Hello,
I’m having the following problem: when I try to install a SSL Certificate via Let’s Encrypt I get the following error:
mywebsite.com challenge did not pass: Invalid response from http://mywebsite.com/.well-known/acme-challenge/dliVUxI70M8nAmgaUduK0cCi7PSxOq-plNq5nAl0W4E: "
404 Not Found
Not Found
<p"
I have two virtual servers installed, and it does it for both sites. One already has an SSL certificate, but when I try to get a new certificate for it (just like the other one) I get this error. If I remember correctly, I installed the SSL certificate when the PHP script execution mode was still set to Apache mod_php; however, I subsequently set it to FCGId.
I have tried to manually create a “.well-known/acme-challenge/” folder and placed an empty file inside - I can download it no problem.
Can anybody give me a clue how to fix this?
EDIT:
SOLUTION
What solved the problem for me was installing certbot through the command line, following this tutorial (note it’s a Digital Ocean tutorial, but I’m on OVH, so it should be completely host agnostic). Running “sudo certbot” and choosing the sites I want to install certificates for did the job, and that was literally it. It was shockingly easy for a CLI operation :).
Sorry for the late reply - was away for a few days. Unfortunately, nothing changed. I even tried setting everything to 777, just to test it out, but the problem persisted.
My certificates have been renewing properly over the last year but my latest one is displaying the same error as yours. The challenges are being written to the acme-challenge directory and I can access the directory without difficulty. Not sure why the change unless some update has caused a problem.
Operating system CentOS Linux 7.5.1804
Webmin version 1.890
Usermin version 1.741
Virtualmin version 6.03
Theme version Authentic Theme 19.19
Firewall version ConfigServer Security & Firewall 12.06
Your PHP execution mode has no relation to this error.
You probably have a redirect or proxy rule happening that prevents access to the well-known directory. If you’ve got some sort of web app that sucks up all requests check your .htaccess file. You probably need to exclude redirecting or proxying the .well-known directory.
You can check this by simply trying to load that URL in your browser. You need to sort out why it’s a 404…it’s gotta be web server configuration, if the file exists.
Never set permissions to 777. If the owner:group is correct, and it is group readable (and group x all the way up the path, so Apache can see the directories), your permissions are fine.
But, this is definitely not a permissions problem. A permissions problem would be a 403 Forbidden error. 404 indicates something is making the path inaccessible in the configuration.
I have had this problem in the past…I’ve unfortunately forgotten what the cause was.
I would check to ensure your webserver permissions to the directory in question are correct.
Has the directory outlined in the error above actually been created? If not then that may help in the problem solving process.
This may be a result of my inexperience, but can I throw it out there anyway…I note the URL in the error is http…shouldn’t it be putting the challenge in https?
Have you opened port 443 for https? (Once again, I don’t know what error this throws in terms of the acme challenge passing.)
<p", reformascarlos.es (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reformascarlos.es/.well-known/acme-challenge/YjVWcCyk65qr6QZHHFUKiuxwXCsE0sndBxv-P3fkHd0: "
404 Not Found
Not Found
I cannot access the new virtual server http://reformascarlos.es; I get another virtual server that was previously configured.
I finally figured out my problem after another of my domains updated successfully. Somehow I had managed to change the ownership of the acme-challenge directory of the problem account to root instead of the domain owner. After setting it back, the renewal updated as expected.
Hey, everybody. I think I finally solved the problem. I just installed certbot, had it set the certificate and… it just worked. It shows that my SSL Certificate will expire on December 5th, rather than September 11th, as it was. Honestly, I’ll just leave it at that for the moment and be content with it just working. One day, when I have more time, I might actually investigate what the problem was, but for now I’m just happy to have a valid certificate :). Thanks to everybody for the suggestions. Cheers.
In addition - I just met the same issue: a virtual host with Drupal 7 on it was not able to pass the ACME challenge. After investigation I found out that it was because of the .htaccess file (so if you have a similar issue, even if not using Drupal, check that).
When creating certificates using LetsEncrypt, a folder called “.well-known” is created in the website’s public folder (which is typically Drupal’s root folder).
The line RewriteRule "(^|/)\." - [F] in Drupal’s default .htaccess file specifically prohibits files and folders starting with dots from being accessed.
This causes LetsEncrypt to fail when issuing certificates and produce error messages about authorisation (403 Forbidden).
To fix that, this line in .htaccess needs to be replaced: RewriteRule "(^|/)\." - [F]
by: RewriteRule "(^|/)\.(?!well-known)" - [F]
This allows access to the .well-known folder but denies all other dot-paths.
After that fix, the certificate was updated without any issues.
Joe, perhaps it would be worth adding a check in the script to see if there is an .htaccess restriction in place when creating the acme-challenge folder?
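The two RewriteRule patterns above, and Joe’s earlier point that a deny rule yields 403 while a path that does not resolve yields 404, can be checked without touching a live server. The following is an added example, not code from this thread or from Drupal or Virtualmin: it replays both patterns against the kind of paths Apache sees in .htaccess (per-directory) context and returns the status the request would get. The document-root file list and the ACME token name are constructed for the demo.

```python
import re

# Drupal 7's default rule denies any path component that starts with a dot;
# the relaxed version from the post exempts ".well-known". Apache evaluates
# RewriteRule patterns with PCRE, so Python's re reproduces the match logic,
# including the negative lookahead.
DRUPAL_DEFAULT = r"(^|/)\."
DRUPAL_FIXED = r"(^|/)\.(?!well-known)"

# Constructed sample of what exists under the vhost's document root.
# "EXAMPLE-TOKEN" stands in for the token the ACME client writes.
DOCROOT_FILES = {
    "index.php",
    ".htaccess",
    "sites/default/settings.php",
    ".well-known/acme-challenge/EXAMPLE-TOKEN",
}


def simulate_request(path, deny_pattern, docroot_files=DOCROOT_FILES):
    """Return the HTTP status Apache would send for a per-directory
    'RewriteRule <deny_pattern> - [F]' followed by plain static serving.

    In .htaccess context the pattern is matched against the path relative
    to that directory, with no leading slash, which is what callers pass.
    """
    if re.search(deny_pattern, path):
        return 403  # [F] flag: Forbidden, whether or not the file exists
    if path in docroot_files:
        return 200
    return 404  # nothing denied it; the path simply does not resolve


def challenge_status(deny_pattern):
    """Status the ACME validator would see for the constructed token."""
    return simulate_request(".well-known/acme-challenge/EXAMPLE-TOKEN",
                            deny_pattern)


def still_protected(deny_pattern):
    """True if the other dot-paths remain blocked after the change."""
    return all(simulate_request(p, deny_pattern) == 403
               for p in (".htaccess", "sites/default/.git/config", ".env"))


if __name__ == "__main__":
    for name, pattern in (("default", DRUPAL_DEFAULT), ("fixed", DRUPAL_FIXED)):
        print(f"{name:8s} challenge -> {challenge_status(pattern)}, "
              f"other dot-paths blocked: {still_protected(pattern)}")
```

Reading the results the way Joe describes: a 403 on the token URL points at a deny rule or permissions, a 404 means the request never reached a file at that path (rewrite, proxy or wrong virtual host), and only a 200 lets the challenge pass. The relaxed pattern keeps every other dot-path forbidden, so the exemption is as narrow as the post claims.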
I’m not trying to hijack the thread, but I’m commenting in case people come here because of the same problem in the future, in case it helps.
I also had the same problem as you guys, a letsencrypt unable to properly renew itself.
In my case, the only fix that worked was to basically delete every certificate-related file at the root of this virtualhost’s storage directory, ssl.ca, ssl.cert, ssl.combined, ssl.everything, ssl.key. Once the files were deleted (backup first!), virtualmin finally managed to properly set up letsencrypt.
We had a similar problem on one of our servers, which seemed a bit odd because we host many Drupal 7 sites. What stood out and what was different about this server is that the domain name, and the home directory and username, had a “.” (dot) in them. It was something like ourdomain.co.whatever. So we renamed the domain to something temporary, like ourdomain1.co.whatever, and then we renamed it back. But when renaming it back we made sure that the three sections, namely:
Administration username
Home directory
User name suffix and group
did not have a “.” (dot) in them anymore. Not really sure if the rename also maybe fixed some unknown permissions issue. But all good now; even with the original .htaccess the site is renewing.