Hello,

I'm trying to get letsencrypt certificates working with security/acme-client on FreeBSD 10.3, which I like much better than the python certbot client. That being said, I'm having a problem where authentication is failing; account keys are created, and from the output below it looks like the tokens are being successfully generated, not retrieved. I'm thinking an apache configuration problem. I've got two different runs with two different messages. Any help appreciated.

Thanks.
Dave.

# Domain letsencrypt creation
export DS="example.com www.example.com webmail.example.com"; \
acme-client -mvnNOC /usr/local/www/.well-known/ \
$DS && echo $DS >> /usr/local/etc/acme/domains.txt

acme-client: /usr/local/etc/ssl/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/private/example.com: creating directory
acme-client: /usr/local/etc/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/private/example.com/privkey.pem: generating RSA domain key
acme-client: /usr/local/etc/acme/example.com/privkey.pem: generating RSA account key
acme-client: adding SAN: www.example.com
acme-client: adding SAN: webmail.example.com
acme-client: adding OCSP stapling
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.217.173.130
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:1400:a:196::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2600:1400:a:197::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: example.com
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.example.com
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: webmail.example.com
acme-client: /usr/local/www/acme//PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522: challenge
acme-client: /usr/local/www/acme//Y8JozYRWNboKZcs1PNDoeMxw0bcQsMjFpRU4Z-10ov4: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/TwCh4pIh3OsrT1ao6nb3THypuMeKMYyXRfKQeI711Uw/1381988564: challenge
acme-client: /usr/local/www/acme//k5bqluXjn_93UknVNwhYv7VIT6eje9E9JzYcM4JDKtQ: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/4AtVqZWIXB-rp87DTgLos79h5yMbO-g4FeOvldpcC9s/1381988597: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c: \"\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"\u003e\r\n\u003chtml xmlns=\"http\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/N5-IIl5WRsCfSQfwuEu4dWmvLQY5wYLoW1_MMKUgRDo/1381988522", "token": "PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c", "keyAuthorization": "PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c.af3ncVsUzcTQuGUzKGx9RoPA5jbhTlVq8PQocLc0-o0", "validationRecord": [ { "url": "http://www.example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c", "hostname": "www.example.com", "port": "80", "addressesResolved": [ "66.228.47.34" ], "addressUsed": "66.228.47.34", "addressesTried": [] }, { "url": "http://example.com/.well-known/acme-challenge/PL_5ypf44x6hPtkTahuhiGvbdbHti0lnW2jwZegIq5c", "hostname": "example.com", "port": "80", "addressesResolved": [ "66.228.47.34" ], "addressUsed": "66.228.47.34", "addressesTried": [] } ] }] (1350 bytes)
acme-client: bad exit: netproc(30353): 1

# second run
export DS="example.com www.example.com webmail.example.com"; \
acme-client -mvnNOC /usr/local/www/.well-known/ \
$DS && echo $DS >> /usr/local/etc/acme/domains.txt

acme-client: /usr/local/etc/ssl/acme/example.com: creating directory
acme-client: /usr/local/etc/ssl/acme/example.com: No such file or directory

# httpd configuration
mkdir -pm750 /usr/local/www/.well-known && chown -R www:www /usr/local/www/.well-known

# httpd.conf
<Directory "/usr/local/www/.well-known/">
    Options None
    AllowOverride None
    Require all granted
    Header add Content-Type text/plain
</Directory>

# virtual hosts
# The example.com http virtual host
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin nick@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    ServerAlias www.example.com
    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/
    # Anything that isn't going to example.com/.well-known gets forwarded to the https site
    # RewriteEngine on
    # RewriteCond %{REQUEST_URI} !^/.well-known
    # RewriteRule (.*) https://www.davemehler.com/$1 [R=301,L]
    ErrorLog "/usr/vhosts/example.com/logs/error.log"
    <Directory "/usr/vhosts/example.com/htdocs/">
        Options FollowSymLinks
        AllowOverRide None
        Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>
    # Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin nick@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
    ServerName webmail.example.com
    ServerAlias webmail.example.com
    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/
    # Anything that isn't going to webmail.example.com/.well-known gets forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]
    ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
    <Directory "/usr/vhosts/webmail.example.com/htdocs/">
        Options FollowSymLinks
        AllowOverRide None
        Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>
    # Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>
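Added example, not part of Dave's post and not code from acme-client or Apache: a small Python check of the two things an http-01 failure like the one above turns on. The first function parses the JSON "transfer buffer" acme-client prints after a bad response and pulls out the HTTP status, ACME error type, an excerpt of the body the validator received (an HTML document where a bare token was expected) and the hosts it contacted while following redirects. The second part emulates Apache's Alias prefix substitution and compares the file the validator's URL /.well-known/acme-challenge/<token> maps to against the file the client writes as <challengedir>/<token>. The sample buffer is constructed (example.com names, a placeholder token, a documentation IP, a shortened HTML excerpt), and the assumption that acme-client -C writes token files directly into the named directory, which must then be reachable under /.well-known/acme-challenge/, is taken from the tool's manual page rather than from this post.

```python
import json
import posixpath

# Path an http-01 validator fetches: http://<host>/.well-known/acme-challenge/<token>
CHALLENGE_URL_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample modelled on the "transfer buffer" in the post: example.com
# hostnames, a placeholder token, a documentation IP, and a shortened HTML excerpt.
SAMPLE_TRANSFER_BUFFER = r'''[{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER: \"\u003c!DOCTYPE html\u003e\"",
    "status": 403
  },
  "token": "TOKEN_PLACEHOLDER",
  "validationRecord": [
    {"url": "http://www.example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
     "hostname": "www.example.com", "port": "80", "addressUsed": "192.0.2.10"},
    {"url": "http://example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
     "hostname": "example.com", "port": "80", "addressUsed": "192.0.2.10"}
  ]
}]'''


def summarize_challenge(buf):
    """Parse the JSON array acme-client dumps after a 'bad response' and return,
    per challenge, the fields that explain the failure."""
    summaries = []
    for ch in json.loads(buf):
        err = ch.get("error") or {}
        detail = err.get("detail", "")
        body_excerpt = ""
        # The validator appends a quoted excerpt of the body it received after ': "'.
        if ': "' in detail:
            detail, body_excerpt = detail.split(': "', 1)
            body_excerpt = body_excerpt.rstrip('"')
        summaries.append({
            "type": ch.get("type"),
            "status": ch.get("status"),
            "error_type": err.get("type"),
            "http_status": err.get("status"),
            "detail": detail,
            "body_excerpt": body_excerpt,
            # An HTML document where a bare token was expected means the request
            # reached a web server but was not answered from the challenge file.
            "looks_like_html": body_excerpt.lstrip().lower().startswith(("<!doctype", "<html")),
            "hosts_contacted": [(r.get("hostname"), r.get("addressUsed"))
                                for r in ch.get("validationRecord", [])],
        })
    return summaries


def resolve_alias(aliases, request_path):
    """Emulate Apache's Alias directive: aliases is a list of (url_prefix, fs_dir)
    pairs in configuration order; the first matching prefix is replaced by its
    directory. Returns None when no Alias applies."""
    for url_prefix, fs_dir in aliases:
        if request_path.startswith(url_prefix):
            return posixpath.normpath(fs_dir + request_path[len(url_prefix):])
    return None


def acme_client_writes_to(challengedir, token):
    """Assumed layout of the -C directory: one file per token, directly inside it."""
    return posixpath.normpath(posixpath.join(challengedir, token))


def challenge_layout_ok(challengedir, aliases, token):
    """Return (ok, served_path, written_path); ok is True only when the file the
    validator's URL maps to is the file the client actually wrote."""
    served = resolve_alias(aliases, CHALLENGE_URL_PREFIX + token)
    written = acme_client_writes_to(challengedir, token)
    return served == written, served, written


if __name__ == "__main__":
    for s in summarize_challenge(SAMPLE_TRANSFER_BUFFER):
        print(f"{s['type']} {s['status']}: HTTP {s['http_status']} {s['error_type']}")
        print(f"  {s['detail']}")
        print(f"  body looks like HTML: {s['looks_like_html']}; hosts: {s['hosts_contacted']}")
    # Alias /.well-known/ pointing at the -C directory, the layout the post's command and vhosts describe
    print(challenge_layout_ok("/usr/local/www/.well-known/",
                              [("/.well-known/", "/usr/local/www/.well-known/")], "TOKEN_PLACEHOLDER"))
    # Alias covering the full acme-challenge prefix instead
    print(challenge_layout_ok("/usr/local/www/.well-known/",
                              [("/.well-known/acme-challenge/", "/usr/local/www/.well-known/")], "TOKEN_PLACEHOLDER"))
```

Running it prints the parsed failure and then a False/True pair: with Alias /.well-known/ the validator's request resolves to <dir>/acme-challenge/<token> while the client wrote <dir>/<token>, so the two paths differ; an Alias on /.well-known/acme-challenge/ (or a -C directory that ends in acme-challenge/) makes them coincide. The hosts_contacted list also records the redirect from the bare domain to www, which is why both names appear in the validation record.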