plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

Fails to create certs if user/owner of files has been changed outside of Plesk #183

Open ceri-richmond opened 7 years ago

ceri-richmond commented 7 years ago

We have a slightly odd way of setting up domains/hosting accounts in Plesk that we think is affecting LetsEncrypt from doing its thing.

E.g. we have a 'deployer' user that is used to deploy to hosting accounts we set up in Plesk. Our process is: set up a domain / hosting package in Plesk, create a user/password etc., then we change the default hosting settings to meet our requirements around deployments (e.g. changing the document root from httpdocs to httpdocs/current/build), then we change the owner of everything under /httpdocs to be a generic 'deployer' user set up outside of Plesk.

We assume this means that the LetsEncrypt process cannot create the .well-known dir it needs in order to run further processes as it runs as the user that the hosting account was setup with initially, which can no longer write to the document root as it is owned by the 'deployer' user.

Any ideas how we might be able to work around this?

Thanks, Ceri

vvolodko commented 7 years ago

Try to create a '.well-known/acme-challenge' directory in the doc root of every site you plan to secure with LetsEncrypt. Add write permissions to the directory for the subscription owner's system user. In this case the LE extension will put challenge token files in the directory and won't try to remove the directory after the challenge is passed.

Perhaps a custom '.well-known/acme-challenge/.htaccess' (or '.well-known/acme-challenge/web.config' for Windows/IIS) file is required for your special configuration.

ceri-richmond commented 7 years ago

Thanks for the ideas - but still failing to issue. We also change the doc root in hosting settings (httpdocs/current/build), do you think this may also be a factor?

vvolodko commented 7 years ago

Yes, this is definitely the root cause. The LetsEncrypt extension places challenge token files in the /var/www/vhosts/${domain}/.well-known/acme-challenge/ directory (or C:\inetpub\vhosts\${domain}\.well-known\acme-challenge\ on Windows) and assumes the token files are accessible at http://${domain}/.well-known/acme-challenge/. In your custom vhost configuration the token files are not available.

Please try to configure your domain vhost to serve /.well-known/acme-challenge/* URLs from the /var/www/vhosts/${domain}/.well-known/acme-challenge/ directory. Perhaps a symlink ${vhost}/httpdocs/current/build/.well-known/acme-challenge/ -> ${vhost}/.well-known/acme-challenge/ will suit your needs.

P.S. You can add the following configuration to panel.ini to not remove token files, so you can check whether they are available at the http://${domain}/.well-known/acme-challenge/ URL:

[ext-letsencrypt]
disable-cleanup = "true"
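The two workarounds suggested above (a writable vhost-level `.well-known/acme-challenge` directory, and a symlink from the custom `httpdocs/current/build` document root back to it) can be rehearsed on a throw-away directory tree before touching a live vhost. The script below is an added example, not code from the Plesk extension or from anyone in this thread; it assumes a stand-in for `/var/www/vhosts/${domain}` under a temporary directory, and it does not perform the `chown` to the 'deployer' user, since that needs root and is exactly the step that removed the subscription user's write access in the first place.

```shell
#!/bin/sh
# Added example (not part of the Plesk extension or this issue thread).
# Rehearses the suggested workaround on a temporary tree instead of a real
# /var/www/vhosts/<domain>: the custom document root httpdocs/current/build
# gets a symlink to the vhost-level .well-known/acme-challenge directory,
# so a token the extension writes into the vhost root is reachable through
# the served document root. Assumed names: the vhost path argument stands in
# for /var/www/vhosts/${domain}; no chown to 'deployer' is done here.

set -eu

# Build the vhost layout: vhost root, custom docroot, challenge directory,
# and the symlink from the docroot into the vhost-level challenge directory.
setup_vhost_tree() {
    vhost=$1
    docroot="$vhost/httpdocs/current/build"
    challenge="$vhost/.well-known/acme-challenge"

    mkdir -p "$docroot/.well-known" "$challenge"
    # 755: the owner (the subscription's system user on a real host) can
    # write tokens; the web server user only needs read and traverse.
    chmod 755 "$vhost/.well-known" "$challenge"
    # Point the docroot's acme-challenge at the vhost-level directory.
    ln -s "$challenge" "$docroot/.well-known/acme-challenge"
}

# Simulate the extension dropping a token into the vhost-level directory and
# verify it reads back identically through the document root (the path the
# web server would serve). Prints "ok" on success, "fail..." otherwise.
check_token_reachable() {
    vhost=$1
    token=$2
    body=$3
    challenge="$vhost/.well-known/acme-challenge"
    via_docroot="$vhost/httpdocs/current/build/.well-known/acme-challenge/$token"

    # The extension must be able to create the token file here; this is the
    # check that fails once the tree has been chowned to another user.
    if [ ! -w "$challenge" ]; then
        echo "fail: $challenge not writable by $(id -un)"
        return 0
    fi
    printf '%s' "$body" > "$challenge/$token"
    if [ -r "$via_docroot" ] && [ "$(cat "$via_docroot")" = "$body" ]; then
        echo ok
    else
        echo "fail: token not reachable via document root"
    fi
}

# Stand-alone run on a constructed temporary tree (not a real vhost).
DEMO=$(mktemp -d)
setup_vhost_tree "$DEMO/example.test"
check_token_reachable "$DEMO/example.test" "sample-token" "sample-token.keyauth"
rm -rf "$DEMO"
```

On a real server the same check is done with `ls -ld /var/www/vhosts/${domain}/.well-known/acme-challenge` (owner should be the subscription's system user, not 'deployer') followed by `curl -i http://${domain}/.well-known/acme-challenge/<token>` while `disable-cleanup` is set. The symlink only helps if the web server is allowed to follow it from the document root; whether your Apache/nginx vhost permits that is an assumption here and may be why the `.htaccess` mentioned above is needed.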

ceri-richmond commented 7 years ago

Thanks again for the ideas. Unfortunately still not working for us, but getting some feedback in the form of errors now:

Error: Permission denied Error: Let's Encrypt SSL certificate installation failed: filemng failed: filemng: Error occurred during /bin/mkdir command.