Authorization Procedure failed


#1

Hello everyone,

I installed Nextcloud on a Raspberry Pi 3 and got it running pretty well. I used openssl to generate an SSL certificate. It was after that step that Let's Encrypt came to my mind, and I thought maybe I can create a new SSL certificate through Let's Encrypt (so that I do not get the popup asking me whether or not I trust this website whenever I try to access my cloud through the browser) and encrypt traffic with the LE SSL certificate instead of the openssl certificate.

I will just fill out the premade form as this will make it a lot easier for you to understand what my problem is, I guess:

Please fill out the fields below so we can help you better.

My domain is: xxxxxx.ddns.net

I ran this command: sudo ./letsencrypt-auto

It produced this output:
Failed authorization procedure. xxxxxx.ddns.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested ef558645254c70cbf4ffba1a2c85bd43.9c0b742983a5d29377ed994612517970.acme.invalid from 84.150.102.51:443. Received certificate containing ''

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xxxxxx.ddns.net
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    ef558645254c70cbf4ffba1a2c85bd43.9c0b742983a5d29377ed994612517970.acme.invalid
    from 84.150.102.51:443. Received certificate containing ''

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My operating system is (include version): Raspbian the latest

My web server is (include version): apache2

My hosting provider, if applicable, is: noip.com (I’m not sure what’s meant by hosting provider, noip.com is where I got my DNS server from, but the server is my very own Pi 3)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

If you have any further questions please feel free to post them below. I will try to help as best as I can, considering I just got started in the server business and therefore I am pretty noobish on the whole thing.


#2

To validate that you really control xxxxxx.ddns.net, Let’s Encrypt has three options. The one it used here is sometimes called tls-sni-01: it connects to your Apache SSL server on port 443, asks to talk to a server with an invalid name, and expects to receive a special certificate whose contents prove you’re the one requesting the certificate, thus completing the loop. But instead it got something else, either nothing, or you snipped it from your response.

The Letsencrypt software you ran (now named Certbot) should configure Apache to give the right reply. But there might be a number of reasons it didn’t end up working. Is there any other software listening on port 443 when someone out on the Internet connects to your xxxxxx.ddns.net server, or is it definitely coming directly to the Raspbian Apache server? For example, could there be an nginx reverse proxy, or some other gizmo in between?


#3

Hello and thank you very much for your reply.

Port 443 is open only for the Pi 3 (through the router setup). To the best of my knowledge there is no other software running on the Pi that might use port 443. I assume that because all I did was open the box of the Pi 3 and follow the Nextcloud tutorial to set the cloud up. I did not install any other software, and I therefore think there is no other software that wants to respond when someone is reaching out to the Pi through port 443. Is there any way to check this? Or could the error come from some other source?


#4

Maybe if you ask Certbot / Letsencrypt to be more verbose it will be apparent where the problem is. If you put -v (or maybe even -v -v) on the end of the command, it should say a lot more about what it’s doing. In particular it will have wanted to set up (temporarily) a fake virtual host entry with that crazy long name ending .acme.invalid, which it knows will be the name the Let’s Encrypt servers are about to ask for. That part doesn’t seem to be working for you.

Another option, assuming port 80 (ordinary unencrypted HTTP) also leads to the server, is to use the “webroot” mode of the Letsencrypt script, which you can read about in their documentation. It requires a little bit of extra work the first time, but renewals will still be fully automated. In this mode you arrange for files made by the script in a directory you choose to be visible over the web on a particular path like http://xxxxxx.ddns.net/.well-known/acme-challenge/someGreatLongPileOfCharactersHere, which should be easy with your Apache server.

This mode is easier to self-test, because if you put a file in the right place, and can access it over the Internet then it should be working with the files Let’s Encrypt uses to actually validate control.


#5

Hello again,

Adding -v to the command shows the process of what the programme is actually doing. This is quite a lot of text and, as I am unfamiliar with it and as this is my first attempt to get a server running, I understand hardly anything of what it is giving me.
However I found the part that you mentioned, where the programme is creating a new virtual host:

Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
writing a config file with text:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName 2d9e850c87b970cf7ba8c70b9cadf59b.70b5d06092a7b18951993fe1b1273207.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/N_JwUTCv_4Hryvop8nJFevc7L6aiwnmH2MwrHqoWuJE.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/N_JwUTCv_4Hryvop8nJFevc7L6aiwnmH2MwrHqoWuJE.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/

</VirtualHost>

</IfModule>


I configured Apache in a way so that if somebody is trying to connect to the server through port 80 (i.e. the unencrypted http way), the request will be automatically redirected to https. With that in mind I am not sure if your second idea is going to help since, if I understand what you’re saying correctly, my server has to be reachable through http too. I have not found the webroot-method in the manual yet.


#6

Yes, that looks like the configuration it should put in place to make validation work. Is it possible that the “IfModule” condition is failing for some reason? I think we had an example of that before on this discussion site. I can’t remember what the outcome was, maybe someone else will drop past who remembers.

For webroot, a redirect is OK, the Let’s Encrypt validation system can understand the redirect and “follow” it to the HTTPS location so long as the original HTTP request is actually answered (with the redirect response) rather than e.g. blocked by a firewall.

You might find the webroot feature mentioned under “certonly” in the documentation? The idea in this mode is that it only creates the certificate, you’d have to work out the Apache configuration changes by hand, but only once, because any renewed certificates will be soft-linked in the same place, so you can still automate everything just fine. People on this site can help if you struggle to get the configuration working.
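The checks suggested in the two replies above (who is listening on 443, whether the `<IfModule mod_ssl.c>` block can actually apply, which certificate a given SNI name receives, and a webroot self-test that follows the HTTP-to-HTTPS redirect) collected in one POSIX shell script. This is an added example, not code from the thread or from Certbot; the host name xxxxxx.ddns.net, the webroot /var/www/html and the script's own `--run` flag are assumptions. Let's Encrypt has since retired the TLS-SNI-01 challenge, so the webroot (HTTP-01) part is the one that still applies today.

```shell
#!/bin/sh
# Added diagnostics for a failed Let's Encrypt challenge against an Apache host.
# Not part of the thread or of Certbot; host names and paths are assumptions.

# --- helpers that work on captured text (also usable offline) ---

# Read `apache2ctl -M` output on stdin; succeed only if mod_ssl is loaded.
# Certbot's temporary vhost sits inside <IfModule mod_ssl.c>; when mod_ssl is
# not loaded Apache silently skips that block and the challenge gets no answer.
ssl_module_loaded() {
  grep -q '^[[:space:]]*ssl_module'
}

# Read `openssl x509 -text` output on stdin; print one DNS SAN per line.
# No output means the served certificate carries no DNS names, which the
# validator reports as "Received certificate containing ''".
dns_names_from_x509_text() {
  awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | grep -o 'DNS:[^[:space:],]*' \
    | sed 's/^DNS://'
}

# Build the URL an HTTP-01 (webroot) validator fetches for a token.
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# --- live checks against the server (need network; ss wants root for -p) ---

# Who is bound to 443? Anything other than apache2 here explains the error.
listeners_on_443() {
  ss -ltnp 2>/dev/null | grep ':443 '
}

# Which DNS names does the server present for a given SNI name?
# For tls-sni-01 the SNI is the *.acme.invalid name from the log and the
# expected output is that same name; for a normal check use the domain itself.
names_served_for_sni() {
  host=$1; sni=$2
  openssl s_client -connect "$host:443" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | dns_names_from_x509_text
}

# Webroot self-test: drop a token file and fetch it the way the validator
# would, following the HTTP->HTTPS redirect. -k is deliberate: the Let's
# Encrypt validator does not verify the certificate of a redirect target either.
webroot_selftest() {
  domain=$1; webroot=${2:-/var/www/html}          # assumed default DocumentRoot
  dir="$webroot/.well-known/acme-challenge"
  token="selftest-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  got=$(curl -sSLk --max-redirs 5 "$(challenge_url "$domain" "$token")")
  rm -f "$dir/$token"
  [ "$got" = "$token" ]
}

# Example run against the (redacted) host from the thread: sh le-check.sh --run
if [ "${1:-}" = "--run" ]; then
  host=xxxxxx.ddns.net
  echo "== listeners on :443";  listeners_on_443
  echo "== mod_ssl loaded?";    apache2ctl -M 2>/dev/null | ssl_module_loaded && echo yes || echo no
  echo "== names served for default SNI"; names_served_for_sni "$host" "$host"
  echo "== webroot self-test";  webroot_selftest "$host" && echo ok || echo FAILED
fi
```

Run it as root on the Pi (the file name le-check.sh is assumed). An empty list from names_served_for_sni when asked for the .acme.invalid name is exactly the "Received certificate containing ''" condition from the first post; a missing ssl_module line means the temporary vhost Certbot wrote was never active; and a failing webroot_selftest with a passing `curl -I http://xxxxxx.ddns.net/` points at the redirect or rewrite rules rather than at port 80 itself.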


#7

Hello again and thanks again for your answer.

After working on this for a few more hours after all I am still pretty confused, as this is a pretty complex topic that is not easy to understand for an absolute beginner in the server-business.
However I was able to start the process over again via the command:
./letsencrypt-auto certonly --rsa-key-size 4096 -d domain.name.com
This would lead me to a different setup where I could choose between 3 options (apache-beta, webroot, standalone)… webroot did not work for me either (although I was able to create and access a file on my cloud through my web browser the way you mentioned). In the end I tried the standalone routine, which would start only after I shut down apache2, which was no problem. The certificate and key were generated a few minutes later. Thereafter I edited /etc/init.d/apache2/sites-available/config.conf so that it would load the new certificate and key. Restarting the apache2 server, I see in my Firefox that the certificate is approved by Let’s Encrypt. So after all it worked out pretty well, although I still do not completely understand what was wrong before.
Thanks again for your help!

edit:

Oh and by the way!!
I would really appreciate it if you’d cut out the subdomain like I did in the first post (i.e. make it xxxxxx.ddns.net). Do not want to leave any traces, haha. Anyways have a great day


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.