Netgate Discussion Forum
ACME Letsencrypt + sftp webroot, 404 error when trying to issue cert

StarkJohan, Oct 19, 2017, 1:38 PM (last edited Oct 19, 2017, 2:21 PM)

    ACME: 0.1.20
    pfSense: 2.4.0-RELEASE (amd64)

    I followed the guide at https://doc.pfsense.org/index.php/ACME_package

    Account keys: All seems fine, staging key generates (CA: letsencrypt-staging). Hit save.

    Certificates: Created the certificate using staging key. Active, key size 2048.
    Domain SAN list: subdomain.domain.com (behind reverse proxy, fully accessible from the internet). Checkbox on the left is checked. Mode: Enabled, method webroot ftp. sftp server (local IP) entered. Full path to web server root. sftp access and permissions for this user confirmed. Renew 60 days. Hit save.

    Attempting to issue the certificate fails with a 404 error when trying to validate. The domain key is generated and can be found in the pfsense temp dir.

    From acme_createdomainkey.log: "The domain key is here: /tmp/acme/Testa_acme//subdomain.domain.com/subdomain.domain.com.key"

    When checking the log, the error seems to be that the Let's Encrypt validation server runs into a 404 when trying to validate via http.

    [Thu Oct 19 15:12:28 CEST 2017] subdomain.domain.com:Verify error:Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/zyL2UkCIb709ojdBLAHBLAHwqojpdoqw09i55_PCnSnY:

    `cat /tmp/acme/Testa_acme/acme_issuecert.log | grep sftp`

    I can't see any proof in the log of any sftp activity. If this is true it's no surprise that the validation server cannot find any files.

    Am I missing something obvious? Why are there no sftp entries in the log? Is the sftp query perhaps logged somewhere else?

    Tried manually creating the /.well-known/acme-challenge/ in the web root. Same same, no diff with or without.

    The Let's Encrypt server is accessing the web server, as can be seen in the access log: <internal ip> - - [19/Oct/2017:15:36:05 +0200] "GET /.well-known/acme-challenge/4C4lgY6OBLAHBLABHALBAHBLAHTTrlASMsWFQ HTTP/1.1" 404 161 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

jimp (Rebel Alliance, Developer, Netgate), Oct 23, 2017, 3:22 PM

      What exactly did you enter for the SFTP server? It should be sftp://x.x.x.x not just a bare IP address. See https://doc.pfsense.org/index.php/ACME_package#FTP_Webroot

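The practical consequence of jimp's answer is that the "webroot ftp" method silently does nothing useful when the server field is a bare address, and the only symptom is the 404 the original post shows. The preflight script below is an added example, not code from the pfSense ACME package or from either poster: it checks the server string for the `sftp://` form, then reproduces what the Let's Encrypt validation server does by uploading a throwaway token over SFTP into `<webroot>/.well-known/acme-challenge/` and fetching it back over plain HTTP. The host `192.0.2.10`, user `www-data`, webroot `/var/www/html` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the pfSense ACME package's own code): preflight for the
# "webroot ftp" method. All hosts, users and paths here are assumptions.

# Return 0 when the value has the sftp://host[:port] form the package expects,
# 1 for a bare IP/hostname or any other scheme.
acme_sftp_url_ok() {
    case "$1" in
        sftp://[!/]*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Strip the scheme and any trailing path so the value can be handed to sftp(1).
acme_sftp_host() {
    printf '%s\n' "$1" | sed 's#^sftp://##; s#/.*$##'
}

# URL the Let's Encrypt validation server requests for a given token.
acme_challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Upload a throwaway token over SFTP, then fetch it the way the CA does.
# Usage: acme_webroot_preflight sftp://192.0.2.10 www-data /var/www/html subdomain.domain.com
acme_webroot_preflight() {
    server=$1; user=$2; webroot=$3; domain=$4
    if ! acme_sftp_url_ok "$server"; then
        echo "SFTP server must be given as sftp://host, got: $server" >&2
        return 1
    fi
    host=$(acme_sftp_host "$server")
    token="preflight-$(date +%s)"
    tmp=$(mktemp) || return 1
    printf 'preflight\n' > "$tmp"
    # sftp batch mode on stdin; a leading '-' tells sftp to ignore errors for
    # that line, so the mkdirs are harmless when the directories already exist.
    printf '%s\n' \
        "-mkdir $webroot/.well-known" \
        "-mkdir $webroot/.well-known/acme-challenge" \
        "put $tmp $webroot/.well-known/acme-challenge/$token" \
        | sftp -b - "sftp://$user@$host" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    url=$(acme_challenge_url "$domain" "$token")
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    echo "GET $url -> HTTP $code"
    [ "$code" = 200 ]
}
```

If the upload succeeds but the fetch still returns 404, the problem is on the web server or reverse proxy side (wrong webroot path, a rewrite rule swallowing `/.well-known/`, or the proxy not forwarding that prefix) rather than in the pfSense ACME configuration.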
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.