Another failed authorization issue


#1

Got the “Action required: Let’s Encrypt certificate renewals” email. So I did the steps described in How to stop using TLS-SNI-01 with Certbot
I never ran into an issue like that before.

My domain is: ok.fahmed.de

I ran this command: sudo certbot renew --dry-run

It produced this output: Processing /etc/letsencrypt/renewal/ok.fahmed.de.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ok.fahmed.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (ok.fahmed.de) from /etc/letsencrypt/renewal/ok.fahmed.de.conf produced an unexpected error: Failed authorization procedure. ok.fahmed.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ok.fahmed.de/.well-known/acme-challenge/G1Gf7h2lhuipYcRa7T6wKpgDvrR_caZnrFeIsjbV7uU: “\n\n403 Forbidden\n\n

Forbidden

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ok.fahmed.de/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ok.fahmed.de/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache2 2.4.25-3+deb9u6

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: PixelX

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


#2

Could you please show the output of the following?

apachectl -t -D DUMP_VHOSTS

#3

output shows:
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:443 ok.fahmed.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)


#4

Assuming that’s the full output, that’s looks OK.

Something is causing Certbot’s Apache authenticator to not combine well with how your port 80 virtual host is configured.

Would you be able to show the contents of /etc/apache2/sites-enabled/000-default.conf ?


Failed authorization
#5

first of all, thanks for your help!

content is:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =ok.fahmed.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<Directory /var/www/html/>
Options +FollowSymlinks
AllowOverride All


#6

Is that the full file? Seems to have been cut off a little bit at the end.

Also how about this:

grep -Ri "Strict-Transport" /etc/apache2

#7

Hi @wawawa

I see, you have already tested your domain via https://check-your-website.server-daten.de/?q=ok.fahmed.de

But your domain has a CNAME entry:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
ok.fahmed.de C ahmed.spdns.de yes 1 0
A 87.172.167.104 yes
www.ok.fahmed.de Name Error yes 1 0

So ahmed.spdns.de is used. Loading this domain manual, there is a nextcloud login.

So this configuration and the webserver there is relevant to validate your domain name.


#8

It is indeed the full file.
Command shows: /etc/apache2/apache2.conf:Header always set Strict-Transport-Security “max-age=15768000; includeSubDomains; preload”


#9

PS: Sorry, I should read the complete output of your test:

If you use http-01 - validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks this file.

Port 80 is open. But there is a redirect to your login page. Your login page doesn’t know something about this test file.

So remove the redirect if the path starts with /.well-known/acme-challenge.


split this topic #10

A post was split to a new topic: Failed authorization


#11

hmm…
.htaccess already has an exceptional case for .well-known… :
RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*


#12

Then there must be an error. The tool sees a redirect:

So share the content your your .htaccess


#13

I also upgraded before from 0.18 to 0.28


#14

This is the content of my .htaccess file:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
   SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
   RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
   SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
  </IfModule>

  <IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 10G
  php_value post_max_size 10G
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_php7.c>
  php_value upload_max_filesize 10G
  php_value post_max_size 10G
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT}  DavClnt
  RewriteRule ^$         /remote.php/webdav/          [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //

#15

You have other RewriteRules with L at the end and no / at the beginning.

So use the same rule with your .well-known/acme-challenge directory.

But I don’t see there a redirect to your login page. So this place may be wrong.


#16

Perhaps that should read:
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/(.*)


#17

Is it possible that the directory ./well-known/acme-challenge was not created? I searched for it, but can’t find it.


#18

I was able to renew the certificate. Mea culpa. I had a Geo-IP lock installed which prevented the challenge file from being accessed by the authority.


closed #19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.