.well-known/acme-challenge/letsencrypt_ is not reachable HTTP/1.1 403 Forbidden

[cDGo]

Hi, Still struggeling with let's encrypt.

I followed the installation instructions.

Tried to create a certificate for a domain (and subdomain without www).
And getting the error:
Getting challenge for domain.com from acme-server...
Error: http://domain.com/.well-known/acme-challenge/letsencrypt_1469871296 is not reachable. Aborting the script.
Please make sure /.well-known alias is setup in WWW server.

So tried to manually check the response and got:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 30 Jul 2016 09:54:52 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Vary: Accept-Encoding

Did some google-ing found a lot of answers, but didn't come across the one to solve my problem.

What I checked:
In directadmin.conf:
enable_ssl_sni=1
letsencrypt=1

All files and folders from .well-known are set to 777

Opening http://domain.com/.well-known/acme-challenge/test.txt also gives a 304
Verified these files/folder are in /var/www/html

Than had in idea and checked the home folder, and found the .well-known folder + files there too.
So set them to 777 too and now the browser showed "test", so that worked.
Now tried to create a certificate again, but still the initial error.
I do have an external DNS server, I do not know if it is relevant.

I think I've read some where that the adding of enable_ssl_sni=1 causes a change for the location of where the .well-known folder should be.
But with .well-known in both locations, I still get the letsencrypt_1469871296 is not reachable error.

Hope someone can help

 

[zEitEr]

Hello,

If you have customized nginx templates you need to get them reviewed and updated, or use defaults.

 

[cDGo]

Hi Alex,

Thanks for your answer.
If I would have custom templates, it was you who have set them up.

According to your post here I do have custom templates.

But unfortunately, I could not find what to add/alter to them.

 

[cDGo]

Hi,

Can anyone tell me what to change and in what files?

 

[cDGo]

Still having this problem on 1 of my servers, on all others it works like a charm.

When activating the letsencrypt certificate I get this error:

Getting challenge for domein.com from acme-server...
Error: http://domein.com/.well-known/acme-challenge/letsencrypt_1472921176 is not reachable. Aborting the script.
Please make sure /.well-known alias is setup in WWW server.

After this I do have a file in the /var/www/html/.well-known/acme-challenge folder, but it's call differently.
Instead of letsencrypt_1472921176 it's called 5XQJp5WQZ-_sH7y9xJYKkachWJK4WxTfL9qAfDOUyGo.

On this server there are no sub folders in /usr/local/directadmin/custombuild/custom
Only the file config.inc.php

in /usr/local/directadmin/data/templates I have these files:
nginx_ips.conf
nginx_php.conf
nginx_protected_directory.conf
nginx_redirect.conf
nginx_server.conf
nginx_server_redirect.conf
nginx_server_secure.conf
nginx_server_secure_sub.conf
nginx_server_sub.conf
user_virtual_host.conf
virtual_host.conf
virtual_host_secure.conf
virtual_host_secure_sub.conf
virtual_host_sub.conf
virtual_host2.conf
virtual_host2_secure.conf
virtual_host2_secure_sub.conf
virtual_host2_sub.conf


In /usr/local/directadmin/data/templates/custom I do have some files:
nginx_server.conf
nginx_server_secure.conf
nginx_server_secure_sub.conf
nginx_server_sub.conf
virtual_host2.conf
virtual_host2_secure.conf
virtual_host2_secure_sub.conf
virtual_host2_sub.conf

In /etc/nginx/webapps.conf:
location ^~ /.well-known {
root /var/www/html/;
index index.php index.html index.htm;
location ~ ^/.well-known/ {
access_log off;
set $my_server_addr $server_addr;
if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
proxy_pass http://$my_server_addr:8080;
proxy_set_header X-Client-IP $remote_addr;
proxy_set_header X-Accel-Internal /.well-known/nginx_static_files;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ ^/.well-known/nginx_static_files/ {
access_log /var/log/nginx/access_log_proxy;
alias /var/www/html/;
internal;
}
}

In /etc/nginx/webapps.ssl.conf:
location ^~ /.well-known {
root /var/www/html/;
index index.php index.html index.htm;
location ~ ^/.well-known/ {
access_log off;
set $my_server_addr $server_addr;
if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
proxy_pass https://$my_server_addr:8081;
proxy_set_header X-Client-IP $remote_addr;
proxy_set_header X-Accel-Internal /.well-known/nginx_static_files;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ ^/.well-known/nginx_static_files/ {
access_log /var/log/nginx/access_log_proxy;
alias /var/www/html/;
internal;
}
}

Any help is appreaciated

 

[cDGo]

Using debug of Direct admin I can see this is being sended:

Post string:
domain=mydomain.com&
action=save&
type=create&
request=letsencrypt&
country=&
province=&
city=&
company=&
division=&
name=www.mydomain.com&
[email protected]&&
keysize=4096&
encryption=sha256&
le_select0=mydomain.com&
le_select5=www.mydomain.com&
certificate=&
submit=Save
isDir(/var/www/html/webmail): is a symbolic link

So probably /var/www/html/webmail should be /var/www/html/.well-known/acme-challenge

But what is causing this?