acme.sh can't use http authentication (.well-known/acme-challenge directory can't be accessed)

shira2

Hi

I tried to use acme.sh to issue a certificate from Google, but I ran into a problem: any files placed in the .well-known/acme-challenge directory cannot be accessed; they all return 404.



My speculation after reading this article is that DirectAdmin hijacks the .well-known/acme-challenge directory on all sites.

In this case, how can I make the .well-known/acme-challenge directory on some sites accessible?
 
I'm not into that, but external certificates are installed another way in DA.

Or maybe this can be of some help to you otherwise.
Hi
The 2 methods mentioned here require administrator rights to directadmin
What I mean is how to do it without administrator intervention.
 
Are you a reseller then?
Because if you are a hosting customer, you need to contact your host for support. This forum is only intended for Directadmin license holders, not for hosting customers, sorry.

This is not possible to do without administrator intervention if you can't paste your SSL certificate in the SSL part of your user configuration.
 
Hi
I think you're misunderstanding the point I'm trying to make.

------------------------------------
I have a web site, abc.com.

I created the file test.txt in the directory .well-known/acme-challenge.
Then I visit http://abc.com/.well-known/acme-challenge/test.txt
In this case, the page displays 404 instead of test.txt.

-------------------------------------


I tried to make a deploy script for acme.sh.
Then I realized that when I use acme.sh to request a certificate, I can't authenticate via HTTP,
because the .well-known/acme-challenge directory has been hijacked to a different path.

I'm currently using cpanel, and I'm in the process of migrating to directadmin.
But at the moment I'm having this problem.

Currently there are only 2 ways I know of to solve this problem

1. disable letsencrypt in directadmin
Then all users will not be able to use letsencrypt in the panel to issue certificates.

2. keep the status quo
all users can't use acme.sh to get certificates.
 
I think you're misunderstanding the point I'm trying to make.
I didn't misunderstand your point. You misunderstood mine. We can't help you on user (customer) level if you're not an admin or reseller! You were not clear enough about the rest, hence my answer.

I'm currently using cpanel, and I'm in the process of migrating to directadmin.
You should have stated that as first thing after my reply. ;)

DirectAdmin works a bit differently from cPanel.
The .well-known/acme-challenge directory is defined by the virtualhost settings and will point to the /var/www/html/.well-known/acme-challenge directory.

How this works exactly I don't know but you probably need the letsencrypt.sh script to figure it out, part of it looks like this:
Code:
challenge_check() {
    # create the shared challenge directory if it is not there yet
    if [ ! -d "${WELLKNOWN_PATH}" ]; then
        mkdir -p "${WELLKNOWN_PATH}"
        # hand .well-known and the challenge directory to the domain's user
        chown "${USER}:${USER}" "${HOSTNAME_DIR}/.well-known"
        chown "${USER}:${USER}" "${WELLKNOWN_PATH}"
    fi
}

So if you want to create a script to use an external certificate instead of the choice between Letsencrypt or ZeroSSL for the users, there is a lot more to look at. However, I can't help you with that as I'm no scripter, sorry.

Maybe @jamgames2 or @zEitEr can help you on your way.
 
What I mean is how to do it without administrator intervention.

The fact is: a shared hosting user may not re-define the alias for the ".well-known" requests. It can be done only by an administrator, server-wide or on a per-domain basis.
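The situation described in the two replies above (the vhost alias that sends /.well-known/acme-challenge to /var/www/html/.well-known/acme-challenge, which a shared-hosting user cannot override) can be modelled offline. The script below is an added illustration, not code from this thread, from DirectAdmin or from acme.sh: it resolves a request path the way a server with that alias would, then simulates an ACME client in webroot mode dropping its HTTP-01 token into the user's own document root and checks whether the server would ever read that file. The alias path is the one stated in the thread; the document-root path, token and key-authorization strings are constructed sample values.

```shell
#!/bin/sh
# Added illustration (not code from the thread, DirectAdmin or acme.sh).
# Models a server-wide Alias for /.well-known/acme-challenge and shows why a
# token written under the user's document root never answers the HTTP-01 request.

ALIAS_URL="/.well-known/acme-challenge"
# Target directory stated in the thread; overridable so the simulation can run in a temp dir.
ALIAS_DIR="${ALIAS_DIR:-/var/www/html/.well-known/acme-challenge}"

# resolve_path DOCROOT REQUEST_PATH
# Prints the filesystem path a server with that alias would open for the request.
resolve_path() {
    docroot=$1
    req=$2
    case "$req" in
        "$ALIAS_URL"/*) printf '%s%s\n' "$ALIAS_DIR" "${req#"$ALIAS_URL"}" ;;
        *)              printf '%s%s\n' "$docroot" "$req" ;;
    esac
}

# http01_would_validate DOCROOT TOKEN KEYAUTH
# Simulates a webroot-mode ACME client: writes KEYAUTH to
# DOCROOT/.well-known/acme-challenge/TOKEN, then checks whether the file the
# server would actually serve for /.well-known/acme-challenge/TOKEN carries it.
# Returns 0 when the CA would get the right body, 1 when it would get a 404.
http01_would_validate() {
    docroot=$1
    token=$2
    keyauth=$3
    mkdir -p "$docroot/.well-known/acme-challenge"
    printf '%s' "$keyauth" > "$docroot/.well-known/acme-challenge/$token"
    served=$(resolve_path "$docroot" "$ALIAS_URL/$token")
    [ -f "$served" ] && [ "$(cat "$served")" = "$keyauth" ]
}

# demo: a constructed sandbox in a temp dir stands in for the real paths.
demo() {
    saved_alias=$ALIAS_DIR
    tmp=$(mktemp -d)
    ALIAS_DIR="$tmp/central/.well-known/acme-challenge"
    mkdir -p "$ALIAS_DIR"
    # hypothetical per-user document root, constructed for the demo
    user_docroot="$tmp/home/user/domains/abc.com/public_html"
    if http01_would_validate "$user_docroot" token123 "token123.thumbprint"; then
        echo "token served from the user docroot: validation would succeed"
    else
        echo "404: the alias sends the request to $ALIAS_DIR, not to $user_docroot"
    fi
    rm -rf "$tmp"
    ALIAS_DIR=$saved_alias
}

demo
```

The second function is the check a user-level deploy script would have to pass before it could rely on HTTP-01 at all; with the alias in place it only passes when the key authorization is written into the aliased directory, which on a shared host is the administrator's path, not the customer's.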
 