Koozali.org: home of the SME Server

let's encrypt question

JRBATM20192021
Re: let's encrypt question
« Reply #60 on: January 19, 2023, 10:13:12 AM »
Here are these two
[root@www ~]# ll -d /home/e-smith/files/ibays/Primary/html/.well-known
drwxrwsr-x 3 apache shared 28 Oct 14  2021 /home/e-smith/files/ibays/Primary/html/.well-known
[root@www ~]#


[root@www ~]# ll -d /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
drwxrwsr-x 2 apache shared 6 Jan 19 02:08 /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
[root@www ~]#

Let me know what else you need because I can likely provide it.

bunkobugsy
Re: let's encrypt question
« Reply #61 on: January 19, 2023, 12:16:08 PM »
http://www.brendasgetzlaw.com and http://brendasgetzlaw.com both give 403 Forbidden
You don't have permission to access brendasgetzlaw.com on this server.

Any relevant error in httpd/error_log or is there something you customized?

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: let's encrypt question
« Reply #62 on: January 19, 2023, 01:24:10 PM »
start by updating your server, which has had a lot of issues fixed in the last 2 years, as you never updated it.
Quote
anaconda/10.0


do
Code:
yum update --enablerepo=smecontribs

JRBATM20192021
Re: let's encrypt question
« Reply #63 on: January 20, 2023, 02:08:10 AM »
Okay I will get that done.

JRBATM20192021
Re: let's encrypt question
« Reply #64 on: January 20, 2023, 07:27:24 AM »
Okay update is now complete and access to the second domain has been restored.

bunkobugsy
Re: let's encrypt question
« Reply #65 on: January 20, 2023, 08:38:27 AM »
please show output of

rpm -q smeserver-letsencrypt

and

dehydrated -c -x

JRBATM20192021
Re: let's encrypt question
« Reply #66 on: January 20, 2023, 08:44:23 AM »
Done.

[root@www ~]# rpm -q smeserver-letsencrypt
smeserver-letsencrypt-0.5-24.noarch
[root@www ~]#

[root@www ~]# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
+ Fetching account URL...
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com mail.kspk.com www.kspk.com
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: kspk.com mail.kspk.com www.kspk.com
 + Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Apr 19 02:58:53 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 5 authorizations URLs from the CA
 + Handling authorization for kspk.com
 + Handling authorization for mail.kspk.com
 + Handling authorization for www.kspk.com
 + Handling authorization for brendasgetzlaw.com
 + Handling authorization for www.brendasgetzlaw.com
 + 5 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for kspk.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.kspk.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.kspk.com authorization...
 + Challenge is valid!
 + Responding to challenge for brendasgetzlaw.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "Public IP: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc: 403"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Public IP: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc: 403","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/196457154087/29hvzQ"
["token"]       "k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc"
["validationRecord",0,"url"]    "http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc"
["validationRecord",0,"hostname"]       "brendasgetzlaw.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "Public IP"
["validationRecord",0,"addressesResolved"]      ["Public IP"]
["validationRecord",0,"addressUsed"]    "Public IP"
["validationRecord",0]  {"url":"http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc","hostname":"brendasgetzlaw.com","port":"80","addressesResolved":["public IP"],"addressUsed":"public IP"}
["validationRecord"]    [{"url":"http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc","hostname":"brendasgetzlaw.com","port":"80","addressesResolved":["public IP"],"addressUsed":"public IP"}]
["validated"]   "2023-01-20T07:41:10Z")
[root@www ~]#
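The `dehydrated -c -x` run above ends in a key/value dump of the ACME challenge result. The following is an added example (not part of the thread, and not code from dehydrated or smeserver-letsencrypt) that parses that dump into a dictionary keyed by JSON path and maps the ACME error type plus HTTP status to the most likely server-side cause. It goes a little beyond this post by also recognising the 404, `connection` and `dns` error cases, which are not on this page; the mapping of those to causes is the example's own assumption. The sample input is copied from the output above, trimmed.

```python
"""Parse dehydrated's challenge-result dump and give a short diagnosis.

Added example; not code from dehydrated, SME Server or the thread.
"""
import json
import re

# One dump line looks like:   ["error","detail"]      "Public IP: ..."
# i.e. a JSON array giving the path, whitespace, then a JSON value.
_LINE = re.compile(r'^\s*(\[[^\]]*\])\s+(.*)$')


def parse_dehydrated_result(text):
    """Return {path_tuple: value} for every path/value line in the dump.

    The 'ERROR: Challenge is invalid! ... (result: ' prefix and the
    closing ')' that dehydrated wraps around the dump are stripped first.
    """
    start = text.find('(result: ')
    if start != -1:
        text = text[start + len('(result: '):]
    text = text.rstrip()
    if text.endswith(')'):
        text = text[:-1]
    result = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        try:
            path = tuple(json.loads(m.group(1)))
            value = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # skip any line that is not a clean path/value pair
        result[path] = value
    return result


def diagnose(result):
    """Map the parsed result to the most likely cause (assumed mapping)."""
    err_type = result.get(('error', 'type'), '')
    status = result.get(('error', 'status'))
    host = result.get(('validationRecord', 0, 'hostname'), '?')
    url = result.get(('validationRecord', 0, 'url'), '?')
    if result.get(('status',)) == 'valid':
        return f'{host}: challenge valid'
    if err_type.endswith(':unauthorized') and status == 403:
        return (f'{host}: web server returned 403 for {url}; the challenge '
                'directory is reachable but access is denied (ownership/mode, '
                '.htaccess or vhost configuration on the server)')
    if err_type.endswith(':unauthorized') and status == 404:
        return (f'{host}: 404 for {url}; the token was not deployed into the '
                'document root this vhost actually serves')
    if err_type.endswith(':connection'):
        return f'{host}: CA could not connect to port 80 (DNS, firewall or NAT)'
    if err_type.endswith(':dns'):
        return f'{host}: DNS lookup failed at the CA'
    return f'{host}: {err_type or "unknown error"} (HTTP {status})'


# Trimmed copy of the failing block from the dehydrated output in the post.
SAMPLE = '''ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "Public IP: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc: 403"
["error","status"]      403
["validationRecord",0,"url"]    "http://brendasgetzlaw.com/.well-known/acme-challenge/k23xi2XOM4SXPfrYfnGT1oIEu1_uoYoJiAPQ-nnAqWc"
["validationRecord",0,"hostname"]       "brendasgetzlaw.com"
["validationRecord",0,"port"]   "80"
["validated"]   "2023-01-20T07:41:10Z")'''

if __name__ == '__main__':
    parsed = parse_dehydrated_result(SAMPLE)
    print(diagnose(parsed))
```

Piping the saved output of `dehydrated -c -x` into `parse_dehydrated_result` gives the same dictionary; only the lines after `(result:` are examined, so the progress lines before it are ignored.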


bunkobugsy
Re: let's encrypt question
« Reply #67 on: January 20, 2023, 11:35:21 AM »
2/ regarding your issue with http://www.brendasgetzlaw.com, you will have the same with http://brendasgetzlaw.com
"status": 403 means your server refuses access to read the validation file/folder

if you try to access https://www.kspk.com/.well-known/ you will be able to see the content of the directory;
on the opposite, at http://www.brendasgetzlaw.com/.well-known/ you hit a 403 error.
And if you try to access a non-existing file you will get:
www.kspk.com : Not Found The requested URL /.well-known/acme-challenge/jpp
www.brendasgetzlaw.com : Forbidden You don't have permission to access /.well-known/acme-challenge/jpp on this server.

those behaviours are because of some modifications you did on your server.

both behaviours are not expected on a standard SME Server: you should not be able to browse the content of the folder (i.e. list the content of the folder) for security reasons, as you are able to in https://www.kspk.com/.well-known/ (you should indeed get a 403), but you should be able to read the content of a file whose path you know, or get a 404 Not Found if the file does not exist (and not a 403).

So when Let's Encrypt tries to validate the token it cannot get to it because something has been modified, and this is probably one of those:
- chown / chmod of the folder /home/e-smith/files/ibays/Primary/html/.well-known/ (or below)
- a .htaccess in /home/e-smith/files/ibays/Primary/html/ or in the ibay of brendasgetzlaw.com preventing access to .well-known/ and subfolders
- a custom template hiding the fragments intended to allow access to .well-known/ from any virtualhost ibay or any virtualhost related to a webapp installed with a contrib.
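The post above gives three expectations for a correctly configured host: a request for the `.well-known/` directory itself should be refused (403), a token file you have placed in `acme-challenge/` yourself should be readable (200), and an unknown file should give 404, not 403. The following is an added example, not code from SME Server, dehydrated or the thread, that runs those three probes against one of your own virtual hosts and reports which expectation fails. The probe names, the `known_token` argument (a file name you create in `acme-challenge/` before running it) and the wording of the findings are the example's own assumptions.

```python
"""Probe a vhost's /.well-known/ path the way the post above describes.

Added example; not SME Server or dehydrated code. Run it against a host
you administer, after placing a test file in .well-known/acme-challenge/.
"""
import urllib.error
import urllib.request

# Expected HTTP status for each probe on a correctly configured host.
EXPECTED = {
    'listing': {403},       # no directory index on .well-known/
    'known_file': {200},    # a token the server has deployed is readable
    'missing_file': {404},  # an unknown token is Not Found, not Forbidden
}


def evaluate(observed):
    """observed maps probe name -> HTTP status (None = no HTTP reply).

    Returns a list of findings; an empty list means all probes matched.
    """
    findings = []
    for probe, want in EXPECTED.items():
        got = observed.get(probe)
        if got in want:
            continue
        if probe == 'listing' and got == 200:
            findings.append('directory listing of .well-known/ is exposed; '
                            'disable Indexes for that path')
        elif probe in ('known_file', 'missing_file') and got == 403:
            findings.append(f'{probe}: 403 Forbidden; the web server denies '
                            'access to acme-challenge/ (check ownership/mode, '
                            '.htaccess, vhost template fragments)')
        elif probe == 'known_file' and got == 404:
            findings.append('known_file: 404; the token is not served from '
                            "this vhost's document root")
        elif got is None:
            findings.append(f'{probe}: no HTTP response (DNS, firewall or '
                            'port 80 not reachable)')
        else:
            findings.append(f'{probe}: got HTTP {got}, expected {sorted(want)}')
    return findings


def http_status(url, timeout=10):
    """Return the HTTP status of a GET on url, or None if no HTTP reply."""
    req = urllib.request.Request(url, method='GET')
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:   # 403/404 etc. arrive as exceptions
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def probe_host(host, known_token):
    """Run the three probes over plain HTTP, which is what the CA uses."""
    base = f'http://{host}/.well-known/acme-challenge/'
    observed = {
        'listing': http_status(f'http://{host}/.well-known/'),
        'known_file': http_status(base + known_token),
        'missing_file': http_status(base + 'does-not-exist'),
    }
    return observed, evaluate(observed)


if __name__ == '__main__':
    import sys
    observed, findings = probe_host(sys.argv[1], sys.argv[2])
    print(observed)
    for line in findings or ['all probes as expected']:
        print(' -', line)
```

Usage: `python3 probe.py www.example.org mytestfile`. The two hosts in the post map onto two distinct findings: a listing that returns 200 flags the exposed index, and 403 on both file probes flags the access denial that breaks the HTTP-01 validation.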

JRBATM20192021
Re: let's encrypt question
« Reply #68 on: January 20, 2023, 12:34:17 PM »
Okay, the problem makes sense. However, I don't know how to fix that. Since these folders are read only, I don't know what I did to change that, unless when I had the Let's Encrypt SSL renewal errors in late 2021, that's when things went haywire; I don't know. Like I have said, I am still green. I don't understand what might be turned off here with the acme-challenge???

JRBATM20192021
Re: let's encrypt question
« Reply #69 on: January 20, 2023, 12:52:20 PM »
Okay, you guys need an emoji on here for eating crow, because it's my turn to eat that.
I have a Security Certificate now; feel free to see for yourselves. Two settings for the I-bay, Execution of Dynamic Content and Force Secure Connections, were set to Disabled. NEVER thought in a million years that would be the issue at play here.
Thank you ALL for your help. Yes, I feel Capitals were warranted here :) Now let's talk hypothetically: if I were to add a 3rd domain, will the Let's Encrypt certificate support that?? I remember something about 5 domains somewhere......

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: let's encrypt question
« Reply #70 on: January 20, 2023, 12:55:28 PM »
please give output of

Code:
db accounts show Primary

and also for the ibay name where the law site is.

JRBATM20192021
Re: let's encrypt question
« Reply #71 on: January 21, 2023, 03:10:07 AM »
Done

[root@www ~]# db accounts show Primary
Primary=ibay
    CgiBin=enabled
    Group=shared
    Modifiable=no
    Name=Primary i-bay
    PasswordSet=no
    Passwordable=no
    PublicAccess=global
    Removable=no
    SSLRequireSSL=enabled
    UserAccess=wr-admin-rd-group
[root@www ~]#

[root@www ~]# db accounts show bsg
bsglawoffice=ibay
    CgiBin=enabled
    Gid=5021
    Group=shared
    Name=bsg
    PasswordSet=no
    PublicAccess=global
    SSLRequireSSL=enabled
    Uid=5021
    UserAccess=wr-group-rd-group
[root@www ~]#