Netgate Discussion Forum
    ACME Letsencrypt + sftp webroot, 404 error when trying to issue cert

    StarkJohan

      ACME: 0.1.20
      pfSense: 2.4.0-RELEASE (amd64)

      I followed the guide at https://doc.pfsense.org/index.php/ACME_package

      Account keys: All seems fine, staging key generates (CA: letsencrypt-staging). Hit save.

      Certificates: Created the certificate using staging key. Active, key size 2048.
      Domain SAN list: subdomain.domain.com (behind reverse proxy, fully accessible from the internet). Checkbox on the left is checked. Mode: Enabled, method: webroot ftp. SFTP server (local IP) entered. Full path to web server root. SFTP access and permissions for this user confirmed. Renew: 60 days. Hit save.

      Attempting to issue the certificate fails with a 404 error when trying to validate. The domain key is generated and can be found in the pfsense temp dir.

      From acme_createdomainkey.log: "The domain key is here: /tmp/acme/Testa_acme//subdomain.domain.com/subdomain.domain.com.key"

      When checking the log, the error seems to be that the Let's Encrypt validation server runs into a 404 when trying to validate via HTTP.

      [Thu Oct 19 15:12:28 CEST 2017] subdomain.domain.com:Verify error:Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/zyL2UkCIb709ojdBLAHBLAHwqojpdoqw09i55_PCnSnY:

      cat /tmp/acme/Testa_acme/acme_issuecert.log | grep sftp

      I can't see any proof in the log of any sftp activity. If this is true, it's no surprise that the validation server cannot find any files.

      Am I missing something obvious? Why are there no sftp entries in the log? Is the sftp query perhaps logged somewhere else?

      Tried manually creating /.well-known/acme-challenge/ in the web root. Same result, no difference with or without it.

      The Let's Encrypt server is accessing the web server, as can be seen in the access log: <internal ip> - - [19/Oct/2017:15:36:05 +0200] "GET /.well-known/acme-challenge/4C4lgY6OBLAHBLABHALBAHBLAHTTrlASMsWFQ HTTP/1.1" 404 161 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

        jimp Rebel Alliance Developer Netgate

        What exactly did you enter for the SFTP server? It should be sftp://x.x.x.x not just a bare IP address. See https://doc.pfsense.org/index.php/ACME_package#FTP_Webroot

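The thread turns on two things: the form of the SFTP server field that jimp asks about, and what the CA's GET has to find at the challenge URL for validation to stop returning 404. The Python below is an added example, not code from the pfSense ACME package or from acme.sh. It rejects a bare IP and accepts the sftp://host[:port][/path] form the package documentation calls for, computes the HTTP-01 key authorization (token.thumbprint per RFC 8555 section 8.1, thumbprint per RFC 7638) that the validation server expects as the file body, and judges a captured HTTP response the way the CA would. The function names, the 10.0.0.5 server address and the HTTP responses are constructed for the example; the token is the redacted one from the poster's log, and the JWK is the public RSA example key from RFC 7638 section 3.1, not a real account key.

```python
"""Pre-flight checks for an ACME "webroot ftp" issuance on pfSense.

Added example, not code from the pfSense ACME package or acme.sh. All
function names, the server address and the HTTP responses are constructed.
"""
import base64
import hashlib
import json
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Redacted challenge token copied from the poster's acme_issuecert.log line.
TOKEN = "zyL2UkCIb709ojdBLAHBLAHwqojpdoqw09i55_PCnSnY"

# Public RSA key from RFC 7638 section 3.1 (a published test vector, not an
# account key). Extra members such as "alg"/"kid" must not affect the thumbprint.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}


def parse_sftp_server(value: str) -> tuple:
    """Validate the package's 'SFTP server' field.

    The documented form is sftp://host[:port][/path]; a bare IP such as
    '10.0.0.5' has no scheme and is rejected. Returns (host, port, path).
    """
    parts = urlsplit(value.strip())
    if parts.scheme.lower() != "sftp":
        raise ValueError(f"expected sftp://host[:port][/path], got {value!r}")
    if not parts.hostname:
        raise ValueError("sftp URL has no host")
    return parts.hostname, parts.port or 22, parts.path or "/"


def sftp_server_ok(value: str) -> bool:
    """True if the field value parses; convenient for a boolean check."""
    try:
        parse_sftp_server(value)
        return True
    except ValueError:
        return False


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects to fetch from
    http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_challenge_response(status: int, body: bytes, token: str, account_jwk: dict) -> tuple:
    """Judge an HTTP response to the challenge URL the way the validation
    server would. Returns (ok, reason)."""
    if status != 200:
        return False, (f"HTTP {status} for {CHALLENGE_PREFIX}{token}: "
                       "nothing served from the webroot, so check the upload first")
    got = body.decode("utf-8", "replace").strip()
    if got != key_authorization(token, account_jwk):
        return False, "file is served but its content is not token.thumbprint"
    return True, "ok"


if __name__ == "__main__":
    # Constructed field values: the bare IP from the thread versus the documented form.
    for field in ("10.0.0.5", "sftp://10.0.0.5", "sftp://10.0.0.5:2222/var/www/html"):
        try:
            print(f"{field!r} -> {parse_sftp_server(field)}")
        except ValueError as exc:
            print(f"{field!r} -> rejected: {exc}")
    expected = key_authorization(TOKEN, RFC7638_JWK)
    print("expected challenge body:", expected)
    # Constructed responses: the 404 the poster's access log shows, then a correct answer.
    print(check_challenge_response(404, b"Not Found", TOKEN, RFC7638_JWK))
    print(check_challenge_response(200, expected.encode() + b"\n", TOKEN, RFC7638_JWK))
```

The 404 case reproduces the thread's failure: with no 200 at the challenge URL, the file content is irrelevant, and the sftp upload (here, the unparseable server field) is the thing to fix first. Only once a GET returns 200 does the body comparison matter.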
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.