Let's Encrypt and Phabricator

Let’s Encrypt and Phabricator – Error renewing certificate

Let’s Encrypt is a free, automated, and open Certificate Authority. Recently the automatic SSL certificate renewal for one of my domains, which hosts an instance of Phabricator, was about to happen, but an error occurred. The problem was not with Let’s Encrypt, but with the way this domain was configured.


UPDATE: the error also occurs when generating a certificate for the first time, not only when renewing. In my case it happened on renewal because the first certificate was generated before Phabricator was installed.


As you may know from other posts I’m using Webmin/Virtualmin for hosting and I have a self-hosted Phabricator instance which I have installed and configured following the official guide.

I chose to install Phabricator and all its dependencies (arcanist and libphutil) in the public_html directory of my virtual server and this made me change things inside the Apache Directives and I’d like to mention this one line:

DocumentRoot /home/dummy/phab.domain.com/public_html/phabricator/webroot

… which changes the default DocumentRoot, which in my case was /home/dummy/phab.domain.com/public_html. This line is what broke my certificate renewal request.


Let’s Encrypt certificate request

When you request a certificate (first time or renewal) with Let’s Encrypt, the following happens:

  1. A directory is generated under the default Apache DocumentRoot with this structure: .well-known/acme-challenge/
  2. Inside the acme-challenge directory a temporary token-as-a-file is created, something like this: REPIpWcxlc2AC4dEqbCChiLKa6DkyyoJz_5ULAxBlk
  3. The Let’s Encrypt API makes an HTTP request to check the existence of that token: http://phab.domain.com/.well-known/acme-challenge/REPIpWcxlc2AC4dEqbCChiLKa6DkyyoJz_5ULAxBlk


What happens after step 3 does not matter here, because this is where the problem lies.

Remember that we changed the default DocumentRoot location from public_html to Phabricator’s webroot, so the token file is written to a directory Apache no longer serves, and it is normal to get a 404 – Not Found when we access http://phab.domain.com/.well-known/....

Fortunately, there is a simple solution to have the .well-known directory inside Phabricator’s webroot, by making a symlink:

[dummy@host ~]$ ln -s /home/dummy/phab.domain.com/public_html/.well-known/ /home/dummy/phab.domain.com/public_html/phabricator/webroot/.well-known

Now if you change directory to Phabricator’s webroot you should see the .well-known directory and all its content.


That should be all, but it’s not!


If you try to access http://phab.domain.com/.well-known/ you will still get a 404 – Not Found error, but pay attention to what kind of error page this is: it is a Phabricator-handled error page, which means the request is still being routed to Phabricator’s index.php, so we have to change the way this software manages URL routing.


Going back to Apache Directives for this domain, search for the Phabricator rules and find this one:

RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA]

… before which add the following:

RewriteCond %{REQUEST_URI} !^/.well-known/


Now the Phabricator rewrite rule will skip the .well-known directory, and trying to access http://phab.domain.com/.well-known/ will give you Apache’s default 403 – Forbidden error page (directory listing is not allowed) instead of Phabricator’s 404 – Not Found. The token files themselves, under .well-known/acme-challenge/, are served normally.
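To confirm both fixes before the next renewal, here is a small self-check script I am adding to this post (it is not part of the original article, Let’s Encrypt, or Phabricator). It writes a throw-away token where the ACME client writes its challenge files, verifies that the same file is visible through the DocumentRoot Apache actually serves (the symlink), and then fetches it over plain HTTP the way the CA does (the RewriteCond). The host name and paths are the placeholders from the post; substitute your own.

```shell
#!/bin/sh
# check_acme_path.sh: pre-renewal self-test for the HTTP-01 challenge path.
# Usage: sh check_acme_path.sh phab.domain.com \
#          /home/dummy/phab.domain.com/public_html \
#          /home/dummy/phab.domain.com/public_html/phabricator/webroot
# (domain and paths are placeholders taken from the post, not real systems)

# Create a throw-away token file where the ACME client writes it (default DocumentRoot).
write_token() {            # $1 = default DocumentRoot, $2 = token
    mkdir -p "$1/.well-known/acme-challenge"
    printf '%s' "$2" > "$1/.well-known/acme-challenge/$2"
}

# Local check: is the token also visible under the DocumentRoot Apache really serves?
# Fails when the .well-known symlink into Phabricator's webroot is missing or stale.
check_local() {            # $1 = served DocumentRoot (webroot), $2 = token
    f="$1/.well-known/acme-challenge/$2"
    [ -f "$f" ] && [ "$(cat "$f")" = "$2" ]
}

# Remote check: fetch the token over plain HTTP, as the CA does in step 3.
# A Phabricator-rendered 404 here means the RewriteCond exception is missing.
check_http() {             # $1 = domain, $2 = token
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$2" ]
}

# Remove the test token so nothing stays behind under .well-known.
cleanup() {                # $1 = default DocumentRoot, $2 = token
    rm -f "$1/.well-known/acme-challenge/$2"
}

main() {                   # $1 = domain, $2 = default DocumentRoot, $3 = served webroot
    token="selftest-$(date +%s)-$$"
    write_token "$2" "$token"
    if ! check_local "$3" "$token"; then
        echo "FAIL: $3/.well-known does not point at $2/.well-known (symlink missing?)" >&2
        cleanup "$2" "$token"; return 1
    fi
    if ! check_http "$1" "$token"; then
        echo "FAIL: http://$1/.well-known/acme-challenge/ not served (rewrite rule?)" >&2
        cleanup "$2" "$token"; return 1
    fi
    cleanup "$2" "$token"
    echo "OK: challenge path for $1 is reachable"
}

# Only run when called with the three arguments; sourcing the file just defines the functions.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it by hand after changing the Apache directives, or wire it in as a certbot pre-hook so a broken path fails loudly before the challenge does.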


That’s all!
