Netgate Discussion Forum

    ACME with webroot FTP not work

    HA/CARP/VIPs
pixel24 wrote:

Hi @all,

I use pfSense as gateway/firewall between WAN and LAN. pfSense has a fixed WAN IP: 10.20.30.40 and a fixed LAN IP: 192.168.24.254

There is an FTP server in the LAN that should be used for the ACME challenge. This server has the IP 192.168.24.7 (internal hostname: web01.intern.local).
My external domain (hosted by my provider) is: mydomain.de
On the external web server I have set a DNS entry (A record):

web01.mydomain.de -> 10.20.30.40
      

To make the ACME challenge work I made the following configurations:
[four configuration screenshots, not reproduced]

-> Use Backend: web01.mydomain.de

In ACME I have specified the connection data to the FTP server (in the LAN):
[screenshot of the ACME webroot FTP settings, not reproduced]

From outside (WAN) I can access the directory
http://web01.mydomain.de/.well-known/acme-challenge/
When I click on "Issue/Renew" in ACME -> Certificates I get the following message:

web01.mydomain.de
Renewing certificate
account: Test
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh  --issue  -d 'web01.mydomain.de' --webroot pfSenseacme --home '/tmp/acme/web01.mydomain.de/' --accountconf '/tmp/acme/web01.mydomain.de/accountconf.conf' --force --reloadCmd '/tmp/acme/web01.mydomain.de/reloadcmd.sh' --log-level 3 --log '/tmp/acme/web01.mydomain.de/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ftpserver] => sftp://192.168.24.7
    [username] => webftp
    [password] => ********
    [folder] => /home/webftp/.well-known/acme-challenge/
)
[Mon Jan  6 16:13:15 CET 2020] Single domain='web01.mydomain.de'
[Mon Jan  6 16:13:15 CET 2020] Getting domain auth token for each domain
[Mon Jan  6 16:13:18 CET 2020] Getting webroot for domain='web01.mydomain.de'
[Mon Jan  6 16:13:18 CET 2020] Verifying: web01.mydomain.de
[Mon Jan  6 16:13:18 CET 2020] Found domain http api file: /tmp/acme/web01.mydomain.de//httpapi/pfSenseacme.sh

challenge_response_put web01.mydomain.de, web01.mydomain.de
FOUND domainitemFTP
[Mon Jan  6 16:13:22 CET 2020] Found domain http api file: /tmp/acme/web01.mydomain.de//httpapi/pfSenseacme.sh
[Mon Jan  6 16:13:22 CET 2020] web01.mydomain.de:Verify error:Invalid response from http://web01.mydomain.de/.well-known/acme-challenge/nXe6ov-W7EgFVxDCZX1LSNofJck6ovIFq5hvzAL6O4g [10.20.30.40]: 503
[Mon Jan  6 16:13:22 CET 2020] Please check log file for more details: /tmp/acme/web01.mydomain.de/acme_issuecert.log

If I open the challenge URL given in the message from outside in a browser:

http://web01.mydomain.de/.well-known/acme-challenge/nXe6ov-W7EgFVxDCZX1LSNofJck6ovIFq5hvzAL6O4g
      

I get the error message:

"503 Service Unavailable
No server is available to handle this request."

What am I doing wrong?

With best,
pixel

jimp (Rebel Alliance Developer, Netgate) wrote:

That would be a problem on web01.mydomain.de -- check your error logs there.

pixel24 wrote:

After being on the HAProxy:
[screenshot, not reproduced]
I can call the given token from outside and get it displayed in the browser. But the error message when clicking on "Issue/Renew" remains the same.

Gertjan (@pixel24) wrote:

This:

@pixel24 said in ACME with webroot FTP not work:

[ftpserver] => sftp://192.168.24.7
[username] => webftp
[password] => ********

is an FTP access to your web server.
This means: you have a log! Check the FTP server log and see if the file is actually created, and in the right spot.
Set a DNS Sleep time of 300 seconds. That gives you the time to check if you can 'browse' the created file here:
http://192.168.24.7/.well-known/acme-challenge/
Or look it up on the web server itself using a navigator, Explorer or whatever.

Also: your site is accessible for the outside world: use a phone (kill the Wifi access!) and check the file using a browser.
Something like http://web01.mydomain.de/.well-known/acme-challenge/

After all: if Letsencrypt can find the file (and it better find the file, if not: no cert), so can you.

Edit: and where are the logs??

pixel24 (@jimp) wrote:

@jimp said in ACME with webroot FTP not work:

That would be a problem on web01.mydomain.de -- check your error logs there.

In my opinion it cannot be the FTP. The ACME on the pfSense stores the files there. Or am I wrong?

pixel24 (@Gertjan) wrote:

@Gertjan said in ACME with webroot FTP not work:

That gives you the time to check if you can 'browse' the created file here:
http://192.168.24.7/.well-known/acme-challenge/
Or look it up on the web server itself using a navigator, Explorer or whatever.

Yes, the files are transferred correctly from ACME to the path:
http://192.168.24.7/.well-known/acme-challenge/

@Gertjan said in ACME with webroot FTP not work:

Also: your site is accessible for the outside world: use a phone (kill the Wifi access!) and check the file using a browser.
Something like http://web01.mydomain.de/.well-known/acme-challenge/

Yes, I call up the path from outside (TeamViewer on an external system). This works.

pixel24 wrote:

OMG. My bad! I had password-protected the HTTP directory. The password was stored in the browser on the external system, so LE could not access it. Sorry for my misfortune :-(

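The manual checks suggested in the thread (fetch the challenge file from outside, look at what the web server answers) and the root cause pixel24 found (the challenge directory sat behind HTTP basic auth, and the browser's saved password hid that during the manual test) can be put into one pre-flight script. The following is an added example, not code from the pfSense ACME package, acme.sh or anyone in this thread. It fetches the challenge URL the way a CA's validator does (plain HTTP GET, no cookies, no stored credentials) and compares the body with the expected key authorization "<token>.<thumbprint>" (RFC 8555 section 8.1). To run offline it starts a throwaway http.server on 127.0.0.1 that reproduces three situations: the file correctly published, the same file behind basic auth, and the file missing from the webroot. The token and thumbprint are random constructed values, the function names are this example's own, and check_challenge() is the part you would point at http://web01.mydomain.de with the token from the acme.sh log.

```python
"""Pre-flight check for an ACME HTTP-01 challenge path (added example).
Fetches /.well-known/acme-challenge/<token> the way the CA's validator does
(plain GET, no cookies, no stored credentials) and checks that the body is
the key authorization "<token>.<thumbprint>" (RFC 8555 section 8.1).
A throwaway local http.server makes the demo run offline."""
import base64
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"

def b64url(raw):
    """base64url without padding, the encoding ACME uses for tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def fetch(url, timeout=5.0):
    """GET like the validator: fresh connection, no Authorization header.
    Returns (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def diagnose(status, body, key_auth):
    """Verdict the CA would reach, plus a hint on where to look."""
    if status == 200:
        return "ok" if body.strip() == key_auth else "200 but body is not the key authorization"
    hints = {
        401: "401: path is password-protected; the CA never sends credentials",
        404: "404: file not in the webroot; check the SFTP folder and filename",
        503: "503: proxy has no usable backend; check backend health and the ACL for this path",
    }
    return hints.get(status, f"unexpected HTTP {status}")

def check_challenge(base_url, token, key_auth):
    """The check to run from outside the LAN against the public hostname."""
    status, body = fetch(base_url.rstrip("/") + ACME_PATH + token)
    return diagnose(status, body, key_auth)

class _ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in for the LAN web server (test double, constructed)."""
    files = {}            # token -> key authorization
    require_auth = False  # True reproduces a password-protected directory

    def do_GET(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="acme"')
            self.end_headers()
            return
        name = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else ""
        if name not in self.files:
            self.send_error(404)
            return
        data = self.files[name].encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_local_server(files, require_auth=False):
    """Serve `files` on an ephemeral 127.0.0.1 port; returns (server, base_url)."""
    handler = type("Handler", (_ChallengeHandler,),
                   {"files": dict(files), "require_auth": require_auth})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def run_demo():
    """Published correctly, behind basic auth, and missing from the webroot."""
    token = b64url(secrets.token_bytes(32))       # constructed, like the one in the acme.sh log
    thumbprint = b64url(secrets.token_bytes(32))  # constructed; really the account key's JWK thumbprint
    key_auth = f"{token}.{thumbprint}"
    scenarios = {"published": ({token: key_auth}, False),
                 "password_protected": ({token: key_auth}, True),
                 "missing": ({}, False)}
    results = {}
    for name, (files, auth) in scenarios.items():
        srv, base = start_local_server(files, require_auth=auth)
        try:
            results[name] = check_challenge(base, token, key_auth)
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

Run the real check from a host outside the LAN, and not through a browser or a curl with -u: a saved credential is exactly what masked the 401 in this thread. The 503 branch corresponds to the "No server is available to handle this request" text in the first post, which is what HAProxy returns when no backend server is usable for the request.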
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.