I am trying to install a Let's Encrypt SSL certificate to a subscription held on a Plesk install.
I am running the following version of Plesk;
Plesk Onyx Version 17.8.11 Update #11
I then navigate to
Subscriptions > Domain > Lets Encrypt
From the setup screen I do not change anything, so
'Include a "www" subdomain for the domain and each selected alias'
and
'Secure webmail on this domain'
Remain unchecked. However, when I try to install the cert I get the following error;
Error: Could not issue a Let's Encrypt SSL/TLS certificate for domain.org.
The authorization token is not available at http://example.com/.well-known/acme-challenge/key.
The token file 'C:\Inetpub\vhosts\example.com\httpdocs\\.well-known\acme-challenge\key' is either unreadable or does not have the read permission.
To resolve the issue, correct the permissions on the token file to make it is possible to download it via the above URL.
See the related Knowledge Base article for details.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/umis0L7-OVlu7SrSjMFHBsu-T7Cx0hwFS-WMxHgZgNA.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example.com/.well-known/acme-challenge/key: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-sc"
It give a link to the following KB;
Plesk Suggested KB article
Which suggest I check the DNS resovles, so ipconfig shows me that the domain is pointing to the right IP.
However I dont have the ability for IPv6 and when i go to
domains > example.com> Web Hosting Access
I do not have the ability to select this.
Now from RDP to the server and looking I can see the directory structure is created i..e
.well-known > acme-challenge > key file
is created? Can anyone help with what the issue could be here please?
Check if the domain name resolves to IPv6 or not:
dig AAAA google.com #8.8.8.8
Check permissions for token file well-known > acme-challenge > key file
Try to access this file via browser, or create a new test text file inside of the acme-challenge folder and try to access it. There is a possibility that web.config file can cause the issue.
Related
I know this question has been asked several times, but I need some specific help as I've been taking advice from several other threads and nothing has worked to this point.
I'm trying to renew my SSL certificate in Ubuntu 14.04 using certbot-auto renew, and I'm running an Apache2 server and nginx. I'm getting the following output for certbot-auto renew:
root#PostgreSQLServer:/# sudo certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/my-domain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/my-domain.com.conf produced an unexpected error: Failed authorization procedure. my-domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my-domain.com
Type: unauthorized
Detail: Invalid response from
http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I ensured the .well-known folder exists in /var/www/my-domain.com/public_html and when I navigate to http://my-domain.com/.well-known/ in my browser, I am able to see the contents of that directory. I also added an acme-challenge folder in .well-known and included a test.txt file for testing; I was able to access the directory and the text file in my browser.
I found that the acme-challenge folder was not created when I ran the certbot-auto command so it seems to be a permissions issue. I am running certbot-auto as root, but also gave write permissions to www-data user on the .well-known and acme-challenge folders (root and www-data users are running the apache2 and nginx processes).
Even after granting that write permission, I still get the 404 error detailed above.
I also have an automated cert renewal process running via crontab and I have the output being logged to a local file. In that log file, I see the renewal request seemed to be working correctly until certbot-auto was upgraded from 0.9.3 to 0.10.1. Here's a sample from the log file when the upgrade took place:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
No renewals were attempted.
Upgrading certbot-auto 0.9.3 to 0.10.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (failure)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: offensively-bad.com
Type: unauthorized
Detail: Invalid response from
http://offensively-bad.com/.well-known/acme-challenge/tkSc8l-r1XVPIF5TosTbEXiYMa8sQnoXEjAEgAwRoqI:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
You can see that after upgrading, the process began failing with a 404 message.
I've tried all the advice I could find online and am completely stumped, so any help would be much appreciated. Thanks in advance!
My problem was a too old certbot version on my raspberry pi raspbian Stretch:
certbot --version
Gave
certbot 0.10.2
apt-get install python-certbot-apache -t stretch-backports
Did the trick:
certbot 0.21.1
And then just
certbot --apache -d domain.com
Hope this helps!
I had to edit this conf file: /etc/letsencrypt/renewal/offensively-bad.com.conf and modify the line below [[webroot_map]]:
[[webroot_map]]
offensively-bad.com = /path/to/what/certbot/thinks/is/the/correct/webroot/path/initially/specified/by/the/user
In my case, I changed it to
offensively-bad.com = /var/www/offensively-bad.com/public_html/
Thanks to the forum at letsencrypt for helping me out.
We have logger adapter "WLClientLogReceiver". When we tried to hit the REST service using below link to get adapter details we got 404 error
https://example.com/worklightadmin/management-apis/1.0/runtimes/myruntimename/adapters/WLClientLogReceiver
Respnse:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /worklightadmin/management-apis/1.0/runtimes/myruntimename/adapters/WLClientLogReceiver was not found on this server.</p>
<hr>
<address>IBM_HTTP_Server at example.com Port 443</address>
</body></html>
The 404 seems to suggest the URL is wrong. If the URL were indeed proper , then a message such as - " The adapter \"WLClientLogReceiver\" of the runtime \"yourruntime\" does not exist in the MobileFirst administration database" is returned, in case you query for a missing adapter.
To test:
a)
The URL - "https://example.com/worklightadmin/management-apis/1.0/runtimes/myruntimename/adapters?" returns metadata of all deployed adapters.
Check if you get the list of all adapters and see if WLClientLogReceiver is in the list.
b) If that also gives you a 404 :
If you are deployed on a standalone server, your admin context might be different - for standalone servers ,it is by default "wladmin" as opposed to "worklightadmin" in the Development server. Verify your context root.
I installed Alfresco on Windows 7 with the executable default install.My installation is Alfresco community version (5.0.d).
I tried to configue SSL link. I changed the file named generate_keystores.bat located in D:\Alfresco\alf_data\keystore.
It makes me generate my self-signed certificates.
Then I replaced all .keystore and .truststore with my certificates and I also imported certificates into Java's keystore which is named cacerts.
I configured Tomcat server to browse my /share only in https.
When I run it all things look prefect, but I cannot search users and site with it.
It seems the indexing has broken and the solr.log output ERROR logs:
2015-10-13 21:11:15,007 ERROR
[org.alfresco.solr.tracker.AbstractTracker] Tracking failed
org.alfresco.error.AlfrescoRuntimeException: 09132881
api/solr/aclchangesets return status:403
at org.alfresco.solr.client.SOLRAPIClient.getAclChangeSets(SOLRAPIClient.java:159)
at org.alfresco.solr.tracker.AclTracker.checkRepoAndIndexConsistency(AclTracker.java:347)
at org.alfresco.solr.tracker.AclTracker.trackRepository(AclTracker.java:313)
at org.alfresco.solr.tracker.AclTracker.doTrack(AclTracker.java:104)
at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:153)
at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
'2015-10-13 21:11:15,012 ERROR [org.alfresco.solr.tracker.AbstractTracker] Tracking failed
org.alfresco.error.AlfrescoRuntimeException: 09132882 GetModelsDiff return status is 403
at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1091)
at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:249)
at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:207)
at org.alfresco.solr.tracker.ModelTracker.doTrack(ModelTracker.java:167)
at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:153)
at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Could anybody tell me the reason of this issue?
I am currently trying to use embeded Tomcat for my application and am trying to set it up to get the URL of the http request.
Some Background:
I am using the same code as in the first answer for the post here : Howto embed Tomcat 6?
The only change I have made is :
private String catalinaHome = "/home/xyz/tomcat"; // This dir is created and has full access permissions
Also , I am looking at: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/startup/Embedded.html
There are no server.xml and tomcat-users.xml that I could find, so I created a tomcat-users.xml since I was getting an exception :Memory database file /home/xyz/tomcat/conf/tomcat-users.xml cannot be read .
tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
The code uses container.setRealm(new MemoryRealm());
It appears from here : http://tomcat.apache.org/tomcat-4.1-doc/catalina/funcspecs/fs-memory-realm.html that I should have a server.xml file and there should already be one created by default.
1] Do I need to create a server.xml, what should be the default in it ?
I have put a file with default from here : http://www.akadia.com/download/soug/tomcat/html/tomcat_server_xml.html , but just want to know what is the right thing to do ?
2]When I access http://localhost:8089/mywebapp/index.html, all i get is The requested resource () is not available, though I have an index.html page at the "webappDir" in the code
3] My only need from the embedded tomcat is to intercept so as to get the URL passed to tomcat in my code. I can then parse the URL [do my stuff] and then create a http payload and send an http response back.
I would appreciate any pointers, especially for 3] ?
Thanks!
Ok, for your first question, yo do not need server.xml. If you check the code of your initial post they are setting the parameters there. So that is what server.xml would encapsulate. In reality what happens is that Tomcat will parse server.xml for the properties you are defining on your java file where you instanciate the catalina call to start. But since it is embedded you are setting all those parameters on you class instead.
For your second question, check your logs directory and see what is being parsed. Something is happening after your service starts because it should already redirect you once you call the port. either way, just try http://localhost:8089 and see what you get back in return from tomcat. It should give you some kind of response back from the server itself.
if you do it like this "http://localhost:8089/mywebapp/index.html" you are trying to access a created context, and that might not be configured correctly, but that is just a guess right now.
Try this first and tell me what you get back. we can troubleshoot from this point and see if I can help more in that sense.
Quick question, is this windows or linux you are installing on?
If it is linux the configurations filea are located usually on /etc/tomcat6. (at least on ubuntu they are). Reply back with the version you have installed. I might be able to help you out.
I guess I should also elaborate here a little more. Tomcat is a service in linux as well, so in ubuntu you have to start tomcat in order to access it.
$: sudo service tomcat6 start
then it starts tomcat on port 8080 (usually if not changed) of your localhost. hence you type localhost:8080 to access the website for configuration of tomcat that gives you a It works prompt for you.
Let me know if you have more questions, I will try to respond to the best of my knowledge
I have a fla (using ActionScript 3.0) I am compiling in Flash. I am using URLRequest and URLLoader to access a http webservice.
var loader:URLLoader = new URLLoader();
var request:URLRequest = new URLRequest("http:test.webservice.com");
try {
loader.load(request);
} catch (error:Error) {
trace("Unable to load requested document.");
}
This works fine - however if I try and access a https address I get
httpStatusHandler: [HTTPStatusEvent type="httpStatus" bubbles=false cancelable=false eventPhase=2 status=0]
ioErrorHandler: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032: Stream Error. URL: https://test.webservice.com"]
How can I retrieve data from a https web service? Does the SWF have to be hosted on a SSL secured page?
If you install the flash debug player, you'll probably see the following in the log:
** Security Sandbox Violation ***
Connection to https://www.example.com/service/ halted - not permitted from http://www.example.com/your.swf
Error: Request for resource at https://www.example.com/service/ by requestor from http://www.example.com/your.swf is denied due to lack of policy file permissions.
By default a swf hosted in a http cannot access https --it's considered a different domain.
You'll need to set up the appropriate crossdomain.xml policy file, with care to verify the Content-Type is text/* or another whitelisted value. Additionally, you'll need a meta-policy file with "secure=false", which will allow https to be accessed from http.
<allow-access-from domain="www.example.com" secure="false" />
Further reading:
Policy file changes in Flash Player 9 and Flash Player 10
Check the crossdomain policy in the actionscript documentation.
http://kb2.adobe.com/cps/142/tn_14213.html
A secure server that allows access to movies hosted via a non-secure
protocol
It is not advisable to permit HTTP content to access HTTPS content.
This practice can compromise the security offered by HTTPS.
However, there may be cases where legacy Flash content is allowed
access to data of a HTTPS site. With Flash Player 7, this is no longer
allowed by default. To permit access to HTTPS data by Flash movies
served via HTTP, use the secure attribute in a "allow-access-from" tag
and set it to false.
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.company.com" secure="false" />
</cross-domain-policy>
It is saved as crossdomain.xml and placed on the site root of the
HTTPS server.