
Issues with Let's Encrypt #4

Closed
tremby opened this issue May 6, 2016 · 8 comments

@tremby

commented May 6, 2016

I've found that when Let's Encrypt is enabled in Trellis as well as bedrock-site-protect, getting an SSL certificate fails since Let's Encrypt fails the authentication challenge when trying to validate the domain's ownership.

See the latter half of https://discourse.roots.io/t/letsencrypt-acme-challenge-error/6295/9 for where I raised the issue with Trellis before realizing it was to do with auth.

Perhaps an exception can be made, in order to not require auth on the Let's Encrypt routes? It seems that that route is /.well-known/acme-challenge.

See also certbot/certbot#1744

@louim

Owner

commented May 6, 2016

Hey, thanks for bringing this up! I'm not currently set up with Let's Encrypt because I don't have a domain to test, but I think I know how to fix your issue.

Are you comfortable with SSH'ing to your live server which is running Let's Encrypt and trying something for me?

If so: while the Htpasswd is enabled

SSH to your server.

cd /etc/nginx/sites-available/

Inside that folder there should be a file named letsencrypt-yoursitename.conf
Edit it (sudo nano filename)

server {
  listen 80;
  server_name something something;
  auth_basic off; # add this line!
  include acme-challenge-location.conf;
}

Reload Nginx: sudo service nginx reload

Check that you can access the path of the challenge file from your web browser. The ping.txt should already exist: yourdomain.com/.well-known/acme-challenge/ping.txt

Let me know if it works or if you're encountering problems. If it works I'll know how to fix it permanently. All this is speculation from reading the Let's Encrypt code, so your input is appreciated.

@tremby

Author

commented May 6, 2016

Here's something weird.

With Htpasswd enabled, I can actually already get a 200 on that ping.txt file without sending auth via HTTP, but I get a 401 when trying to get it via HTTPS.

It's no different after adding the auth_basic off; line and restarting nginx.

In case it helps, the full conf file looks like this:

server {
  listen 443 ssl http2;

  server_name staging.PRIMARY.DOMAIN staging.SECONDARY.DOMAIN;
  access_log /srv/www/PRIMARY.DOMAIN/logs/access.log;
  error_log /srv/www/PRIMARY.DOMAIN/logs/error.log;

  root /srv/www/PRIMARY.DOMAIN/current/web;
  index index.php index.htm index.html;
  auth_basic 'Restricted';
  auth_basic_user_file /etc/htpasswd/PRIMARY.DOMAIN;

  charset utf-8;

  add_header Fastcgi-Cache $upstream_cache_status;

  include h5bp/directive-only/ssl.conf;
  include h5bp/directive-only/ssl-stapling.conf;

  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

  ssl_certificate /etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert;
  ssl_certificate_key /etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN.key;

  include includes.d/PRIMARY.DOMAIN/*.conf;
  include wordpress.conf;

  location ~ \.php$ {
    try_files $uri =404;
    error_page 404 /index.php;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
    fastcgi_pass unix:/var/run/php-fpm-wordpress.sock;
  }
}

server {
  listen 80;

  server_name staging.PRIMARY.DOMAIN staging.SECONDARY.DOMAIN;

  auth_basic off; # this is the line I added
  include acme-challenge-location.conf;

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl http2;

  include h5bp/directive-only/ssl.conf;
  include h5bp/directive-only/ssl-stapling.conf;

  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

  ssl_certificate /etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert;
  ssl_certificate_key /etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN.key;
  server_name staging.PRIMARY.DOMAIN;

  return 301 $scheme://staging.PRIMARY.DOMAIN$request_uri;
}

server {
  listen 443 ssl http2;

  include h5bp/directive-only/ssl.conf;
  include h5bp/directive-only/ssl-stapling.conf;

  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

  ssl_certificate /etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert;
  ssl_certificate_key /etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN.key;
  server_name staging.SECONDARY.DOMAIN;

  return 301 $scheme://staging.SECONDARY.DOMAIN$request_uri;
}
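An added check, not code from this thread or from the bedrock-site-protect role: a small Python script that parses an nginx config shaped like the one posted above and reports, per listen port, whether a request for the ACME challenge path would be asked for credentials, since nginx inherits a server-level auth_basic into every location that does not override it. The sample config, its paths and the staging.example.test name are constructed; the hardened variant shows the TLS server with its own exemption for the challenge path.

```python
import re

# Constructed sample modelled on the thread's config: whole TLS site behind basic auth,
# while the port-80 server has the thread's "auth_basic off" plus the ACME location.
UNEXEMPTED = """
server {
  listen 443 ssl http2; server_name staging.example.test;
  auth_basic 'Restricted'; auth_basic_user_file /etc/htpasswd/example;
}
server {
  listen 80; server_name staging.example.test; auth_basic off;
  location ^~ /.well-known/acme-challenge/ { root /var/lib/letsencrypt/; }
  location / { return 301 https://$host$request_uri; }
}
"""
# Hardened variant: the TLS server gets its own exemption for the challenge path.
HARDENED = UNEXEMPTED.replace("auth_basic 'Restricted';",
    "auth_basic 'Restricted';\n  location ^~ /.well-known/acme-challenge/ "
    "{ auth_basic off; root /var/lib/letsencrypt/; }")
ACME = "/.well-known/acme-challenge/"

def parse(text):
    """Tiny nginx-config parser: nested (name, args, children) tuples; children is None for directives."""
    stack, cur = [[]], []  # stack[0] is the top level, deeper entries are open blocks
    for t in re.findall(r"[{};]|[^\s{};]+", text):  # braces, semicolons, bare words
        if t == ";":
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        elif t == "{":
            kids = []
            stack[-1].append((cur[0], cur[1:], kids)); stack.append(kids); cur = []
        elif t == "}":
            stack.pop()
        else:
            cur.append(t)
    return stack[0]

def acme_auth_status(text):
    """Map listen port -> True if the ACME challenge path would demand credentials. Server-level
    auth_basic is inherited by every location that does not override it; regex locations skipped."""
    status = {}
    for _, _, kids in (s for s in parse(text) if s[0] == "server"):
        port = next(a[0] for n, a, _ in kids if n == "listen")
        server_auth = next((a[0] for n, a, _ in kids if n == "auth_basic"), "off")
        best, auth = "", server_auth  # longest matching prefix location wins
        for _, a, loc in (k for k in kids if k[0] == "location"):
            mod, path = a if len(a) == 2 else ("", a[0])
            if mod in ("", "^~") and ACME.startswith(path) and len(path) > len(best):
                best, auth = path, next((x[0] for m, x, _ in loc if m == "auth_basic"), server_auth)
        status[port] = auth != "off"
    return status
```

Run against the two samples it reports the 443 server as protected for the unexempted config and as open for the hardened one, which is what the 401-over-HTTPS observation above corresponds to.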
@louim

Owner

commented May 6, 2016

I'm pretty sure that it's the correct behaviour. The Let's Encrypt challenge server is supposed to be accessed on port 80 only (the challenge is HTTP only). Since the website itself and the LE server block are totally separated, this playbook should not affect the way the LE challenge is resolved. I'm gonna have to investigate more, but I think the error may not be related to the basic auth.

Can you try renewing the certificates manually when the htpasswd is enabled?

cd /var/lib/letsencrypt && sudo ./renew-certs.py
@tremby

Author

commented May 6, 2016

I had to disable the bit of code which aborts if the cert is less than 60 days old, but once I did that the script exited with a success code.

So do you think the issue is with Trellis after all?

@louim

Owner

commented May 6, 2016

It may be from some kind of race condition. The error in the log you posted shows a missing bundle certificate; if the activation with Let's Encrypt had failed, I think it would have aborted before that.

Did you try it multiple times and get the same error? Also it would be interesting to try to reproduce from scratch.

@tremby

Author

commented May 6, 2016

Yes, I did try a lot of times. I'll comment further in the other thread.

@alexandcote

Contributor

commented Sep 15, 2016

@louim I think we can close this issue

@louim

Owner

commented Sep 26, 2016

Closing as I think it's not related to this role. Feel free to reopen with details if you still see the problem.

@louim louim closed this Sep 26, 2016
