Let's Encrypt - File Validation Fails

Hi, pulling my hair out with this one. I know what the problem is but can't seem to find the right fix.

I'm using the virtualmin Let's Encrypt interface to generate some SSL certs. The script fails to create the certs though, see the output below.

What is happening is that the validation file is being created, but it is being created with file permissions 700, so the URL cannot be accessed by the Let's Encrypt service. As soon as I change the permission to e.g. 755 the URL works.

So, the problem is that the Let's Encrypt create-SSL script creates the file with the wrong permissions. I've tried in various locations to change the umask for the root user, but this has no effect. Any ideas??

Here's the output:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying somedomain.eu...
Wrote file to /home/user/public_html/.well-known/acme-challenge/9vJPoBzlTLZHopaWTzQrFrw46c9JEY-cO5e8hzCAcz8, but couldn't download http://somedomain.eu/.well-known/acme-challenge/9vJPoBzlTLZHopaWTzQrFrw4...
somedomain.eu verified!
Verifying www.somedomain.net...
Wrote file to /home/user/public_html/.well-known/acme-challenge/ok3EHjD7qjsSXLe-FP8UsPaabULgY15NJ9E1voDtuCg, but couldn't download http://www.somedomain.net/.well-known/acme-challenge/ok3EHjD7qjsSXLe-FP8...
www.somedomain.net verified!
Verifying somedomain.ie...
Wrote file to /home/user/public_html/.well-known/acme-challenge/Xxm78_e6Q9l1Ntm7TjyE-n1KSv-uU5pKcyTZ83etXvs, but couldn't download http://somedomain.ie/.well-known/acme-challenge/Xxm78_e6Q9l1Ntm7TjyE-n1K...
somedomain.ie verified!
Verifying somedomain.co.uk...
Wrote file to /home/user/public_html/.well-known/acme-challenge/yhNSVvMm_PciP_YfKEpSAYMRAenInJUGcgoQV1MZZaw, but couldn't download http://somedomain.co.uk/.well-known/acme-challenge/yhNSVvMm_PciP_YfKEpSA...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 202, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 153, in get_crt
    domain, challenge_status))
ValueError: somedomain.co.uk challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://somedomain.co.uk/.well-known/acme-challenge/yhNSVvMm_PciP_YfKEpSA...', u'hostname': u'somedomain.co.uk', u'addressUsed': u'1.2.3.4', u'port': u'80', u'addressesResolved': [u'1.2.3.4']}], u'keyAuthorization': u'yhNSVvMm_PciP_YfKEpSAYMRAenInJUGcgoQV1MZZaw.rtjtd1CAoe5uFnlJeAx873c1hGRwqGxhSHlw3pWwCT8', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/STyfB15eP1f_DdVHYvfe...', u'token': u'yhNSVvMm_PciP_YfKEpSAYMRAenInJUGcgoQV1MZZaw', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://somedomain.co.uk/.well-known/acme-challenge/yhNSVvMm_PciP_YfKEpSA... "\n\n403 Forbidden\n\nForbidden\n<p"'}, u'type': u'http-01'}

Thanks, Patrick

Status: Closed (fixed)

Comments

This may be a umask problem - the default permissions on the validation files are determined by Webmin's umask, which is probably too strict.

If you go to Webmin -> Webmin Configuration -> Advanced Options, what is the "Umask (unset permission bits) for created files" set to?

Any more ideas on this???

Do you have the Let's Encrypt-supplied client program installed?

No, nothing other than virtualmin installed.

Can I login to your system to take a look at this? Because I haven't been able to reproduce it on our test systems.

Yep, that would be great thanks. How do you want to do this?

Sent you logon details last week Jamie. Any word?

What address did you send the email from?

Thanks ... looking now.

Ok, I found the bug - for some reason, the default perms on your system for new files was too strict.

I have patched this in your Webmin install, and future installs will include the fix. I also successfully requested a cert for your one domain with SSL enabled.

Status: Active » Fixed

Hello,

I solved it: there was a file permission problem. But also a directive in my nginx conf that gives a 404 for /.well-known/acme-challenge/... URLs when updating the certificate.

Thanks,

Eric

Hi Jamie, could you please share the fix/patch that you applied in comment #14? I have the same issue on several domains: the challenge file is created with owner root and permissions '-rw-------' instead of owner root:root and permissions '-rw-r--r--' (which is what another domain on the same server, where Let's Encrypt is working, gets).

Actually, the right permissions would be '-rw-r-----' with proper owner and group corresponding to the public_html folder (and webserver uid/gid for domain).

It's urgent for me, current ssl certs expiring tonight...

Ah, I see the fix in Webmin 1.830 !

It's the added line:

        os.chmod(wellknown_path, 0777)

in file

/usr/share/webmin/webmin/acme_tiny.py

I just succeeded with the same self-designed fix, but I used 0644 instead as a safer permission.

Yes, this fix is included in the 1.830 release of Webmin.
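The thread turns on two points: Jamie's note that the token file's mode is whatever the process umask leaves of 0666, and the follow-up that the shipped fix uses 0777 where 0644 (plus a traversable directory) is all the validator needs. The following Python script is an added example written for this page, not code from Webmin's acme_tiny.py or from the Let's Encrypt client. It writes an http-01 token the naive way and then with an explicit mode that ignores umask, and checks which one a web server running under another uid could actually serve. The function names, the 0644/0755 constants and the token/key-authorization strings are this example's own choices (the ACME values are constructed, not real).

```python
import os
import stat
import tempfile

# Permission bits the http-01 check effectively needs: the web server worker
# (usually a different uid than the process that writes the token) must be
# able to read the file and traverse the .well-known/acme-challenge directory.
# 0777 would also work, but nothing needs write access for anyone but the owner.
CHALLENGE_FILE_MODE = 0o644
CHALLENGE_DIR_MODE = 0o755


def write_challenge_naive(acme_dir, token, key_authorization):
    """Write the token the way a plain open() does. The mode is 0o666 masked
    by the process umask, so a umask of 0o077 leaves 0o600 and a 403/404."""
    path = os.path.join(acme_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization)
    return path


def write_challenge(acme_dir, token, key_authorization,
                    file_mode=CHALLENGE_FILE_MODE, dir_mode=CHALLENGE_DIR_MODE):
    """Write the http-01 token with an explicit mode, independent of umask.

    The mode passed to os.open() is itself masked by umask, so the file is
    created first and then fchmod()ed to the exact bits wanted. The directory
    gets the same treatment: a 0o700 acme-challenge directory blocks the web
    server just as effectively as a 0o600 file does.
    """
    os.makedirs(acme_dir, exist_ok=True)
    os.chmod(acme_dir, dir_mode)
    path = os.path.join(acme_dir, token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, file_mode)
    try:
        os.fchmod(fd, file_mode)
        os.write(fd, key_authorization.encode("ascii"))
    finally:
        os.close(fd)
    return path


def mode_bits(path):
    """Permission bits of path (file-type bits stripped), e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path):
    """True if a process with a different uid and gid can read the file, which
    is the check the validator's HTTP fetch performs implicitly."""
    return bool(mode_bits(path) & stat.S_IROTH)


def demo(umask=0o077):
    """Create both variants under a strict umask (the situation in the thread)
    and return what came out, so the result can be inspected programmatically."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            acme_dir = os.path.join(tmp, ".well-known", "acme-challenge")
            os.makedirs(acme_dir)  # created 0o700 under this umask
            # Constructed token and key authorization, not real ACME values.
            token = "exampletoken"
            keyauth = token + ".examplethumbprint"
            naive = write_challenge_naive(acme_dir, token + "-naive", keyauth)
            fixed = write_challenge(acme_dir, token, keyauth)
            return {
                "naive_mode": mode_bits(naive),
                "naive_readable": readable_by_others(naive),
                "fixed_mode": mode_bits(fixed),
                "fixed_readable": readable_by_others(fixed),
                "dir_mode": mode_bits(acme_dir),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if type(value) is int else value)
```

Run it as any user: under umask 077 the naive file comes out 0600 and is unreadable to the web server, while the explicit version is 0644 in a 0755 directory. The same bit check (`mode & S_IROTH`, plus ownership when the web server runs as a dedicated uid, as the 0640-with-correct-group suggestion in the thread relies on) is a quick thing to run against a token that Let's Encrypt reports as 403 before looking at web server configuration.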

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.