Hi all,
I requested an LE cert for Webmin and the virtual hosts, but it shows a 403 error when challenged.
I am using a fresh install of CentOS 8 on DigitalOcean.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for to.website.id
Using the webroot path /home/to/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain to.website.id
http-01 challenge for to.website.id
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: to.site.id
Type: unauthorized
Detail: Invalid response from
http://to.website.id/.well-known/acme-challenge/GBHA46mREDUe7RQ9k82OkBySRWD8QUyS7aZBDTrRxIQ
[165.22.52.184]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>403
Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I too have been recently experiencing Let's Encrypt certificate generation failures on fresh installs of Webmin 1.492 and Virtualmin 6.09. Thought I should mention it, for what it's worth.
@technicalw accessing that IP (not the FQDN, as you didn't provide it) shows that you've edited the config and are (currently) returning a custom 403 response:
Forbidden to enter
You don't have permission to access / on this server. ... and so on and so on.
This makes me think that you've done this in a way which is overriding Apache's default web serving ability (did you edit a *:80 virtualhost?). Certbot (the LE certificate renewer) relies on public access to public_html for the domain to complete web authentication.
Either use DNS-based challenge/response or fix your Apache configuration to permit access by the Let’s Encrypt servers.
For the default server (Webmin GUI), Webmin > Webmin Configuration > SSL Encryption > Let’s Encrypt tab, choose “Use DNS domains for validation”.
For Virtualmin sites, each has its own Let's Encrypt setup, in Virtualmin > Server Configuration > SSL Certificate > Let's Encrypt.
As far as I can tell from using Virtualmin, the virtualhost Let’s Encrypt section only offers HTTP challenge-response. I’ve never tested to see if it falls back to DNS because I have public sites on every virtualhost.
It would be nice if virtual site Let’s Encrypt configuration could obviously support DNS challenge-response, so we could request wildcard domains for virtualhosts.
DNS is set correctly in Cloudflare, with an A record of site.com = my IP
*.site.com = my IP
All of them are DNS only, not proxied. If I use proxied, then it ends up in a too-many-redirects error (when I look in the console it is error 302).
I can open my websites using the domain normally.
It is actually an index.html with HTML code copied from the Chrome error page and modified a bit, so I know that it is able to open an HTML page normally. So, no, I don't have the ability to override Apache's default web serving ability.
I don't find the guide to using LE's DNS-based challenge helpful. If you can direct me to a good tutorial on LE's DNS-based challenge, it would be much appreciated.
It was because the .well-known folder did not exist. I created a .well-known folder with permission 0755 in public_html, then requested the certificate. Now I have added a .well-known folder to the skel directory and every virtual server is able to get an LE certificate.
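The diagnosis earlier in the thread (Certbot's webroot authenticator needs the validator to fetch /.well-known/acme-challenge/<token> from public_html over plain HTTP) and the fix above (a .well-known directory with mode 0755) can both be checked before Certbot is run at all. The script below is an added example written for this thread, not code from Certbot, Webmin or Virtualmin: it drops a throw-away token file into the webroot, fetches it the way the Let's Encrypt validator would, and returns the HTTP status and the first bytes of the body, so a custom 403 page like the one in the original post shows up immediately instead of inside Certbot's error text. The hostname and webroot in the docstring are the poster's; the local-server demo at the end is constructed so the check runs offline.

```python
"""Pre-flight check for an ACME http-01 webroot challenge (added example).

Writes a random token into <webroot>/.well-known/acme-challenge/ (creating the
directory with mode 0755, as in the fix above), fetches it over plain HTTP
exactly as the validation server would, and reports status + body so that a
403/404 page is visible at once. The file body is just the token here; a real
challenge file holds the key authorization, but reachability is what we test.
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot: str) -> tuple[str, str]:
    """Create the challenge directory (0755) and write a token file (0644) into it."""
    token = secrets.token_urlsafe(32)
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, mode=0o755, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(token)
    os.chmod(path, 0o644)
    return token, path


def fetch_challenge(base_url: str, token: str) -> tuple[int, bytes]:
    """GET <base_url>/.well-known/acme-challenge/<token>; never raises on 4xx/5xx."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as e:
        return e.code, e.read(200)  # e.g. the custom "Forbidden to enter" page


def preflight(base_url: str, webroot: str) -> dict:
    """Place a token, fetch it, clean up. ok is True only for 200 + matching body.

    Real use (poster's values, hypothetical): preflight("http://to.website.id",
    "/home/to/public_html"), run as the domain's owner so the 0755 dir is created.
    """
    token, path = place_token(webroot)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(path)
    ok = status == 200 and body.decode("ascii", "replace").strip() == token
    return {"ok": ok, "status": status, "body": body[:100], "token": token}


def demo_against_local_server() -> tuple[dict, dict]:
    """Constructed, offline demonstration: serve a temporary webroot on 127.0.0.1.

    Returns (result for a placed token, result for a token that was never written).
    """
    import functools
    import http.server
    import tempfile
    import threading

    class Quiet(http.server.SimpleHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging in the demo
            pass

    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(Quiet, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            good = preflight(base, webroot)
            # Same code path a misconfigured vhost's 403 page would take.
            bad_status, bad_body = fetch_challenge(base, "token-never-written")
            bad = {"ok": False, "status": bad_status, "body": bad_body}
        finally:
            srv.shutdown()
            srv.server_close()
    return good, bad


if __name__ == "__main__":
    print(demo_against_local_server())
```

Run it against the real host with the public HTTP URL of the site and the same webroot you give Certbot; if the status is 403 with the custom page body, the Apache *:80 vhost (or a rewrite to HTTPS that returns something other than the token) is the problem, and Certbot will keep failing until that is fixed. If it returns 200 with the token, the remaining suspects are DNS and Cloudflare proxying.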
I use DNS challenges on another server (not Virtualmin) because I need wildcards. I have to do it in manual mode, so a nice little activity every 3 months…
You run certbot to request an updated certificate (or to issue a new one) and provide the domains/wildcard domains. For each unique domain, certbot provides an alphanumeric string which you must add to a TXT record for the domain called _acme-challenge.<domain.tld>.
When done, certbot instructs the LE verification servers to query each domain's nameserver to check for a matching record and, if it exists, certbot is issued the certificate. Certbot does the rest automatically, generating and replacing the private key and cert chain in your system's PKI folder. Then you just have to restart the services using the cert and off you go.
It’s more involved than web-based verification but AFAIK it’s still the only way you can get wildcards (*.example.com to cover all subdomain permutations).
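The manual DNS procedure above is the ACME dns-01 challenge of RFC 8555 section 8.4. The "alphanumeric string" certbot prints is not the token itself: it is base64url(SHA-256(keyAuthorization)), where keyAuthorization is token + "." + the RFC 7638 thumbprint of the ACME account key, and the validator looks it up at _acme-challenge.<domain> (for a wildcard, *.example.com validates at _acme-challenge.example.com, and a certificate covering both example.com and *.example.com needs two TXT records at that same name). The code below is an added example for this thread, not certbot's code: it computes the record name and value from a token and account key, and a second function plays the validator side against an injected resolver. The JWK, token and "zone" are constructed so it runs offline; they are not real key material.

```python
"""ACME dns-01 (RFC 8555 s8.4) record computation plus a validator-side check.

Added example for the thread; not certbot's implementation. The JWK and token
used in demo() are constructed placeholders, not real key material.
"""
import base64
import hashlib
import json
from typing import Callable, Iterable


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWK and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.1: token '.' base64url(Thumbprint(accountKey))."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """The string certbot shows you: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """TXT owner name; a wildcard identifier is validated at its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def validator_check(identifier: str, token: str, thumbprint: str,
                    resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """Validator side: fetch TXT strings at the record name; accept iff one matches
    exactly. Several records may coexist (e.g. example.com and *.example.com)."""
    expected = dns01_txt_value(token, thumbprint)
    return any(v == expected for v in resolve_txt(dns01_record_name(identifier)))


def demo() -> dict:
    """Constructed, offline walkthrough: one cert for example.com and *.example.com.

    Both identifiers are validated at _acme-challenge.example.com, so the zone
    (what you would publish in Cloudflare) carries two TXT values at one name.
    """
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
    thumb = jwk_thumbprint(jwk)
    tokens = {"example.com": "constructed-token-apex",      # real tokens come from the CA
              "*.example.com": "constructed-token-wildcard"}
    zone: dict[str, list[str]] = {}
    for ident, tok in tokens.items():
        zone.setdefault(dns01_record_name(ident), []).append(dns01_txt_value(tok, thumb))

    def resolve(qname: str) -> list[str]:  # stand-in for a real DNS TXT query
        return zone.get(qname, [])

    return {
        "record_name": dns01_record_name("*.example.com"),
        "txt_values": zone[dns01_record_name("*.example.com")],
        "apex_ok": validator_check("example.com", tokens["example.com"], thumb, resolve),
        "wildcard_ok": validator_check("*.example.com", tokens["*.example.com"], thumb, resolve),
        # Stale token (e.g. a record left over from last quarter) must be rejected.
        "stale_rejected": validator_check("*.example.com", "old-token", thumb, resolve),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In manual mode you never compute the value yourself, certbot prints it; where this matters is automation: certbot's --manual-auth-hook receives the finished value in the CERTBOT_VALIDATION environment variable and the domain in CERTBOT_DOMAIN, so a hook only has to publish it at the record name and wait for propagation. The validator_check above is also a useful pre-flight: resolve the TXT record against the authoritative nameserver and confirm the exact value is present before telling certbot to continue.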
Your problem with .well-known not existing is odd; when I've used Virtualmin to request new LE certificates for new domains it has always been able to create the folder structure automatically. What are the permissions on your public_html dirs?