Resolved Issues with renewing certificates

nucknuck

Basic Pleskian
Hello together,

When SSLIT in combination with Let's Encrypt tries to renew the certificates, I get the following error message:


Code:
[2022-02-14 09:11:09.853] 22838:620a0e9549863 ERR [extension/letsencrypt] Domain validation failed for example.org: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/ID-xxxxxxxxxx.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from https://example.org/.well-known/acme-challenge/PsxAS03I_GL495WFlSzXYZW-PCMvcqW78w6-DGndiCM [116.202.xxx.xxx]: "<!DOCTYPE html>\n<html lang=\"de-DE\">\n<head>\n\t<meta charset=\"UTF-8\" />\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n\t<lin"
[2022-02-14 09:11:09.860] 22838:620a0e9549863 ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/ID-xxxxxxxxxx.

(IP, domain and ACME ID censored)


When I try to open the link to the challenge file in my browser, I get a page of the WordPress installed on this domain.
It shows the WordPress-internal "page not found".

Short:

Instead of showing the ACME challenge file, the installed WordPress shows "file not found".
So there seems to be a redirect problem or something like that.

The response shows the first lines of the source code of the WordPress page.

How to solve it? Any idea?
 
In the root directory there is an .htaccess.

PHP:
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

This seems to be the standard .htaccess file of a normal WordPress installation.

Before trying to exclude something - the site works without it, and the error remains.
So I can't explain to myself why this happens.
 
Do you use any proxy for your website? Nginx, Varnish, CloudFlare, something else?

When looking at the response code below, it seems a regular WordPress page is served, which shouldn't be the case for a default WordPress setup on Plesk.
Code:
Detail: Invalid response from https://example.org/.well-known/acme-challenge/PsxAS03I_GL495WFlSzXYZW-PCMvcqW78w6-DGndiCM [116.202.xxx.xxx]: "<!DOCTYPE html>\n<html lang=\"de-DE\">\n<head>\n\t<meta charset=\"UTF-8\" />\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n\t<lin"

What happens when you try to visit https://example.org/.well-known/acme-challenge/PsxAS03I_GL495WFlSzXYZW-PCMvcqW78w6-DGndiCM from your browser?
 
I now tried something different: in the root directory of the domain there is only the folder structure for the ACME challenge.
When I try to open it via browser, I get the message "file not found".

Log output from Plesk:

Code:
65260#0: *92085 openat() "/var/www/vhosts/default/htdocs/.well-known/acme-challenge/TbfJOnXJkeHo04HD7I7ETNincXt0SNJwRwW62MnReTY" failed (2: No such file or directory)

But this is the wrong path?! So why is the system looking for the challenge file in the default folder instead of the .well-known folder of the domain root directory?!

Checked logfile for other domains - the same...

@Rasp: Domains run in nginx proxy mode.
 
That is the correct, expected behavior. In earlier Plesk versions the SSL certs were stored inside the document root directory. That led to problems with certs for redirects, so Plesk moved them into a virtual directory that is hosted outside the subscription directory structure.

Have you checked Rasp's suggestion whether proxies like Cloudflare are used? It just seems to not reach the right location on your host when the challenge is requested. Is the IP set correctly or could it be that this was previously hosted elsewhere and the IP is routing requests to a different host?
 
@Peter Debik: No Cloudflare or anything else.


According to your last answer: you wrote that the challenge is now in a virtual directory and no longer in the subscription directory...

File location for the actual challenge:

/var/www/vhosts/domain.tld.eu/httpdocs/.well-known/acme-challenge
 
Is the web configuration troubleshooter showing any issues? Have you tried to reconfigure the web server configuration files of the domain? They may be broken.
 
No error shown.

BUT ..... I reconfigured the domain and now it works.

Difference: by renewing the configuration, these lines were removed:

PHP:
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
    root /var/www/vhosts/default/htdocs;

    types { }
    default_type text/plain;

    satisfy any;
    auth_basic off;
    allow all;

    location ~ ^/\.well-known/acme-challenge.*/\. {
        deny all;
    }
}
#extension letsencrypt end

Strange thing... OK, now it's a fact that I'm at the rate limit for the domains. I have to wait some days before activating the cron jobs again.
But manually I had success with 3 domains and their subdomains.
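The two log lines quoted in this thread (the ACME "Invalid response" detail and the nginx openat() failure) are enough to tell the two failure modes apart: a web page answering instead of the plain-text token, versus nginx looking for the token in a different directory than the one the extension wrote it to. The following is an added example, not code from Plesk or from anyone in the thread; the sample lines are constructed with placeholder token, IP and domain, and the directory names are taken from the posts above.

```python
import re

# Constructed sample lines, modelled on the ones quoted in this thread.
# Token, IP and domain are placeholders, not real values.
ACME_DETAIL = ('Detail: Invalid response from https://example.org/.well-known/'
               'acme-challenge/TOKENPLACEHOLDER [116.202.xxx.xxx]: '
               '"<!DOCTYPE html>\\n<html lang=\\"de-DE\\">\\n<head>"')
NGINX_ERR = ('65260#0: *92085 openat() "/var/www/vhosts/default/htdocs/.well-known/'
             'acme-challenge/TOKENPLACEHOLDER" failed (2: No such file or directory)')

ACME_RE = re.compile(r'Invalid response from \S+/\.well-known/acme-challenge/'
                     r'(?P<token>[^\s\]]+) \[[^\]]*\]: "(?P<body>.*)"')
NGINX_RE = re.compile(r'openat\(\) "(?P<root>.+?)/\.well-known/acme-challenge/'
                      r'(?P<token>[^"/]+)" failed \((?P<errno>\d+)')


def acme_response_kind(line):
    """Classify what the ACME validator got back for the challenge URL.
    'html' means a web page answered instead of the plain-text token, which
    is what a catch-all rewrite (the WordPress index.php rule) produces."""
    m = ACME_RE.search(line)
    if not m:
        return None
    body = m.group('body').lstrip().lower()
    kind = 'html' if body.startswith(('<!doctype html', '<html')) else 'other'
    return {'token': m.group('token'), 'kind': kind}


def nginx_challenge_lookup(line):
    """Extract where nginx actually looked for the token on disk."""
    m = NGINX_RE.search(line)
    if not m:
        return None
    return {'root': m.group('root'), 'token': m.group('token'),
            'missing': m.group('errno') == '2'}   # errno 2 = ENOENT


def diagnose(nginx_line, token_written_under):
    """Compare nginx's lookup root with the directory the extension wrote the
    token to (e.g. the subscription's httpdocs). A mismatch is the symptom
    described in this thread: a stale 'root' in the letsencrypt location block."""
    look = nginx_challenge_lookup(nginx_line)
    if look is None:
        return 'no openat() challenge line found'
    if look['missing'] and look['root'] != token_written_under:
        return (f"mismatch: nginx serves /.well-known/acme-challenge/ from "
                f"{look['root']} but the token was written under {token_written_under}")
    return 'challenge root consistent'


if __name__ == '__main__':
    print(acme_response_kind(ACME_DETAIL))
    print(diagnose(NGINX_ERR, '/var/www/vhosts/domain.tld.eu/httpdocs'))
```

Feed it the real lines from /var/log/plesk/panel.log and the domain's nginx error log; if `diagnose` reports a mismatch, reconfiguring the domain (as done above) regenerates the location block with the right root.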
 
@Peter Debik & @Rasp - here is my update regarding this issue...


After 7 days of waiting (IP rate limit of Let's Encrypt) I reactivated the 6 cron jobs in Plesk.

Extension sslit:

Code:
/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/sslit/scripts/keep-secured.php'

/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/sslit/scripts/panel-notifications.php'

/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/sslit/scripts/complete-order.php'

/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/sslit/scripts/daily-tasks.php'

Extension Let's Encrypt:

Code:
/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php'

/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/remove-expired-tokens.php'


Result:

After the cron jobs started, I got about 50 mails - 3 mails with a message that the certificates of the subscriptions have been renewed successfully.
All other mails show the error that the acme-challenge failed - the same error message as before (thread #1).


General question:

I see two cron jobs called keep-secured - to my understanding, and given the fact that Let's Encrypt has worked as a plugin for SSLIT since a few updates ago, it should be only one process. Both extensions seem to do the same job.

/opt/psa/var/modules/letsencrypt/etc/... - Let's Encrypt creates and stores certificates

/opt/psa/var/modules/sslit/etc/... - SSLIT creates and stores certificates
 
Thank you.

Last week I enabled the common challenge directory; today it was disabled again.
So yesterday the renewal tried the .well-known folder in the subscription again.
 