Authorization result: invalid

My domain is: nardellagroup.com

I ran this command: C:\win-acme\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output:

My web server is (include version): Apache/2.4.43 (Win64)

The operating system my web server runs on is (include version): Windows server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am trying to renew my SSL cert and keep getting the following message:

C:\Users\admin>C:\win-acme\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

A simple Windows ACMEv2 client (WACS)
Software version 2.1.10.896 (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS not detected
Running with administrator credentials
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme

Renewing certificate for [Manual] crm.nardellagroup.com
[crm.nardellagroup.com] Authorizing...
[crm.nardellagroup.com] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://crm.nardellagroup.com/.well-known/acme-challenge/_EZteHzd5Dg8524pUkrOwxbe2JTqtV8MMwh8xD2Dpx8
Preliminary validation failed, the server answered '(null)' instead of '_EZteHzd5Dg8524pUkrOwxbe2JTqtV8MMwh8xD2Dpx8.qxbcGezi4o3ZiIfkIhBlC1F4Ibtwo5QTIwslEniHjgw'. The ACME server might have a different perspective
[crm.nardellagroup.com] Authorization result: invalid
[crm.nardellagroup.com] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://crm.nardellagroup.com/.well-known/acme-challenge/_EZteHzd5Dg8524pUkrOwxbe2JTqtV8MMwh8xD2Dpx8 [45.73.35.203]: "<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\r\n \"http://www.w3.org/TR/xhtml1"",
"status": 403
}
Renewal for [Manual] crm.nardellagroup.com failed, will retry on next run

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I noticed that you are using manual. Did you add the challenge file to your webroot/.well-known/acme-challenge/ with the right filename and contents? Usually you don't want to do this manually and instead specify your webroot to wacs.

I'm not seeing any redirects from http to https. Without those your site will be accessible insecurely.

I highly recommend that you follow the apache directions here:

2 Likes

Not sure what manual means. I inherited this system, so I'm learning as I go on this.

Here is what is in my httpd-vhosts.conf in Apache:

<VirtualHost *:80>
ServerAdmin apereira@nardellagroup.com
##DocumentRoot "C:/xampp/htdocs/dummy-host.example.com"
DocumentRoot "C:/xampp/htdocs/suitecrm"
##ServerName dummy-host.example.com
ServerName crm.nardellagroup.com:443
##ServerAlias www.dummy-host.example.com
ServerAlias crm.nardellagroup.com
ErrorLog "logs/crm.nardellagroup.com-error.log"
CustomLog "logs/crm.nardellagroup.com-access.log" common
</VirtualHost>

2 Likes

I think [Manual] in WACS has a different meaning from --manual in Certbot, although I don't know exactly what it means. For example, I think it might just be referring to the fact that the renewal was requested on the command line. The FileSystem method sounds like it might be doing what Certbot's --webroot does.

3 Likes

I have checked for the pem files and I see four of them in the apache\conf folder. I checked the httpd-ssl file and I see them being called for in that file.
The server was working fine with the cert until recently. I assume it is because it cannot renew the cert.

That is why I tried to run it manually in a cmd window and noticed that it did not work. This is where I am stuck. Not sure what the original error means.

1 Like

As @griffin posted, the site shows examples that use webroot:
https://www.win-acme.com/manual/advanced-use/examples/apache

Try:

wacs.exe --target manual --host crm.nardellagroup.com --validation filesystem --webroot "C:/xampp/htdocs/suitecrm" --store pemfiles --pemfilespath "WHEREVER-YOUR-APACHE/CONF-IS"

Also change these two lines:

ServerName crm.nardellagroup.com:443
ServerAlias crm.nardellagroup.com

To just one line:

ServerName crm.nardellagroup.com

You can't add a port to a servername.
And even if you could, you should not try to add port 443 to a port 80 vhost config section.

2 Likes
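What the client calls "preliminary validation" in the logs above is a self-check: before asking the ACME server to validate, it fetches its own challenge URL over plain HTTP and compares the body with the key authorization it just wrote into the webroot. The script below is an added illustration of that step (it is not win-acme's code and is not part of this thread). It writes a challenge file under `<webroot>/.well-known/acme-challenge/<token>`, serves the webroot on a local port in place of the port-80 vhost, and runs the check once before the file exists and once after. The token and key-authorization strings are constructed for the demo; a real client gets the token from the server's challenge and derives the key authorization from its account key.

```python
"""Added example: a local stand-in for the http-01 "preliminary validation" self-check.

Not win-acme's own code. The webroot, token and key authorization below are
constructed for this demo, not values from any real ACME challenge.
"""
from __future__ import annotations

import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge(webroot: str, token: str, key_authorization: str) -> Path:
    """Place the answer where http-01 expects it: <webroot>/.well-known/acme-challenge/<token>."""
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization, encoding="ascii")
    return target


def fetch_challenge(base_url: str, token: str) -> tuple[int, str]:
    """GET the challenge URL; return (status, body) even for 4xx/5xx responses."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preliminary_validation(base_url: str, token: str, key_authorization: str) -> tuple[bool, str]:
    """Self-check: a 200 whose body is exactly the key authorization passes; anything else fails.

    A non-200 status (e.g. the 403 HTML error page in the thread) is treated as
    no answer at all, reported as '(null)' like the log line in the first post.
    """
    status, body = fetch_challenge(base_url, token)
    answer = body.strip() if status == 200 else None
    if answer == key_authorization:
        return True, "Preliminary validation looks good"
    shown = "(null)" if answer is None else answer[:60]
    return False, (f"Preliminary validation failed, the server answered '{shown}' "
                   f"(HTTP {status}) instead of '{key_authorization}'")


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server that stays silent instead of logging every request."""

    def log_message(self, *args):
        pass


def serve_webroot(webroot: str) -> tuple[socketserver.TCPServer, str]:
    """Serve `webroot` on an ephemeral localhost port, standing in for Apache's port-80 DocumentRoot."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def demo() -> tuple[bool, bool]:
    """Run the check before the file exists (fails, as in the first log) and after (passes)."""
    token = "constructed-token-abc123"                 # constructed, not a real ACME token
    key_auth = token + ".constructed-thumbprint"       # constructed key authorization
    with tempfile.TemporaryDirectory() as webroot:
        httpd, base = serve_webroot(webroot)
        try:
            before, msg_before = preliminary_validation(base, token, key_auth)
            write_challenge(webroot, token, key_auth)
            after, msg_after = preliminary_validation(base, token, key_auth)
        finally:
            httpd.shutdown()
            httpd.server_close()
    print(msg_before)
    print(msg_after)
    return before, after


if __name__ == "__main__":
    demo()
```

The practical point for the thread: if the file is present but the check still fails, the request is not reaching the directory the client wrote into, which is exactly what a wrong `--webroot` (or a vhost whose `ServerName` does not match the requested host, so a different DocumentRoot answers) produces. The ACME server performs the same fetch from the outside, so passing this local check does not guarantee success if DNS or a firewall sends external traffic elsewhere.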

I ran your command and it looks like it worked; here are the results:

A simple Windows ACMEv2 client (WACS)
Software version 2.1.12.943 (RELEASE, PLUGGABLE, 64-bit)
ACME server https://acme-v02.api.letsencrypt.org/
IIS not detected
Running with administrator credentials
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme
Running in mode: Unattended
Target generated using plugin Manual: crm.nardellagroup.com
Overwriting previously created renewal

[crm.nardellagroup.com] Authorizing...
[crm.nardellagroup.com] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://crm.nardellagroup.com/.well-known/acme-challenge/TwF18cBc5qgkUsoCMehCKdbsbWtA9tT8YhhkMgK-pQg
Preliminary validation looks good, but the ACME server will be more thorough
[crm.nardellagroup.com] Authorization result: valid
Requesting certificate [Manual] crm.nardellagroup.com
Store with PemFiles...
Exporting .pem files to C:\xampp\apache\conf
Installing with None...
Scheduled task looks healthy
Next renewal scheduled at 2021-1-13 8:23:32
Certificate [Manual] crm.nardellagroup.com created

Then I made the following changes to the Apache httpd.conf file:

<VirtualHost *:80>
ServerAdmin apereira@nardellagroup.com
DocumentRoot "C:/xampp/htdocs/suitecrm"
ServerName crm.nardellagroup.com
ErrorLog "logs/crm.nardellagroup.com-error.log"
CustomLog "logs/crm.nardellagroup.com-access.log" common
</VirtualHost>

Define SITEROOT "C:/xampp/htdocs/suitecrm"

<VirtualHost *:443>
ServerName crm.nardellagroup.com
DocumentRoot "${SITEROOT}/nardellagroup.com"
</VirtualHost>

Does this look right to you?

3 Likes

So far, so good.
Is it using the new cert now?

2 Likes

It doesn't seem to be using it. I am rebooting the server. If you click on the link https://crm.nardellagroup.com, it seems to not like the cert.

2 Likes

OK, I found the problem: there was a virtual host defined with 443 in httpd-ssl.conf. I changed the parameters in there, commented out the virtual host in the httpd.conf file, restarted Apache and it is now working.
Thanks for all your help.
I guess the question is: do I leave the entries in httpd-ssl.conf or should I put them in httpd.conf? Or does it matter?

3 Likes