I have a site built with the Elixir Phoenix framework. The website runs fine in both dev and prod mode.

When the Phoenix server is running in dev mode, I have no issue renewing the Let's Encrypt certificate, but when the exact same app is running in prod mode, I keep getting a permission error when trying to renew. Please note that I am talking about the exact same app, on the same FreeBSD server, executed by the same user - both commands without sudo. The only difference is MIX_ENV=prod.

I also noted that in prod mode, the Phoenix server logs a 404 error when Let's Encrypt is trying to access my priv/static/.well-known/acme-challenge/(some-unique-string). My basic setup for Phoenix + Let's Encrypt is detailed in this blog post.

The question is: how is the Phoenix server treating directory/file permissions differently between `prod` and `dev` mode?

  • Using Elixir 1.2.4 and Phoenix 1.1.4

UPDATE:

Folks, since Let's Encrypt and the Phoenix framework evolve rapidly, the issue I listed above is no longer an issue if you are using the latest certbot from Let's Encrypt and Phoenix 1.2.0.

This is not necessarily an answer to the original question though.

yial2
    Phoenix doesn't treat permissions differently. Check what files you can't access. My guess is that there is a difference in configs between prod and dev. For example one of the file paths is misspelled. – tkowal May 14 '16 at 07:27
  • @tkowal For Let's Encrypt to work, I do **not** need any configuration in "dev.exs" vs "prod.exs". There is a folder under /priv/static/.well-known that Let's Encrypt needs access to. When I am running in **prod** mode, Let's Encrypt cannot access it. What is funny is that I run the server in **dev** mode to update my Let's Encrypt cert, then run it in **prod** mode. The prod mode is serving the proper updated Let's Encrypt cert that I got through using dev mode. In short, the Phoenix server can serve the cert just fine but does **NOT** allow Let's Encrypt to update it somehow when in prod mode! – yial2 May 16 '16 at 00:30
  • What are the permissions and owners of this file? Can you post `ls -al` output on this file? – tkowal May 16 '16 at 04:47
  • @tkowal `drwxr-xr-x 3 freebsd freebsd 512 Feb 28 20:05 .well-known`, and for the folder **acme-challenge** that I believe Let's Encrypt needs access to it is `drwxr-xr-x 2 freebsd freebsd 512 May 12 17:16 .acme-challenge`. **freebsd** is the user who runs `mix phoenix.server` in both dev and prod mode - **both without sudo** – yial2 May 16 '16 at 15:34
  • Do you have any redirects active in production mode that aren't in place in developer mode? – Lexib0y May 20 '16 at 08:32
  • @Lexib0y no redirects active in production mode - the only difference between `dev.exs` vs `prod.exs` is that `dev.exs` has some live reload settings. – yial2 May 21 '16 at 05:14
  • In production mode, can you reach the "hello world" > ./priv/static/.well-known/XXXYYY.html file via your browser? – Lexib0y May 21 '16 at 09:12
  • @Lexib0y yes, I can reach it without any issues. In fact, here is the link, [my link](https://trips.oceansafariscuba.com/.well-known/XXXYYY.html) – yial2 May 22 '16 at 23:12
  • hey guys, some news? – webdeb May 26 '16 at 18:08
  • @webdeb are you having the same issue? I have no luck so far solving this issue, but I will definitely post an answer here if I happen to have a solution. – yial2 May 31 '16 at 16:59
  • @yial2 sorry, I am not yet at the point of deploying. I was just interested in "howto" and the opportunities. When I get closer to to a production release of my app, I'll look deeper into it, because I'd like to use let's encrypt too. – webdeb May 31 '16 at 17:21
  • I'm working on the same issue from the same article and I'm currently having the same experience. I noticed that when I run the server in `dev` with my `prod.exs` renamed to `dev.exs`, certbot is successful, and the logger is quiet. When I run it in `prod` with the `prod.exs` properly named, the router logs a `GET` request for `/.well-known/acme-challenge/random_file_name`. Does anyone know about a default config option on the router when the env is set to `prod`, or is this a non-issue? – brittonjb Jun 08 '16 at 01:00
  • @brittonjb just to double confirm, did the logger log a 404 when you ran it in `prod` while certbot was trying to access `/.well-known/acme-challenge/random_file_name`? I may have to re-try this issue on the elixir-lang IRC channel and see if any big gun on there can shed some light on our issues. – yial2 Jun 08 '16 at 17:30
  • @yial2 I was thinking the same thing. When running it `prod` it logged a 404 when certbot tried to access that file. When running in `dev` with all of my production settings copied over it did not 404, it successfully completed. – brittonjb Jun 08 '16 at 19:31
  • Maybe I'm oversimplifying things, but it doesn't hurt to ask... Are you running `MIX_ENV=prod mix compile` before running the server in production (I know that at some point you have run this command, but after adding the file?). The files served in production are located in `_build/prod/lib/{yourApp}/priv/static` and they are copied to this folder when you compile the project. Can you check this folder to see if the files are there and if the permissions are right? – Tiago Engel Aug 22 '16 at 23:05
  • @tiagohngl yes, I did run `MIX_ENV=prod mix compile` **after** getting all the Let's Encrypt cert/files on the **dev** server. I ran it before launching the **prod** server. As for the files under **_build/prod/lib/{yourApp}/priv/static/.well-known/acme-challenge** vs **_build/dev/lib/{yourApp}/priv/static/.well-known/acme-challenge**, the permissions are the **same** for all the files between **dev** and **prod**. – yial2 Aug 24 '16 at 00:33
  • I said I would add some value to this discussion when I did my own research. The file approach didn't work for me either, but I've managed it with a route.. check out my answer guys – webdeb Nov 03 '16 at 13:17
  • Folks, since Let's Encrypt and the Phoenix framework evolve rapidly, the issue I listed above is no longer an issue if you are using the latest certbot from Let's Encrypt and Phoenix 1.2.0. This is not necessarily an answer to the original question though. – yial2 Mar 01 '17 at 00:37
  • I am using Phoenix 1.3.0 and the latest certbot (I presume; could you share with me what the latest certbot version you are referring to here is?) and the problem still exists. Do I really need to take the "route approach"? Thanks for your advice. – Paul Wang Mar 14 '18 at 00:32
  • @PaulWang back then, I was using certbot 0.9.3 - this is what worked for me. I remember that the newer certbot has some kind of UI for the setup process. Make sure you point to the .well-known file with the correct path! – yial2 Mar 15 '18 at 21:39
  • @PaulWang basically the "webroot_path" has to point to /[your app]/priv/static *NOT* straight at the .well-known file – yial2 Mar 15 '18 at 21:51
  • @yial2, thank you for the information. You are correct, the latest certbot and Phoenix have no problem anymore. In my case, the following two things fixed my problem: – Paul Wang Mar 17 '18 at 16:34
  • In my case, the following two things fixed my problem: 1) in my /etc/nginx/sites-available/deploy-appname file I needed to set `location ~ /priv/static/.well-known { allow all; }` 2) in my .edeliver/config I needed to symlink out the priv/static directory for the letsencrypt webroot to point to. (https://github.com/edeliver/edeliver/issues/215) – Paul Wang Mar 17 '18 at 16:40

1 Answer

I've solved it by using a route instead of a file:

```elixir
scope "/.well-known", MyApp do
   get "/acme-challenge/:challenge", AcmeChallengeController, :show
end
```

And a simple controller:

```elixir
# The scope above aliases MyApp, so the controller must live under that namespace
defmodule MyApp.AcmeChallengeController do
   use MyApp, :controller

   # Certbot requests /.well-known/acme-challenge/<token>; the response body
   # must be the key authorization certbot told you to put in the file.
   def show(conn, %{"challenge" => "the_random_file_name"}) do
      send_resp(conn, 200, "TheHashInTheFile")
   end

   # Unknown tokens get a 404 rather than a 200 with a bogus body, so the CA
   # (and your logs) see a clear failure instead of a mismatched answer.
   def show(conn, _) do
      send_resp(conn, 404, "Not valid")
   end
end
```

This is hardcoded, compiled and faster than sending files, but it would also be possible to use some kind of key/value store and manage (add/delete) the challenges from within the UI without re-deployment.

webdeb
  • Thank You! I am eager to give this a try. Can you elaborate more on the `"TheHashInTheFile"`? Which file are you referring to? – yial2 Nov 07 '16 at 22:23
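The key/value variant the answer mentions, as an added example that is not the answer's own code: challenge tokens live in an in-memory store so they can be added and removed at runtime, the controller returns the key authorization for a known token and a 404 for anything else, and token input is checked against the base64url alphabet ACME uses before it is looked up. It assumes the same `MyApp` app and `"/.well-known"` scope as the answer; `MyApp.AcmeChallengeStore` is a hypothetical name that must be started under the app's supervisor.

```elixir
# Added example, not from the original answer. Assumes a Phoenix app
# named MyApp with the router scope shown in the answer above.
defmodule MyApp.AcmeChallengeStore do
  # Maps token => key authorization ("<token>.<account-key-thumbprint>").
  # Entries are written by whatever issues the challenge (a UI or a task),
  # so renewing does not need a redeploy.
  def start_link(_opts \\ []), do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  def put(token, key_authorization),
    do: Agent.update(__MODULE__, &Map.put(&1, token, key_authorization))

  def delete(token), do: Agent.update(__MODULE__, &Map.delete(&1, token))

  # Returns {:ok, key_authorization} or :error
  def fetch(token), do: Agent.get(__MODULE__, &Map.fetch(&1, token))
end

defmodule MyApp.AcmeChallengeController do
  use MyApp, :controller

  # ACME http-01 tokens are unpadded base64url; anything else is rejected
  # before it reaches the store, so the path segment is never used as-is.
  @token_re ~r/^[A-Za-z0-9_-]+$/

  def show(conn, %{"challenge" => token}) do
    with true <- Regex.match?(@token_re, token),
         {:ok, key_auth} <- MyApp.AcmeChallengeStore.fetch(token) do
      conn
      |> put_resp_content_type("text/plain")
      |> send_resp(200, key_auth)
    else
      # Unknown or malformed token: a plain 404, no hint about stored tokens
      _ -> send_resp(conn, 404, "not found")
    end
  end
end
```

Add `worker(MyApp.AcmeChallengeStore, [])` to the supervision tree in the app's start callback; once a renewal succeeds, call `MyApp.AcmeChallengeStore.delete/1` so stale tokens are not served indefinitely.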