403 - Forbidden / client denied

Discussion in 'Installation/Configuration' started by mccharlet, Feb 20, 2016.

  1. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,

    I created a webroot configuration for letsencrypt with this configuration
    Alias /.well-known "/var/www/letsencrypt/.well-known"

    <IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "application/jose+json"
    Order allow,deny
    Allow from all
    </LocationMatch>
    </IfModule>

    have two ispconfig servers
    1. Apache 2.4 it's ok
    2. Apache 2.2 i have this error : client denied by server configuration: /var/www/letsencrypt/.well-known

    Thanks for your help

    BEts regrads
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to add a Directory directive for the /var/www/letsencrypt path and add a "Allow from all" there.
     
    mccharlet likes this.
  3. mccharlet

    mccharlet Member HowtoForge Supporter

    Thanks Till

    This is my new letsencrypt.conf file

    Alias /.well-known "/var/www/letsencrypt/.well-known"
    <Directory /var/www/letsencrypt>
    Allow from all
    </Directory>

    <IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "application/jose+json"
    </LocationMatch>
    </IfModule>
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Probably this file gets loaded before the ispconfig.conf file, so that you open the directory here and ispconfig closes it again later on. Try to add:

    <Directory /var/www/letsencrypt>
    Allow from all
    </Directory>

    at the end of the apache ispconfig.conf file in sites-available directory and restart apache.
     
  5. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,

    That works.

    What is the best configuration ?
    The ispconfig.conf will change after an update ?

    Bets regrads
     
  6. sjau

    sjau Local Meanie Moderator

  7. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi sjau,

    Yes i saw you tool and adapt to my needs few weeks ago. I don't follow the impovement of you tool. I adapt my version

    Best regards
     
  8. sjau

    sjau Local Meanie Moderator

    no worries, I just updated all the certs today and fixed some bugs in the renewer :) gl and hope the integrated version will be available soon.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. But you can e.g. add your own custom file that contains just these lines in sites-available, then enable it in sites-enabled, just ensure that the name in sites-enabled comes after 000-ispconfig.conf in alphabetic order..
     
  10. Nap

    Nap Member

    I have the same problem. I added
    Code:
    <Directory /var/www/.well-known>
      Require all granted
    </Directory>
    
    to the end of my ispconfig.conf file in sites-available, but it didn't work after restarting apache2.4. The permissions on .well-known and acme-challenge are both 777.

    I have Options -Indexes in my ispconfig.conf and ispconfig.vhost files, could that be causing the problem?

    phpMyAdmin and Squirrelmail both work fine. I switched Squirrelmail to https a couple days ago.

    Edit:
    I already have letsencrypt-webroot.conf which contains:
    Code:
      RewriteEngine On
      Alias /.well-known /var/www/.well-known
      <Directory /var/www/.well-known>
      Options +FollowSymLinks
      AllowOverride All
      Require all granted
      </Directory>
    
     
    Last edited: Feb 28, 2016
  11. Nap

    Nap Member

    My server just won't let me browse /.well-known for some reason that I cannot figure out.

    Here is a log of a variation of sjau's script:

    - Renewal in 60 days
    - Domain: mydomain.net
    - Query MySQL whether it's a vhost.
    - Sub-Domain(s):
    - 'mydomain.net' has DNS mbox.
    - Email source webmaster@mydomain.net
    - Prepare Server for webroot authentication.
    - Disabling necessary Server Modules
    - Run Let's Encrypt Tool
    /opt/letsencrypt/letsencrypt-auto --text --agree-tos --renew-by-default --rsa-key-size 4096 --email 'webmaster@mydomain.net' -d 'mydomain.net' -d 'www.mydomain.net' -a webroot --webroot-path /var/www/ certonly
    Failed authorization procedure. mydomain.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.net/.well-known/acme-challenge/DOaNM66FgRSLWkHDyM9veIUBamG2oGHuKvQsVND6bmQ [ww.xx.yy.zz]: 403, www.mydomain.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.net/.well-known/acme-challenge/BGIsLjvl9uuTUJgUbgDU3eXQaSC64XsIeGl9yiOnKKc [ww.xx.yy.zz]: 403
    Sorry, there was some error. Please check:
    Checking for new version...
    Requesting root privileges to run letsencrypt...
    /root/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade --text --agree-tos --renew-by-default --rsa-key-size 4096 --email webmaster@mydomain.net -d mydomain.net -d www.mydomain.net -a webroot --webroot-path /var/www/ certonly
     
  12. Nap

    Nap Member

    Working with a particular client, I setup some aliases pointing to a file index.html:
    I setup an alias to /usr/share/me and it works. 755 for both the folder & file.
    I also setup an alias to /opt/me and it works. 755 for both the folder & file.
    I setup an alias to /root/data, with 755 permisions on ./data and 777 on index.html, but can't access it.
    var/www/letsencrypt/.well-known/acme-challenge (755/755/777/777/777) on the folders, and 777 on index.html in .well-known & acme-challenge, but I can't access them.

    All owners are root:root.

    Cheers,
    Nap
     
  13. sjau

    sjau Local Meanie Moderator

    please post the configs for that site
     
  14. Nap

    Nap Member

    <Directory /var/www/mydomain.com>
    AllowOverride None
    Require all denied
    </Directory>

    <VirtualHost *:80>
    DocumentRoot /var/www/mydomain.com/web

    ServerName mydomain.com
    ServerAlias www.mydomain.com
    ServerAlias forum.mydomain.com
    ServerAlias applic.mydomain.com
    ServerAdmin webmaster@mydomain.com

    ErrorLog /var/log/ispconfig/httpd/mydomain.com/error.log

    Alias /error/ "/var/www/mydomain.com/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/mydomain.com/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>
    <Directory /var/www/clients/client2/web10/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>

    <IfModule mod_ruby.c>
    <Directory /var/www/mydomain.com/web>
    Options +ExecCGI
    </Directory>
    RubyRequire apache/ruby-run
    #RubySafeLevel 0
    AddType text/html .rb
    AddType text/html .rbx
    <Files *.rb>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    </Files>
    <Files *.rbx>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    </Files>
    </IfModule>

    <IfModule mod_perl.c>
    PerlModule ModPerl::Registry
    PerlModule Apache2::Reload
    <Directory /var/www/mydomain.com/web>
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    </Directory>
    <Directory /var/www/clients/client2/web10/web>
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    </Directory>
    <Files *.pl>
    SetHandler perl-script
    </Files>
    </IfModule>

    <IfModule mod_python.c>
    <Directory /var/www/mydomain.com/web>
    <FilesMatch "\.py$">
    SetHandler mod_python
    </FilesMatch>
    PythonHandler mod_python.publisher
    PythonDebug On
    </Directory>
    </IfModule>

    # cgi enabled
    <Directory /var/www/clients/client2/web10/cgi-bin>
    Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/clients/client2/web10/cgi-bin/
    <FilesMatch "\.(cgi|pl)$">
    SetHandler cgi-script
    </FilesMatch>
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web10 client2
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
    IdleTimeout 300
    ProcessLifeTime 3600
    # MaxProcessCount 1000
    DefaultMinClassProcessCount 0
    DefaultMaxClassProcessCount 100
    IPCConnectTimeout 3
    IPCCommTimeout 600
    BusyTimeout 3600
    </IfModule>
    <Directory /var/www/mydomain.com/web>
    <FilesMatch "\.php[345]?$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php3
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php4
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php5
    Options +ExecCGI
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client2/web10/web>
    <FilesMatch "\.php[345]?$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php3
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php4
    FCGIWrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter .php5
    Options +ExecCGI
    AllowOverride All
    Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^forum\.mydomain\.com$ [NC]
    RewriteCond %{REQUEST_URI} !^/webdav/
    RewriteCond %{REQUEST_URI} !^/php5-fcgi/
    RewriteCond %{REQUEST_URI} !^/forum/

    RewriteRule ^/(.*)$ /forum/$1

    RewriteCond %{HTTP_HOST} ^applic\.mydomain\.com$ [NC]
    RewriteCond %{REQUEST_URI} !^/webdav/
    RewriteCond %{REQUEST_URI} !^/php5-fcgi/
    RewriteCond %{REQUEST_URI} !^/applic/

    RewriteRule ^/(.*)$ /applic/$1


    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web10 client2
    </IfModule>

    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client2/web10/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client2/web10/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>

    <IfModule mod_fcgid.c>
    FcgidConnectTimeout 20

    <IfModule mod_mime.c>
    AddHandler fcgid-script .fcgi
    MaxRequestLen 20971520
    </IfModule>
    </IfModule>


    RewriteEngine On
    Alias /t1 /root/data
    <Directory /root/data>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted
    </Directory>


    RewriteEngine On
    Alias /t2 /usr/share/me
    <Directory /usr/share/me>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted
    </Directory>

    RewriteEngine On
    Alias /t3 /opt/me
    <Directory /opt/me>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted
    </Directory>

    </VirtualHost>
    <VirtualHost *:443>

    This is the same as the http section

    </VirtualHost>
     
  15. Nap

    Nap Member

    Here is a list of modules I'm running on my Apache server:
    Loaded Modules:
    core_module (static)
    so_module (static)
    watchdog_module (static)
    http_module (static)
    log_config_module (static)
    logio_module (static)
    version_module (static)
    unixd_module (static)
    access_compat_module (shared)
    actions_module (shared)
    alias_module (shared)
    auth_basic_module (shared)
    auth_digest_module (shared)
    authn_core_module (shared)
    authn_file_module (shared)
    authz_core_module (shared)
    authz_host_module (shared)
    authz_user_module (shared)
    autoindex_module (shared)
    cgi_module (shared)
    dav_module (shared)
    dav_fs_module (shared)
    deflate_module (shared)
    dir_module (shared)
    env_module (shared)
    fastcgi_module (shared)
    fcgid_module (shared)
    filter_module (shared)
    flvx_module (shared)
    headers_module (shared)
    include_module (shared)
    mime_module (shared)
    mpm_prefork_module (shared)
    negotiation_module (shared)
    php5_module (shared)
    python_module (shared)
    rewrite_module (shared)
    setenvif_module (shared)
    socache_shmcb_module (shared)
    ssl_module (shared)
    status_module (shared)
    suexec_module (shared)
    suphp_module (shared)
    unique_id_module (shared)
     
  16. Nap

    Nap Member

    I don't have either SELinux or apparmor installed.
    My Apache error log shows the following errors:

    [Mon Feb 29 21:24:07.119019 2016] [authz_core:error] [pid 6512] [client ww.xx.yy.zz:65375] AH01630: client denied by server configuration: /var/www/letsencrypt/.well-known
    [Mon Feb 29 21:24:08.603192 2016] [authz_core:error] [pid 6512] [client ww.xx.yy.zz:65375] AH01630: client denied by server configuration: /var/www/letsencrypt/.well-known
    [Mon Feb 29 21:24:49.392338 2016] [authz_core:error] [pid 6574] [client ww.xx.yy.zz:47350] AH01630: client denied by server configuration: /var/www/mydomain.com/web/.well-known
    [Mon Feb 29 21:27:12.981786 2016] [authz_core:error] [pid 6894] [client ww.xx.yy.zz:16211] AH01630: client denied by server configuration: /var/www/mydomain.com/web/.well-known
    [Mon Feb 29 21:27:15.051538 2016] [authz_core:error] [pid 6894] [client ww.xx.yy.zz:16211] AH01630: client denied by server configuration: /var/www/mydomain.com/web/.well-known
    [Mon Feb 29 21:28:45.797448 2016] [core:error] [pid 6896] (13)Permission denied: [client ww.xx.yy.zz:11458] AH00035: access to /t1 denied (filesystem path '/root/data') because search permissions are missing on a component of the path
    [Mon Feb 29 22:02:04.920008 2016] [core:error] [pid 9045] (13)Permission denied: [client ww.xx.yy.zz:24853] AH00035: access to /t1 denied (filesystem path '/root/data') because search permissions are missing on a component of the path
     
  17. Nap

    Nap Member

    I managed to get /root/data working by setting the execute flag for OTHERS on the root folder.
    However, /var/www/letsencrypt/.well-known has the flag set on all folders in the path.
    So the question now is what is special in my setup about how apache is handling this path?
     
  18. Nap

    Nap Member

    At last I got it working. I needed to include Allow from all in the letsencrypt-ispconfig.conf settings.
    This is really weird as that is an apache2.2 directive.

    Having fixed this, my version of sjau's script is working fine and I have received and installed my first signed certificate for the domain I've been working with.
     

Share This Page