Authorization is looking for the wrong acme challenge


#1

I am trying to renew my certificate for 2 domains: olimpicos.org.mx and www.olimpicos.org.mx
I am simply executing /usr/bin/certbot renew and getting authorization errors.
I’ve read a lot of similar reports but I can confirm my case appears quite different from any other report I’ve found. So, please bear with me.

The error goes like this:

Processing /etc/letsencrypt/renewal/olimpicos.org.mx.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for olimpicos.org.mx
http-01 challenge for www.olimpicos.org.mx
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/olimpicos.org.mx.conf produced an unexpected error: 
Failed authorization procedure. www.olimpicos.org.mx (http-01): urn:acme:error:unauthorized :: 
The client lacks sufficient authorization :: Invalid response from 
http://www.olimpicos.org.mx/.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/olimpicos.org.mx/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

The configuration file contents are:

# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/olimpicos.org.mx/cert.pem
privkey = /etc/letsencrypt/live/olimpicos.org.mx/privkey.pem
chain = /etc/letsencrypt/live/olimpicos.org.mx/chain.pem
fullchain = /etc/letsencrypt/live/olimpicos.org.mx/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = XXXXXXX
webroot_path = /usr/share/nginx/wordpress,
[[webroot_map]]
olimpicos.org.mx = /usr/share/nginx/wordpress
www.olimpicos.org.mx = /usr/share/ngix/wordpress

I have verified that I can retrieve files on this directory over http, e.g.
http://olimpicos.org.mx/.well-known/test/test or http://www.olimpicos.org.mx/.well-known/test/test

However, look at the url that the client is trying to reach:
www.olimpicos.org.mx/.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y

The access log confirms this file name:

66.133.109.36 - - [03/Feb/2017:20:17:06 -0500] "GET /.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y HTTP/1.1" 404 134 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

In previous attempts I noticed that the acme-challenge folder and a file are created when I try to renew the certificate, but the filename didn’t match. It could be that the file was created and removed quite fast and I could not see it, so I set up a watcher, and these are the only 2 new files created at the same time I ran the above command:

2017-02-03 20:17:05-05:00: 'acme-challenge' appeared in './' via 'CREATE,ISDIR'
2017-02-03 20:17:05-05:00: 'sr0oxI-dVMRUAbHOveyUs1ATD7soz988zmQKdfOUdeE' appeared in './acme-challenge/' via 'CREATE'

As you can see, certbot is creating a file in the right location; however, its name does not match the file that the server is requesting.

What am I missing? I’ll appreciate your help.


#2

Hi acosta-edgar,

A) Are you running certbot in sudo mode?
B) There should be 2 validation files in the .well-known/acme-challenge/ directory.
C) They should be returning application/text responses for the content type, not HTML.
D) When I browse to your challenge file I am getting a 404 Not Found.

This could be due to NGINX not serving up the files in the correct format (MIME extension issue).

Andrei


#3

Thanks Andrei,

A) I am running it as root
B) certbot is only creating the folder and one file under the folder, and it removes both after authentication fails.
C) I verified the server returns the application/text content type, not HTML, e.g. http://www.olimpicos.org.mx/.well-known/test/test
D) You won’t be able to reach the challenge because certbot removes it within seconds; plus, the file you are trying to reach is the same challenge that the authentication process tried, but the issue is that this challenge was never created by certbot.

I tried again and I got the same error, except the challenge is different:

http://www.olimpicos.org.mx/.well-known/acme-challenge/pnjBzPJfatbzz2PlceJR2yIYD3joirgcRrXaTSBbHJI

While certbot was trying this happened on the .well-known folder:

2017-02-03 21:38:30-05:00: 'acme-challenge' change in './' via 'CREATE,ISDIR'
2017-02-03 21:38:30-05:00: 'sr0oxI-dVMRUAbHOveyUs1ATD7soz988zmQKdfOUdeE' change in './acme-challenge/' via 'CREATE'
2017-02-03 21:38:34-05:00: 'sr0oxI-dVMRUAbHOveyUs1ATD7soz988zmQKdfOUdeE' change in './acme-challenge/' via 'DELETE'
2017-02-03 21:38:34-05:00: 'acme-challenge' change in './' via 'DELETE,ISDIR'

and the access log shows:

66.133.109.36 - - [03/Feb/2017:21:38:31 -0500] "GET /.well-known/acme-challenge/pnjBzPJfatbzz2PlceJR2yIYD3joirgcRrXaTSBbHJI HTTP/1.1" 404 134 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

As you can see, the challenge that is requested was never created by certbot, and instead the challenge that was created was never requested. Plus, certbot cleans up after itself.


#4

One thing I just noticed is that certbot seems to be creating the same challenge filename every time. Look for

sr0oxI-dVMRUAbHOveyUs1ATD7soz988zmQKdfOUdeE

in the original question and my previous comment.


#5

Found the problem: for some reason the webroot path of one of the domains was wrong in the renewal conf file. I probably did it by mistake.

Problem solved!
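A pre-flight check for the kind of misconfiguration found above, added here as an example and not certbot's own code: it parses the renewal conf (top-level keys, [renewalparams], nested [[webroot_map]]) and flags any domain whose mapped webroot does not exist on disk or is not listed in webroot_path. The sample conf reuses the thread's values; the directory listing is constructed so the check runs offline.

```python
"""Added example (not certbot's own code): parse a certbot renewal conf and
flag webroot_map entries that point at a directory that does not exist."""
import os
import re
SECTION_RE = re.compile(r"^\[+([^\]]+)\]+\s*$")  # matches [renewalparams] and [[webroot_map]]

def parse_renewal_conf(text):
    """Return {'top': {...}, 'renewalparams': {...}, 'webroot_map': {...}}."""
    conf = {"top": {}, "renewalparams": {}, "webroot_map": {}}
    section = "top"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()   # bracket depth only marks nesting; the name is what we key on
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf

def check_webroot_map(conf, isdir=os.path.isdir):
    """Return (domain, path, problem) tuples; `isdir` is injectable for offline tests."""
    # certbot stores webroot_path as a comma-terminated list, so drop empty items
    listed = {p.strip() for p in conf["renewalparams"].get("webroot_path", "").split(",") if p.strip()}
    findings = []
    for domain, root in conf["webroot_map"].items():
        if not isdir(root):
            findings.append((domain, root, "webroot directory does not exist"))
        elif root not in listed:
            findings.append((domain, root, "webroot is not listed in webroot_path"))
    return findings

# Constructed sample: the renewal conf from the thread, reduced to the relevant keys
SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /usr/share/nginx/wordpress,
[[webroot_map]]
olimpicos.org.mx = /usr/share/nginx/wordpress
www.olimpicos.org.mx = /usr/share/ngix/wordpress
"""
# Constructed directory listing standing in for the server's filesystem
EXISTING_DIRS = {"/usr/share/nginx/wordpress"}

if __name__ == "__main__":
    conf = parse_renewal_conf(SAMPLE_CONF)
    for domain, root, problem in check_webroot_map(conf, isdir=EXISTING_DIRS.__contains__):
        print(f"{domain}: {root}: {problem}")
```

Run it against a real file with `parse_renewal_conf(open("/etc/letsencrypt/renewal/<name>.conf").read())` and the default `isdir` to catch a typo like the one in the thread before the validation server ever asks for a token.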


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.