Hi, I created a webroot configuration for letsencrypt with this configuration:

Alias /.well-known "/var/www/letsencrypt/.well-known"
<IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
        Header set Content-Type "application/jose+json"
        Order allow,deny
        Allow from all
    </LocationMatch>
</IfModule>

I have two ispconfig servers:
1. Apache 2.4: it's ok.
2. Apache 2.2: I have this error:
client denied by server configuration: /var/www/letsencrypt/.well-known

Thanks for your help. Best regards
Thanks Till. This is my new letsencrypt.conf file:

Alias /.well-known "/var/www/letsencrypt/.well-known"
<Directory /var/www/letsencrypt>
    Allow from all
</Directory>
<IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
        Header set Content-Type "application/jose+json"
    </LocationMatch>
</IfModule>
Probably this file gets loaded before the ispconfig.conf file, so that you open the directory here and ispconfig closes it again later on. Try to add:

<Directory /var/www/letsencrypt>
    Allow from all
</Directory>

at the end of the apache ispconfig.conf file in the sites-available directory and restart apache.
Hi, that works. What is the best configuration? Will the ispconfig.conf change after an update? Best regards
You could have a look at my little tool until ISPC has integrated it (well, it's in master but not in general): https://www.howtoforge.com/community/threads/lets-encrypt-2-ispconfig.71348/
Hi sjau, yes, I saw your tool and adapted it to my needs a few weeks ago. I didn't follow the improvements to your tool; I adapted my version. Best regards
No worries, I just updated all the certs today and fixed some bugs in the renewer. gl, and hope the integrated version will be available soon.
Yes. But you can e.g. add your own custom file that contains just these lines in sites-available, then enable it in sites-enabled; just ensure that the name in sites-enabled comes after 000-ispconfig.conf in alphabetic order.
I have the same problem. I added
Code:
<Directory /var/www/.well-known>
    Require all granted
</Directory>
to the end of my ispconfig.conf file in sites-available, but it didn't work after restarting apache2.4. The permissions on .well-known and acme-challenge are both 777. I have Options -Indexes in my ispconfig.conf and ispconfig.vhost files; could that be causing the problem? phpMyAdmin and Squirrelmail both work fine. I switched Squirrelmail to https a couple of days ago.

Edit: I already have letsencrypt-webroot.conf which contains:
Code:
RewriteEngine On
Alias /.well-known /var/www/.well-known
<Directory /var/www/.well-known>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
My server just won't let me browse /.well-known for some reason that I cannot figure out. Here is a log of a variation of sjau's script:

- Renewal in 60 days
- Domain: mydomain.net
- Query MySQL whether it's a vhost.
- Sub-Domain(s):
- 'mydomain.net' has DNS mbox.
- Email source [email protected]
- Prepare Server for webroot authentication.
- Disabling necessary Server Modules
- Run Let's Encrypt Tool
/opt/letsencrypt/letsencrypt-auto --text --agree-tos --renew-by-default --rsa-key-size 4096 --email '[email protected]' -d 'mydomain.net' -d 'www.mydomain.net' -a webroot --webroot-path /var/www/ certonly
Failed authorization procedure. mydomain.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.net/.well-known/acme-challenge/DOaNM66FgRSLWkHDyM9veIUBamG2oGHuKvQsVND6bmQ [ww.xx.yy.zz]: 403, www.mydomain.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.net/.well-known/acme-challenge/BGIsLjvl9uuTUJgUbgDU3eXQaSC64XsIeGl9yiOnKKc [ww.xx.yy.zz]: 403
Sorry, there was some error. Please check:
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade --text --agree-tos --renew-by-default --rsa-key-size 4096 --email [email protected] -d mydomain.net -d www.mydomain.net -a webroot --webroot-path /var/www/ certonly
Working with a particular client, I set up some aliases pointing to a file index.html:
I set up an alias to /usr/share/me and it works. 755 for both the folder and file.
I also set up an alias to /opt/me and it works. 755 for both the folder and file.
I set up an alias to /root/data, with 755 permissions on ./data and 777 on index.html, but can't access it.
/var/www/letsencrypt/.well-known/acme-challenge (755/755/777/777/777) on the folders, and 777 on index.html in .well-known and acme-challenge, but I can't access them.
All owners are root:root.
Cheers, Nap
<Directory /var/www/mydomain.com>
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    DocumentRoot /var/www/mydomain.com/web

    ServerName mydomain.com
    ServerAlias www.mydomain.com
    ServerAlias forum.mydomain.com
    ServerAlias applic.mydomain.com
    ServerAdmin [email protected]

    ErrorLog /var/log/ispconfig/httpd/mydomain.com/error.log

    Alias /error/ "/var/www/mydomain.com/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/mydomain.com/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>
    <Directory /var/www/clients/client2/web10/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>

    <IfModule mod_ruby.c>
        <Directory /var/www/mydomain.com/web>
            Options +ExecCGI
        </Directory>
        RubyRequire apache/ruby-run
        #RubySafeLevel 0
        AddType text/html .rb
        AddType text/html .rbx
        <Files *.rb>
            SetHandler ruby-object
            RubyHandler Apache::RubyRun.instance
        </Files>
        <Files *.rbx>
            SetHandler ruby-object
            RubyHandler Apache::RubyRun.instance
        </Files>
    </IfModule>

    <IfModule mod_perl.c>
        PerlModule ModPerl::Registry
        PerlModule Apache2::Reload
        <Directory /var/www/mydomain.com/web>
            PerlResponseHandler ModPerl::Registry
            PerlOptions +ParseHeaders
            Options +ExecCGI
        </Directory>
        <Directory /var/www/clients/client2/web10/web>
            PerlResponseHandler ModPerl::Registry
            PerlOptions +ParseHeaders
            Options +ExecCGI
        </Directory>
        <Files *.pl>
            SetHandler perl-script
        </Files>
    </IfModule>

    <IfModule mod_python.c>
        <Directory /var/www/mydomain.com/web>
            <FilesMatch "\.py$">
                SetHandler mod_python
            </FilesMatch>
            PythonHandler mod_python.publisher
            PythonDebug On
        </Directory>
    </IfModule>

    # cgi enabled
    <Directory /var/www/clients/client2/web10/cgi-bin>
        Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/clients/client2/web10/cgi-bin/
    <FilesMatch "\.(cgi|pl)$">
        SetHandler cgi-script
    </FilesMatch>

    # suexec enabled
    <IfModule mod_suexec.c>
        SuexecUserGroup web10 client2
    </IfModule>

    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        IdleTimeout 300
        ProcessLifeTime 3600
        # MaxProcessCount 1000
        DefaultMinClassProcessCount 0
        DefaultMaxClassProcessCount 100
        IPCConnectTimeout 3
        IPCCommTimeout 600
        BusyTimeout 3600
    </IfModule>
    <Directory /var/www/mydomain.com/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client2/web10/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^forum\.mydomain\.com$ [NC]
    RewriteCond %{REQUEST_URI} !^/webdav/
    RewriteCond %{REQUEST_URI} !^/php5-fcgi/
    RewriteCond %{REQUEST_URI} !^/forum/
    RewriteRule ^/(.*)$ /forum/$1
    RewriteCond %{HTTP_HOST} ^applic\.mydomain\.com$ [NC]
    RewriteCond %{REQUEST_URI} !^/webdav/
    RewriteCond %{REQUEST_URI} !^/php5-fcgi/
    RewriteCond %{REQUEST_URI} !^/applic/
    RewriteRule ^/(.*)$ /applic/$1

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web10 client2
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client2/web10/webdav>
            <ifModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </ifModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client2/web10/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>

    <IfModule mod_fcgid.c>
        FcgidConnectTimeout 20
        <IfModule mod_mime.c>
            AddHandler fcgid-script .fcgi
            MaxRequestLen 20971520
        </IfModule>
    </IfModule>

    RewriteEngine On
    Alias /t1 /root/data
    <Directory /root/data>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine On
    Alias /t2 /usr/share/me
    <Directory /usr/share/me>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine On
    Alias /t3 /opt/me
    <Directory /opt/me>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    This is the same as the http section
</VirtualHost>
Here is a list of modules I'm running on my Apache server:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fastcgi_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 flvx_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 python_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 suphp_module (shared)
 unique_id_module (shared)
I don't have either SELinux or apparmor installed. My Apache error log shows the following errors:

[Mon Feb 29 21:24:07.119019 2016] [authz_core:error] [pid 6512] [client ww.xx.yy.zz:65375] AH01630: client denied by server configuration: /var/www/letsencrypt/.well-known
[Mon Feb 29 21:24:08.603192 2016] [authz_core:error] [pid 6512] [client ww.xx.yy.zz:65375] AH01630: client denied by server configuration: /var/www/letsencrypt/.well-known
[Mon Feb 29 21:24:49.392338 2016] [authz_core:error] [pid 6574] [client ww.xx.yy.zz:47350] AH01630: client denied by server configuration: /var/www/mydomain.com/web/.well-known
[Mon Feb 29 21:27:12.981786 2016] [authz_core:error] [pid 6894] [client ww.xx.yy.zz:16211] AH01630: client denied by server configuration: /var/www/mydomain.com/web/.well-known
[Mon Feb 29 21:27:15.051538 2016] [authz_core:error] [pid 6894] [client ww.xx.yy.zz:16211] AH01630: client denied by server configuration: /var/www/mydomain.com/web/.well-known
[Mon Feb 29 21:28:45.797448 2016] [core:error] [pid 6896] (13)Permission denied: [client ww.xx.yy.zz:11458] AH00035: access to /t1 denied (filesystem path '/root/data') because search permissions are missing on a component of the path
[Mon Feb 29 22:02:04.920008 2016] [core:error] [pid 9045] (13)Permission denied: [client ww.xx.yy.zz:24853] AH00035: access to /t1 denied (filesystem path '/root/data') because search permissions are missing on a component of the path
I managed to get /root/data working by setting the execute flag for OTHERS on the root folder. However, /var/www/letsencrypt/.well-known has the flag set on all folders in the path. So the question now is what is special in my setup about how apache is handling this path?
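As an added troubleshooting helper (not code from the thread, from sjau's script or from ISPConfig), the POSIX shell function below walks every component of a path the way the Apache worker does and reports the directories that lack the "others" search (x) bit behind an AH00035 "search permissions are missing" error, plus a final file that lacks the "others" read bit. It assumes the worker runs as a user (e.g. www-data) that neither owns the path nor belongs to its group, as in the root:root case above; if the worker owns a component, the owner bits apply instead and this check is pessimistic.

```shell
# Walk each component of PATH from the filesystem root and print every
# component an unprivileged, non-owner Apache worker could not traverse
# or read. Returns 0 if the path is fully reachable, 1 if something is
# blocked, 2 if a component does not exist.
# Assumption: the worker is neither owner nor group member, so only the
# "others" permission bits (columns 8-10 of ls -ld) matter.
acme_path_check() {
    path=$1
    rest=${path#/}
    cur=""
    bad=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        [ -e "$cur" ] || { echo "missing: $cur"; return 2; }
        # First 10 characters of ls -ld are the type and mode string.
        mode=$(ls -ld "$cur" | cut -c1-10)
        if [ -d "$cur" ]; then
            # Column 10: "others" execute bit (t when the sticky bit is set,
            # as on /tmp). Apache needs it on every directory in the path.
            case $(printf '%s' "$mode" | cut -c10) in
                x|t) ;;
                *)   echo "no search (o+x): $cur"; bad=1 ;;
            esac
        else
            # Column 8: "others" read bit, needed to serve the challenge file.
            case $(printf '%s' "$mode" | cut -c8) in
                r) ;;
                *) echo "no read (o+r): $cur"; bad=1 ;;
            esac
        fi
    done
    return $bad
}

# Usage: acme_path_check /var/www/letsencrypt/.well-known/acme-challenge
```

Run it against the exact filesystem path from the log entry (the value after "filesystem path"), since an alias target outside the webroot such as /root/data is usually blocked by a parent directory rather than by the target itself.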
At last I got it working. I needed to include Allow from all in the letsencrypt-ispconfig.conf settings. This is really weird, as that is an apache2.2 directive. Having fixed this, my version of sjau's script is working fine and I have received and installed my first signed certificate for the domain I've been working with.