1 (edited by pseudostem 2022-06-21 16:32:58)

Topic: Letsencrypt cannot find my .well-known

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.0 PGSQL edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable bash script
- Linux/BSD distribution name and version: OpenBSD 7.1 AMD64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

$doas certbot certonly --webroot --dry-run -w /opt/www/ -d maildotmyexampledomaindotcom
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: maildotmyexampledomaindotcom
  Type:   unauthorized
  Detail: My.IP.V4.Add: Invalid response from https://  maildotmyexampledomaindotcom/.well-known/acme-challenge/8h6_c4gDtPvseoVnX6r3nP0bCbF_v0WDdv-QWCctwug: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.


$ cat /var/www/logs/access.log
54.93.193.16 - - [21/Jun/2022:13:40:59 +0530] "GET /.well-known/acme-challenge/8h6_c4gDtPvseoVnX6r3nP0bCbF_v0WDdv-QWCctwug HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https:// wwwdotletsencryptdotorg)"
66.133.109.36 - - [21/Jun/2022:13:40:59 +0530] "GET /.well-known/acme-challenge/8h6_c4gDtPvseoVnX6r3nP0bCbF_v0WDdv-QWCctwug HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https:// wwwdotletsencryptdotorg)"

I created the directory and file /opt/www/.well-known/index.html. After creating .well-known I chowned it to iredadmin:iredadmin as well.
When I browse to myexampledomaindotcom/index.html I get relevant error log entries:
$ cat /var/www/logs/error.log
2022/06/21 13:25:30 [error] 24305#0: *1 access forbidden by rule, client: 122.200.21.226, server: _, request: "GET /.well-known/index.html HTTP/2.0", host: "maildotmyexampledomaindotcom"

However, there's no error log entry for Let's Encrypt trying to access the resource.


$cat /etc/nginx/templates/misc.tmpl
location ^~ /.well-known/acme-challenge/ {
    #alias /opt/www/.well-known/;
    allow all;
    access_log off;
    log_not_found off;
    autoindex off;
    #root /var/www/html;
}

# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }

I am totally new to nginx and have tried searching elsewhere. Please help.

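The access log above is the useful clue: the validation server got a 301, not a 404, so the challenge request was answered by a redirect before it ever reached the acme-challenge location. As an added example (not from the original post or from iRedMail), here is a small Python script that classifies nginx access and error log lines for challenge fetches and says what each status usually means. It assumes the stock "combined" access log format and the default error log format; the sample lines are constructed, modelled on the ones in this thread, with documentation addresses (192.0.2.x) and placeholder tokens.

```python
"""Classify nginx log lines for ACME HTTP-01 challenge fetches (added example, not iRedMail code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# nginx "combined" access log: ip - user [time] "METHOD path PROTO" status size "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# nginx error log: date time [level] pid#tid: *conn message, client: ip, server: name, request: "..."
ERROR_RE = re.compile(
    r'^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?), client: (?P<ip>\S+), '
    r'server: \S*, request: "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
# the open() failure carries the filesystem path nginx actually tried, which is the real diagnostic
OPEN_FAILED_RE = re.compile(r'open\(\) "(?P<fs_path>[^"]+)" failed \((?P<errno>\d+): (?P<reason>[^)]+)\)')


@dataclass(frozen=True)
class Finding:
    source: str   # "access" or "error"
    token: str    # challenge token that was requested
    verdict: str  # short verdict: ok / redirected / forbidden / not_found / other
    detail: str   # what to look at next


def _token(path: str) -> Optional[str]:
    """Return the token part of a challenge URI, or None for any other request."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    return path[len(CHALLENGE_PREFIX):].split("?", 1)[0]


def classify_access(line: str) -> Optional[Finding]:
    m = ACCESS_RE.match(line)
    if not m:
        return None
    token = _token(m["path"])
    if token is None:
        return None
    status = int(m["status"])
    if status == 200:
        verdict, detail = "ok", "challenge file was served"
    elif status in (301, 302, 307, 308):
        verdict, detail = "redirected", (
            "answered with a redirect, so a catch-all rewrite (typically http->https) runs before the "
            "acme-challenge location; the CA follows it, so the redirect target must serve the file "
            "or the challenge prefix must be excluded from the redirect")
    elif status == 403:
        verdict, detail = "forbidden", (
            "a deny rule matched, typically the hidden-file block 'location ~ /\\.' winning over "
            "the challenge location")
    elif status == 404:
        verdict, detail = "not_found", (
            "the location matched but no file exists at the path nginx resolved; compare the "
            "block's root/alias with the directory the ACME client writes into")
    else:
        verdict, detail = "other", f"unexpected status {status}"
    return Finding("access", token, verdict, detail)


def classify_error(line: str) -> Optional[Finding]:
    m = ERROR_RE.match(line)
    if not m:
        return None
    token = _token(m["path"])
    if token is None:
        return None
    msg = m["msg"]
    opened = OPEN_FAILED_RE.search(msg)
    if opened:
        return Finding("error", token, "not_found",
                       f"nginx tried to open {opened['fs_path']} ({opened['reason']}); "
                       "the ACME client must write the token to exactly that path")
    if "access forbidden by rule" in msg:
        return Finding("error", token, "forbidden", "a deny rule matched the challenge path")
    return Finding("error", token, "other", msg)


def diagnose(access_lines: List[str], error_lines: List[str]) -> List[Finding]:
    """Findings for every challenge fetch seen in the given log lines; other requests are ignored."""
    findings = [f for line in access_lines if (f := classify_access(line))]
    findings += [f for line in error_lines if (f := classify_error(line))]
    return findings


# Constructed sample lines, modelled on the thread's logs (documentation IPs, placeholder tokens).
SAMPLE_ACCESS = [
    '192.0.2.10 - - [21/Jun/2022:13:40:59 +0530] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '192.0.2.11 - - [21/Jun/2022:13:41:02 +0530] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '192.0.2.12 - - [21/Jun/2022:13:41:05 +0530] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.83.1"',
]
SAMPLE_ERROR = [
    '2022/06/22 08:00:43 [error] 23403#0: *4 open() "/var/www/acme/acme-challenge/tokenCCC" failed (2: No such file or directory), client: 192.0.2.13, server: _, request: "GET /.well-known/acme-challenge/tokenCCC HTTP/1.1", host: "mail.example.com"',
    '2022/06/21 13:25:30 [error] 24305#0: *1 access forbidden by rule, client: 192.0.2.14, server: _, request: "GET /.well-known/acme-challenge/tokenDDD HTTP/2.0", host: "mail.example.com"',
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ACCESS, SAMPLE_ERROR):
        print(f"[{finding.source}] {finding.token}: {finding.verdict} - {finding.detail}")
```

Run it against your own /var/www/logs/access.log and error.log (the `redirected` verdict is what the two log lines in the first post would produce); the `not_found` finding from the error log is the one to act on, because it prints the exact directory nginx is reading from.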

2

Re: Letsencrypt cannot find my .well-known

update 1
-----------
I am unable to figure out where to serve my .well-known from and which path to use in the certbot command. I believe there's a lot of URL rewriting for roundcubemail. I am not using subdomains. Possible locations are:

1) /opt/www - This is where iredadmin and roundcubemail reside - no luck
2) /opt/www/{iredadmin, roundcubemail} - again no luck
3) /var/www/html - the default as specified in the documentation for iredmail. No luck again.

3

Re: Letsencrypt cannot find my .well-known

did you try dehydrated instead?

4

Re: Letsencrypt cannot find my .well-known

Cthulhu wrote:

did you try dehydrated instead?

Thank you for your reply.

Whenever I go to ns1 dot mydomain dot com or to mail dot mydomain dot com the webpage redirects to https : // {ns1|mail} dot mydomain dot com/mail/.
Hence I believe this to be more of an nginx-related problem than a certbot one. I do not know how to serve a particular folder using nginx.

The relevant certbot error/warning message also points to the same. I have a link which may help, but I do not understand.
https : // dataswamp dot org/~solene/ 2019-07-04-nginx-acme dot html
Please remove spaces in above link and replace dot with '.' I am unable to post links for some reason.

Any help appreciated.

5

Re: Letsencrypt cannot find my .well-known

Cthulhu wrote:

did you try dehydrated instead?

I think it is indeed the LE client problem, certbot in this case.

/var/www/logs/error.log, relevant bits:
2022/06/22 08:00:43 [error] 23403#0: *4 open() "/var/www/acme/acme-challenge/2WHqWL7qx-qew6UZSdgEC6Q9CaMOSv4CRu-2FjxEMdQ" failed (2: No such file or directory), client: 66.133.109.36, server: _, request: "GET /.well-known/acme-challenge/2WHqWL7qx-qew6UZSdgEC6Q9CaMOSv4CRu-2FjxEMdQ HTTP/1.1", host: "mail dot mydomain dot com", referrer: "http : // mail dot  mydomain dot com/.well-known/acme-challenge/2WHqWL7qx-qew6UZSdgEC6Q9CaMOSv4CRu-2FjxEMdQ"

When I go to the directory, there's nothing in there. Will try with OpenBSD native LE client.

6

Re: Letsencrypt cannot find my .well-known

I tried with the native client: acme-client

Still no luck. I am back to thinking my nginx isn't serving the directory.

7

Re: Letsencrypt cannot find my .well-known

Eureka! Done.

Sleepless night. If there's any interest, let me know, will post the solution.

8

Re: Letsencrypt cannot find my .well-known

pseudostem wrote:

Eureka! Done.

Sleepless night. If there's any interest, let me know, will post the solution.

Now you have me curious! Please enlighten me (and the rest struggling with this well-know issue)

9

Re: Letsencrypt cannot find my .well-known

lebens wrote:

Now you have me curious! Please enlighten me (and the rest struggling with this well-know issue)

You give me far too much credit. I'm a stumbling idiot. I am on OpenBSD. I am a naive user.

${doas|sudo} certbot --nginx
is discouraged by iredmail as it changes the config files of nginx. The official nginx link says to use it, as certbot initiated with --nginx is a plugin. If you wish to read more about it, you can read here:
https : // www . nginx . com /blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
(please remove spaces)
And anyway, I don't read too much before I jump in. Thankfully $certbot --nginx wasn't available on my platform as there is no nginx plugin, so I was saved before I screwed my config up. After that I landed on the iredmail page which said not to use the --nginx switch.

my misc.tmpl is the same as the one on github. https : // github . com /iredmail/iRedMail/blob/master/samples/nginx/templates/misc . tmpl
(remove spaces). I landed on the github page after researching some undelete tools on OpenBSD because, duh, I had deleted the .tmpl file(s). So I had to redownload them again (copy-paste from browser into nvim, I can't use git to save my life), almost reformatted my system, but thankfully iredmail has a github page with the default file in there.

My misc.tmpl is:
# Regex locations are tried in the order they appear, so this block must come before the hidden-file deny rule below.
location ~ ^/.well-known/acme-challenge {
    # Strip the prefix: /.well-known/acme-challenge/TOKEN is looked up as /TOKEN under root.
    rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
    autoindex off;
    root /var/www/acme;
    allow all;
}
location ~ /\. { deny all; }
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }

Note: root is changed because nginx is NOT chrooted to /var/www for some reason which I will investigate later.


I read the dataswamp . org (remove spaces) link which I posted above, and after some thought about another comment by a knowledgeable guy/girl/nonbinary who posted above, I decided to ditch certbot altogether and use some other client. I used acme-client, which comes as part of the OS on OpenBSD.

My /etc/acme-client.conf (would be different for your system when using another ACME client like certbot) was almost default; I just changed my domain to mail . mydomain . com (remove spaces). I just ran the binary after that ($acme-client -idon'tknowtheswitch directory --idon'tknowtheswitch maildotmydomaindotcom). It downloaded the *.pem file and the *.crt file. I believe it's different in the iredmail docs; there's a key file and a crt file. I am not a cryptographer. I don't know the difference. But from the dataswamp website I gathered .pem works, and used it according to how it is used there.

I was worried because my crt file was inside /etc/private/mydomaindotcom . something . crt and /etc/private on my system is (chmod) 700.

Regardless, I headed over to /etc/nginx/templates/ssl.tmpl and made the following 2 changes to the default (only 2 lines anyway, the rest of the file is just comments):
ssl_certificate /etc/ssl/mail . mydomain . com . fullchain . pem; (remove spaces)
ssl_certificate_key /etc/ssl/private/mail . mydomain . com . key; (remove spaces)

$restart command for nginx
make relevant cron entry
BOOM!

I may have flipped a few things here and there and maybe restarted nginx 20000 times. But for the next 1 week I will try and help you guys if you face any .well-known-devil issues. Please do post, I will monitor.
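The part that makes the final misc.tmpl work with acme-client but not with certbot's webroot plugin is where each side expects the token file. As an added example (not from the thread or from iRedMail), this Python script resolves the filesystem path nginx opens for a challenge URI under the location blocks posted in this thread (root, alias and a `rewrite ... break;` modelled, nothing else) and compares it with where the two ACME clients write. It assumes that the inherited server root for the first post's block is /var/www/html (the iRedMail default named in post 2), that certbot --webroot -w DIR writes DIR/.well-known/acme-challenge/TOKEN, and that OpenBSD acme-client writes the bare TOKEN into its challengedir, default /var/www/acme; the token and directories are placeholders.

```python
"""Where nginx looks for an HTTP-01 token vs where the ACME client writes it (added example, not iRedMail code)."""
import posixpath
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Location:
    name: str
    root: str                                     # effective root: the block's own, or the inherited server root
    rewrite: Optional[Tuple[str, str]] = None     # (pattern, replacement) of a `rewrite ... break;` in the block
    alias: Optional[str] = None                   # `alias` of a prefix location: replaces the matched prefix


def resolve(loc: Location, uri: str) -> str:
    """Filesystem path nginx opens for `uri` inside `loc`: rewrite first, then root (prepend) or alias (replace prefix)."""
    if loc.rewrite:
        pattern, replacement = loc.rewrite
        uri = re.sub(pattern, replacement, uri, count=1)
    if loc.alias:
        return posixpath.normpath(loc.alias + uri[len(CHALLENGE_PREFIX):])
    return posixpath.normpath(loc.root + uri)


def certbot_webroot_path(webroot: str, token: str) -> str:
    """certbot --webroot -w WEBROOT writes WEBROOT/.well-known/acme-challenge/TOKEN (assumption stated in the lead-in)."""
    return posixpath.normpath(posixpath.join(webroot, ".well-known", "acme-challenge", token))


def acme_client_path(challengedir: str, token: str) -> str:
    """OpenBSD acme-client writes TOKEN directly into challengedir, default /var/www/acme (assumption)."""
    return posixpath.normpath(posixpath.join(challengedir, token))


def webroot_for(loc: Location, token: str) -> Optional[str]:
    """The -w directory that would make certbot's file land where nginx looks, or None if no directory can."""
    target = resolve(loc, CHALLENGE_PREFIX + token)
    suffix = "/.well-known/acme-challenge/" + token
    if not target.endswith(suffix):
        return None   # nginx strips the prefix, so no webroot layout can match
    return target[:-len(suffix)] or "/"


# Block from the first post: root commented out, so the (assumed) server root /var/www/html applies.
ORIGINAL = Location(name="post 1: ^~ prefix block, inherited root", root="/var/www/html")
# The alias line that was commented out in that same block.
ALIASED = Location(name="post 1: alias variant", root="/var/www/html", alias="/opt/www/.well-known/")
# Block from the last post: strip the prefix, then look the bare token up under /var/www/acme
# (nginx writes the replacement as /$1; Python's re.sub spells it /\1).
SOLUTION = Location(name="post 9: rewrite + root /var/www/acme", root="/var/www/acme",
                    rewrite=(r"^/.well-known/acme-challenge/(.*)", r"/\1"))

if __name__ == "__main__":
    token = "EXAMPLE_TOKEN"   # constructed placeholder
    for loc in (ORIGINAL, ALIASED, SOLUTION):
        print(f"{loc.name}: nginx opens {resolve(loc, CHALLENGE_PREFIX + token)}; "
              f"certbot -w would need {webroot_for(loc, token)}")
    print("acme-client default writes:", acme_client_path("/var/www/acme", token))
```

With the first post's block, `-w /opt/www/` puts the file under /opt/www/.well-known/acme-challenge/ while nginx reads /var/www/html/.well-known/acme-challenge/, so only `-w /var/www/html` could have matched. With the final block, nginx reads /var/www/acme/TOKEN, which is exactly where acme-client drops the token and a path no certbot webroot can produce, which is consistent with certbot failing and acme-client succeeding in this thread.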