Froxlor Forum

Cannot access domain acme challenge file when requesting Let's Encrypt certificate


ajp

Question

For a week now, I have been unable to create or renew any expired Let's Encrypt certificate. The only significant event on the server was an update of Froxlor to the latest

When running the cronjob, it reports a 404 Not Found when trying to access the file http://domain.name/.well-known/acme-challenge/ .

Quote

[Wed 22 Jun 2022 09:12:41 AM UTC] aeroweb.com:Verify error:102.37.45.140: Invalid response from http://aeroweb.com/.well-known/acme-challenge/DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic: 404

The acme.conf is present and installed as per the instructions. I am also unable to access the test file http://domain.name/.well-known/acme-challenge/test that I manually created.

I tried creating a symlink from the vhost RootDir to the acme-challenge directory in /var/www/froxlor without success. I tried adding the alias in the sites-available file and in the Froxlor vhost settings without success.

I even tried creating an index.php that strips out the last URL segment and renders the file contents from /var/www/froxlor, but this did not work because of permissions. This last attempt led me to believe that perhaps this is related to access controls. I tried adding the vhost user to the www-data group without success.

- the vhost root directory /var/customers/webs/aeroweb/aeroweb.com/ is owned by user aeroweb:aeroweb

- the acme challenge directory /var/www/froxlor/.well-known/acme-challenge/ is owned by www-data:www-data

The logs show a file not found error.

While this may not be a Froxlor issue, I am at a loss as to how to proceed further, and hope that someone has solved this or can assist in looking at something else I may have overlooked. Any assistance is appreciated.


11 answers to this question

7 minutes ago, d00p said:

Where to exactly? The target path is a setting. Depending on the used webserver it might need adjusting.

Quote

$ more /etc/apache2/conf-enabled/acme.conf

Alias "/.well-known/acme-challenge" "/var/www/froxlor/.well-known/acme-challenge"
<Directory "/var/www/froxlor/.well-known/acme-challenge">
        Require all granted
</Directory>

The acme.conf points from the vhost's /.well-known/acme-challenge to /var/www/froxlor/.well-known/acme-challenge, where the challenge files are present and where I created the test file. As I mentioned, accessing the test file outside of the cron job resulted in a 404.

I am using Apache on Ubuntu 20.04 and the config is as per the Froxlor configuration.

2 hours ago, d00p said:

100% sure the domain's DNS resolves to the server?

The DNS is external to the server and resolves to the server. In the backup logs the content is shown. To verify this I created an .htaccess file that directs all traffic to the index.php file, and the content showed in the backup cron output (I later removed the .htaccess). I am testing on a site that is empty except for an index.html.

I have tried removing the acme.sh directory and setting the SSL one by one.

- The renew worked for still valid domains

- The renew failed for expired domains

- The renew failed for new domains


As I mentioned before, the one thing I did notice is that the site owner is not www-data, while the owner of the directory /var/www/froxlor/.well-known/acme-challenge is www-data. I have verified the access of the directory and that it has 'r' and 'x' permission for each component in the path.

I have added a cleaned-up version of the backup log below.

[information] Creating certificate for aeroweb.con
[information] Adding common-name: aeroweb.con
[Wed 22 Jun 2022 09:12:32 AM UTC] Lets find script dir.
[Wed 22 Jun 2022 09:12:32 AM UTC] _SCRIPT_='/root/.acme.sh/acme.sh'
[Wed 22 Jun 2022 09:12:32 AM UTC] _script='/root/.acme.sh/acme.sh'
[Wed 22 Jun 2022 09:12:32 AM UTC] _script_home='/root/.acme.sh'
[Wed 22 Jun 2022 09:12:32 AM UTC] Using config home:/root/.acme.sh
[Wed 22 Jun 2022 09:12:32 AM UTC] Using server: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Jun 2022 09:12:32 AM UTC] Running cmd: issue
[Wed 22 Jun 2022 09:12:32 AM UTC] _main_domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:32 AM UTC] _alt_domains='no'
[Wed 22 Jun 2022 09:12:32 AM UTC] Using config home:/root/.acme.sh
[Wed 22 Jun 2022 09:12:32 AM UTC] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 22 Jun 2022 09:12:32 AM UTC] DOMAIN_PATH='/root/.acme.sh/aeroweb.con'
[Wed 22 Jun 2022 09:12:32 AM UTC] Le_NextRenewTime
[Wed 22 Jun 2022 09:12:32 AM UTC] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Jun 2022 09:12:32 AM UTC] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Jun 2022 09:12:32 AM UTC] GET
[Wed 22 Jun 2022 09:12:32 AM UTC] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed 22 Jun 2022 09:12:32 AM UTC] timeout=
[Wed 22 Jun 2022 09:12:32 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 22 Jun 2022 09:12:33 AM UTC] ret='0'
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_NEW_AUTHZ
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed 22 Jun 2022 09:12:33 AM UTC] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed 22 Jun 2022 09:12:33 AM UTC] _on_before_issue
[Wed 22 Jun 2022 09:12:33 AM UTC] _chk_main_domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:33 AM UTC] _chk_alt_domains
[Wed 22 Jun 2022 09:12:33 AM UTC] Le_LocalAddress
[Wed 22 Jun 2022 09:12:33 AM UTC] d='aeroweb.con'
[Wed 22 Jun 2022 09:12:33 AM UTC] Check for domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:33 AM UTC] _currentRoot='/var/www/froxlor'
[Wed 22 Jun 2022 09:12:33 AM UTC] d
[Wed 22 Jun 2022 09:12:33 AM UTC] _saved_account_key_hash is not changed, skip register account.
[Wed 22 Jun 2022 09:12:33 AM UTC] Read key length:4096
[Wed 22 Jun 2022 09:12:33 AM UTC] _createcsr
[Wed 22 Jun 2022 09:12:33 AM UTC] d
[Wed 22 Jun 2022 09:12:33 AM UTC] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed 22 Jun 2022 09:12:33 AM UTC] payload='{"identifiers": [{"type":"dns","value":"aeroweb.con"}]}'
[Wed 22 Jun 2022 09:12:33 AM UTC] RSA key
[Wed 22 Jun 2022 09:12:33 AM UTC] HEAD
[Wed 22 Jun 2022 09:12:33 AM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed 22 Jun 2022 09:12:33 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Wed 22 Jun 2022 09:12:34 AM UTC] _ret='0'
[Wed 22 Jun 2022 09:12:34 AM UTC] POST
[Wed 22 Jun 2022 09:12:34 AM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed 22 Jun 2022 09:12:34 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 22 Jun 2022 09:12:36 AM UTC] _ret='0'
[Wed 22 Jun 2022 09:12:36 AM UTC] code='201'
[Wed 22 Jun 2022 09:12:36 AM UTC] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/450484450/99996481836'
[Wed 22 Jun 2022 09:12:36 AM UTC] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/450484450/99996481836'
[Wed 22 Jun 2022 09:12:36 AM UTC] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/122387738876'
[Wed 22 Jun 2022 09:12:36 AM UTC] payload
[Wed 22 Jun 2022 09:12:36 AM UTC] POST
[Wed 22 Jun 2022 09:12:36 AM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/122387738876'
[Wed 22 Jun 2022 09:12:36 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 22 Jun 2022 09:12:36 AM UTC] _ret='0'
[Wed 22 Jun 2022 09:12:36 AM UTC] code='200'
[Wed 22 Jun 2022 09:12:36 AM UTC] d='aeroweb.con'
[Wed 22 Jun 2022 09:12:37 AM UTC] _w='/var/www/froxlor'
[Wed 22 Jun 2022 09:12:37 AM UTC] _currentRoot='/var/www/froxlor'
[Wed 22 Jun 2022 09:12:37 AM UTC] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw","token":"DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic"'
[Wed 22 Jun 2022 09:12:37 AM UTC] token='DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic'
[Wed 22 Jun 2022 09:12:37 AM UTC] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:37 AM UTC] keyauthorization='DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic.ceoMx6hV_yV4mFEpS8g2x4mMs6O30ZDb89PxOZBuJHg'
[Wed 22 Jun 2022 09:12:37 AM UTC] dvlist='aeroweb.con#DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic.ceoMx6hV_yV4mFEpS8g2x4mMs6O30ZDb89PxOZBuJHg#https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw#http-01#/var/www/froxlor'
[Wed 22 Jun 2022 09:12:37 AM UTC] d
[Wed 22 Jun 2022 09:12:37 AM UTC] vlist='aeroweb.con#DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic.ceoMx6hV_yV4mFEpS8g2x4mMs6O30ZDb89PxOZBuJHg#https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw#http-01#/var/www/froxlor,'
[Wed 22 Jun 2022 09:12:37 AM UTC] d='aeroweb.con'
[Wed 22 Jun 2022 09:12:37 AM UTC] ok, let's start to verify
[Wed 22 Jun 2022 09:12:37 AM UTC] d='aeroweb.con'
[Wed 22 Jun 2022 09:12:37 AM UTC] keyauthorization='DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic.ceoMx6hV_yV4mFEpS8g2x4mMs6O30ZDb89PxOZBuJHg'
[Wed 22 Jun 2022 09:12:37 AM UTC] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:37 AM UTC] _currentRoot='/var/www/froxlor'
[Wed 22 Jun 2022 09:12:37 AM UTC] wellknown_path='/var/www/froxlor/.well-known/acme-challenge'
[Wed 22 Jun 2022 09:12:37 AM UTC] writing token:DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic to /var/www/froxlor/.well-known/acme-challenge/DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic
[Wed 22 Jun 2022 09:12:37 AM UTC] Changing owner/group of .well-known to www-data:www-data
[Wed 22 Jun 2022 09:12:37 AM UTC] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:37 AM UTC] payload='{}'
[Wed 22 Jun 2022 09:12:37 AM UTC] POST
[Wed 22 Jun 2022 09:12:37 AM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:37 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 22 Jun 2022 09:12:38 AM UTC] _ret='0'
[Wed 22 Jun 2022 09:12:38 AM UTC] code='200'
[Wed 22 Jun 2022 09:12:38 AM UTC] trigger validation code: 200
[Wed 22 Jun 2022 09:12:38 AM UTC] sleep 2 secs to verify again
[Wed 22 Jun 2022 09:12:40 AM UTC] checking
[Wed 22 Jun 2022 09:12:40 AM UTC] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:40 AM UTC] payload
[Wed 22 Jun 2022 09:12:40 AM UTC] POST
[Wed 22 Jun 2022 09:12:40 AM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:40 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 22 Jun 2022 09:12:41 AM UTC] _ret='0'
[Wed 22 Jun 2022 09:12:41 AM UTC] code='200'
[Wed 22 Jun 2022 09:12:41 AM UTC] aeroweb.con:Verify error:102.37.45.140: Invalid response from http://aeroweb.con/.well-known/acme-challenge/DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic: 404
[Wed 22 Jun 2022 09:12:41 AM UTC] Debug: get token url.
[Wed 22 Jun 2022 09:12:41 AM UTC] GET
[Wed 22 Jun 2022 09:12:41 AM UTC] url='http://aeroweb.con/.well-known/acme-challenge/DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic'
[Wed 22 Jun 2022 09:12:41 AM UTC] timeout=1
[Wed 22 Jun 2022 09:12:41 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  --connect-timeout 1'
[Wed 22 Jun 2022 09:12:41 AM UTC] ret='0'
[Wed 22 Jun 2022 09:12:41 AM UTC] Debugging, skip removing: /var/www/froxlor/.well-known/acme-challenge/DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic
[Wed 22 Jun 2022 09:12:41 AM UTC] pid
[Wed 22 Jun 2022 09:12:41 AM UTC] No need to restore nginx, skip.
[Wed 22 Jun 2022 09:12:41 AM UTC] _clearupdns
[Wed 22 Jun 2022 09:12:41 AM UTC] dns_entries
[Wed 22 Jun 2022 09:12:41 AM UTC] skip dns.
[Wed 22 Jun 2022 09:12:41 AM UTC] _on_issue_err
[Wed 22 Jun 2022 09:12:41 AM UTC] Please add '--debug' or '--log' to check more details.
[Wed 22 Jun 2022 09:12:41 AM UTC] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Wed 22 Jun 2022 09:12:41 AM UTC] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:41 AM UTC] payload='{}'
[Wed 22 Jun 2022 09:12:41 AM UTC] POST
[Wed 22 Jun 2022 09:12:41 AM UTC] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/122387738876/dsP_Zw'
[Wed 22 Jun 2022 09:12:41 AM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 22 Jun 2022 09:12:42 AM UTC] _ret='0'
[Wed 22 Jun 2022 09:12:42 AM UTC] code='400'
[Wed 22 Jun 2022 09:12:42 AM UTC] socat doesn't exist.
[Wed 22 Jun 2022 09:12:42 AM UTC] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1f  31 Mar 2020
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
[debug] https://github.com/acmesh-official/acme.sh
v3.0.5
[Wed 22 Jun 2022 09:12:33 AM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Jun 2022 09:12:33 AM UTC] Single domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:33 AM UTC] Getting domain auth token for each domain
[Wed 22 Jun 2022 09:12:36 AM UTC] Getting webroot for domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:37 AM UTC] Verifying: aeroweb.con
[Wed 22 Jun 2022 09:12:38 AM UTC] Pending, The CA is processing your order, please just wait. (1/30)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at aeroweb.con Port 80</address>
</body></html>
[error] Could not find file 'aeroweb.con.cer' in '/root/.acme.sh/aeroweb.con/'
[error] Could not find file 'ca.cer' in '/root/.acme.sh/aeroweb.con/'
[error] Could not find file 'fullchain.cer' in '/root/.acme.sh/aeroweb.con/'
[error] Could not get Let's Encrypt certificate for aeroweb.con:
https://github.com/acmesh-official/acme.sh
v3.0.5
[Wed 22 Jun 2022 09:12:33 AM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Jun 2022 09:12:33 AM UTC] Single domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:33 AM UTC] Getting domain auth token for each domain
[Wed 22 Jun 2022 09:12:36 AM UTC] Getting webroot for domain='aeroweb.con'
[Wed 22 Jun 2022 09:12:37 AM UTC] Verifying: aeroweb.con
[Wed 22 Jun 2022 09:12:38 AM UTC] Pending, The CA is processing your order, please just wait. (1/30)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at aeroweb.con Port 80</address>
</body></html>

[error] Could not find file 'aeroweb.con.cer' in '/root/.acme.sh/aeroweb.con/'
[error] Could not find file 'ca.cer' in '/root/.acme.sh/aeroweb.con/'
[error] Could not find file 'fullchain.cer' in '/root/.acme.sh/aeroweb.con/'
[error] Could not get Let's Encrypt certificate for aeroweb.con:

[information] Let's Encrypt certificates have been updated

Quote
aeroweb.con:Verify error:102.37.45.140: Invalid response from http://aeroweb.con/.well-known/acme-challenge/DMhdsp7PMUFK3iYemN7aUpkzgpFp34S9FunMpxbeqic

->

$ dig aeroweb.con

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> aeroweb.con
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15469
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;aeroweb.con.			IN	A

This domain does not resolve to anything.

47 minutes ago, d00p said:

->

$ dig aeroweb.con

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> aeroweb.con
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15469
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;aeroweb.con.			IN	A

This domain does not resolve to anything.

You should use .com instead of .con 😉

Quote

;; ANSWER SECTION:
aeroweb.com.            176     IN      A       64.190.63.111

;; AUTHORITY SECTION:
aeroweb.com.            172676  IN      NS      ns2.sedoparking.com.
aeroweb.com.            172676  IN      NS      ns1.sedoparking.com.

2 hours ago, d00p said:

Even if it's .com, then again 64.190.63.111 is not 102.37.45.140, and we are again at the point where I was asking "are you sure the DNS is correct" :)

Hi folks

I am so sorry, I should have explained previously that the domain name I used in the logs was changed. My bad. I didn't want to use it without the permission of the domain owner. The actual domain name resolves correctly to the server.


This was a domain with an existing LE SSL certificate, which expired. When trying to renew, the error came about (pointing to the correct domain), saying the /.well-known/acme-challenge/ file was returning a 404.

The server does the same for a new domain. When trying to get the SSL certificate, the callback fetch returns a 404. The test file is also not accessible from the browser, which is why I said it looks to me like Apache is having an issue loading the acme.conf, which exists and is correct.

The Apache config has not been manually modified in any way and is as per the Froxlor configuration instructions.

There must be some issue at some point. A test file in .well-known/acme-challenge/ should definitely be viewable via browser. If not, either the global alias is not working (which seemed correct and ok to me) or the domain is not resolving correctly (maybe multiple IP addresses? IPv4/IPv6?). In 99% of cases it's one of these two causes.

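Added example, not Froxlor's or acme.sh's own code, that turns the two-cause diagnosis above into a check: it resolves the domain, compares every A/AAAA address against the server's own addresses (the 102.37.45.140 vs 64.190.63.111 mismatch from this thread), then fetches a test token and classifies a 404 as the alias problem. The expected body is the key authorization acme.sh writes to the token file (the keyauthorization value in the log); server_ips and the token are assumed inputs you supply.

```python
import socket
import urllib.error
import urllib.request

# Assumed layout: http://<domain>/.well-known/acme-challenge/<token> must serve
# the key authorization acme.sh writes (the 'keyauthorization' line in the log).
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve_all(domain):
    """All A/AAAA addresses the local resolver returns (empty set on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def fetch_token(domain, token, timeout=5):
    """GET the challenge URL; returns (http_status or None, body)."""
    url = "http://" + domain + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def classify(server_ips, resolved_ips, status, body, expected_body):
    """Pure decision logic: map the observations onto the two causes named in
    the thread (DNS vs. webserver alias). Runs offline, so it is testable."""
    if not resolved_ips:
        return "dns: name does not resolve (NXDOMAIN, e.g. a typo like .con)"
    foreign = sorted(set(resolved_ips) - set(server_ips))
    if foreign:
        # The CA may validate over any published address, IPv6 included, so a
        # stray AAAA record pointing elsewhere fails the challenge as well.
        return "dns: resolves to %s, not this server" % ", ".join(foreign)
    if status is None:
        return "network: no HTTP answer on port 80"
    if status == 404:
        return "webserver: alias for %s not active on this vhost" % CHALLENGE_PATH
    if status != 200:
        return "webserver: unexpected HTTP status %d" % status
    if body != expected_body:
        return "webserver: path served but content differs (wrong docroot?)"
    return "ok"

def diagnose(domain, server_ips, token, expected_body):
    """Live version of the check (needs DNS and outbound HTTP to the domain)."""
    status, body = fetch_token(domain, token)
    return classify(server_ips, resolve_all(domain), status, body, expected_body)
```

Run diagnose() against the domain you are issuing for, with the token and key authorization taken from the acme.sh debug output, to see which of the two causes applies.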
