Attempting to renew cert from /etc/letsencrypt/renewal/groomgy.com.conf produced an unexpected error: Failed authorization procedure


#1

My domain is:

https://groomgy.com

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/groomgy.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for groomgy.com
tls-sni-01 challenge for www.groomgy.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (groomgy.com) from /etc/letsencrypt/renewal/groomgy.com.conf produced an unexpected error: Failed authorization procedure. groomgy.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested aac68ac4f8dc5d9ac69fe61ba9bf7b88.276acccc10ef2428291a193cd6b5156f.acme.invalid from 54.255.153.71:443. Received 2 certificate(s), first certificate had names “groomgy.com, www.groomgy.com”, www.groomgy.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c8c650d779b9bc36f90c471411f60fba.62d3f4f004a46a115e19034a46c3295d.acme.invalid from 54.255.153.71:443. Received 2 certificate(s), first certificate had names “groomgy.com, www.groomgy.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/groomgy.com/fullchain.pem (failure)

The operating system my web server runs on is (include version):

Ubuntu 16.04

I can login to a root shell on my machine:

Yes

I’m using a control panel to manage my site:

No


I am not sure what to debug or where to look at. Could someone advise me on where to look at?


#2

Hi @Kimserey

the tls-sni-01 - challenge is deprecated. So use

sudo certbot renew --dry-run --preferred-challenges http

instead.


#3

Thanks for the reply @JuergenAuer

I’ve ran sudo certbot renew --dry-run --preferred-challenges http.

Here is the response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/groomgy.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for groomgy.com
http-01 challenge for www.groomgy.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (groomgy.com) from /etc/letsencrypt/renewal/groomgy.com.conf produced an unexpected error: Failed authorization procedure. www.groomgy.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.groomgy.com/.well-known/acme-challenge/33K__0lsi2z3wrqqRRGliFzbBm8zlv19GLpAruXV2hA: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n<h1.>404 Not Found\r\n


”, groomgy.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://groomgy.com/.well-known/acme-challenge/d09ncTEswJzosEV8qgj09KQELn5IRUzjFgSBa-FULWg: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n<h1.>404 Not Found\r\n
”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/groomgy.com/fullchain.pem (failure)

DRY RUN: simulating ‘certbot renew’ close to cert expiry
(The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/groomgy.com/fullchain.pem (failure)
DRY RUN: simulating ‘certbot renew’ close to cert expiry
(The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)


My server returns 404 Not Found on the url http://groomgy.com/.well-known/acme-challenge/d09ncTEswJzosEV8qgj09KQELn5IRUzjFgSBa-FULWg


#4

Please share your log.

And create a file in /.well-known/acme-challenge - file name 1234, so you should be able to load this file via

http://groomgy.com/.well-known/acme-challenge/1234

If this works, you know your correct webroot (path to /). So perhaps use

sudo certbot renew --dry-run --preferred-challenges http --webroot -w yourwebroot

If this doesn’t work, there may be wrong redirects. Or a proxy server.


#5

Thanks for the reply @JuergenAuer, specifying the root worked, thank you so much.

I don’t remember specifying the webroot 3 months ago when I first setup the SSL.
Was the cron job renewal failing due to the deprecation of tls-sni-01 challenge?


#6

Perhaps. I don’t know. But there are a lot of users, tls-sni-01 fails, switching to http-01 works.