No exception for .well-known... for certbot


Nextcloud version _(eg, 12.0.2)_: 15.0.2
Operating system and version _(eg, Ubuntu 17.04)_: Debian 9
Apache or nginx version _(eg, Apache 2.4.25)_: Apache2 2.4.25-3+deb9u6
PHP version _(eg, 7.1)_: 7.2

The issue you are facing: Nextcloud does not exclude the ACME challenge from the redirect to the login page


Is this the first time you've seen this error? _(Y/N)_: Y

Steps to replicate it:

1. Run certbot (version 0.28): `sudo certbot renew --dry-run`
2. Certbot creates a file in /.well-known/acme-challenge, Let's Encrypt checks this file.
3. Creating the cert fails with this error:

```
Domain: [mydomain]
Type: unauthorized
Detail: Invalid response from
mydomain/.well-known/acme-challenge/G1Gf7h2lhuipYcRa7T6wKpgDvrR_caZnrFeIsjbV7uU:
"\n\n403
Forbidden\n\n
```


The output of your Nextcloud log in **Admin > Logging**:

The output of your config.php file in `/path/to/nextcloud` (make sure you remove any identifiable information!):

```
<?php
$CONFIG = array (
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => 'website.de',
    1 => 'websitealt.de',
    2 => 'cloud',
    3 => '192.168.178.71',
  ),
  'datadirectory' => '/data',
  'overwrite.cli.url' => 'https://website.de',
  'dbtype' => 'mysql',
  'version' => '15.0.2.0',
  'dbname' => 'XXX',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => XXX,
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => true,
  'updater.release.channel' => 'stable',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
);
```

The output of your Apache/nginx/system log in `/var/log/____`:

```
[Wed Feb 06 11:13:48.263735 2019] [access_compat:error] [pid 29196] [client 17.58.81.142:50204] AH01797: client denied by server configuration: /var/www/html/index.php
[Wed Feb 06 11:13:48.720440 2019] [access_compat:error] [pid 29185] [client 17.58.81.142:50250] AH01797: client denied by server configuration: /var/www/html/.well-known
[Wed Feb 06 11:13:48.720742 2019] [access_compat:error] [pid 29185] [client 17.58.81.142:50250] AH01797: client denied by server configuration: /var/www/html/index.php
[Wed Feb 06 11:13:49.563727 2019] [access_compat:error] [pid 29214] [client 17.58.81.142:50342] AH01797: client denied by server configuration: /var/www/html/index.php
[Wed Feb 06 11:13:49.563895 2019] [access_compat:error] [pid 29214] [client 17.58.81.142:50342] AH01797: client denied by server configuration: /var/www/html/
[Wed Feb 06 11:22:27.128936 2019] [access_compat:error] [pid 29864] [client 17.58.85.99:44628] AH01797: client denied by server configuration: /var/www/html/.well-known
[Wed Feb 06 11:22:27.130089 2019] [access_compat:error] [pid 29864] [client 17.58.85.99:44628] AH01797: client denied by server configuration: /var/www/html/index.php
[Wed Feb 06 11:22:28.018894 2019] [access_compat:error] [pid 29868] [client 17.58.85.99:44682] AH01797: client denied by server configuration: /var/www/html/.well-known
```

Are you using http or https? Is the URL http://ok.fahmed.de/.well-known/acme-challenge/G1Gf7h2lhuipYcRa7T6wKpgDvrR_caZnrFeIsjbV7uU accessible in a browser or via a local curl command? Where is the .well-known/acme-challenge directory located?

I am using https, but port 80 is open. When I try to access the URL I am forwarded to the Nextcloud login.
I am not sure how to find the location of .well-known/acme-challenge.

Curl gives me:

```
301 Moved Permanently

Moved Permanently

The document has moved here.

Apache/2.4.25 (Debian) Server at website.de Port 80
```

Most likely the file is in your Nextcloud directory; have you checked? The 301 means the http request is redirected to https. Check the location of your .well-known directory, and make sure it can be seen via http.

Thanks eehmke, but it was absolutely my fault. I had a Geo-IP lock installed which prevented the challenge file from being accessed by the authority.

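An added example, not part of the thread and not code from Nextcloud or certbot: a small Python triage script for the two questions that came up above, "what in the Apache error log is refusing the challenge" and "where does the challenge file live". It parses Apache 2.4 error-log lines like the ones the original poster pasted, lists which client addresses were refused under `.well-known` with AH01797 (mod_access_compat's "client denied by server configuration", which comes from an Order/Allow/Deny-style access rule such as a Geo-IP block implemented that way, never from a RewriteRule redirect), and maps a challenge URL to the file path certbot's `--webroot` plugin writes. The sample log lines are four of the thread's own, trimmed; `/var/www/html` as the DocumentRoot is taken from those paths; the function and variable names are mine.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample: four of the AH01797 lines posted in the thread
# (same paths and client addresses; the rest trimmed for brevity).
SAMPLE_LOG = """\
[Wed Feb 06 11:13:48.263735 2019] [access_compat:error] [pid 29196] [client 17.58.81.142:50204] AH01797: client denied by server configuration: /var/www/html/index.php
[Wed Feb 06 11:13:48.720440 2019] [access_compat:error] [pid 29185] [client 17.58.81.142:50250] AH01797: client denied by server configuration: /var/www/html/.well-known
[Wed Feb 06 11:22:27.128936 2019] [access_compat:error] [pid 29864] [client 17.58.85.99:44628] AH01797: client denied by server configuration: /var/www/html/.well-known
[Wed Feb 06 11:22:28.018894 2019] [access_compat:error] [pid 29868] [client 17.58.85.99:44682] AH01797: client denied by server configuration: /var/www/html/.well-known
"""

# Apache 2.4 error-log shape: [timestamp] [module:level] [pid N] [client IP:port] AHnnnnn: message[: path]
# The client address is matched lazily so IPv6 addresses (which contain colons) parse too.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)\] \[client (?P<ip>.+?):(?P<port>\d+)\] "
    r"(?P<code>AH\d+): (?P<msg>.*?)(?:: (?P<path>/\S*))?$"
)

# ACME HTTP-01 tokens are base64url; anything else in the last path segment
# is not a challenge request and must never be turned into a filesystem path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_error_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def acme_denials(records):
    """AH01797 is mod_access_compat's 'client denied by server configuration':
    an Order/Allow/Deny-style rule refused the request. A RewriteRule redirect
    (what Nextcloud's .htaccess does) never logs this, so these lines point at
    an access rule, not at the rewrite."""
    return [r for r in records
            if r["code"] == "AH01797" and r["path"] and "/.well-known" in r["path"]]


def denials_by_client(records):
    """Which client addresses were refused under .well-known, and for which paths."""
    grouped = defaultdict(set)
    for r in acme_denials(records):
        grouped[r["ip"]].add(r["path"])
    return {ip: sorted(paths) for ip, paths in grouped.items()}


def challenge_file(webroot, request_path):
    """Map a request path to the file certbot's --webroot plugin writes,
    WEBROOT/.well-known/acme-challenge/<token>. Returns None for any other
    path, including traversal attempts, so a caller never touches files elsewhere."""
    if not request_path.startswith(CHALLENGE_PREFIX):
        return None
    token = request_path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        return None
    return str(PurePosixPath(webroot) / ".well-known" / "acme-challenge" / token)


if __name__ == "__main__":
    records = parse_error_log(SAMPLE_LOG)
    for ip, paths in denials_by_client(records).items():
        print(f"{ip}: denied {', '.join(paths)}")
    # Token from the certbot error in the thread; /var/www/html is the
    # DocumentRoot the log lines show (assumed to be the certbot webroot).
    print(challenge_file("/var/www/html",
                         "/.well-known/acme-challenge/G1Gf7h2lhuipYcRa7T6wKpgDvrR_caZnrFeIsjbV7uU"))
```

Run it against `/var/log/apache2/error.log` instead of the sample to see whether the denials come from the validation server's addresses or from unrelated clients; if the challenge path is refused with AH01797, the fix is in an access rule for that directory, not in the https redirect, since the redirect would only ever produce a 301 like the one curl showed.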