Acme Unauthorized Error on Certbot

Please fill out the fields below so we can help you better.

My domain is: sorin-si-raluca.go.ro
I ran this command: sudo certbot --apache
It produced this output:
Failed authorization procedure. sorin-si-raluca.go.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sorin-si-raluca.go.ro/.well-known/acme-challenge/dTtbgrAyor8hR3Agq-_-vNfcX5lwPvERUFQORqz6csQ [86.124.181.20]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sorin-si-raluca.go.ro
   Type:   unauthorized
   Detail: Invalid response from
   http://sorin-si-raluca.go.ro/.well-known/acme-challenge/dTtbgrAyor8hR3Agq-_-vNfcX5lwPvERUFQORqz6csQ
   [86.124.181.20]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.25 (Raspbian) with the following modules:

  • core_module (static)
  • so_module (static)
  • watchdog_module (static)
  • http_module (static)
  • log_config_module (static)
  • logio_module (static)
  • version_module (static)
  • unixd_module (static)
  • access_compat_module (shared)
  • alias_module (shared)
  • auth_basic_module (shared)
  • authn_core_module (shared)
  • authn_file_module (shared)
  • authz_core_module (shared)
  • authz_host_module (shared)
  • authz_user_module (shared)
  • autoindex_module (shared)
  • deflate_module (shared)
  • dir_module (shared)
  • env_module (shared)
  • filter_module (shared)
  • mime_module (shared)
  • mpm_prefork_module (shared)
  • negotiation_module (shared)
  • php7_module (shared)
  • proxy_module (shared)
  • proxy_balancer_module (shared)
  • proxy_http_module (shared)
  • reqtimeout_module (shared)
  • rewrite_module (shared)
  • setenvif_module (shared)
  • slotmem_shm_module (shared)
  • socache_shmcb_module (shared)
  • ssl_module (shared)
  • status_module (shared)

The operating system my web server runs on is (include version):
pi@raspberrypi:~ $ cat /etc/os-release

My hosting provider, if applicable, is: I use dynamic DNS provided by my internet provider which maps my public IP to the hostname

I can login to a root shell on my machine (yes or no, or I don't know):
yes, SSH to my Raspberry Pi

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No control panel, terminal access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
pi@raspberrypi:~ $ certbot --version

certbot 0.28.0

Other information
I was initially able to set up HTTPS on the Apache website just fine, using the Raspbian repository certbot without much fuss. However, when I tried certbot renew I got the same error as the one printed above. Tried deleting the certificate with certbot delete, and then re-issuing the certificate - same output. Now when I try to run certbot I get the unauthorization error and can't recertify the Apache on my Pi.

1 Like

What's the output of:

sudo apachectl -t -D DUMP_VHOSTS
2 Likes

Have you tried?:
sudo certbot renew
OR
sudo certbot renew --dry-run

2 Likes

pi@raspberrypi:~ $ sudo apachectl -t -D DUMP_VHOSTS

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default-le-ssl.conf:42)
         port 80 namevhost sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default-le-ssl.conf:42)
         port 80 namevhost sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default.conf:1)
1 Like

Certbot 0.28, which is quite old, has a problem where it doesn't handle duplicate Apache virtualhosts properly.

The upshot here is that you should remove one of these two virtualhosts. You could try:

sudo a2dissite 000-default

and see whether Certbot renewal works then.

3 Likes
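
The duplicate described in the reply above can be spotted mechanically. This is an added example, not part of the original posts or of Certbot: a small filter that reads `apachectl -t -D DUMP_VHOSTS` output and lists every ServerName defined by more than one VirtualHost on the same port. The function names `find_duplicate_vhosts` and `sample_dump` are made up for this example; the sample input is the listing posted earlier in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: report ServerNames served by more than
# one name-based VirtualHost on the same port.

# Reads `apachectl -t -D DUMP_VHOSTS` text on stdin and prints one line per
# duplicate: "<port> <name> <file:line>,<file:line>,..."
find_duplicate_vhosts() {
  awk '
    # Match lines like: port 80 namevhost example.org (/path/site.conf:1)
    $1 == "port" && $3 == "namevhost" {
      key = $2 " " $4
      loc = $5
      gsub(/[()]/, "", loc)          # strip the surrounding parentheses
      if (count[key]++) { where[key] = where[key] "," loc } else { where[key] = loc }
    }
    END {
      for (k in count) if (count[k] > 1) print k, where[k]
    }
  ' | sort
}

# Sample input: the VirtualHost listing posted earlier in this thread.
sample_dump() {
  cat <<'EOF'
VirtualHost configuration:
*:443                  sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default-le-ssl.conf:42)
         port 80 namevhost sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default-le-ssl.conf:42)
         port 80 namevhost sorin-si-raluca.go.ro (/etc/apache2/sites-enabled/000-default.conf:1)
EOF
}

# On a live host: sudo apachectl -t -D DUMP_VHOSTS | find_duplicate_vhosts
sample_dump | find_duplicate_vhosts
```

An empty result means no name is claimed twice on any port; each printed line names the config files to compare before disabling one of them.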

Great suggestion disabling the default website. After running the command, certbot worked like a dream!

I tried installing certbot using snap, however I can't seem to run it as sudo:
#certbot --version -> works fine
#sudo certbot --version -> no command named "certbot"

Had to remove the SNAPD Certbot, and had to fall back to the APT-GET repo for Raspbian.

1 Like

The snapd version may not get placed into your search path.
After install try:
which certbot
find / -name certbot

The snapd install should have snap in the path - mine is at /snap/bin/certbot

/snap/bin/certbot --version
certbot 1.8.0
1 Like

I think that's a known issue with alternate shells. We updated the instructions on the website but it's not deployed yet due to some other problems. But tl;dr; if anybody else hits this, run this after installing the snap, and it will work with sudo:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Hopefully the site updates will be deployed soon.

2 Likes