plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

Renewal of Roundcube webmail certificate fails with "Challenge marked as invalid" #166

Closed gnanet closed 7 years ago

gnanet commented 7 years ago

Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

Plesk 12.5.30 Update 63 (this contains "A number of security enhancements.")

The full CLI error:

Executing /opt/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed: Challenge marked as invalid. Details: Invalid response from http://webmail.DOMAIN/.well-known/acme-challenge/CHALLENGE-HASH: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Inter"

exit status 1

A quick look into the Apache error.log shows a "Satisfy not allowed here" error:

[Fri Apr 28 02:21:52.387469 2017] [core:alert] [pid 32478] /usr/share/psa-roundcube/.well-known/acme-challenge/.htaccess: Satisfy not allowed here, referer: http://webmail.DOMAIN/.well-known/acme-challenge/CHALLENGE-HASH

This can only happen with an overly restrictive AllowOverride setting that controls the path /usr/share/psa-roundcube.

And of course this setting is present twice in /etc/apache2/plesk.conf.d/roundcube.conf as AllowOverride FileInfo:

        <IfModule mod_fcgid.c>
                FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
                FcgidInitialEnv PP_CUSTOM_PHP_INI "/etc/psa-webmail/roundcube/php.ini"
                FcgidMaxRequestLen 134217728
                <Directory "/usr/share/psa-roundcube">
                        Options -Indexes +FollowSymLinks
                        AllowOverride FileInfo
                        Require all granted
                        Include "/etc/apache2/plesk.conf.d/roundcube.htaccess.inc"

                        <Files ~ (\.php$)>
                                SetHandler fcgid-script
                                FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
                                Options +ExecCGI
                        </Files>
                </Directory>
        </IfModule>

The question is: how did it work before? Did Plesk change the Apache config template, and if yes, why? - NOTE: Plesk 12.5.30 Update 63 contains "A number of security enhancements." Is this Satisfy any that gets generated on line 152 of challenge.py needed?

WORKAROUND: create a /etc/apache2/plesk.conf.d/webmails/roundcube/00_letsencrypt.conf file with the following content, and do an apache2ctl graceful:

        <Directory "/usr/share/psa-roundcube/.well-known/acme-challenge">
            AllowOverride FileInfo AuthConfig Limit
        </Directory>

xgin commented 7 years ago

It is possible to secure webmail with extension version 2.1.0. Plesk Onyx is the minimum required version for the feature.

dappiu commented 6 years ago

The problem is not solved for me with Plesk Onyx 17.8.11 and Let's Encrypt extension version 2.6.1-398.

I had to modify the template /usr/local/psa/admin/conf/templates/custom/webmail/webmail.php (copied from the default template /usr/local/psa/admin/conf/templates/default/webmail/webmail.php), adding:

        <Directory "/usr/share/psa-roundcube/.well-known/acme-challenge">
            AllowOverride FileInfo AuthConfig Limit
        </Directory>

just before the </VirtualHost> closing tag of the first vhost (not the SSL one, to be clear).

Then I launched /usr/local/psa/admin/sbin/httpdmng --reconfigure-all, and from then on I was able to generate certificates for webmail.*
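An added example, not code from the issue or from the extension itself, showing why the workaround in this comment and in gnanet's post fixes the 500: it resolves which AllowOverride groups Apache applies to the challenge directory and flags .htaccess directives whose group is not allowed. The directive-to-group table follows the Apache core documentation for AllowOverride; the sample configs are built from the snippets in the issue, and the Order/Allow lines in the sample .htaccess are an assumption (only "Satisfy any" is confirmed by the issue).

```python
import re

# Override group each .htaccess directive needs (Apache core docs, AllowOverride).
DIRECTIVE_GROUP = {
    "satisfy": "AuthConfig", "require": "AuthConfig", "authtype": "AuthConfig",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "rewriteengine": "FileInfo", "rewriterule": "FileInfo", "options": "Options",
}
_DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
_OVR_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)

def allowed_overrides(config, path):
    """Groups a .htaccess in `path` may use. AllowOverride is not merged
    between sections: the longest matching <Directory> that sets it wins."""
    best = None
    for m in _DIR_RE.finditer(config):
        d, ovr = m.group(1).rstrip("/"), _OVR_RE.search(m.group(2))
        if ovr and (path == d or path.startswith(d + "/")):
            if best is None or len(d) > len(best[0]):
                best = (d, ovr.group(1))
    if best is None:
        return set()
    groups = {g.split("=")[0].lower() for g in best[1].split()}
    if "all" in groups:
        return {"authconfig", "fileinfo", "indexes", "limit", "options"}
    return set() if "none" in groups else groups

def htaccess_problems(config, path, htaccess):
    """Directives Apache would log as 'not allowed here' and answer with 500."""
    allowed = allowed_overrides(config, path)
    bad = []
    for line in htaccess.splitlines():
        words = line.split()
        if not words or words[0][0] in "#<":
            continue  # blank, comment or section tag
        group = DIRECTIVE_GROUP.get(words[0].lower())
        if group and group.lower() not in allowed:
            bad.append((words[0], group))
    return bad

# Constructed sample: the <Directory> from roundcube.conf in the issue plus the
# workaround block. Only "Satisfy any" is known to be in the challenge .htaccess;
# the Order/Allow lines are an assumption.
ROUNDCUBE_CONF = '<Directory "/usr/share/psa-roundcube">\n  AllowOverride FileInfo\n</Directory>\n'
WORKAROUND = ('<Directory "/usr/share/psa-roundcube/.well-known/acme-challenge">\n'
              "  AllowOverride FileInfo AuthConfig Limit\n</Directory>\n")
CHALLENGE_DIR = "/usr/share/psa-roundcube/.well-known/acme-challenge"
HTACCESS = "Satisfy any\nOrder allow,deny\nAllow from all\n"
```

With only the stock roundcube.conf, `htaccess_problems(ROUNDCUBE_CONF, CHALLENGE_DIR, HTACCESS)` reports Satisfy (AuthConfig) and Order/Allow (Limit) as rejected; appending the workaround block makes the list empty.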