froxlor - letsencrypt error question

[MasterOfDeath 1]

Hello all,

I already configured my root server for ssl. I have also paid ssl certificates for my two domains and working properly. But i would like to use lets encrypt for my other domains.

my question is, how can i fix below error?

Lets encrypt cronjobs working properly but when i checked my log files it says 404 Not found error in https://domain.com/.well-known/acme-challenge/alaOcXG2qqHJKiMj26IXNA-IkSdtSgt3rnjgJnYDv8I . I assume it couldnt able to create required certificates. But under /root/.well-known/acme-challenge i can see the key files for domain, there is no any other .well-known folder under /var/customers/webs/

Thanks in advance for your help!

[d00p 140]

1) the token is created temporarily, means it will always result in 404 if you try to open it manually. 

2) validate that you have configured the acme.conf in /etc/apache2/conf-enabled/ according to the froxlor configuration templates

[MasterOfDeath 1]

44 minutes ago, d00p said:

1) the token is created temporarily, means it will always result in 404 if you try to open it manually. 

2) validate that you have configured the acme.conf in /etc/apache2/conf-enabled/ according to the froxlor configuration templates

Thanks

i changed acme.conf

previously it was

Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
Require all granted
</Directory>

and overwrite with the new version according to froxlor panel configurations, restarted apache;

Alias "/.well-known/acme-challenge" "/root/.acme.sh//.well-known/acme-challenge"
<Directory "/root/.acme.sh//.well-known/acme-challenge">
	Require all granted
</Directory>

But when i execute below command, i got 403 forbidden error

php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --debug

[debug] https://github.com/acmesh-official/acme.sh
v2.8.6
[Fri Apr 17 15:00:59 +03 2020] Creating domain key
[Fri Apr 17 15:01:00 +03 2020] The domain key is here: /root/.acme.sh/xxxx.net/xxxx.net.key
[Fri Apr 17 15:01:00 +03 2020] Multi domain='DNS:xxxx.net,DNS:www.xxxx.net'
[Fri Apr 17 15:01:00 +03 2020] Getting domain auth token for each domain
[Fri Apr 17 15:01:03 +03 2020] Getting webroot for domain='xxxx.net'
[Fri Apr 17 15:01:03 +03 2020] Getting webroot for domain='www.xxxx.net'
[Fri Apr 17 15:01:03 +03 2020] Verifying: xxxx.net
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at xxxx.net Port 80</address>
</body></html>
[error] Could not get Let's Encrypt certificate for xxxx.net:
https://github.com/acmesh-official/acme.sh
v2.8.6

 

[d00p 140]

8 minutes ago, MasterOfDeath said:

Alias "/.well-known/acme-challenge" "/root/.acme.sh//.well-known/acme-challenge" <Directory "/root/.acme.sh//.well-known/acme-challenge"> Require all granted </Directory>

That is wrong. It should be /var/www/froxlor/.well-known/acme-challenge/ - in no way generates froxlor that with /root/.acme.sh/....

[MasterOfDeath 1]

3 minutes ago, d00p said:

That is wrong. It should be /var/www/froxlor/.well-known/acme-challenge/ - in no way generates froxlor that with /root/.acme.sh/....

So i should change it to below again?

Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
Require all granted
</Directory>

Btw please see attached configuration example from froxlor panel page

[d00p 140]

Then your settings are messed up. The let's encrypt challenge path should NOT be /root/.acme.sh/ - it's default value is the path where Froxlor is installed. It must be web accessable so this is the recommended setting

[MasterOfDeath 1]

6 hours ago, d00p said:

Then your settings are messed up. The let's encrypt challenge path should NOT be /root/.acme.sh/ - it's default value is the path where Froxlor is installed. It must be web accessable so this is the recommended setting

again changed back to

Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
	Require all granted
</Directory>

and still i got the error

[debug] https://github.com/acmesh-official/acme.sh
v2.8.6
[Fri Apr 17 22:15:17 +03 2020] Creating domain key
[Fri Apr 17 22:15:17 +03 2020] The domain key is here: /root/.acme.sh/xxxx.net/xxxx.net.key
[Fri Apr 17 22:15:17 +03 2020] Multi domain='DNS:xxxx.net,DNS:www.xxxx.net'
[Fri Apr 17 22:15:17 +03 2020] Getting domain auth token for each domain
[Fri Apr 17 22:15:20 +03 2020] Getting webroot for domain='xxxx.net'
[Fri Apr 17 22:15:20 +03 2020] Getting webroot for domain='www.xxxx.net'
[Fri Apr 17 22:15:20 +03 2020] Verifying: xxxx.net
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at xxxx.net Port 80</address>
</body></html>
[error] Could not get Let's Encrypt certificate for xxxx.net:
https://github.com/acmesh-official/acme.sh
v2.8.6
[Fri Apr 17 22:15:17 +03 2020] Creating domain key
[Fri Apr 17 22:15:17 +03 2020] The domain key is here: /root/.acme.sh/xxxx.net/xxxx.net.key
[Fri Apr 17 22:15:17 +03 2020] Multi domain='DNS:xxxx.net,DNS:www.xxxx.net'
[Fri Apr 17 22:15:17 +03 2020] Getting domain auth token for each domain
[Fri Apr 17 22:15:20 +03 2020] Getting webroot for domain='xxxx.net'
[Fri Apr 17 22:15:20 +03 2020] Getting webroot for domain='xxxx.net'
[Fri Apr 17 22:15:20 +03 2020] Verifying: xxxx.net
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at xxxx.net Port 80</address>
</body></html>

As i understand acme script is creating key files under /root/.acme.sh/ and it cause error. As you wrote above, it should be create key files under /var/www/froxlor/.well-known , i copied them manually but still the same

so where can i find acme.sh actual installation for froxlor with proper folder destination?

thanks

[d00p 140]

12 minutes ago, MasterOfDeath said:

As i understand acme script is creating key files under /root/.acme.sh/ and it cause error. As you wrote above, it should be create key files under /var/www/froxlor/.well-known , i

omg no...the KEY files DO belong in /root/.acme.sh/ it's all about the VALIDATION process. acme.sh requests a TOKEN that will temporarily stored to /var/www/froxlor/.well-known/acme-challenge/ which is then checked via http.

You simply need to follow the configuration templates, the defaults work JUST FINE, don't change anything you don't know what it does.

 

Best solution for you now:

- change the setting to the "let's encrypt challenge path" (Settings -> SSL settings -> Path for Let's Encrypt challenges) back to /var/www/froxlor

- validate that /var/www/froxlor/.well-known/acme-challenge exists, if not, create it. Put a file in there named "test" and write something into it, like "hello world". Something like this should do the trick:

echo "Hello world" > /var/www/froxlor/.well-known/acme-challenge/test

- verify that the acme-alias (/etc/apache2/conf-enabled/acme.conf) works by opening http://domain.tld/.well-known/acme-challenge/test in your browser, if it shows "hello world" you're good to go, if not, you did something wrong

- remove all let's encrypt certificates from froxlor, log in as admin, goto "SSL certificates" and remove all the certificates that are issued by let's encrypt (if any)

- remove the whole /root/.acme.sh/ directory using rm -rf /root/.acme.sh/ the froxlor cronjob will re-install it.

- wait for the cronjob or run it manually using 

php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --debug

 

[MasterOfDeath 1]

Thanks @d00p it is working now 😀👍