Acme-challenge unauthorized

I’m set up on AWS with Ubuntu 16.04 and Nginx and was trying to get certs for HTTPS for my site following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04#step-2-obtain-an-ssl-certificate

Ran

sudo certbot certonly --webroot --webroot-path=/var/www/html -d powertrader.com -d www.powertrader.com

and got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for powertrader.com
http-01 challenge for www.powertrader.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.powertrader.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.powertrader.com/.well-known/acme-challenge/mngjpBDyH2l3KZi11R9__JwVcltkr4N-s6sYyyiRmSI: "

403 Forbidden

"
powertrader.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://powertrader.com/.well-known/acme-challenge/gJNIt8p8cHRb6V7FosSQQzdjs-JGrVOfu9m6_X6N_h4: "

403 Forbidden

IMPORTANT NOTES:


I do have a basic authentication set up but the SSL cert still threw an error when I commented the authentication out in the conf.

I thought it might be a firewall issue from some research online, so I continued to set up firewall access as the tutorial suggests with ‘Nginx Full’, to no avail.

I’m new to all this so please bear with me.

Can anyone help please?

Hi @winabun,

This error often relates to specifying the wrong webroot directory. How did you pick /var/www/html, and are you sure that’s the directory that contains the web content for this site?

Hi @schoen,

Thanks for helping me with this.

I am certain that /var/www/html is the site’s root directory. I believe I set it as such from following this tutorial https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04 when I set up the LEMP stack. Reading back it seems like it was the default configuration?

OK, so if you make a file /var/www/html/test.txt, can you see it at http://powertrader.com/test.txt? If you make another file /var/www/html/.well-known/acme-challenge/test2.txt, can you see it at http://powertrade.com/.well-known/acme-challenge/test2.txt?

You appear to have a line in your nginx configuration that blocks paths beginning with a period (.). I get a login prompt for http://www.powertrader.com/obviously-invalid-url but I get the 403 Forbidden error for http://www.powertrader.com/.obviously-invalid-url

Please share your configuration files if you can’t find it and we’ll help you track it down.


@schoen

/var/www/html/test.txt I could see at powertrader.com/test.txt

However /var/www/html/.well-known/acme-challenge/test2.txt returned a 403 Forbidden

@Patches

Which configuration files do you need? nginx.conf or sites-available/default

The offending stanza could be present in either file, but more likely the latter.

It should look something like:

location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

wget http://powertrader.com/.well-known/acme-challenge/test.txt
HTTP request sent, awaiting response… 403 Forbidden

wget http://www.powertrader.com/.well-known/acme-challenge/test.txt
HTTP request sent, awaiting response… 403 Forbidden

@Patches

I did find a snippet:

location ~ /\. {
    deny all;
}

I commented it out, restarted nginx and tried to run the certbot command again. The error message has changed. Now I get:

Thoughts?

Now your HTTP authentication is getting in the way. You’ll need to exclude the /.well-known directory from it.

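Both blockers in this thread, the dotfile deny rule and the site-wide HTTP basic auth, can be lifted for just the challenge directory with one dedicated location block. This is an added example config, not from the thread or the tutorial; the server names, webroot and the htpasswd path are assumptions.

```nginx
server {
    listen 80;
    server_name powertrader.com www.powertrader.com;
    root /var/www/html;

    # Challenge files must be reachable anonymously over plain HTTP.
    # "^~" makes this prefix match win over the regex locations below,
    # so the dotfile deny never applies to /.well-known/acme-challenge/.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;            # exempt from the site-wide basic auth
        allow all;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else stays behind basic auth (htpasswd path is assumed).
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        try_files $uri $uri/ =404;
    }

    # Keep hiding other dotfiles (.git, .htaccess, ...). The dot must be
    # escaped as "/\."; an unescaped "/." matches every path.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}
```

After `nginx -t` and a reload, a test file under /var/www/html/.well-known/acme-challenge/ should return 200 on both hostnames with no login prompt before certbot is run again.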

That did it! Thank you @Patches
