.well-known/acme-challenge/letsencrypt_ is not reachable HTTP/1.1 403 Forbidden

cDGo (Verified User, joined Sep 21, 2012, 84 messages)
Hi, still struggling with Let's Encrypt.

I followed the installation instructions.

Tried to create a certificate for a domain (and subdomain without www).
And getting the error:
Getting challenge for domain.com from acme-server...
Error: http://domain.com/.well-known/acme-challenge/letsencrypt_1469871296 is not reachable. Aborting the script.
Please make sure /.well-known alias is setup in WWW server.

So tried to manually check the response and got:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 30 Jul 2016 09:54:52 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Vary: Accept-Encoding

Did some googling and found a lot of answers, but didn't come across the one to solve my problem.

What I checked:
In directadmin.conf:
enable_ssl_sni=1
letsencrypt=1

All files and folders from .well-known are set to 777

Opening http://domain.com/.well-known/acme-challenge/test.txt also gives a 304
Verified these files/folder are in /var/www/html

Then I had an idea and checked the home folder, and found the .well-known folder + files there too.
So set them to 777 too and now the browser showed "test", so that worked.
Now tried to create a certificate again, but still the initial error.
I do have an external DNS server, I do not know if it is relevant.

I think I've read somewhere that adding enable_ssl_sni=1 causes a change in the location where the .well-known folder should be.
But with .well-known in both locations, I still get the letsencrypt_1469871296 is not reachable error.

Hope someone can help
 
Hello,

If you have customized nginx templates you need to get them reviewed and updated, or use defaults.
 
Hi Alex,

Thanks for your answer.
If I have custom templates, it was you who set them up.

According to your post here I do have custom templates.

But unfortunately, I could not find what to add/alter to them.
 
Hi,

Can anyone tell me what to change and in what files?
 
Still having this problem on 1 of my servers, on all others it works like a charm.

When activating the letsencrypt certificate I get this error:

Getting challenge for domein.com from acme-server...
Error: http://domein.com/.well-known/acme-challenge/letsencrypt_1472921176 is not reachable. Aborting the script.
Please make sure /.well-known alias is setup in WWW server.

After this I do have a file in the /var/www/html/.well-known/acme-challenge folder, but it's called differently.
Instead of letsencrypt_1472921176 it's called 5XQJp5WQZ-_sH7y9xJYKkachWJK4WxTfL9qAfDOUyGo.

On this server there are no subfolders in /usr/local/directadmin/custombuild/custom, only the file config.inc.php.

In /usr/local/directadmin/data/templates I have these files:
nginx_ips.conf
nginx_php.conf
nginx_protected_directory.conf
nginx_redirect.conf
nginx_server.conf
nginx_server_redirect.conf
nginx_server_secure.conf
nginx_server_secure_sub.conf
nginx_server_sub.conf
user_virtual_host.conf
virtual_host.conf
virtual_host_secure.conf
virtual_host_secure_sub.conf
virtual_host_sub.conf
virtual_host2.conf
virtual_host2_secure.conf
virtual_host2_secure_sub.conf
virtual_host2_sub.conf
In /usr/local/directadmin/data/templates/custom I do have some files:
nginx_server.conf
nginx_server_secure.conf
nginx_server_secure_sub.conf
nginx_server_sub.conf
virtual_host2.conf
virtual_host2_secure.conf
virtual_host2_secure_sub.conf
virtual_host2_sub.conf

In /etc/nginx/webapps.conf:
location ^~ /.well-known {
    root /var/www/html/;
    index index.php index.html index.htm;
    location ~ ^/.well-known/ {
        access_log off;
        set $my_server_addr $server_addr;
        if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
        proxy_pass http://$my_server_addr:8080;
        proxy_set_header X-Client-IP $remote_addr;
        proxy_set_header X-Accel-Internal /.well-known/nginx_static_files;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~ ^/.well-known/nginx_static_files/ {
        access_log /var/log/nginx/access_log_proxy;
        alias /var/www/html/;
        internal;
    }
}

In /etc/nginx/webapps.ssl.conf:
location ^~ /.well-known {
    root /var/www/html/;
    index index.php index.html index.htm;
    location ~ ^/.well-known/ {
        access_log off;
        set $my_server_addr $server_addr;
        if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
        proxy_pass https://$my_server_addr:8081;
        proxy_set_header X-Client-IP $remote_addr;
        proxy_set_header X-Accel-Internal /.well-known/nginx_static_files;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~ ^/.well-known/nginx_static_files/ {
        access_log /var/log/nginx/access_log_proxy;
        alias /var/www/html/;
        internal;
    }
}

Any help is appreciated.
 
Using DirectAdmin's debug mode I can see this is being sent:

Post string:
domain=mydomain.com&
action=save&
type=create&
request=letsencrypt&
country=&
province=&
city=&
company=&
division=&
name=www.mydomain.com&
[email protected]&&
keysize=4096&
encryption=sha256&
le_select0=mydomain.com&
le_select5=www.mydomain.com&
certificate=&
submit=Save
isDir(/var/www/html/webmail): is a symbolic link

So probably /var/www/html/webmail should be /var/www/html/.well-known/acme-challenge

But what is causing this?
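An added diagnostic (not part of this thread and not DirectAdmin's own letsencrypt script) that mirrors the two things the script's "is not reachable" check depends on: every path component from the docroot down to the token file must be traversable/readable by the nginx worker user (755 and 644 are enough; 777 is never needed), and a GET over plain HTTP must return the token. The docroot, domain, token name and the temporary fixture directories are assumed values; `demo()` builds a constructed good docroot beside one whose .well-known is 0700.

```python
import os
import tempfile
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def check_challenge_file(docroot, token):
    """Report anything under docroot that an unrelated nginx worker user could
    not traverse or read (mode bits only; ACLs/group membership ignored)."""
    findings, path = [], docroot
    for comp in CHALLENGE_DIR.split("/") + [token]:
        path = os.path.join(path, comp)
        if not os.path.exists(path):
            return findings + [f"missing (or dangling link): {path}"]
        if os.path.islink(path):  # the thread's debug output flags a symlink
            findings.append(f"symlink: {path} -> {os.readlink(path)}")
        mode = os.stat(path).st_mode
        if os.path.isdir(path) and not mode & 0o001:  # o+x needed on dirs
            findings.append(f"not world-traversable: {path}")
        elif os.path.isfile(path) and not mode & 0o004:  # o+r on the token
            findings.append(f"not world-readable: {path}")
    return findings

def fetch_challenge(domain, token, timeout=5):
    """GET the token over plain HTTP as the ACME server does. Returns (status,
    body); a 403 while the file is readable means nginx itself rejects it."""
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)

def demo():
    """Constructed fixture: a 755/644 docroot beside one with a 0700 .well-known."""
    results = []
    for broken in (False, True):
        with tempfile.TemporaryDirectory() as root:
            chal = os.path.join(root, CHALLENGE_DIR)
            os.makedirs(chal)
            for d in (os.path.dirname(chal), chal):
                os.chmod(d, 0o700 if broken and d != chal else 0o755)
            with open(os.path.join(chal, "letsencrypt_test"), "w") as fh:
                fh.write("letsencrypt_test")
            os.chmod(os.path.join(chal, "letsencrypt_test"), 0o644)
            results.append(check_challenge_file(root, "letsencrypt_test"))
    return results
```

Run `check_challenge_file("/var/www/html", "<token>")` against the real docroot and, if it comes back empty, `fetch_challenge("domain.com", "<token>")`; an empty list plus a 403 points at the nginx location/proxy chain rather than the files.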
 