Netgate Discussion Forum
ACME sftp webroot validation fails / path issue?

16 Posts 2 Posters 1.3k Views

    Gertjan @pfSense_user 0
    last edited by Mar 6, 2023, 9:17 AM

    @pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:

    However, I can not view this file from a browser, although it is in the same directory (domain blued out), where index.html etc. work as expected

    That might be an issue.
    If the web server - your host is controlling it - doesn't 'want' to show files with unknown extensions, then the "web browser request" that LE makes when checking the file and its content won't work either.

    You have a domain name.
    Most registrars these days give you an API access. Isn't it way easier to use some more classic DNS acme solution ?

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

      pfSense_user 0 @Gertjan
      last edited by pfSense_user 0 Mar 6, 2023, 9:40 AM

      @gertjan
      It gets even more weird: Once I move my test file (still without extension) one level up into the /.well-known folder itself, I can view and access it... [screenshot: well-known.png]

      And:
      [screenshot: token.png]

      The access problem seems to be limited to the /acme-challenge subfolder ::scratching head::

      Unfortunately, the provider does not give access to API or automated DNS record changes with their affordable hosting contracts. Of course, they want customers to upgrade or to buy their SSL-certificates, both of which, however, are not competitively priced. I shy away from switching providers, because many e-mail addresses in use by the whole family depend on my domains, thus moving house would be a pain.

      Thus, I am stuck with ftp validation, getting it to work would really, really be great!

      [edited typos]

        pfSense_user 0 @Gertjan
        last edited by pfSense_user 0 Mar 6, 2023, 11:54 AM

        @gertjan THANKS for pointing me towards the API!

        Although fiendishly hidden away on their website, my provider IONOS offers free of charge sign-up to "developer APIs".

        Now that I have a valid API key, and luckily, pfSense-acme has a preset for IONOS, I have tried that.

        Both staging and production went through without an error message from pfSense-acme package.

        Concurrent with validation
        [screenshot: pfSense-ACME_ionos-API_a.png]
        I could see a temporary TXT record in my administrative hosting page, which disappeared after validation finalized, which seems normal cleanup behaviour.
        [screenshot: pfSense-ACME_ionos-API_b.png]
        I just presume that the broken symbol on the first screenshot will be present during validation, whereas the tick indicates successful validation

        However, I still get an SSL error when trying to access my domain [sorry, screenshot is in German, but it is the generic Firefox SSL error page; a corresponding error also shows up in Safari and in google chrome ("ERR_SSL_PROTOCOL_ERROR")]
        [screenshot: webbrowser_error.png]

        I have already

        • flushed my pfSense resolver cache,

        • flushed the browser cache,

        • tried viewing the domain from my mobile over LTE,

        same result.

        Could this be a question of DNS-propagation? I presumed that the tick implied finalized verification and propagation, but I might be wrong.

        @gertjan Thanks for bearing with me!

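Two checks come up in the posts above: whether the extensionless file under /.well-known/acme-challenge/ is served with exactly the content Let's Encrypt expects (HTTP-01), and what the temporary TXT record created through the IONOS API has to contain (DNS-01). The following added example computes both values per RFC 8555 / RFC 7638 so they can be compared against what the host actually serves; it is not pfSense or acme.sh code, and the account JWK and token are constructed placeholders.

```python
"""Expected ACME (RFC 8555) challenge values for HTTP-01 and DNS-01, so the
webroot file or the _acme-challenge TXT record can be verified before asking
Let's Encrypt to validate. Added example, not pfSense or acme.sh code."""
import base64
import hashlib
import json

# Constructed sample account key (JWK) and challenge token; not real key material.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-not-a-real-modulus", "e": "AQAB"}
SAMPLE_TOKEN = "constructed-token-0123456789"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint: the exact content of the HTTP-01 challenge file."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def expected_dns01_txt(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge.<domain> TXT record for DNS-01."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_body_ok(body: bytes, token: str, jwk: dict) -> bool:
    """Check a fetched http://<domain>/.well-known/acme-challenge/<token> body.
    RFC 8555 section 8.3 has the CA ignore trailing whitespace, so an editor's
    final newline is fine; an HTML error page from a host that refuses to serve
    extensionless files fails. The HTTP status code must be checked separately."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    print("HTTP-01 file content:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT value:    ", expected_dns01_txt(SAMPLE_TOKEN, SAMPLE_JWK))
```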
          Gertjan @pfSense_user 0
          last edited by Mar 6, 2023, 1:23 PM

          @pfsense_user-0

          Where is this web server ?
          The certificate(s) is ready to be used, and you can see it here :
          System > Certificate Manager > Certificates

          Now you have to export it, and bring it over to the server where the web server (like apache2, nginx, etc) runs, so it can use that certificate.

          The acme pfsense package was created so you could get a cert for pfSense, the web GUI. For any other device, you have to copy the certificate over to that device.
          Or write a script that automates that process, and restarts the web server on that device so that the new cert is taken into account.
          The effect will be immediate.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            pfSense_user 0 @Gertjan
            last edited by Mar 6, 2023, 2:24 PM

            @gertjan Ehemm... It is hard for me to admit 😖 that I was so naive to think that, with a IONOS preset and an API key, pfSense-acme would also magically, on validation, put the certificate onto the server.

            Thanks for the clarification and all your help!

              pfSense_user 0 @Gertjan
              last edited by Mar 6, 2023, 2:35 PM

              @gertjan Unfortunately, after all this work, there seems to be no way for me to upload the letsencrypt certificate to my IONOS webspace.

              The API only allows for management of certificates purchased from IONOS. And I do not have access to the SSL root, nor can I restart the server.

              [screenshot: Bildschirmfoto 2023-03-06 um 15.31.17.png]

                Gertjan @pfSense_user 0
                last edited by Mar 6, 2023, 3:28 PM

                @pfsense_user-0 said in ACME sftp webroot validation fails / path issue?:

                IONOS webspace.

                If the webserver is controlled by the host, then you can't do things like 'add' a certificate.
                For the certificate to be taken in account, the web server has to be restarted.
                Or, 'your' web server is shared with hundreds if not thousands of other users ....

                But : there is still good news : every web hosting company offers signed certs (mostly from LE) as every web server is using https these days. The host company will take care of everything.
                "http" isn't used any more, Google (and others) isn't even indexing them.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  pfSense_user 0 @Gertjan
                  last edited by Mar 6, 2023, 3:52 PM

                  @gertjan I know about http pointing to Nirvana these days ;-) That's why I am desperately looking for a solution...

                  Unfortunately, the good news is not so good with IONOS, as they know about their customers' desperation for SSL certificates. Their pricing policy for adding certificates to existing domains is rather steep. All my websites are hobby projects, so they don't create any revenue. IONOS exclusively offers GeoTrust QuickSSL certificates and offers them in bundles at a hefty premium.

                  Maybe it is time to cancel some of my domains...

                    Gertjan @pfSense_user 0
                    last edited by Mar 6, 2023, 4:05 PM

                    @pfsense_user-0

                    I'm not affiliated with these guys, but https://www.ovhcloud.com/de/web-hosting/ and you have it all - and even more.
                    Certs are LE so not your issue.

                    I was using them for years (web hosting), but then my web sites became too big - their mail (MX) handling is good for the average guy, but not for a company. I went bare bone 'dedicated server' (not some fog based device). Solved many issues.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                      pfSense_user 0 @Gertjan
                      last edited by Mar 6, 2023, 4:33 PM

                      @gertjan Thanks for the provider info, and also for all of your replies, which were extremely helpful to me! Kind regards.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.