ACME with webroot FTP not work



  • Hi @all,

    I use pfSense as gateway/firewall between WAN and LAN. pfSense has a fixed WAN IP: 10.20.30.40 and a fixed LAN IP: 192.168.24.254.

    There is an FTP server in the LAN that should be used for the acme_challenge. This server has the IP 192.168.24.7 (internal hostname: web01.intern.local).
    My external domain (this one is hosted by my provider) is: mydomain.de
    On the external web server I have set a DNS entry (A record):

    web01.mydomain.de -> 10.20.30.40
    

    To make the ACME-Challenge work I made the following configurations:

    -> Use Backend: web01.mydomain.de

    In ACME I have specified the connection data to the FTP server (in the LAN):

    From outside (WAN) I can access the directory:
    http://web01.mydomain.de/.well-known/acme-challenge/
    When I click on "Issue/Renew" in ACME -> Certificates I get the following message:

    web01.mydomain.de
    Renewing certificate 
    account: Test 
    server: letsencrypt-staging-2 
    
    /usr/local/pkg/acme/acme.sh  --issue  -d 'web01.mydomain.de' --webroot pfSenseacme --home '/tmp/acme/web01.mydomain.de/' --accountconf '/tmp/acme/web01.mydomain.de/accountconf.conf' --force --reloadCmd '/tmp/acme/web01.mydomain.de/reloadcmd.sh' --log-level 3 --log '/tmp/acme/web01.mydomain.de/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [ftpserver] => sftp://192.168.24.7
        [username] => webftp
        [password] => ********
        [folder] => /home/webftp/.well-known/acme-challenge/
    )
    [Mon Jan  6 16:13:15 CET 2020] Single domain='web01.mydomain.de'
    [Mon Jan  6 16:13:15 CET 2020] Getting domain auth token for each domain
    [Mon Jan  6 16:13:18 CET 2020] Getting webroot for domain='web01.mydomain.de'
    [Mon Jan  6 16:13:18 CET 2020] Verifying: web01.mydomain.de
    [Mon Jan  6 16:13:18 CET 2020] Found domain http api file: /tmp/acme/web01.mydomain.de//httpapi/pfSenseacme.sh
    
    challenge_response_put web01.mydomain.de, web01.mydomain.de
    FOUND domainitemFTP
    [Mon Jan  6 16:13:22 CET 2020] Found domain http api file: /tmp/acme/web01.mydomain.de//httpapi/pfSenseacme.sh
    [Mon Jan  6 16:13:22 CET 2020] web01.mydomain.de:Verify error:Invalid response from http://web01.mydomain.de/.well-known/acme-challenge/nXe6ov-W7EgFVxDCZX1LSNofJck6ovIFq5hvzAL6O4g [10.20.30.40]: 503
    [Mon Jan  6 16:13:22 CET 2020] Please check log file for more details: /tmp/acme/web01.mydomain.de/acme_issuecert.log
    

    If I open the challenge URL given in the message from outside in the browser:

    http://web01.mydomain.de/.well-known/acme-challenge/nXe6ov-W7EgFVxDCZX1LSNofJck6ovIFq5hvzAL6O4g
    

    I get the error message:

    "503 Service Unavailable
    No server is available to handle this request. "

    what am I doing wrong?

    with best
    pixel


  • Rebel Alliance Developer Netgate

    That would be a problem on web01.mydomain.de -- check your error logs there.



  • After being on the HAProxy:
    I can call the given token from outside and get it displayed in the browser. But the error message when clicking on "Issue/Renew" remains the same.



  • This :

    @pixel24 said in ACME with webroot FTP not work:

    [ftpserver] => sftp://192.168.24.7
    [username] => webftp
    [password] => ********
    

    is an FTP access to your web server.
    This means: you have a log! Check the FTP server log and see if the file is actually created, and in the right spot.
    Set a DNS Sleep time of 300 seconds. That gives you the time to check if you can 'browse' the created file here:
    http://192.168.24.7/.well-known/acme-challenge/
    Or look it up on the web server itself using a navigator, Explorer or whatever.

    Also: your site is accessible for the outside world: use a phone (kill the Wifi access!) and check the file using a browser.
    Something like http://web01.mydomain.de/.well-known/acme-challenge/

    After all: if Let's Encrypt can find the file (and it had better find the file; if not, no cert), so can you.



  • @jimp said in ACME with webroot FTP not work:

    That would be a problem on web01.mydomain.de -- check your error logs there.

    In my opinion it cannot be the FTP. The ACME on the pfSense stores the files there. Or am I wrong?



  • @Gertjan said in ACME with webroot FTP not work:

    That gives you the time to check if you can 'browse' the created file here:
    http://192.168.24.7/.well-known/acme-challenge/
    Or look it up on the web server itself using a navigator, Explorer or whatever.

    Yes, the files are transferred correctly from ACME to the path:
    http://192.168.24.7/.well-known/acme-challenge/

    @Gertjan said in ACME with webroot FTP not work:

    Also: your site is accessible for the outside world: use a phone (kill the Wifi access!) and check the file using a browser.
    Something like http://web01.mydomain.de/.well-known/acme-challenge/

    Yes, I call up the path from outside (TeamViewer on an external system). This works.



  • OMG. My bad! I had password protected the HTTP directory. The password was stored in the browser on the external system, so LE could not access it. Sorry for my misfortune :-(
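A pre-flight check for the situation in this thread, added here as an example (it is not pfSense or acme.sh code): it places a token in the webroot, then fetches it exactly as the CA would, over plain HTTP with no saved password or cookies, and names the likely cause for a 401, 404 or 503. The SFTP upload and the web server behind HAProxy are assumptions replaced by a local directory and a local http.server so the script runs offline; the `ProtectedHandler` reproduces the password-protected directory that caused the failure above.

```python
import http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot, token, keyauth):
    """Stand-in for the SFTP upload acme.sh performs: write the key authorization into the webroot."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(keyauth)

def check_challenge(base_url, token, keyauth, timeout=5):
    """Fetch the token as a CA would (plain HTTP, no credentials); return (ok, reason)."""
    hints = {401: "directory requires authentication; the CA never sends credentials",
             404: "token not found; compare the upload folder with the document root",
             503: "no backend available; check the reverse proxy backend and its health check"}
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code}: {hints.get(e.code, 'unexpected status')}"
    except urllib.error.URLError as e:
        return False, f"connection failed: {e.reason}"
    if body != keyauth:
        return False, "served content does not match the key authorization"
    return True, "challenge reachable without credentials and content matches"

class ProtectedHandler(http.server.SimpleHTTPRequestHandler):
    """Simulates the misconfiguration from the thread: the challenge directory is password protected."""
    def do_GET(self):
        if self.path.startswith("/" + CHALLENGE_DIR):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="web01"')
            self.end_headers()
            return
        super().do_GET()

def serve(webroot, handler_cls):
    """Local stand-in for the web server behind the proxy; returns the base URL to test."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    """Run the check against an open webroot and against a password-protected one."""
    webroot, token, keyauth = tempfile.mkdtemp(), secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    place_token(webroot, token, keyauth)
    return {"open": check_challenge(serve(webroot, http.server.SimpleHTTPRequestHandler), token, keyauth),
            "protected": check_challenge(serve(webroot, ProtectedHandler), token, keyauth)}
```

Against a real deployment, call `check_challenge("http://web01.mydomain.de", token, keyauth)` from a host outside the LAN after uploading the token, and fix whatever the reason string points at before clicking Issue/Renew.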

