Jump to content
Froxlor Forum
  • 0
nisamudeen97

letsencrypt getting failed under NAT

Question

Hi,

Our froxlor server is behiend NAT and it uses the local IP  192.168.73.40.  We have enabled letsencrypt module in froxlor and tried validating SSL for a domain in the server.  SSL generation is getting failed with 403 error.  See the debug log information.      Replaced domain name and main IP.    Can any one help me regarding the issue.

 

[information] Updating Let's Encrypt certificates
[information] Updating domain-name.com
[information] Adding SAN entry: domain-name.com
[information] Adding SAN entry: www.domain-name.com
[information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate
[information] letsencrypt-v2 Using existing account key
[information] letsencrypt-v2 Starting certificate generation process for domains
[information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
[information] letsencrypt-v2 Requesting challenge for domain-name.com
[information] letsencrypt-v2 Got challenge token for domain-name.com
[information] letsencrypt-v2 Token for domain-name.com saved at /var/www/froxlor/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k and should be available at http://domain-name.com/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k
[information] letsencrypt-v2 Sending request to challenge
[information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/803008408/k46kFQ
[information] letsencrypt-v2 Verification pending, sleeping 1s
[information] letsencrypt-v2 Verification pending, sleeping 1s
[error] Could not get Let's Encrypt certificate for domain-name.com: Verification ended with error: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [212.224.xxx.xxx]: \"<!DOCTYPE html>\\n<html lang=\\\"en-CA\\\" class=\\\"html_stretched responsive av-preloader-active av-preloader-enabled av-default-lightbox\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/803008408\/k46kFQ","token":"vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","validationRecord":[{"url":"http:\/\/www.domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"www.domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"},{"url":"http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"}]}
[information] Let's Encrypt certificates have been updated

 

Share this post


Link to post
Share on other sites

2 answers to this question

Recommended Posts

  • 0

Hi,

Problem is solved.   Acme conf was found causing the problem.   Fixed that

 

/etc/apache2/conf-enabled/acme.conf


Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
Require all granted
</Directory>

Share this post


Link to post
Share on other sites
  • 0

Well, let's encrypt needs to verify the domain using http-request on the domain, which from your logs resolve to 212.224.xxx.xxx; if your apache does not listen on that IP to validate the token, then it cannot be verified and you won't get a certificate.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By Michael Groß
      Hallo zusammen,
      ich kämpfe momentan mit der SSL Konfiguration von meinem Froxlor-Server.
      Bedauerlicherweise befindet sich der Webserver hinter einer Firewall und hat eine private IP Adresse zugewiesen bekommen. 
      Die Firewall leitet entsprechend den Traffic von außerhalb auf den Server weiter (HTTP ist das alles kein Problem).
      Nun habe ich vorhin SSL aktivieren wollen und hierzu kann ich leider keine private IP Adresse eintragen (lässt Froxlor nicht zu).
      Entsprechend habe ich die public IP eingetragen, was aber auch nicht funktioniert, da durch das NAT der Firewall die private IP angesprochen wird - somit funktioniert dies nicht.
      Habt ihr eine Idee, wie man das umbauen kann?
      An sich brauche ich nur die private IP Adresse als SSL Adresse eintragen - vermute aber, dass dadurch Let's Encrypt auch nicht mehr richtig laufen wird.
      Viele Grüße
      Michael
      PS: Ein 1:1 NAT wäre noch eine Möglichkeit, da ich die Public IP aber für diverse Server verwende, fällt das auch raus. Müsste dann eine neue Public IP kaufen, welche ich dann mit einem 1:1 NAT auf den Webserver laufen lasse (wäre noch eine Möglichkeit)
    • By Pro-Webs
      Hallo,
      ich bin gerade dabei einen Shopware Shop v.5 unter nginx mit froxlor einzurichten.
      Das ist jedoch relativ problematisch.
      Aktuell habe ich im Froxlor folgende vHost Einstellung zur Domain:
      location @php { fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_read_timeout 1500; } location ~ ^/(engine|files|templates|media/(archive|banner|image|music|pdf|unknown|video))/ { rewrite ^/files/documents/.* /engine last; location ~ \.(jpe?g|png|gif|css|js)$ { expires 1M; } } location / { index index.html index.php shopware.php; rewrite shopware.dll /shopware.php; rewrite files/documents/.* /engine last; #rewrite images/ayww/(.*) /images/banner/$1 last; rewrite backend/media/(.*) /media/$1 last; if (!-e $request_filename){ rewrite . /shopware.php last; } location ~ \.(jpe?g|png|gif|css|js)$ { rewrite backend/media/(.*) /media/$1 last; expires 1M; } } location ~ \.(tpl|yml|ini)$ { deny all; } location /install/ { location /install/assets { } if (!-e $request_filename){ rewrite . /install/index.php last; } } location /update/ { location /update/assets { } location /update/templates { } if (!-e $request_filename){ rewrite . /update/index.php last; } } location /recovery/install/ { location /recovery/install/assets { } if (!-e $request_filename){ rewrite . /recovery/install/index.php last; } } location /recovery/update/ { location /recovery/update/assets { } if (!-e $request_filename){ rewrite . /recovery/update/index.php last; } } location ~ ^/(logs|media/temp|bin|cache)/ { deny all; } location ~ \.php$ { try_files $uri =404; include /etc/nginx/fastcgi_params; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param HTTPS $fastcgi_https; fastcgi_param HTTP_AUTHORIZATION $http_authorization; } Diese Einstellung führt zu einem 500 error.
      Meine 35_froxlor_ssl_vhost_studio-ausruestung.de.conf sieht damit leider wie folgt aus:
      # 35_froxlor_ssl_vhost_studio-ausruestung.de.conf # Created 02.01.2020 14:30 # Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel. server { listen 91.250.82.51:443 ssl; server_name studio-ausruestung.de www.studio-ausruestung.de xn--studio-ausrstung-tzb.de *.xn--studio-ausrstung-tzb.de studioausruestung.de *.studioausruestung.de priolite-shop.com www.priolite-shop.com sirui-shop.de www.sirui-shop.de shooting-gutschein.de *.shooting-gutschein.de shooting-gutscheine.de *.shooting-gutscheine.de; ssl_protocols TLSv1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_certificate /etc/ssl/froxlor-custom/studio-ausruestung.de.crt; ssl_certificate_key /etc/ssl/froxlor-custom/studio-ausruestung.de.key; add_header Strict-Transport-Security "max-age=0"; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/froxlor-custom/studio-ausruestung.de.crt; include /etc/apache2/conf-enabled/acme.conf; access_log /var/customers/logs/klimek-studio-ausruestung.de-access.log combined; error_log /var/customers/logs/klimek-studio-ausruestung.de-error.log error; root /var/customers/webs/klimek/studio-ausruestung.de/shopware/; location / { index index.php index.html index.htm; try_files $uri $uri/ @rewrites; index index.html index.php shopware.php; rewrite shopware.dll /shopware.php; rewrite files/documents/.* /engine last; #rewrite images/ayww/(.*) /images/banner/$1 last; rewrite backend/media/(.*) /media/$1 last; if (!-e $request_filename){ rewrite . /shopware.php last; } location ~ \.(jpe?g|png|gif|css|js)$ { rewrite backend/media/(.*) /media/$1 last; expires 1M; } } location @rewrites { rewrite ^ /index.php last; } location /webalizer { alias /var/customers/webs/klimek/webalizer/studio-ausruestung.de/; auth_basic "Restricted Area"; auth_basic_user_file /etc/nginx/htpasswd/1-c3d3ffdab2b8342809d19524c21b98c1.htpasswd; } location ~ \.php { try_files /333c3697df6a41bcc37bccd05271f644.htm @php; } location @php { fastcgi_split_path_info ^(.+\.php)(/.+)$; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; try_files $fastcgi_script_name =404; fastcgi_index index.php; fastcgi_param HTTPS on; fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_read_timeout 1500; } location ~ ^/(engine|files|templates|media/(archive|banner|image|music|pdf|unknown|video))/ { rewrite ^/files/documents/.* /engine last; location ~ \.(jpe?g|png|gif|css|js)$ { expires 1M; } } location ~ \.(tpl|yml|ini)$ { deny all; } location /install/ { location /install/assets { } if (!-e $request_filename){ rewrite . /install/index.php last; } } location /update/ { location /update/assets { } location /update/templates { } if (!-e $request_filename){ rewrite . /update/index.php last; } } location /recovery/install/ { location /recovery/install/assets { } if (!-e $request_filename){ rewrite . /recovery/install/index.php last; } } location /recovery/update/ { location /recovery/update/assets { } if (!-e $request_filename){ rewrite . /recovery/update/index.php last; } } location ~ ^/(logs|media/temp|bin|cache)/ { deny all; } } Man bemerkt u.a. das einige Konfigurationen doppelt vorhanden sind, da floxlor diese auch selbst generiert. Das könnte natürlich schon die Ursache des Fehler sein. Ich weiß nur leider nicht, wie ich es "besser" lösen kann.
      Die original .htaccess für den appache sieht folgende Konfiguration vor:
      php_value memory_limit 1024M php_value max_execution_time 600 php_value upload_max_filesize 20M php_value post_max_size 20M <IfModule mod_rewrite.c> RewriteEngine on #RewriteBase /shopware/ # Https config for the backend #RewriteCond %{HTTPS} !=on #RewriteRule backend/(.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] RewriteRule shopware.dll shopware.php RewriteRule files/documents/.* engine [NC,L] RewriteRule backend/media/(.*) media/$1 [NC,L] RewriteRule custom/.*(config|menu|services|plugin)\.xml$ ./shopware.php?controller=Error&action=pageNotFoundError [NC,L] RewriteCond %{REQUEST_URI} !(\/(engine|files|templates|themes|web)\/) RewriteCond %{REQUEST_URI} !(\/media\/(archive|banner|image|music|pdf|unknown|video)\/) RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ shopware.php [PT,L,QSA] # Fix missing authorization-header on fast_cgi installations RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] </IfModule> <IfModule mod_alias.c> # Restrict access to VCS directories RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$) # Restrict access to root folder files RedirectMatch 404 /(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$ # Restrict access to shop configs files RedirectMatch 404 /(web\/cache\/(config_\d+\.json|all.less))$ # Restrict access to theme configurations RedirectMatch 404 /themes/(.*)(.*\.lock|package\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$ </IfModule> # Staging environment #SetEnvIf Host "staging.test.shopware.in" SHOPWARE_ENV=staging # Development environment #SetEnvIf Host "dev.shopware.in" SHOPWARE_ENV=dev #SetEnv SHOPWARE_ENV dev DirectoryIndex index.html DirectoryIndex index.php DirectoryIndex shopware.php # Disables download of configuration <Files ~ "\.(tpl|yml|ini)$"> # Deny all requests from Apache 2.4+. <IfModule mod_authz_core.c> Require all denied </IfModule> # Deny all requests from Apache 2.0-2.2. <IfModule !mod_authz_core.c> Deny from all </IfModule> </Files> # Enable gzip compression <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html text/xml text/plain text/css text/javascript application/javascript application/json application/font-woff application/font-woff2 image/svg+xml </IfModule> <Files ~ "\.(jpe?g|png|gif|css|js|woff|woff2|ttf|svg|webp|eot|ico)$"> <IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 month" </IfModule> <IfModule mod_headers.c> Header append Cache-Control "public" Header unset ETag </IfModule> FileETag None </Files> # Match generated files like: # 1429684458_t22_s1.css # 1429684458_t22_s1.js <FilesMatch "([0-9]{10})_(.+)\.(js|css)$"> <ifModule mod_headers.c> Header set Cache-Control "max-age=31536000, public" </ifModule> <IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 year" </IfModule> </FilesMatch> # Disables auto directory index <IfModule mod_autoindex.c> Options -Indexes </IfModule> <IfModule mod_negotiation.c> Options -MultiViews </IfModule> <IfModule mod_php5.c> # php_value memory_limit 256M # php_value max_execution_time 120 # php_value upload_max_filesize 20M php_flag phar.readonly off php_flag magic_quotes_gpc off php_flag session.auto_start off php_flag suhosin.session.cryptua off php_flag zend.ze1_compatibility_mode off php_value always_populate_raw_post_data -1 </IfModule> # AddType x-mapp-php5 .php # AddHandler x-mapp-php5 .php <IfModule mod_headers.c> Header append X-Frame-Options SAMEORIGIN </IfModule>  
      Für Ideen und Vorschläge wäre ich wie immer sehr dankbar
    • By Jason Szymanski
      Hallo,
       
      ich habe leider ein Problem mit Froxlor.
      Zu meiner Situation: Froxlor läuft auf der Subdomain web01.meinedomain.net
      Jetzt möchte ich die Domain aber auch noch weiter Nutzen und habe mich daher als Kunde angelegt und die Domain meineDomain.net als Domain hinzugefügt.
      Dort kann ich auch weitere Subdomains hinzufügen. Das scheint soweit auch zu klappen ich sehe das er VHosts anlegt und auch die Verzeichnisse im FTP anlegt.
      Wenn ich jetzt allerdings versuche auf meinedomain.net oder eine andere Subdomain unter dieser Domain zuzugreifen leitet er mich auf web01.meinedomain.net
      Ich habe mich schon in den Einstellungen umgeschaut konnte aber keine entsprechende Einstellung finden an der das liegen könnte.
      Wie verhindere ich also das er mich auf Froxlor umleitet?
       
      Mit Freundlichen Grüßen
      Jason Szymanski
    • By nisamudeen97
      Hi,
      Wile doing migration of email accounts from one froxlor server to another I have noting some thing.   Expecting some clarification on this.  As we all know emails are normally stored in the location "/var/customers/mail/user/domain.com/user/Maildir/" .   I create email accounts via froxlor panel and copy the email files directly via scp or rsync from old server to new.  The strange thing I have noticed is it is not coping custom folders and its emails like we have in source.  
      The solution I have found for this is to use imapsync between old and new.  imapsync is preserving custom folders like as it is in source.    Does it mean custom folder settings are stored somewhere else?  How we can preserve it and copy emails manually?
×
×
  • Create New...