letsencrypt AWS http challenge

I had the problem that when renewing the Let's Encrypt certificate via a cron job on Amazon Linux 2 with

certbot renew --post-hook "systemctl reload httpd"  >> /var/log/certbot.log 2>&1

the SSL certificate was not renewed, but the following error occurred instead:

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (foo.de) from /etc/letsencrypt/renewal/foo.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

I then looked at the configuration in /etc/letsencrypt/renewal/foo.conf and changed the authenticator to Apache and the challenge of the authenticator to HTTP (via the web server).

# Options used in the renewal process
account = xxx
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache
installer = apache
pref_challs = http-01,

After that, the important step was to open port 80 in the security group for the authentication, and with another

certbot renew

the certificate was renewed successfully.

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for foo.de
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is

Execute PHP script as a Windows service

Under Windows, scripts that are meant to run endlessly can be implemented with PHP as a service.

This has the advantage that, unlike endless-loop script variants whose memory consumption grows towards infinity over time, a recovery and restart functionality can be implemented to keep the service running over long periods of time.

Furthermore, the service receives events from the operating system, e.g. when a shutdown is pending, so that it can stop itself in time and not produce corrupt data by being aborted in the middle of a non-atomic operation.

To create a Windows service, you need the win32service PHP library.

You can download it here and include it in php.ini:


Create service more…

proftp user log traffic with mod_sql

To log user traffic in ProFTPD to a MySQL database, you only need to add a column “traffic” of type BIGINT, default 0, to the user table:


Then you can use a SQLNamedQuery in sql.conf to record the amount of traffic:

SQLLog RETR,STOR,APPE extendedlog
SQLNamedQuery extendedlog UPDATE "traffic= (traffic + %b) WHERE userid='%u'" ftpuser

Attention: using this leads to increased traffic to the database.

AWS: need to verify an email address in SES without access to the mailbox

To send email with Amazon SES, you only need to verify the email address. This is a problem if you have access to the domain but no mail server (and thus no mailbox) set up for it.

To work around the problem, you first verify the domain in SES, then under "Configure email receiving" add the email address to be verified and connect it to an SNS topic. After that you can set up an email subscription on the SNS topic, so that the verification email is forwarded to an existing mailbox.

Microsoft IIS REST API allow by PUT, DELETE

To enable all HTTP verbs such as PUT, POST, DELETE and PATCH in IIS 7.5, you need to remove the following modules and handlers in web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <modules><remove name="WebDAVModule" /></modules>
  <handlers>
    <remove name="WebDAV" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
  </handlers>
</system.webServer></configuration>

Microsoft IIS SSL certificate create for localhost for chrome 60 with SAN

To create a certificate for localhost in IIS, you should create an SSL certificate with openssl (ships with Git in C:\Program Files\Git\usr\bin).

With the following two commands you can create a .pfx file; see also the Chrome 60 option chrome://flags/#allow-insecure-localhost.

openssl req  -newkey rsa:2048 -x509   -nodes -keyout server.key  -new  -out server.crt  -subj /CN=localhost  -reqexts SAN -extensions SAN  -config openssl.cnf -sha256 -days 36500
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

You also need an OpenSSL.cnf configuration file: more…
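The two openssl commands above need a configuration file with a SAN section; the author's file is behind the "more…" link. What follows is an added example, not the post's own file: it writes an assumed minimal openssl.cnf, runs the two commands, and checks that the resulting certificate really carries the DNS:localhost subjectAltName that Chrome 58 and later validate (the CN alone is ignored). The working-directory argument, the 365-day validity and the CHANGEME export password are assumptions of this example.

```shell
# Added example (not the author's files): generate a localhost certificate
# with a SAN section, package it as .pfx for IIS, and verify the SAN.
set -u

# $1 = working directory (assumed); creates openssl.cnf, server.key,
# server.crt and server.pfx inside it. Returns non-zero on any failure.
make_localhost_cert() {
  dir=$1
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
# assumption: empty DN section, -subj supplies the whole subject
[req_distinguished_name]
[SAN]
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
  # Same flags as the post, but 365 days instead of 36500: a self-signed
  # development certificate should expire in a reasonable time.
  openssl req -newkey rsa:2048 -x509 -nodes -sha256 -days 365 \
    -keyout "$dir/server.key" -out "$dir/server.crt" -subj /CN=localhost \
    -reqexts SAN -extensions SAN -config "$dir/openssl.cnf" 2>/dev/null || return 1
  # IIS imports key and certificate as PKCS#12; CHANGEME is a placeholder.
  openssl pkcs12 -export -out "$dir/server.pfx" -inkey "$dir/server.key" \
    -in "$dir/server.crt" -passout pass:CHANGEME 2>/dev/null
}

# $1 = certificate file, $2 = DNS name; returns 0 only if the SAN lists it.
# This is the property Chrome checks, so it is the right thing to verify.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```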