Installing Let's Encrypt SSL Certificates On Namecheap Hosting
== Troubleshooting ==

=== Script doesn't have access to `/.well-known/acme-challenge` ===

The script reports it can't access `http://mysite.com/.well-known/acme-challenge/[VERIFICATION_FILE]`.

If the web root is in a subdirectory, make sure the subdirectory is included in the `--webroot` argument, e.g. `--webroot ~/mysite.com/app`.

=== Certificate not renewing ===

After installing a certificate with `acme.sh` it should be renewed automatically. If it is not, it's possible to [https://github.com/acmesh-official/acme.sh#12-how-to-renew-the-certs manually renew certificates].

=== Certificate failing to verify on password-protected server ===

'''Use case'''

The server is password-protected with `.htaccess` directives.

'''Resolution'''

==== Option 1 ====

Edit the `.htaccess` file installed in the web app root directory.

<syntaxhighlight lang="ApacheConf" highlight="2,8,9,10,12">
# Authentication exception for validating the server when issuing SSL certificates
SetEnvIf Request_URI ^/\.well-known/acme-challenge/ noauth=1

# login prompt
AuthType Basic
AuthUserFile "/path/to/auth/file"
<RequireAny>
Order Deny,Allow
Satisfy Any
Deny from all
Require valid-user
Allow from env=noauth
</RequireAny>
</syntaxhighlight>

==== Option 2 ====

Make an exception for the directory `.well-known/acme-challenge/` by placing an `.htaccess` file there with the following contents:

<syntaxhighlight lang="ApacheConf">
require all granted
</syntaxhighlight>

<p class="alert alert-warning">This seems like the cleaner solution, but in at least one instance (June 2023) it did not work as needed.</p>

=== Certificate failing to verify using .well-known challenge ===

'''Use case'''

* Log into the server using ssh.
* Run the `acme.sh` script from the command line to renew the certificate.
* There will be errors to the effect of `"verify error"` and `"invalid response from [domain]/.well-known/acme-challenge/..."`.

'''Cause'''

Permissions errors prevent the script from writing the file to `.well-known/acme-challenge/` that is used to verify ownership of the domain.

'''Fix'''

The last time this happened, I compared the permissions for the web roots and `.well-known` directories for two sites hosted on the same server where one site's certificate was being renewed and the other was failing. I could not find any differences in the permissions.

What I ended up doing was to move the root directory of the site, create a new directory for the site, put a potboiler index html page in the directory, and then run the acme script. After this allowed me to renew the certificate, I copied all the content from the original directory back into the new one.

'''Also!''' Remember that the root of many of the web apps is in the `app/` subdirectory! When issuing the certificate, make sure to set the web root option appropriately, e.g. `--webroot ~/mydomain.com/app`

=== Timeout polling order status while issuing certificate ===

'''Use case'''

Manually issue a certificate with the following command:

<syntaxhighlight lang="bash">
$ acme.sh --issue --webroot ~/my_webapp_root -d mydomain.com --force
</syntaxhighlight>

'''Expected result'''

`acme.sh` sends the request to the CA server and receives a successful response.

'''Actual result'''

<pre>
[Sat Apr 9 17:40:56 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr 9 17:40:59 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr 9 17:40:59 EDT 2022] Retry after: 15
[Sat Apr 9 17:41:15 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr 9 17:41:18 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr 9 17:41:18 EDT 2022] Retry after: 15
</pre>

This repeats until the script finally times out with an error similar to this:

<pre>
[Sat Apr 9 17:42:29 EDT 2022] Sign error, wrong status
</pre>

'''Solution'''

This happened using the default acme.sh CA server, which is ZeroSSL. Changing the default CA server to Let's Encrypt fixed this.

<syntaxhighlight lang="bash">
$ acme.sh --set-default-ca --server letsencrypt
</syntaxhighlight>
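
A local preflight for the two `.well-known/acme-challenge` failure classes described above (unwritable or unservable challenge directory, and a password-protected site with no exception), as an added example that is not part of the original page or of acme.sh. The function name `check_acme_webroot` and its status codes are hypothetical, and the other-user permission check assumes the web server does not run as the file owner.

```shell
#!/usr/bin/env bash
# Preflight for the acme.sh webroot challenge. Added example: the function
# name and status codes are hypothetical, not part of acme.sh.
# Returns 0 = ok, 1 = webroot missing, 2 = challenge dir not writable,
#   3 = a path component is closed to other users (assumes the web server
#       does not run as the file owner),
#   4 = Basic auth enabled without an acme-challenge exception.
check_acme_webroot() {
  webroot=$1
  chal="$webroot/.well-known/acme-challenge"
  [ -d "$webroot" ] || { echo "webroot not found: $webroot" >&2; return 1; }

  # acme.sh must be able to create the directory and write a token file.
  mkdir -p "$chal" 2>/dev/null || { echo "cannot create $chal" >&2; return 2; }
  probe="$chal/preflight-$$"
  ( echo probe > "$probe" ) 2>/dev/null || { echo "cannot write to $chal" >&2; return 2; }

  # Directories need o+x and the token file o+r to be served to the CA.
  rc=0
  for p in "$webroot" "$webroot/.well-known" "$chal"; do
    case $(ls -ld "$p" | cut -c10) in
      x|t) ;;
      *) echo "no o+x on $p" >&2; rc=3 ;;
    esac
  done
  case $(ls -l "$probe" | cut -c8) in
    r) ;;
    *) echo "token files would not be world-readable" >&2; rc=3 ;;
  esac
  rm -f "$probe"
  [ "$rc" -eq 0 ] || return "$rc"

  # Password-protected site: look for one of the two exceptions.
  ht="$webroot/.htaccess"
  if [ -f "$ht" ] && grep -Eiq '^[[:space:]]*AuthType' "$ht"; then
    grep -q 'acme-challenge' "$ht" && return 0                    # Option 1
    grep -Eiq 'require[[:space:]]+all[[:space:]]+granted' \
      "$chal/.htaccess" 2>/dev/null && return 0                   # Option 2
    echo "Basic auth is on and the challenge path has no exception" >&2
    return 4
  fi
  return 0
}
```

Run it with the same path that will be passed to `--webroot`, e.g. `check_acme_webroot ~/mydomain.com/app`; a non-zero status names the first problem found on stderr.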