ACME Letsencrypt + sftp webroot, 404 error when trying to issue cert

  • ACME: 0.1.20
    pfSense: 2.4.0-RELEASE (amd64)

    I followed the guide at https://doc.pfsense.org/index.php/ACME_package

    Account keys: All seems fine, staging key generates (CA: letsencrypt-staging). Hit save.

    Certificates: Created the certificate using staging key. Active, key size 2048.
    Domain SAN list: subdomain.domain.com (behind reverse proxy, fully accessible from the internet). Checkbox on the left is checked. Mode: Enabled, method webroot ftp. sftp server (local ip) entered. Full path to web server root. sftp access and permissions for this user confirmed. Renew 60 days. Hit save.

    Attempting to issue the certificate fails with a 404 error when trying to validate. The domain key is generated and can be found in the pfsense temp dir.

    From acme_createdomainkey.log: "The domain key is here: /tmp/acme/Testa_acme//subdomain.domain.com/subdomain.domain.com.key"

    When checking the log, the error seems to be that the Let's Encrypt validation server runs into a 404 when trying to validate via http.

    [Thu Oct 19 15:12:28 CEST 2017] subdomain.domain.com:Verify error:Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/zyL2UkCIb709ojdBLAHBLAHwqojpdoqw09i55_PCnSnY:

    cat /tmp/acme/Testa_acme/acme_issuecert.log | grep sftp

    I can't see any proof in the log of any sftp activity. If this is true it's no surprise that the validation server cannot find any files.

    Am I missing something obvious? Why are there no sftp entries in the log? Is the sftp query perhaps logged somewhere else?

    Tried manually creating the /.well-known/acme-challenge/ in the web root. Same same, no diff with or without.

    The Let's Encrypt server is accessing the web server, as can be seen in the access log:

    <internal ip> - - [19/Oct/2017:15:36:05 +0200] "GET /.well-known/acme-challenge/4C4lgY6OBLAHBLABHALBAHBLAHTTrlASMsWFQ HTTP/1.1" 404 161 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"


  • Rebel Alliance Developer Netgate

    What exactly did you enter for the SFTP server? It should be sftp://x.x.x.x not just a bare IP address. See https://doc.pfsense.org/index.php/ACME_package#FTP_Webroot
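As an added illustration of both halves of this thread (it is not code from the pfSense ACME package or from either poster): a small Python check that pulls failed HTTP-01 challenge probes out of web server access-log lines like the one quoted above, validates that the SFTP server field is written as a `sftp://host` URL rather than a bare IP, and derives the path the challenge file must land at under the webroot. The log lines, client addresses and tokens are constructed placeholders, and the URL-scheme rule encodes only what the reply states (sftp://); whether the package accepts other schemes is not covered here.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the access-log entry in the thread.
# Client addresses and tokens are placeholders, not real values.
ACCESS_LOG = """\
203.0.113.10 - - [19/Oct/2017:15:36:05 +0200] "GET /.well-known/acme-challenge/TOKENPLACEHOLDER1 HTTP/1.1" 404 161 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.11 - - [19/Oct/2017:15:40:12 +0200] "GET /.well-known/acme-challenge/TOKENPLACEHOLDER2 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [19/Oct/2017:15:41:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.55"
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def failed_acme_challenges(log_text):
    """Return (client, token, status) for each HTTP-01 probe that did not get a 2xx.
    A non-2xx here means the token file was never published to the webroot."""
    failures = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        status = int(m["status"])
        if not 200 <= status < 300:
            failures.append((m["client"], m["path"][len(CHALLENGE_PREFIX):], status))
    return failures


def check_sftp_server_field(value):
    """Validate the package's SFTP server field as the reply describes:
    a URL with the sftp:// scheme and a host, not a bare IP. Returns (ok, reason)."""
    parsed = urlparse(value)
    if parsed.scheme != "sftp":
        return False, f"missing sftp:// scheme in {value!r}"
    if not parsed.hostname:
        return False, "no host after sftp://"
    return True, "ok"


def expected_challenge_path(webroot, token):
    """Filesystem path the token file must be uploaded to for the probe to succeed."""
    return webroot.rstrip("/") + CHALLENGE_PREFIX + token


if __name__ == "__main__":
    print(failed_acme_challenges(ACCESS_LOG))
    print(check_sftp_server_field("192.168.1.5"))  # the mistake discussed in the thread
    print(expected_challenge_path("/var/www/html/", "TOKENPLACEHOLDER1"))
```

Run it against a real access log by swapping in the file contents; any entry it reports with a 404 is a token the validation server asked for that was never written to the webroot.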