Control Web Panel

WebPanel => CentOS 7 Problems => Topic started by: LPJon on April 10, 2024, 04:27:54 PM

Title: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: LPJon on April 10, 2024, 04:27:54 PM

So I have found an issue since the last few days as well. I believe it is related to this issue at the following link: https://forum.centos-webpanel.com/index.php?topic=13474.0 (https://forum.centos-webpanel.com/index.php?topic=13474.0). This is NOT a DNS problem, that is incorrectly reported by acme.sh. The challenge file that is placed in:

Code: [Select]

/usr/local/apache/autossl_tmp/.well-known/acme-challengeis not the same as what Letsencrypt is looking for resulting in a 404 error. That's why it's reporting a connection/DNS issue. I'm using Nginx->varnish->Apache setup. Not sure what happened but it looks like the file names are not being generated properly.

Example:
Letsencrypt is looking for the challenge in:

Code: [Select]

https://showme.laptop-pitstop.net/.well-known/acme-challenge/aedMkvm4D2h7A9T0MkGBsdTZya_IGEsu3uV7wjMB6H4
when it should be looking for the challenge in:

Code: [Select]

https://showme.laptop-pitstop.net/.well-known/acme-challenge/<actual file name for challenge>


Title: Re: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: overseer on April 10, 2024, 06:46:02 PM

If you are 301 redirecting http traffic to https, then LetsEncrypt will not validate the challenge file. You need to temporarily allow the http traffic in without encryption to validate the .well-known acme challenge. Then you can put back in place the http -> https redirect.

Title: Re: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: LPJon on April 10, 2024, 07:47:12 PM

I'm already aware of this...the links I provided were just directly from my browser and still showed the 404 error. The 301 redirects must also be in the vhost file for the domain in nginx for an issue to happen. The problem is the FILE that is requested does not exist. The file must exist for the challenge to succeed. The issue is A file is created but with the wrong filename to complete the challenge.

Title: Re: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: overseer on April 10, 2024, 08:30:17 PM

If you use Cloudflare, you can authenticate via DNS challenge with an API key/token. That's what I do.

Title: Re: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: LPJon on April 10, 2024, 08:45:45 PM

How would you configure that in CWP?

Title: Re: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: overseer on April 11, 2024, 01:58:22 AM

Actually, it's on another server that uses certbot instead of acme.sh, so you would have to either switch to cerbot as your ACME client or adapt it over to acme.sh. Here's a snippet from a domain.conf to give you an idea:

Code: [Select]

# Options used in the renewal process
[renewalparams]
authenticator = dns-cloudflare
account = aedMkvm4D2h7A9T0MkGBsdTZ
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_propagation_seconds = 60
dns_cloudflare_credentials = /path/to/conf/credentials.key

Title: Re: acme.sh fails to renew domain certs due to 404 error - file does not exist
Post by: LPJon on April 12, 2024, 05:39:12 PM

I think this is closer to being the actual issue. I'm also seeing the ECC issues in the webserver and and challenge file ending with dkey.

https://github.com/acmesh-official/acme.sh/issues/5044 (https://github.com/acmesh-official/acme.sh/issues/5044)