Author Topic: acme.sh fails to renew domain certs due to 404 error - file does not exist  (Read 980 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
So I have found an issue since the last few days as well. I believe it is related to this issue at the following link: https://forum.centos-webpanel.com/index.php?topic=13474.0. This is NOT a DNS problem, that is incorrectly reported by acme.sh. The challenge file that is placed in:
Code: [Select]
/usr/local/apache/autossl_tmp/.well-known/acme-challengeis not the same as what Letsencrypt is looking for resulting in a 404 error. That's why it's reporting a connection/DNS issue. I'm using Nginx->varnish->Apache setup. Not sure what happened but it looks like the file names are not being generated properly.

Example:
Letsencrypt is looking for the challenge in:
Code: [Select]
https://showme.laptop-pitstop.net/.well-known/acme-challenge/aedMkvm4D2h7A9T0MkGBsdTZya_IGEsu3uV7wjMB6H4
when it should be looking for the challenge in:
Code: [Select]
https://showme.laptop-pitstop.net/.well-known/acme-challenge/<actual file name for challenge>
If they wanted it fixed...then you wouldn't have to fight so hard for them to fix it. Money is made on problems.....problems that you pay them to fix....but they created themselves. Why should you pay CWP to fix their own software? Is that their business model?

Offline
*****
If you are 301 redirecting http traffic to https, then LetsEncrypt will not validate the challenge file. You need to temporarily allow the http traffic in without encryption to validate the .well-known acme challenge. Then you can put back in place the http -> https redirect.

Offline
*
I'm already aware of this...the links I provided were just directly from my browser and still showed the 404 error. The 301 redirects must also be in the vhost file for the domain in nginx for an issue to happen. The problem is the FILE that is requested does not exist. The file must exist for the challenge to succeed. The issue is A file is created but with the wrong filename to complete the challenge.
If they wanted it fixed...then you wouldn't have to fight so hard for them to fix it. Money is made on problems.....problems that you pay them to fix....but they created themselves. Why should you pay CWP to fix their own software? Is that their business model?

Offline
*****
If you use Cloudflare, you can authenticate via DNS challenge with an API key/token. That's what I do.

Offline
*
How would you configure that in CWP?
If they wanted it fixed...then you wouldn't have to fight so hard for them to fix it. Money is made on problems.....problems that you pay them to fix....but they created themselves. Why should you pay CWP to fix their own software? Is that their business model?

Offline
*****
Actually, it's on another server that uses certbot instead of acme.sh, so you would have to either switch to cerbot as your ACME client or adapt it over to acme.sh. Here's a snippet from a domain.conf to give you an idea:

Code: [Select]
# Options used in the renewal process
[renewalparams]
authenticator = dns-cloudflare
account = aedMkvm4D2h7A9T0MkGBsdTZ
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_propagation_seconds = 60
dns_cloudflare_credentials = /path/to/conf/credentials.key

Offline
*
I think this is closer to being the actual issue. I'm also seeing the ECC issues in the webserver and and challenge file ending with dkey.

https://github.com/acmesh-official/acme.sh/issues/5044
If they wanted it fixed...then you wouldn't have to fight so hard for them to fix it. Money is made on problems.....problems that you pay them to fix....but they created themselves. Why should you pay CWP to fix their own software? Is that their business model?