASKER
I figured it out but Jim was on point that it was not able to access the directory location.