Lets Encrypt 403 - The client lacks sufficient authorization. Drupal 7 Site - apache

When trying to generate the Let's Encrypt cert I am getting the following 403.
[ec2-user@myip html]$ /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d example.com -d www.example.com --config /etc/letsencrypt/config.ini --agree-tos
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/html/myroot -d example.com -d www.example.com --config /etc/letsencrypt/config.ini --agree-tos
Version: 1.1-20080819
Version: 1.1-20080819
Failed authorization procedure. mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/IDug1d_rT8rZNPQQfdsgfdgsdfBKRJaHMTa3kulh4HnQ [52.30.98.10]: 403
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com
Type: unauthorized
Detail: Invalid response from http://example.com/.well-known/acme-challenge/IDug1d_rT8rZNPQQkjsdgfdgdfggdfajhsTa3kulh4HnQ [52.30.98.101]: 403
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.

How to Configure Let’s Encrypt on Drupal
To make your Drupal site work with Let's Encrypt, below are the changes required in the .htaccess file.
This line:
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
Swapped for this line:
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
And this line:
RewriteRule "(^|/)\." - [F]
Swapped for this line:
RewriteRule "(^|/)\.(?!well-known)" - [F]
Source:
https://support.cloudways.com/configure-drupal-lets-encrypt/
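To see exactly what those two patterns do with the challenge URL, here is an added Python harness (not part of the answer or of Drupal) that runs the original and patched regexes against constructed sample paths; it reproduces the page's patterns verbatim and only emulates how Apache applies them (RewriteRule to the webroot-relative path, FilesMatch to the basename).

```python
import re

# RewriteRule patterns: in an .htaccess file Apache matches them against the
# request path relative to the webroot (no leading slash); [F] answers 403.
REWRITE_ORIGINAL = re.compile(r"(^|/)\.")
REWRITE_PATCHED = re.compile(r"(^|/)\.(?!well-known)")

# FilesMatch patterns, split only to keep lines short; Apache applies
# <FilesMatch> to the file's basename, not to the full path.
_FILES_HEAD = (
    r"\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|"
    r"tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
)
_FILES_TAIL = (
    r"|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)
FILES_ORIGINAL = re.compile(_FILES_HEAD + r"|^(\..*" + _FILES_TAIL)
FILES_PATCHED = re.compile(_FILES_HEAD + r"|^(\.(?!well-known).*" + _FILES_TAIL)


def rewrite_forbids(pattern, path):
    """True if the RewriteRule would answer 403 for this request path."""
    return pattern.search(path) is not None


def filesmatch_forbids(pattern, path):
    """True if the FilesMatch block would deny the file this path names."""
    basename = path.rsplit("/", 1)[-1]
    return pattern.search(basename) is not None


def reachable(path, patched):
    """A file is served only if neither rule denies it."""
    rw = REWRITE_PATCHED if patched else REWRITE_ORIGINAL
    fm = FILES_PATCHED if patched else FILES_ORIGINAL
    return not rewrite_forbids(rw, path) and not filesmatch_forbids(fm, path)


if __name__ == "__main__":
    # Constructed sample paths; the token only mimics the shape of a real one.
    samples = [
        ".well-known/acme-challenge/IDug1d_SAMPLE_TOKEN",
        ".htaccess",
        "sites/default/.git/config",
        "sites/default/settings.php.bak",
        "misc/drupal.js",
    ]
    for p in samples:
        print(f"{p:48} original={reachable(p, False)} patched={reachable(p, True)}")
```

The output shows the challenge file becoming reachable while .htaccess, .git and editor backup files stay blocked; note that the lookahead has no trailing slash, so any directory whose name merely starts with .well-known is exempted as well.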

It turned out that Drupal's .htaccess file (rightly so) was not allowing the hidden file to be accessed. I temporarily renamed the .htaccess file to .temphtaccess and the authorisation worked.
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/myroot -d example.com -d www.example.com --config /etc/letsencrypt/config.ini --agree-tos
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/html/myroot -d example.com -d www.example.com --config /etc/letsencrypt/config.ini --agree-tos
Version: 1.1-20080819
Version: 1.1-20080819
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2016-07-17. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Related

How to install lets encrypt ssl in amazon linux AMI?

How to install Let's Encrypt SSL in Amazon Linux AMI? I want to implement the Let's Encrypt SSL for my domain.
There are a lot of solutions online; I think you have to keep on trying until you find one that works for you. After a lot of experimentation, what worked for me was following the certbot instructions for Apache and CentOS 6. The official link is here, but for consistency:
Run the following commands in the terminal:
Download Certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Execute Certbot
sudo /usr/local/bin/certbot-auto --apache
If there's an error message, read the warning and run (if you feel comfortable):
sudo /usr/local/bin/certbot-auto --apache --debug
Here, you may be asked to complete some fairly intuitive questions to configure your installation. If not, what worked for me won't work for you. :(
Automate Renewal
Test to see if renewing your certificate works:
sudo /usr/local/bin/certbot-auto renew --dry-run
If so, navigate to your system's crontab (usually somewhere around /etc/crontab/) and add the following code to check (and run, if necessary) an auto-renewal at midnight and noon every day:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
Here I will explain how to configure Let's Encrypt in Linux AMI. I did it successfully in my Linux AMI. I followed the following steps to get it done.
1. SSH into your server.
2. Download certbot (the Let's Encrypt client, which needs to be installed to renew and install SSL): **wget https://dl.eff.org/certbot-auto** then **chmod a+x certbot-auto**
3. Run certbot to fetch your certificates. Follow the code below:
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d YOUR_DOMAIN [Replace your domain in the YOUR_DOMAIN placeholder]
4. While generating, it will ask you for the recovery or support email; please add your email.
5. Certbot will place your certs in the following paths:
Certificate: /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
Full Chain: /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
Private Key: /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
6. Go to your Apache config where you created a virtual host; it can be either in httpd.conf or conf.d.
7. Add the virtual host for port 443:
<VirtualHost *:443>
ServerAdmin ADMIN_EMAIL
ServerName YOUR_DOMAIN
ServerAlias www.YOUR_DOMAIN
DocumentRoot "YOUR FOLDER PATH"
AllowEncodedSlashes On
ErrorLog "/var/log/httpd/YOUR_DOMAIN_error.log"
CustomLog "/var/log/httpd/YOUR_DOMAIN-sslaccess.log" common
<Directory "YOUR FOLDER PATH">
DirectoryIndex index.php
Options -Indexes
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
</VirtualHost>
You need to install Certbot if you are running CentOS 7 or 8, since certbot-auto is deprecated and doesn't work beyond CentOS 6.
You can check which CentOS you are running with the following command.
rpm -E %{rhel}
Then use this tutorial from Amazon to install Certbot in Amazon Linux:
sudo yum update
sudo yum install -y certbot python2-certbot-apache
If you get a "Package not found" error, then try the Prepare to Install section from the same blog.
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*

How to fix error setting SSL with certbot using?

I am trying to set up SSL for my PHP/Laravel application on Digital Ocean with Kubuntu 18, as in this article:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04
But I got an error trying to use certbot to obtain a free SSL certificate:
# sudo ufw status
Status: active
To Action From
-- ------ ----
Apache Full ALLOW Anywhere
443 ALLOW Anywhere
80 ALLOW Anywhere
22/tcp ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
# sudo certbot --apache -d products-catalog.nilov-sergey-demo-apps.tk -d www.products-catalog.nilov-sergey-demo-apps.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for products-catalog.nilov-sergey-demo-apps.tk
http-01 challenge for www.products-catalog.nilov-sergey-demo-apps.tk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.products-catalog.nilov-sergey-demo-apps.tk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.products-catalog.nilov-sergey-demo-apps.tk
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.products-catalog.nilov-sergey-demo-apps.tk
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.products-catalog.nilov-sergey-demo-apps.tk
products-catalog.nilov-sergey-demo-apps.tk is my domain, which I got on freenom.com, and searching I found a hint that
I need to add an A record for the www subdomain.
I tried to add a new record as in https://imgur.com/a/ijFxlzN
But trying to submit this page I got:
• Error occured: Invalid value in dnsrecord
What is wrong? Can the new record be the cause of my problem? Or do I need to go another way?
UPDATED # 2
Configuration in Apache is:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/lprods/public
ServerName products-catalog.nilov-sergey-demo-apps.tk
ServerAlias products-catalog.nilov-sergey-demo-apps.tk
<Directory /var/www/html/lprods/public>
AllowOverride All
Order Deny,Allow
Allow from all
Require all granted
</Directory>
Options FollowSymLinks
DirectoryIndex index.php
ErrorLog /var/www/html/lprods/storage/logs/error.log
CustomLog /var/www/html/lprods/storage/logs/access.log combined
</VirtualHost>
with line in /etc/hosts
138.68.107.5 products-catalog.nilov-sergey-demo-apps.tk
Can this be the issue with my problem?
UPDATED # 3
I did some more review and found the following:
The IP of my server is 138.68.107.4 and over ssh I enter the console of the OS as
ssh root@138.68.107.4
But in my /etc/hosts file I had the following lines pointing to some other hosts on this server:
# 127.0.0.1 localhost
127.0.0.1 localhost.localdomain localhost
138.68.107.4 box.example.com box
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
138.68.107.4 votes.nilov-sergey-demo-apps.tk
138.68.107.5 products-catalog.nilov-sergey-demo-apps.tk
138.68.107.6 csvp.nilov-sergey-demo-apps.tk
...
I modified the last 3 lines as:
138.68.107.4 votes.nilov-sergey-demo-apps.tk
138.68.107.4 products-catalog.nilov-sergey-demo-apps.tk
138.68.107.4 csvp.nilov-sergey-demo-apps.tk
But I am still not sure that this is a valid value, as I get the following error again:
# sudo certbot --apache -d products-catalog.nilov-sergey-demo-apps.tk -d www.products-catalog.nilov-sergey-demo-apps.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for products-catalog.nilov-sergey-demo-apps.tk
http-01 challenge for www.products-catalog.nilov-sergey-demo-apps.tk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.products-catalog.nilov-sergey-demo-apps.tk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up
A for www.products-catalog.nilov-sergey-demo-apps.tk
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.products-catalog.nilov-sergey-demo-apps.tk
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.products-catalog.nilov-sergey-demo-apps.tk
Can the reason for this error be a wrong IP in /etc/hosts or some other issue?
Thanks!
The domain www.products-catalog.nilov-sergey-demo-apps.tk does not resolve:
https://www.whatsmydns.net/#A/www.products-catalog.nilov-sergey-demo-apps.tk
So it's not a server configuration issue; you simply have to add the www.products-catalog subdomain record in your DNS manager,
or remove this: -d www.products-catalog.nilov-sergey-demo-apps.tk from the certbot command.
certbot complains about:
DNS problem: NXDOMAIN looking up A for
www.products-catalog.nilov-sergey-demo-apps.tk
a) The local /etc/hosts file is not the public DNS zone file ... just add the domain name, because virtual hosts are told apart by HTTP Host headers: 138.68.107.4 nilov-sergey-demo-apps.tk
When using a DNS zone file, one does not have to add them in there, as on the localhost.
b) Then either use the certbot command without the non-existent www virtual host:
sudo certbot --apache -d products-catalog.nilov-sergey-demo-apps.tk
or fix DNS and the virtual host in order to serve the www virtual host; then it should work for both. An A "address" record is expected, but a CNAME "common name" record is being provided. To fix this you just have to change the type from CNAME to A and wait until it has been distributed.
See for yourself: non-www and www. HTTPS also does not respond at all.
c) And to fix the virtual host configuration, you have to add the proper ServerAlias:
ServerName products-catalog.nilov-sergey-demo-apps.tk
ServerAlias www.products-catalog.nilov-sergey-demo-apps.tk
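As an added illustration of points a) and b) above (not code from either answer), this Python pre-flight check keeps the local /etc/hosts view and the public DNS view apart, since the ACME validation server only ever sees the latter; the hosts excerpt and the public A-record table are constructed from the question's values and are assumptions of the example, not a live lookup.

```python
# Constructed /etc/hosts excerpt, modelled on the one shown in the question.
HOSTS_TEXT = """\
# 127.0.0.1 localhost
127.0.0.1 localhost.localdomain localhost
138.68.107.4 box.example.com box
138.68.107.4 votes.nilov-sergey-demo-apps.tk
138.68.107.5 products-catalog.nilov-sergey-demo-apps.tk
"""

# Constructed stand-in for the public zone (what an external resolver answers).
# Assumption for the example: only the bare name has an A record, pointing at
# the server's real address; the www name has none, hence the NXDOMAIN.
PUBLIC_A = {"products-catalog.nilov-sergey-demo-apps.tk": "138.68.107.4"}


def parse_hosts(text):
    """Map every hostname in an /etc/hosts file to its first listed address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name, ip)
    return table


def preflight(domains, hosts_text=HOSTS_TEXT, public_a=PUBLIC_A):
    """Classify each name certbot will be asked to validate.

    nxdomain   : no public A record and nothing local either
    local-only : only /etc/hosts knows it; local tests pass, ACME gets NXDOMAIN
    mismatch   : public and local addresses differ; local tests are misleading
    ok         : public record present and consistent with any local entry
    """
    local = parse_hosts(hosts_text)
    report = {}
    for name in domains:
        pub, loc = public_a.get(name), local.get(name)
        if pub is None:
            status = "local-only" if loc else "nxdomain"
        elif loc is not None and loc != pub:
            status = "mismatch"
        else:
            status = "ok"
        report[name] = {"status": status, "public": pub, "local": loc}
    return report


if __name__ == "__main__":
    names = ["products-catalog.nilov-sergey-demo-apps.tk",
             "www.products-catalog.nilov-sergey-demo-apps.tk"]
    for name, info in preflight(names).items():
        print(f"{name}: {info['status']} public={info['public']} local={info['local']}")
```

Against the question's two names the www entry comes back nxdomain (the error certbot printed) and the bare name comes back mismatch, because the /etc/hosts line with 138.68.107.5 never reaches Let's Encrypt.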
If you run certbot with --manual certonly and then run it with the --apache option, it will "reinstall" the cert to your Apache server.
Run:
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.domain.com --manual --preferred-challenges dns-01 certonly
You then add the DNS TXT record and click Continue in the certbot instructions.
Once complete you can run a simple --apache install like this:
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.domain.com --apache
This will ask to reinstall the cert and you can just select that.

ssl installation on apache ubuntu16.0.4

My hosting (instance) is on EC2 and the domain is on Nominalia. I am using Ubuntu 16.04 and Laravel 5.4. I have generated the CSR, key file and certificate file and kept them in the root of the server, that is /var/www/html
Now I have to place
<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/www/html/sitename.com.crt
SSLCertificateKeyFile /var/www/html/sitename.com.key
SSLCertificateChainFile /var/www/html/intermediate-ca.crt
</VirtualHost>
I am not getting where I should keep it. I tried to put it in /etc/apache2/sites-enabled/000-default.conf or /etc/apache2/sites-enabled/default-ssl.conf or /etc/apache2/sites-available/default-ssl.conf but it did not work and I am getting errors
In chrome
This site can’t be reached
and in Mozilla
Secure Connection Failed
Site is working without https
I also tried to keep both "VirtualHost *:443" and "VirtualHost *:80" in /etc/apache2/sites-enabled/000-default.conf but it also did not work. In this case, I am getting "This site can't be reached"
There are lots of articles that I have been reading for a few days, but I am not getting how to do the final setting so that my site starts working after I have successfully placed all certificate files.
Recently Chrome stopped accepting self-signed certificates. You can save a lot of effort using Let's Encrypt SSL certificates. They are free, but valid for 90 days only. But you can configure an auto-renewal process, so you don't need to worry, because everything happens behind the scenes.
Installation on Ubuntu is simple:
1. Add repository to apt
sudo add-apt-repository ppa:certbot/certbot
After it completes, update apt-get:
sudo apt-get update
2. Install Certbot
Certbot is a client tool for managing certificates from Let's Encrypt.
Run:
sudo apt-get install python-certbot-apache
3. Set up SSL Certificate
sudo certbot --apache -d sitename.com
If your domain could be accessed with www prefix run this command instead:
sudo certbot --apache -d sitename.com -d www.sitename.com
From now on Certbot will run automatically via /etc/cron.d to check for expiring certificates.
You can validate the process by running:
sudo certbot renew --dry-run
It's done.
Full documentation for Certbot is here: https://certbot.eff.org/docs/

Letsencrypt certificate for www and non-www domain

I have generated SSL certificate like so:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto certonly --standalone
Then I was asked for an email ... and a domain name. I entered example.com
I figured out that I could enter multiple domains to be included in one certificate using a different approach. E.g.:
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
I wonder if I could have entered multiple domains when I was prompted for them in the dialog, or whether I now need to regenerate using a different approach?
Do I need to remove the previous letsencrypt installation before going the new way?
UPDATE -> SOLVED
sudo ./certbot-auto certonly --standalone -d example.com -d www.example.com
You do not need to remove the installed certificate.
You can extend it to your sub-domain if you're using the same domain. Do the following:
sudo certbot certonly --standalone -d example.com -d www.example.com
When prompted for Expanding or Cancelling, reply with E then hit Enter key on your keyboard.
The certificate should be set up successfully.
If you encounter this error: Problem binding to port 80: Could not bind to IPv4 or IPv6, stop Apache by running systemctl stop apache2, then run the above certbot command again.
Once the SSL certificate is successfully set up, run systemctl restart apache2 to get Apache up and running again.

using certbot-auto for nginx

I have an nginx running.
Now I want my nginx to use SSL:
certbot-auto --nginx -d my.domain.com -n --agree-tos --email admin@mail.com
OUTPUT:
Performing the following challenges:
tls-sni-01 challenge for my.domain.com
Cleaning up challenges
Cannot find a VirtualHost matching domain my.domain.com.
my.domain.com is pointing to the IP of my server. It's its DNS name.
What am I doing wrong? I already did this for Apache and it was working fine. My nginx is running (and I'm not able to restart it manually after the certbot-auto, but this wasn't necessary when I used certbot-auto --apache).
In my case, I had to add the "server_name" line because it wasn't in my nginx config, so it was giving me the error message "Cannot find a VirtualHost matching domain my.domain.com" when I ran:
certbot --nginx
Make sure this is in your config:
server {
server_name my.domain.com;
....
}
You are probably missing some server block (virtual host) files in the sites-enabled folder. Check if your config files exist in /etc/nginx/sites-available and /etc/nginx/sites-enabled. If they are not present in the sites-enabled folder, create symbolic links for them:
$ sudo ln -s /etc/nginx/sites-available/my.domain.com /etc/nginx/sites-enabled/
Add your site, check for config errors and restart nginx:
$ sudo certbot --nginx -d my.domain.com
$ sudo nginx -t
$ sudo service nginx restart