Netgate Discussion Forum

    ACME sftp webroot validation fails / path issue?

    ACME · 16 Posts · 2 Posters · 2.0k Views
    • Gertjan @pfSense_user 0

      @pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:

      sdaQTOOENK9boBB6qzZf9fnRLOVhrRqzMQvc7_OXiFg

      The .well-known folder should be placed in the webroot (often called the 'www' folder).
      In there, there should be the 'acme-challenge' folder.
      In that folder, the file with the random name (your example: sdaQTOOENK9boBB6qzZf9fnRLOVhrRqzMQvc7_OXiFg) should be placed - I've put 'Hi !' in that file ;)

      I own the domain name test-domaine.fr.
      So I tested :
      https://www.test-domaine.fr/.well-known/acme-challenge/sdaQTOOENK9boBB6qzZf9fnRLOVhrRqzMQvc7_OXiFg

      The thing is : sftp should place the file in the web server's root folder.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

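One way to check that the path described above is really served before running the real ACME job, as an added example (not code from this thread, from pfSense or from the ACME package): it drops a random, extension-less file into <webroot>/.well-known/acme-challenge/, fetches it back over plain HTTP the way Let's Encrypt would, and removes it again. The webroot, host name and the throw-away local HTTP server used for offline testing are assumptions for illustration. A real http-01 response body is the token followed by the account-key thumbprint and is written by the ACME client itself, so this only tests whether the directory is reachable and whether files without an extension are delivered unchanged.

```python
"""Pre-flight check for an ACME http-01 webroot (hypothetical helper).

Places a throw-away file in <webroot>/.well-known/acme-challenge/ and
fetches it back over HTTP, so a wrong webroot, a restrictive .htaccess
or an "unknown extension" rule shows up before the real ACME run.
"""
import functools
import http.server
import pathlib
import secrets
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_url(host: str, token: str) -> str:
    # http-01 is always validated over plain HTTP on port 80
    return f"http://{host}/{CHALLENGE_DIR}/{token}"


def place_token(webroot: str, token: str, body: str) -> pathlib.Path:
    """Write the challenge response where the web server must serve it."""
    directory = pathlib.Path(webroot) / CHALLENGE_DIR
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / token          # extension-less name, like a real challenge file
    path.write_text(body, encoding="ascii")
    return path


def fetch_challenge(host: str, token: str, timeout: float = 5.0):
    """Return (status, body); status is None when no HTTP answer came back."""
    try:
        with urllib.request.urlopen(challenge_url(host, token), timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as err:       # 403, 404, ...: server answered, but not with the file
        return err.code, ""
    except urllib.error.URLError as err:        # DNS failure, connection refused, timeout
        return None, str(err.reason)


def preflight(webroot: str, host: str) -> dict:
    """Place a random token, fetch it back, clean up, and report the outcome."""
    token = secrets.token_urlsafe(32)           # same shape as a real ACME token
    body = "preflight-" + secrets.token_hex(8)  # constructed marker, not a real key authorization
    path = place_token(webroot, token, body)
    try:
        status, got = fetch_challenge(host, token)
    finally:
        path.unlink(missing_ok=True)            # never leave stray files in the webroot
    return {"ok": status == 200 and got.strip() == body, "status": status, "body": got}


def serve_dir(webroot: str):
    """Start a throw-away HTTP server on 127.0.0.1 serving webroot (offline testing only)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) == 3:                      # real use: preflight.py /path/to/webroot www.example.com
        print(preflight(sys.argv[1], sys.argv[2]))
    else:                                       # demo against a local server on a temporary webroot
        with tempfile.TemporaryDirectory() as root:
            srv, host = serve_dir(root)
            print(preflight(root, host))
            srv.shutdown()
```

In the situation described later in this thread (files in /.well-known are reachable but anything under /acme-challenge is not) the report would show "ok": False with a 403 or 404 status, which is the cue to look at the hosting panel or .htaccess before asking the CA to validate.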
      • pfSense_user 0 @Gertjan

        @gertjan
        Thanks for your reply!!!

        I do not have access to the "true" root folder of the server, because I have merely rented a webspace from a provider.

        However, in my understanding, on the webspace administration webpage I have associated each domain that I host with them with a specific subfolder on my webspace, which becomes the root folder for the logical web server. Or is this thinking flawed?

        Screenshot 1 shows my domains (only one SSL certificate is included in my contract ["Vertrag"]). The status column shows the respective folder where all files of the domain in question reside (e.g. index.html, /css/... and so on).
        Snsht_provider_1.png

        Screenshot 2 shows the details for the one domain, for which I have tried ACME verification. The row "destination" ["Ziel"] again denotes the webspace folder, where all the domain's data reside.
        Scnsht_provider_2.png

        I have tried to duplicate your example, and have exchanged the original token file for a file containing "Hi, too!" ;-) which can be seen in the appropriate location of the directory tree.
        Snsht_FileZilla.png

        However, I cannot view this file from a browser, although it is in the same directory (domain blurred out) where index.html etc. work as expected.

        • pfSense_user 0 @Gertjan

          @gertjan
          Addendum:

          I have confirmed that my .htaccess file for this domain does not include any prohibitions.

          I can list the content of another subfolder (which is on the same file system hierarchy level as the .well-known folder) without problems:
          Bildschirm­foto 2023-03-06 um 10.01.36.png

          For testing purposes, I have put an .htaccess file into the .well-known folder, which only contains "Options +Indexes". I am then able to view its content (and thus it should be in the logical webroot of my domain):
          Bildschirm­foto 2023-03-06 um 10.08.55.png

          However, I cannot enter the /acme-challenge folder from my web browser, even when I put another .htaccess with "Options +Indexes" there. Whenever I click on the /acme-challenge link, nothing happens, the same as when I try to open any file contained within that directory by specifying its name in the URL.

          • Gertjan @pfSense_user 0

            @pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:

            However, I can not view this file from a browser, although it is in the same directory (domain blued out), where index.html etc. work as expected

            That might be an issue.
            If the web server (your host is controlling it) doesn't 'want' to show files with unknown extensions, then the "web browser request" that LE makes when checking the file and its content won't work either.

            You have a domain name.
            Most registrars these days give you API access. Isn't it way easier to use a more classic DNS acme solution?

            • pfSense_user 0 @Gertjan

              @gertjan
              It gets even more weird: once I move my test file (still without extension) one level up into the /.well-known folder itself, I can view and access it...
              well-known.png

              And:
              token.png

              The access problem seems to be limited to the /acme-challenge subfolder ::scratching head::

              Unfortunately, the provider does not give access to an API or automated DNS record changes with their affordable hosting contracts. Of course, they want customers to upgrade or to buy their SSL certificates, both of which, however, are not competitively priced. I shy away from switching providers, because many e-mail addresses in use by the whole family depend on my domains, thus moving house would be a pain.

              Thus, I am stuck with ftp validation; getting it to work would really, really be great!

              [edited typos]

              • pfSense_user 0 @Gertjan

                @gertjan THANKS for pointing me towards the API!

                Although fiendishly hidden away on their website, my provider IONOS offers free-of-charge sign-up to "developer APIs".

                Now that I have a valid API key, and luckily pfSense-acme has a preset for IONOS, I have tried that.

                Both staging and production went through without an error message from the pfSense-acme package.

                Concurrent with validation
                pfSense-ACME_ionos-API_a.png
                I could see a temporary TXT record on my administrative hosting page, which disappeared after validation finalized, which seems to be normal cleanup behaviour.
                pfSense-ACME_ionos-API_b.png
                I just presume that the broken symbol on the first screenshot will be present during validation, whereas the tick indicates successful validation.

                However, I still get an SSL error when trying to access my domain [sorry, the screenshot is in German, but it is the generic Firefox SSL error page; a corresponding error also shows up in Safari and in Google Chrome ("ERR_SSL_PROTOCOL_ERROR")].
                webbrowser_error.png

                I have already
                • flushed my pfSense resolver cache,
                • flushed the browser cache,
                • tried viewing the domain from my mobile over LTE,
                same result.

                Could this be a question of DNS propagation? I presumed that the tick implied finalized verification and propagation, but I might be wrong.

                @gertjan Thanks for bearing with me!

                • Gertjan @pfSense_user 0

                  @pfsense_user-0

                  Where is this web server?
                  The certificate(s) are ready to be used, and you can see them here:
                  System > Certificate Manager > Certificates

                  Now you have to export it and bring it over to the server where the web server (like apache2, nginx, etc.) runs, so it can use that certificate.

                  The acme pfSense package was created so you could get a cert for pfSense, the web GUI. For any other device, you have to copy the certificate over to that device.
                  Or write a script that automates that process and restarts the web server on that device so that the new cert is taken into account.
                  The effect will be immediate.

                  • pfSense_user 0 @Gertjan
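The deployment script suggested in this reply, sketched as an added example (hypothetical helper, not code from pfSense, the ACME package or acme.sh): it assumes you have exported the full chain and the private key from System > Certificate Manager > Certificates into two PEM files, and that the target runs nginx reachable over SSH with key-based login. Before anything is copied it inspects the PEM structure without any crypto library, so it catches the two mistakes that most often turn a "successful" deployment into the SSL error described a few posts above: a chain without its intermediate, and a private key pasted into the public chain file. The host name, remote directory and reload command are assumptions for illustration.

```python
"""Sanity-check exported ACME files, then push them and reload the web server.

Hypothetical deploy helper, not pfSense or acme.sh code.  Assumes two PEM
files exported from pfSense (full chain and private key), an nginx host
reachable over SSH, and that the remote user may reload nginx via sudo.
"""
import re
import stat
import subprocess
from pathlib import Path

# One PEM block: BEGIN label, base64 body, matching END label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_labels(text: str) -> list:
    """Labels of every PEM block in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(fullchain: str, key: str) -> list:
    """Return a list of problems; an empty list means the pair looks deployable."""
    problems = []
    chain, keys = pem_labels(fullchain), pem_labels(key)
    if not chain or chain[0] != "CERTIFICATE":
        problems.append("fullchain must start with the leaf CERTIFICATE")
    if len(chain) < 2:
        problems.append("fullchain has no intermediate; many clients will fail path building")
    if any(label.endswith("PRIVATE KEY") for label in chain):
        problems.append("private key found in the public chain file; do not deploy")
    if len(keys) != 1 or not keys[0].endswith("PRIVATE KEY"):
        problems.append("key file must hold exactly one PRIVATE KEY block")
    return problems


def key_is_private_enough(key_path: Path) -> bool:
    """True when the local key file is not readable by group or others."""
    return not (key_path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def deploy_commands(fullchain: Path, key: Path, host: str, remote_dir: str, reload_cmd: str) -> list:
    """Commands to push both files and reload the web server (assumed layout)."""
    return [
        ["scp", "-p", str(fullchain), str(key), f"{host}:{remote_dir}/"],
        ["ssh", host, reload_cmd],
    ]


def deploy(fullchain: Path, key: Path, host: str, remote_dir: str,
           reload_cmd: str = "sudo systemctl reload nginx") -> None:
    """Refuse to ship a broken bundle; otherwise copy and reload."""
    problems = check_bundle(fullchain.read_text(), key.read_text())
    if not key_is_private_enough(key):
        problems.append(f"{key} is readable by group/others; chmod 600 it first")
    if problems:
        raise SystemExit("refusing to deploy:\n  " + "\n  ".join(problems))
    for cmd in deploy_commands(fullchain, key, host, remote_dir, reload_cmd):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    import sys
    # usage: deploy_cert.py fullchain.pem privkey.pem deploy@web.example.org /etc/nginx/tls
    deploy(Path(sys.argv[1]), Path(sys.argv[2]), sys.argv[3], sys.argv[4])
```

The reload step is what makes "the effect immediate": nginx (and apache2) read certificates at start-up, so copying new files changes nothing until the service is reloaded. If the web server is one you do not control, as turned out to be the case later in this thread, there is nothing for this script to reload and the exercise is moot.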

                    @gertjan Ehemm... It is hard for me to admit 😖 that I was so naive to think that, with an IONOS preset and an API key, pfSense-acme would also magically, on validation, put the certificate onto the server.

                    Thanks for the clarification and all your help!

                    • pfSense_user 0 @Gertjan

                      @gertjan Unfortunately, after all this work, there seems to be no way for me to upload the Let's Encrypt certificate to my IONOS webspace.

                      The API only allows for management of certificates purchased from IONOS. And I do not have access to the SSL root, nor can I restart the server.

                      Bildschirm­foto 2023-03-06 um 15.31.17.png

                      • Gertjan @pfSense_user 0

                        @pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:

                        IONOS webspace.

                        If the web server is controlled by the host, then you can't do things like 'add' a certificate.
                        For the certificate to be taken into account, the web server has to be restarted.
                        Or, 'your' web server is shared with hundreds if not thousands of other users ....

                        But: there is still good news: every web hosting company offers signed certs (mostly from LE), as every web server is using https these days. The host company will take care of everything.
                        "http" isn't used any more; Google (and others) aren't even indexing it.

                        • pfSense_user 0 @Gertjan

                          @gertjan I know about http pointing to Nirvana these days ;-) That's why I am desperately looking for a solution...

                          Unfortunately, the good news is not so good with IONOS, as they know about their customers' desperation for SSL certificates. Their pricing policy for adding certificates to existing domains is rather steep. All my websites are hobby projects, so they don't create any revenue. IONOS exclusively offers GeoTrust QuickSSL certificates and offers them in bundles at a hefty premium.

                          Maybe it is time to cancel some of my domains...

                          • Gertjan @pfSense_user 0

                            @pfsense_user-0

                            I'm not affiliated with these guys, but https://www.ovhcloud.com/de/web-hosting/ and you have it all - and even more.
                            Certs are LE, so not your issue.

                            I was using them for years (web hosting), but then my web sites became too big - their mail (MX) handling is good for the average guy, but not for a company. I went bare-bone 'dedicated server' (not some fog-based device). Solved many issues.

                            • pfSense_user 0 @Gertjan

                              @gertjan Thanks for the provider info, and also for all of your replies, which were extremely helpful to me! Kind regards.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.