I recently purchased the pro version and installed it on a fresh server. I am attempting to set up a fresh copy using one of my domains from my old virtualmin. So I set the DNS to point to the new server and set it up, now I am trying to use the letsencrypt interface to create new keys to secure the site and web interface but keep getting the following:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying tsaust.in...
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in <module>
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 128, in get_crt
wellknown_path, wellknown_url))
ValueError: Wrote file to /home/tsaustin/public_html/.well-known/acme-challenge/fkZIlj4bYjD3Q4YR3HH7fpFlY7WWdxnmmQucJFT_k-M, but couldn't download http://tsaust.in/.well-known/acme-challenge/fkZIlj4bYjD3Q4YR3HH7fpFlY7WW...
Looking at previous threads I've tried everything:
I've verified the directory is working as expected by echoing an index.html
http://tsaust.in/.well-known/acme-challenge/
I've verified my hostname is correct and that both www and without load fine. I have both hostnames in my virtualhost (automatically set correctly)
SuexecUserGroup "#500" "#500"
ServerName tsaust.in
ServerAlias www.tsaust.in
I've added this to hosts:
138.68.10.126 tsaust.in
138.68.10.126 www.tsaust.in
Yet the error persists, any ideas?
Comments
Submitted by andreychek on Fri, 07/22/2016 - 22:43 Comment #1
Howdy -- hmm, that is indeed odd. I know you've tested some of this already, but just out of curiosity, what is the output of this command:
ls -la /home/tsaustin/public_html/.well-known/acme-challenge/
Jamie may have some additional thoughts as well.
Submitted by netburnr on Sat, 07/23/2016 - 11:16 Comment #2
[root@tsaust ~]# ls -la /home/tsaustin/public_html/.well-known/acme-challenge/
total 12
drwxr-xr-x 2 tsaustin tsaustin 4096 Jul 23 00:56 .
drwxr-xr-x 3 tsaustin tsaustin 4096 Jul 23 00:40 ..
-rw-rw-r-- 1 tsaustin tsaustin 5 Jul 23 00:56 index.html
Submitted by netburnr on Sat, 07/23/2016 - 14:46 Comment #3
Don't know if this helps, but domains transferred already set up with Let's Encrypt moved over just fine, and domains moved over and then set up with Let's Encrypt for the first time worked as well. Only the server domain and initial domain setup of tsaust.in won't work.
Submitted by andreychek on Sat, 07/23/2016 - 15:02 Comment #4
That is indeed very odd! We might need to take a closer look at this one to figure out what's going on, but just to verify -- do you see this issue when trying it again? That is, have you verified that it's not just a one-time issue?
Submitted by JamieCameron on Sat, 07/23/2016 - 15:38 Comment #5
Another thing to check is if your server is behind some kind of NAT device that would prevent it from accessing its own domain names.
For example, if you run
curl http://tsaust.in/
on your Virtualmin server, does it output the correct HTML for that domain's website?
Submitted by netburnr on Sat, 07/23/2016 - 16:48 Comment #6
Server is digital ocean, no firewalls
Site loads fine from the host server and another server using curl, including the test index file I generated in the lets encrypt directory
Example from outside server
[root@netburnr public_html]# curl http://tsaust.in/.well-known/acme-challenge/index.html
test
Submitted by netburnr on Sat, 07/23/2016 - 16:52 Comment #7
Per your request I tried again, here is the full output:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying tsaust.in...
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in <module>
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 128, in get_crt
wellknown_path, wellknown_url))
ValueError: Wrote file to /home/tsaustin/public_html/.well-known/acme-challenge/_XtMzIzYk_6_dAMdlH-2hDkqqHapumelrPk61PalVLU, but couldn't download http://tsaust.in/.well-known/acme-challenge/_XtMzIzYk_6_dAMdlH-2hDkqqHapumelrPk61PalVLU
Submitted by JamieCameron on Sat, 07/23/2016 - 20:25 Comment #8
Do you have any redirects or .htaccess files setup that could be blocking access to that directory?
One simple test is to create a file called test.txt in /home/tsaustin/public_html/.well-known/acme-challenge/, and then try to access the URL http://tsaust.in/.well-known/acme-challenge/test.txt
Submitted by netburnr on Sat, 07/23/2016 - 23:05 Comment #9
You pointed me in the right direction
local server curl doesn't see the test file
[root@tsaust ~]# curl tsaust.in/.well-known/acme-challenge/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /.well-known/acme-challenge/index.html was not found on this server.</p>
</body></html>
and from another server it works
[root@netburnr public_html]# curl tsaust.in/.well-known/acme-challenge/
test
Found that if I switch the apache document root to the homedir of the website I was trying to create the certificate on, it worked properly
/etc/httpd/conf/httpd.conf changed
DocumentRoot "/var/www/html/"
to
DocumentRoot "/home/tsaustin/public_html/"
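The failure found in comment #9, where the challenge file is written to one directory while the web server answers the local request from another, reproduced as an added example (not code from acme_tiny.py, Webmin or any poster in this thread). `self_check`, `serve` and `demo` are hypothetical names, and the two temporary directories with localhost servers are constructed stand-ins for the domain's public_html and the default DocumentRoot.

```python
import functools, http.server, pathlib, secrets, tempfile, threading
import urllib.error, urllib.request

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

def serve(docroot):
    """Start a throwaway HTTP server on a free local port serving docroot."""
    handler = functools.partial(QuietHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def self_check(webroot, base_url, timeout=5):
    """Write a random probe under webroot, fetch it via base_url: (ok, detail)."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(16)
    probe = pathlib.Path(webroot, ".well-known", "acme-challenge", token)
    probe.parent.mkdir(parents=True, exist_ok=True)
    probe.write_text(body)
    url = "%s/.well-known/acme-challenge/%s" % (base_url.rstrip("/"), token)
    # Ignore proxy environment variables so the request goes straight to the host.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            got = resp.read().decode()
        return (got == body, "ok" if got == body else "content mismatch")
    except urllib.error.HTTPError as exc:  # e.g. 404 when another docroot answers
        return (False, "HTTP %d" % exc.code)
    except (urllib.error.URLError, OSError) as exc:
        return (False, "unreachable: %s" % exc)
    finally:
        probe.unlink()  # never leave probe files behind

def demo():
    """Constructed scenario: probe in the domain docroot, default docroot answers."""
    with tempfile.TemporaryDirectory() as domain_root, \
            tempfile.TemporaryDirectory() as default_root:
        default_srv, default_url = serve(default_root)
        domain_srv, domain_url = serve(domain_root)
        try:
            return (self_check(domain_root, default_url),
                    self_check(domain_root, domain_url))
        finally:
            for srv in (default_srv, domain_srv):
                srv.shutdown()
                srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Run on the server itself with the domain's document root and its `http://` URL, an `HTTP 404` result while an outside fetch succeeds indicates that a different virtual host or DocumentRoot is answering local requests.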
Submitted by netburnr on Sat, 07/23/2016 - 23:12 Comment #10
Also have to adjust the certs to point to the new ones created and restart apache
/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /home/tsaustin/ssl.cert
SSLCertificateKeyFile /home/tsaustin/ssl.key
SSLCACertificateFile /home/tsaustin/ssl.ca
service httpd restart
Submitted by andreychek on Sun, 07/24/2016 - 10:10 Comment #11
I'm glad to hear you got it working!
Is your server by chance running behind a NAT router? That is, does your server have an internal IP address?
Submitted by netburnr on Tue, 07/26/2016 - 17:01 Comment #12
Nope, they are digital ocean hosts on the internet using real IPs