FreeBSD/APACHE/Let's Encrypt

John Gates, CISSP
Interestingly enough, I have no problem using Let's Encrypt on the Windows platform and figured it was going to be a breeze on *nix... Running into a slew of issues.  For one, I am trying to use certbot to facilitate this.  When I issue the correct commands and webroot I see it builds the .well-known folder, but it does not build the acme-challenge folder.  If I try to manually create the acme-challenge folder, it deletes it after the sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com command (with my domain info substituted, of course), with the following error:

Detail: Invalid response from
   http://<mysite>/.well-known/acme-challenge/bM6ijKNrbr6Dcf3nzJdyhssFHrySeeLk-2VWQgAlWnQ:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"
Super frustrated as everything in *nix is always easier, right?  Well not this time LOL.   Any suggestions would be appreciated!

-J
Jim Riddles, Prepress/OMS Specialist
Commented:
Out of curiosity, does your config file for these domains force an SSL connection?  If it does, disable that before running your command, and try again.  That was an early gotcha for me.
John Gates, CISSP, Security Professional (Author)
Commented:
It does not.  As a matter of fact, SSL is not even currently enabled.  I am trying to build the cert so that I can enable it.  It's really odd.  The certbot seems to be creating the .well-known folder so I am lost on why it can't create the acme-challenge folder and drop the subject into it...
Jim Riddles, Prepress/OMS Specialist
Commented:
Is there anything in your config that would prevent an outside client from accessing your webroot for that domain?  Are you able to post the actual domains here so that I can attempt to connect from my location?
David Favor, Fractional CTO, Distinguished Expert 2018
Commented:
Looks like your Apache config has disallowed directory listing (403 Forbidden).

For Apache-2.4.x try adding something like this...

   <VirtualHost *:80>

      ... ... ...

      DocumentRoot /path-to-your-root-dir

      <Directory /path-to-your-root-dir>
          # +Indexes turns on directory listings for this tree;
          # FollowSymLinks is required for mod_rewrite rules in .htaccess
          Options +Indexes +FollowSymLinks
          # let a .htaccess inside the webroot add its own directives
          AllowOverride All
          # Apache 2.4 access control (replaces the 2.2 Order/Allow lines)
          Require all granted
      </Directory>

      ... ... ...

   </VirtualHost>


Once you can create files and directories in .well-known, your cert generation will likely work.

Also, be sure...

1) /path-to-your-root-dir is owned by Apache

2) Be sure you have latest certbot-auto installed per https://certbot.eff.org/all-instructions/ instructions.

So arrange for latest version of certbot-auto to supersede any OS versions, as some OSes provide very old versions.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto



Old versions of certbot-auto have some gnarly bugs. Best to always start with latest version.
John Gates, CISSP, Security Professional (Author)
Commented:
I will try this a little later and respond.  Thanks!
David Favor, Fractional CTO, Distinguished Expert 2018
Commented:
You're welcome!
John Gates, CISSP, Security Professional (Author)
Commented:
Those directives were already in the config.  The certbot is creating the .well-known folder but nothing under it...  Do I have the process down?  Certbot makes the calls to Let's Encrypt and then is supposed to be staging the challenge in the path <domain>/.well-known/acme-challenge/<file>.  This is not happening; it is not building anything beyond .well-known.


-J
John Gates, CISSP, Security Professional (Author)
Commented:
Also, if I manually create the acme-challenge folder and then run the command, the folder gets deleted.  I can only assume that the certbot is deleting and recreating this each time it runs.  It is bombing out when trying to create the subfolder acme-challenge.  Really pulling my hair out now.  This took me 5 minutes on Windows.....
John Gates, CISSP, Security Professional (Author)
Commented:
2017-07-19 02:18:16,398:INFO:certbot.plugins.webroot:Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
2017-07-19 02:18:16,399:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/apache24/data/.well-known/acme-challenge
2017-07-19 02:18:16,420:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/apache24/data/.well-known/acme-challenge
2017-07-19 02:18:16,428:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/apache24/data/.well-known/acme-challenge/Z7yBMzvliHRoK$
2017-07-19 02:18:16,431:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/apache24/data/.well-known/acme-challenge/OgypMbYTLH44K$
2017-07-19 02:18:16,431:INFO:certbot.auth_handler:Waiting for verification...


So it's logging the creation but the creation is never happening.... Not even sure what to do with this.

-J
John Gates, CISSP, Security Professional (Author)
Commented:
What a PITA, LOL. So I had to add a .htaccess file with the following directive:

RewriteRule "/\.|^\.(?!well-known/)" - [F]

This then allowed browsing to the .well-known directory.

It appears that the certbot is "state in time", so it writes the entries, verifies, and then cleans up.  That's what threw me.  Posting this so it helps others, as this did solve the issue and allow me to get the certs!
-J
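The two findings of this thread (Apache must be able to traverse and read the challenge path, and certbot removes the token and the acme-challenge directory as soon as validation finishes, so the folder is never there to inspect) can be checked without a real certbot run. The POSIX shell helpers below are an added example, not code from the thread or from certbot: they stage a token the way the webroot plugin does, check it from the point of view of an unprivileged Apache worker, write the dotfile guard the author posted, and clean up the same way certbot does. The token and key-authorization strings are constructed; that mod_rewrite is loaded and AllowOverride All applies to the webroot is assumed (the VirtualHost block earlier in the thread sets it); curl is only needed for the optional network probe.

```shell
#!/bin/sh
# Added example (not from the thread, not certbot's code): emulate certbot's webroot
# plugin so the ACME HTTP-01 path can be checked without a real certbot run.
# Assumptions: token/key-authorization strings are constructed; mod_rewrite is loaded
# and AllowOverride All applies to the webroot; curl exists for the optional probe.

# Create .well-known/acme-challenge/<token> with the modes Apache needs
# (directories other-executable, file other-readable). Prints the file path.
stage_challenge() {
    webroot=$1; token=$2; keyauth=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    chmod 755 "$webroot/.well-known" "$dir"   # the webroot's own mode is left alone
    chmod 644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Return 0 when every directory from the webroot down is traversable by "other" and
# the token file is readable by "other": the view an unprivileged Apache worker gets.
# Parses ls -ld instead of stat because stat flags differ between FreeBSD and GNU.
check_readable() {
    webroot=$1; token=$2
    for d in "$webroot" "$webroot/.well-known" "$webroot/.well-known/acme-challenge"; do
        mode=$(ls -ld "$d" 2>/dev/null | cut -c1-10)
        case "$mode" in
            d????????[xt]) ;;                  # other-execute (or sticky+x) set
            *) echo "not traversable by others: $d [$mode]"; return 1 ;;
        esac
    done
    f="$webroot/.well-known/acme-challenge/$token"
    mode=$(ls -ld "$f" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -??????r??) return 0 ;;                # other-read set
        *) echo "not readable by others: $f [$mode]"; return 1 ;;
    esac
}

# Remove the token and the acme-challenge directory once it is empty, which is what
# certbot does after validation and why the folder "disappears" between runs.
# .well-known itself is left in place, matching what the author observed.
cleanup_challenge() {
    webroot=$1; token=$2
    rm -f "$webroot/.well-known/acme-challenge/$token"
    rmdir "$webroot/.well-known/acme-challenge" 2>/dev/null || true
    return 0
}

# Fetch the token over plain HTTP as the Let's Encrypt validation server would.
# Needs a live vhost and network, so it is not exercised by the offline run.
probe_challenge() {
    host=$1; token=$2; expected=$3
    body=$(curl -sS -f "http://$host/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "$expected" ]
}

# Install the dotfile guard the author ended up with: 403 for hidden files and
# directories (.git, .htaccess, sub/.env) while letting .well-known/ through.
write_dotfile_guard() {
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule "/\.|^\.(?!well-known/)" - [F]
EOF
}
```

Against the FreeBSD docroot from the log, run `stage_challenge /usr/local/www/apache24/data t1 hello`, then `check_readable /usr/local/www/apache24/data t1`, then from another host `probe_challenge example.com t1 hello` while the file is still there, and `cleanup_challenge /usr/local/www/apache24/data t1` afterwards. A 403 from the probe while check_readable passes points at a config rule (a dotfile block, Require, or an earlier RewriteRule) rather than at file permissions, which is exactly the split this thread went through.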
John Gates, CISSP, Security Professional (Author)
Commented:
I figured it out but Jim was on point that it was not able to access the directory location.
