Cannot Renew Certificate - authorisation error

That returns the IP of my server.

Is the redirection of the google site overriding anything apache is doing ?

I don’t know enough to answer that question.
I don’t even know what “SPF” stands for in the context of “server type”.

An SPF record is a Sender Policy Framework record. It’s used to indicate to mail exchanges which hosts are authorized to send mail for a domain. It’s defined in RFC 4408, and clarified by RFC 7208.

Rip

Don’t you mean ESF ?

From what I can see, any call to https://ai2.metricrat.co.uk will get a response from the google site, and not the server. From what you say, we need to be able to get a call from http://ai2.metricrat.co.uk in order to help certbot validate the site? This http address is not setup on the server or on the virtual host. Is there anything I can add or change to make this so, or have I got this wrong ?

I was able to set up the https certificate in the first place, and it is clearly working now; my site ai2.metricrat.co.uk is using an https secure address. I do not understand why certbot cannot validate when everything appears to already be in place?

If we cannot solve it on the community, what recourse do I have to “letsencrypt” to get this resolved ?

That’s NOT the SPF we are talking about.

My eyes! my eyes!
Yes, not SPF, ESF.

Now that we know HTTP is NOT an option.
We can focus on the HTTPS path.
[I was starting to think I was a bit crazy there for a minute]

We need to compare a working https config with this failing config.
Which includes reviewing their renewal conf files.

Sorry My bad… Isolated too long.

@RIP No worries, we are all going through the same thing (together | apart).
If you can, walk around the block.
See the random little critters that have come out to claim the world we left behind.
[we have strange African lizards roaming the streets like they own them … I kinda guess they do, now]


Ah good, I am not alone!

Shall I post my renewal conf as well here ?

You already have.

I think we should try the --webroot -w /doc/root/path method
That bypasses the “logic” that tries to figure where to put the files and forces a specific location.
The “logic” falls on us to determine and ensure it works.
And when it does it works flawlessly.

OK, how do we do that ?


We match certbot webroot to the expected root of the web server vhost config (or specific location for /.well-known/… therein, if specified).

So what does the HTTPS vhost config look like now?
[since everything is being redirected to HTTPS - despite our best efforts]

OK tried this:

sudo certbot certonly --webroot -w /var/www/ai2.metricrat.co.uk/public_html -d ai2.metricrat.co.uk

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ai2.metricrat.co.uk
Using the webroot path /var/www/ai2.metricrat.co.uk/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ai2.metricrat.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ai2.metricrat.co.uk/.well-known/acme-challenge/20NHCRtrSvfm-92GVL6PzmFup_4khTODI8InVVHhkvI [2607:f8b0:400f:800::2013]: "<!DOCTYPE html><html lang=\"en-US\" itemscope itemtype=\"http://schema.org/WebPage\"><head><script type=\"text/javascript\" nonce=\"5Bs"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ai2.metricrat.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   https://ai2.metricrat.co.uk/.well-known/acme-challenge/20NHCRtrSvfm-92GVL6PzmFup_4khTODI8InVVHhkvI
   [2607:f8b0:400f:800::2013]: "<!DOCTYPE html><html lang=\"en-US\"
   itemscope itemtype=\"http://schema.org/WebPage\"><head><script
   type=\"text/javascript\" nonce=\"5Bs"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
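A small triage helper for exactly this kind of failure, added here as an example and not part of the thread or of certbot itself: it parses the "Invalid response from … [ip]" detail certbot printed above and decides whether the validator ever reached the Apache host at all (a DNS A/AAAA problem) or reached it and got the wrong content (a DocumentRoot or redirect problem). The server address set is a constructed placeholder; the real addresses of ai2.metricrat.co.uk are not on the page.

```python
import ipaddress
import re

# Constructed inputs. The detail line is the one quoted in the thread; the server
# address set is a placeholder (RFC 5737 / RFC 3849 documentation ranges), not the
# real addresses of ai2.metricrat.co.uk.
CERTBOT_DETAIL = (
    'Invalid response from https://ai2.metricrat.co.uk/.well-known/acme-challenge/'
    '20NHCRtrSvfm-92GVL6PzmFup_4khTODI8InVVHhkvI [2607:f8b0:400f:800::2013]: '
    '"<!DOCTYPE html><html lang=\\"en-US\\" itemscope itemtype=\\"http://schema.org/WebPage\\">"'
)
SERVER_ADDRS = {"203.0.113.10", "2001:db8::10"}

DETAIL_RE = re.compile(
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*)"', re.S
)


def parse_detail(text):
    """Extract the URL the validator fetched, the address it connected to and
    the (possibly truncated) body it received from certbot's error detail."""
    m = DETAIL_RE.search(text)
    if not m:
        raise ValueError("no 'Invalid response from' detail found")
    return m.groupdict()


def triage(detail_text, server_addrs):
    """Classify the failure as a DNS/host problem or a web-server problem."""
    d = parse_detail(detail_text)
    ip = ipaddress.ip_address(d["ip"])
    token = d["url"].rsplit("/", 1)[-1]
    result = {
        "ip": str(ip),
        "family": ip.version,
        # certbot's http-01 request starts at http://; an https:// URL here means
        # the validator followed the server's 80 -> 443 redirect before this body.
        "followed_redirect": d["url"].startswith("https://"),
    }
    if str(ip) not in {str(ipaddress.ip_address(a)) for a in server_addrs}:
        # The validator never spoke to our Apache: the DNS record for this
        # address family points at some other host (here, a third-party site).
        result["verdict"] = "wrong-host"
        result["record"] = "AAAA" if ip.version == 6 else "A"
    elif d["body"].startswith(token):
        # Key authorization is "<token>.<account thumbprint>", so a body that
        # begins with the token means the challenge file was served correctly.
        result["verdict"] = "ok"
    else:
        # Our server answered, but with HTML instead of the challenge file:
        # DocumentRoot, redirect rules or the /.well-known/ location are wrong.
        result["verdict"] = "wrong-content"
    return result
```

For the output quoted in this thread the verdict is "wrong-host" on an IPv6 address, which is why a check of the AAAA record is the next step even though the A record "returns the IP of my server".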

I reverted the virtual host entry to how it was when we started:

<VirtualHost *:80>
    ServerAdmin webmaster@ai2.metricrat.co.uk
    ServerName ai2.metricrat.co.uk
    DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =ai2.metricrat.co.uk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Please show the vhost config for 443
[Everything in 80 gets redirected to 443]

This?:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@ai2.metricrat.co.uk
    ServerName ai2.metricrat.co.uk
    DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/ai2.metricrat.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ai2.metricrat.co.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

from:
/etc/apache2/sites-enabled/ai2.metricrat.co.uk-le-ssl.conf

and contents of the include:

/etc/letsencrypt/options-ssl-apache.conf

SSLEngine on

    # Intermediate configuration, tweak to your needs
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
    SSLHonorCipherOrder     on
    SSLCompression          off

    SSLOptions +StrictRequire

    # Add vhost name to log entries:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

OK, let’s test that document root:

mkdir /var/www/ai2.metricrat.co.uk/public_html/.well-known
mkdir /var/www/ai2.metricrat.co.uk/public_html/.well-known/acme-challenge
echo "challenge file" >> /var/www/ai2.metricrat.co.uk/public_html/.well-known/acme-challenge/test-file1
echo "root file" >> /var/www/ai2.metricrat.co.uk/public_html/test-file2

Then test from Internet:
http://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file1
http://ai2.metricrat.co.uk/test-file2

Both should redirect to HTTPS automatically:
https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file1
https://ai2.metricrat.co.uk/test-file2

Let’s see which ones work.

OK tried that. Still getting a redirect to my google site with a 404 page.
Seems like the redirect to my google site is overriding anything on my server…
