ACME sftp webroot validation fails / path issue?
-
@pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:
However, I can not view this file from a browser, although it is in the same directory (domain blued out), where index.html etc. work as expected
That might be an issue.
If the web server (your host is controlling it) doesn't 'want' to show files with unknown extensions, then the "web browser request" that LE makes when checking the file and its content won't work either.
You have a domain name.
Most registrars these days give you API access. Isn't it way easier to use some more classic DNS acme solution?
-
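What the CA actually does during HTTP-01 (webroot) validation, as an added example that is not code from this thread, from pfSense or from acme.sh: it requests `http://<domain>/.well-known/acme-challenge/<token>` and compares the body with the expected key authorization. The script below repeats that request against a local `http.server` standing in for the hosting provider, so it runs offline; the token, the key authorization and the webroot are constructed placeholders. A host that refuses to serve extension-less files under `/acme-challenge`, as described above, shows up as an `HTTP 404` reason.

```python
"""Self-check for an HTTP-01 challenge file (added example, not from the thread)."""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"   # fixed by the ACME protocol


def write_token(webroot, token, key_auth):
    """Create <webroot>/.well-known/acme-challenge/<token>; no file extension, as ACME requires."""
    path = os.path.join(webroot, *CHALLENGE_PATH.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_auth)
    return path


def check_challenge(base_url, token, key_auth, timeout=5.0):
    """Fetch the challenge URL the way the CA would; return (ok, reason)."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:   # follows redirects like the CA
            status = resp.status
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connection failed for {url}: {exc}"
    if status != 200:
        return False, f"unexpected status {status}"
    if body != key_auth:
        # An HTML error page or a wrong file lands here even though the status was 200.
        return False, f"body mismatch: got {body[:40]!r}"
    return True, "challenge file served correctly"


def serve_webroot(webroot):
    """Start a throw-away HTTP server on 127.0.0.1 serving `webroot`; returns (server, base_url)."""
    class Quiet(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=webroot, **kwargs)

        def log_message(self, *args):   # keep the demo output clean
            pass

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Quiet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def demo():
    """Run the three cases a user hits: correct file, wrong content, missing file."""
    token = "constructed-token-XYZ"                          # constructed, not a real ACME token
    key_auth = token + ".constructed-account-thumbprint"     # constructed key authorization
    with tempfile.TemporaryDirectory() as webroot:
        server, base = serve_webroot(webroot)
        try:
            write_token(webroot, token, key_auth)
            ok_good, _ = check_challenge(base, token, key_auth)
            ok_bad, _ = check_challenge(base, token, key_auth + "x")
            ok_missing, reason_missing = check_challenge(base, "no-such-token", key_auth)
        finally:
            server.shutdown()
            server.server_close()
    return {"good": ok_good, "wrong_body": ok_bad,
            "missing": ok_missing, "missing_reason": reason_missing}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Against a real host, call `check_challenge("http://yourdomain.example", token, key_auth)` after placing the file by SFTP; if the reason is `HTTP 404` while the same file is reachable one level up, the provider's web server configuration for that path is the problem, not the ACME client.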
@gertjan
It gets even weirder: Once I move my test file (still without extension) one level up into the /.well-known folder itself, I can view and access it... The access problem seems to be limited to the /acme-challenge subfolder ::scratching head::
Unfortunately, the provider does not give access to API or automated DNS record changes with their affordable hosting contracts. Of course, they want customers to upgrade or to buy their SSL certificates, both of which, however, are not competitively priced. I shy away from switching providers, because many e-mail addresses in use by the whole family depend on my domains, thus moving house would be a pain.
Thus, I am stuck with ftp validation, getting it to work would really, really be great!
[edited typos]
-
@gertjan THANKS for pointing me towards the API!
Although fiendishly hidden away on their website, my provider IONOS offers free of charge sign-up to "developer APIs".
Now that I have a valid API key, and luckily, pfSense-acme has a preset for IONOS, I have tried that.
Both staging and production went through without an error message from pfSense-acme package.
Concurrent with validation I could see a temporary TXT record in my administrative hosting page, which disappeared after validation finalized, which seems normal cleanup behaviour.
I just presume that the broken symbol on the first screenshot will be present during validation, whereas the tick indicates successful validation.
However, I still get an SSL error when trying to access my domain [sorry, screenshot is in German, but it is the generic Firefox SSL error page; a corresponding error also shows up in Safari and in Google Chrome ("ERR_SSL_PROTOCOL_ERROR")].
I have already
- flushed my pfSense resolver cache,
- flushed the browser cache,
- tried viewing the domain from my mobile over LTE,
same result.
Could this be a question of DNS-propagation? I presumed that the tick implied finalized verification and propagation, but I might be wrong.
@gertjan Thanks for bearing with me!
-
Where is this web server ?
The certificate(s) is ready to be used, and you can see it here :
System > Certificate Manager > Certificates. Now you have to export it, and bring it over to the server, where the web server (like apache2, nginx, etc.) runs, so it can use that certificate.
The acme pfsense package was created so you could get a cert for pfSense, the web GUI. For any other device, you have to copy the certificate over to that device.
Or write a script that automates that process, and restarts the web server on that device so that the new cert is taken into account.
The effect will be immediate.
-
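The "copy the certificate over and restart the web server" script described above, as an added example that is not from the thread or from the pfSense acme package. It assumes the certificate chain and private key have already been exported from System > Certificate Manager to two PEM files on the target host, and that the reload command (here `nginx -s reload`, an assumption) can be run there. The checks are the ones that matter in practice: refuse an export that mixes key and certificate, only touch the live files when something changed, write each file atomically, keep the key at mode 0600, and reload only after both files are in place. The PEM contents in `demo()` are constructed placeholders.

```python
"""Deploy an exported certificate and key to a web server (added example, not from the thread)."""
import hashlib
import os
import stat
import subprocess
import tempfile

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
KEY_MARKER = "PRIVATE KEY-----"   # matches RSA, EC and PKCS#8 BEGIN lines


def read_text(path):
    with open(path, "r", encoding="ascii") as fh:
        return fh.read()


def validate_pem(cert_pem, key_pem):
    """Sanity-check the export before touching the live server; raises ValueError."""
    if CERT_BEGIN not in cert_pem:
        raise ValueError("certificate file has no CERTIFICATE block")
    if KEY_MARKER in cert_pem:
        raise ValueError("certificate file contains a private key; export cert and key separately")
    if KEY_MARKER not in key_pem:
        raise ValueError("key file has no PRIVATE KEY block")
    if CERT_BEGIN in key_pem:
        raise ValueError("key file contains a certificate")


def fingerprint(path):
    """SHA-256 of the file contents, or None if the file does not exist yet."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def install_file(src, dst, mode):
    """Copy src to dst atomically (temp file + rename) with the given permission bits."""
    directory = os.path.dirname(dst) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            out.write(inp.read())
        os.chmod(tmp, mode)
        os.replace(tmp, dst)   # readers see either the old or the new file, never a partial one
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def deploy(cert_src, key_src, cert_dst, key_dst, reload_cmd, runner=subprocess.run):
    """Install cert and key only if something changed, then reload the web server.

    Returns "unchanged" or "reloaded". `runner` is injectable so the reload can be dry-run.
    """
    validate_pem(read_text(cert_src), read_text(key_src))
    if (fingerprint(cert_src) == fingerprint(cert_dst)
            and fingerprint(key_src) == fingerprint(key_dst)):
        return "unchanged"
    install_file(key_src, key_dst, 0o600)     # key readable by root/service user only
    install_file(cert_src, cert_dst, 0o644)
    runner(reload_cmd, check=True)            # reload only once both files are in place
    return "reloaded"


def demo():
    """Exercise deploy() twice in a temp dir with constructed PEM placeholders and a dry-run reload."""
    calls = []

    def dry_run(cmd, check=True):
        calls.append(list(cmd))

    with tempfile.TemporaryDirectory() as d:
        cert_src, key_src = os.path.join(d, "export.crt"), os.path.join(d, "export.key")
        with open(cert_src, "w") as fh:   # constructed placeholder, not a real certificate
            fh.write("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n")
        with open(key_src, "w") as fh:    # constructed placeholder, not a real key
            fh.write("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n")
        live = os.path.join(d, "live")
        cert_dst, key_dst = os.path.join(live, "fullchain.pem"), os.path.join(live, "privkey.pem")
        reload_cmd = ["nginx", "-s", "reload"]   # assumed reload command
        first = deploy(cert_src, key_src, cert_dst, key_dst, reload_cmd, runner=dry_run)
        second = deploy(cert_src, key_src, cert_dst, key_dst, reload_cmd, runner=dry_run)
        key_mode = stat.S_IMODE(os.stat(key_dst).st_mode)
    return {"first": first, "second": second, "reloads": len(calls), "key_mode": key_mode}


if __name__ == "__main__":
    print(demo())
```

Run it from cron after each pfSense renewal with the real paths and the default `runner`; a second run with unchanged files returns `"unchanged"` and does not reload, which keeps an hourly job harmless.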
@gertjan Ehemm... It is hard for me to admit that I was so naive to think that, with an IONOS preset and an API key, pfSense-acme would also magically, on validation, put the certificate onto the server.
Thanks for the clarification and all your help!
-
@gertjan Unfortunately, after all this work, there seems to be no way for me to upload the letsencrypt certificate to my IONOS webspace.
The API only allows for management of certificates purchased from IONOS. And I do not have access to the SSL root, nor can I restart the server.
-
@pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:
IONOS webspace.
If the webserver is controlled by the host, then you can't do things like 'add' a certificate.
For the certificate to be taken into account, the web server has to be restarted.
Or, 'your' web server is shared with hundreds if not thousands of other users.... But: there is still good news: every web hosting company offers signed certs (mostly from LE) as every web server is using https these days. The host company will take care of everything.
"http" isn't used any more, Google (and others) aren't even indexing them.
-
@gertjan I know about http pointing to Nirvana these days ;-) That's why I am desperately looking for a solution...
Unfortunately, the good news is not so good with IONOS, as they know about their customers' desperation for SSL certificates. Their pricing policy for adding certificates to existing domains is rather steep. All my websites are hobby projects, so they don't create any revenue. IONOS exclusively offers GeoTrust QuickSSL certificates and offers them in bundles at a hefty premium.
Maybe it is time to cancel some of my domains...
-
I'm not affiliated with these guys, but https://www.ovhcloud.com/de/web-hosting/ and you have it all - and even more.
Certs are LE so not your issue.
I was using them for years (web hosting), but then my web sites became too big - their mail (MX) handling is good for the average guy, but not for a company. I went bare bone 'dedicated server' (not some fog based device). Solved many issues.
-
@gertjan Thanks for the provider info, and also for all of your replies, which were extremely helpful to me! Kind regards.