
[SOLVED] Vesta + Let's Encrypt + Drupal Multisite authorization problem while issuing certificate

Posted: Sat Dec 19, 2015 4:17 pm
by vlahonick
I have a Drupal multisite installation with Vesta and Let's Encrypt. The problem is that when I try to issue a certificate for a domain included in the multisite, I get the following error:

Code:

Failed authorization procedure. WWW.MY-DOMAIN.COM (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://WWW.MY-DOMAIN.COM/.well-known/acme-challenge/0VLqD9bONDUvfoRB8vnRsvLqqznZsKgooYDE8QDE9xE [MY-IP-HERE]: 404, MY-DOMAIN.COM (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://MY-DOMAIN.COM/.well-known/acme-challenge/f9aEPtCrIRortvYqQtoTaYNHNVGkE3QvGfTadvNzuPY [MY-IP-HERE]: 404

I found somewhere that there was an issue with the Drupal .htaccess, but I got the error above with the .htaccess disabled and without, so it has to be something else.

The command I used to issue the let's encrypt certificate was:

Code:

letsencrypt --webroot -w /home/admin/web/MY-DOMAIN.COM/public_html/ -d MY-DOMAIN.COM -d WWW.MY-DOMAIN.COM --agree-tos --email [email protected] --verbose

I tried to issue certificates for my main multisite domain and for other domains as well but all failed. On the other hand, certificates issued for other domains (not included in the multisite) are working fine.

Re: [SOLVED] Vesta + Let's Encrypt + Drupal Multisite authorization problem while issuing certificate

Posted: Fri Dec 25, 2015 10:05 pm
by vlahonick
After a lot of searching and experimentation, I found the answer. Actually, there are two parameters that should be taken into consideration by those who crave a Drupal multisite + Vesta + Let's Encrypt.

1. Before trying to install any certificate in your Drupal multisite, go to your apache2.conf and undo any changes you might have made to the Document Root. Otherwise the Let's Encrypt Apache plugin will be unable to find the actual webroot to install the certificate. If you do not do this, you will probably end up with Let's Encrypt generating some 404 error about not finding some files in the .well-known/acme-challenge folder. After successfully issuing the certificates, you can repair your apache2.conf document root for your multisite.

2. If you wish to install a Let's Encrypt certificate in the main site of your Drupal multisite, you should temporarily disable your .htaccess. If you do not, a 403 error about authentication authorization appears. So you should rename your .htaccess to something else, issue the certificate with the normal process and then restore the .htaccess. If you need more on this issue, read here: https://community.letsencrypt.org/t/dru ... ation/3014.

Re: [SOLVED] Vesta + Let's Encrypt + Drupal Multisite authorization problem while issuing certificate

Posted: Thu Dec 31, 2015 2:22 am
by kodiak
You should be able to avoid having Drupal's (or any other app's) rewrites interfere with webroot auth by using a common webroot directory for all of your domains, accessed by an Alias set in your main Apache config. Apache will route requests there before it gets to the site, so the .htaccess will never be parsed.

Create a common directory to use as your webroot for all LE certs, such as /etc/letsencrypt/webroot:

Code:

mkdir -p /etc/letsencrypt/webroot

Then create a letsencrypt.conf file in your Apache conf.d directory (/etc/httpd/conf.d in RHEL, Fedora, CentOS, etc., but it varies with other Linux distros):

Code:

Alias /.well-known/acme-challenge /etc/letsencrypt/webroot/.well-known/acme-challenge


When you request a cert, be sure to specify "--webroot -w /etc/letsencrypt/webroot"

If you're interested in a fully automated solution, check out https://github.com/interbrite/letsencrypt-vesta.
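
An added example, not part of kodiak's post or of the letsencrypt-vesta project: a static pre-flight check that the Alias in an Apache config file points at exactly the directory the webroot plugin writes to for a given `-w` value. The function name `check_acme_alias` and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check_acme_alias is a hypothetical helper, not part of
# Vesta, Apache or the Let's Encrypt client.
# Usage: check_acme_alias CONF_FILE WEBROOT   (WEBROOT = the value given to -w)
# Prints ok | missing | mismatch | no-webroot | unreadable; returns 0 only for ok.
check_acme_alias() {
    caa_conf=$1
    caa_webroot=${2%/}                  # tolerate a trailing slash on -w
    # The webroot plugin writes each challenge token under this directory.
    caa_want="$caa_webroot/.well-known/acme-challenge"

    [ -r "$caa_conf" ] || { echo unreadable; return 2; }
    [ -d "$caa_webroot" ] || { echo no-webroot; return 1; }

    # Target of the first active Alias for the challenge URL path. Directive
    # names are case-insensitive; commented-out lines never match.
    caa_target=$(awk '
        { gsub(/"/, "") }
        tolower($1) == "alias" && $2 ~ /^\/\.well-known\/acme-challenge\/?$/ {
            sub(/\/$/, "", $3); print $3; exit
        }' "$caa_conf")

    [ -n "$caa_target" ] || { echo missing; return 1; }
    # With any other target, Apache looks for the token in a directory the
    # client never wrote to.
    [ "$caa_target" = "$caa_want" ] || { echo mismatch; return 1; }
    echo ok
}

# Constructed sample: the Alias line from the post, relocated to a temp dir.
caa_tmp=$(mktemp -d)
mkdir -p "$caa_tmp/webroot" "$caa_tmp/public_html"
printf 'Alias /.well-known/acme-challenge %s/webroot/.well-known/acme-challenge\n' \
    "$caa_tmp" > "$caa_tmp/letsencrypt.conf"
check_acme_alias "$caa_tmp/letsencrypt.conf" "$caa_tmp/webroot" || true       # ok
check_acme_alias "$caa_tmp/letsencrypt.conf" "$caa_tmp/public_html/" || true  # mismatch
rm -rf "$caa_tmp"
```

The check only reads the config file; it does not confirm that Apache has loaded it or that the path is reachable from outside.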

Re: [SOLVED] Vesta + Let's Encrypt + Drupal Multisite authorization problem while issuing certificate

Posted: Thu Dec 31, 2015 10:44 am
by vlahonick
kodiak wrote: You should be able to avoid having Drupal's (or any other app's) rewrites interfere with webroot auth by using a common webroot directory for all of your domains, accessed by an Alias set in your main Apache config. Apache will route requests there before it gets to the site, so the .htaccess will never be parsed.
Sounds great! I will test it as soon as possible in a clean Debian 8 + Vesta + Drupal 7 installation and then I will try it out with WordPress and Joomla.

Can you tell me the command you use for issuing certificates?

I am using (with the .htaccess workaround and a letsencrypt native installation in Debian 8 Testing)
letsencrypt --webroot -w /home/admin/web/my-domain.com/public_html/ -d my-domain.com -d http://www.my-domain.com --agree-tos --email [email protected] --verbose
This way it works, but at some point I am getting a "semi-error" about no VHOST found and I have to choose between the defaults. I press cancel all the time (I didn't want to mess with any of the default files even though I think they are not being used by Vesta) but then I get "Congratulations" about my new successfully issued certificate.
Is there anything we can do here? A workaround for the wizard to find the correct VHOST, or is it not even necessary? I assume that this problem will remain even with your solution since it is about vhost.

Re: [SOLVED] Vesta + Let's Encrypt + Drupal Multisite authorization problem while issuing certificate

Posted: Sun Jan 03, 2016 3:26 am
by kodiak
You should add "certonly" to the end of your command. That way the Let's Encrypt client will handle the certificate generation, but it won't try to update your Apache and/or Nginx configurations.

Also, not sure it makes a difference, but you should be specifying only domain names, not URLs, for your -d (domain) flags. For example:

Code:

-d my-domain.com -d www.my-domain.com

Since you asked, here's the command I use:

Code:

letsencrypt-auto -t --renew-by-default --agree-tos --webroot -w /etc/letsencrypt/webroot \
    --server https://acme-v01.api.letsencrypt.org/directory -d my-domain.com,www.my-domain.com \
    -m [email protected] certonly

Re: [SOLVED] Vesta + Let's Encrypt + Drupal Multisite authorization problem while issuing certificate

Posted: Wed Jul 20, 2016 8:15 am
by skurudo
LetsEncrypt support added.
CLI commands for now, GUI will be later.

Code:

v-add-letsencrypt-domain USER DOMAIN [ALIASES] [RESTART]
v-add-letsencrypt-user USER [EMAIL]
v-check-letsencrypt-domain USER DOMAIN
v-list-letsencrypt-user USER [FORMAT]
v-sign-letsencrypt-csr USER DOMAIN CSR_DIR [FORMAT]
v-update-letsencrypt-ssl

ENG: viewtopic.php?t=11927
RUS: viewtopic.php?t=11905