Cannot Renew Certificate - authorisation error

That’s NOT the SPF we are talking about.

My eyes! my eyes!
Yes, not SPF, ESF.

Now that we know HTTP is NOT an option, we can focus on the HTTPS path.
[I was starting to think I was a bit crazy there for a minute]

We need to compare a working HTTPS config with this failing config, which includes reviewing their renewal conf files.

Sorry, my bad… Isolated too long.

@RIP No worries, we are all going through the same thing (together | apart).
If you can, walk around the block.
See the random little critters that have come out to claim the world we left behind.
[we have strange African lizards roaming the streets like they own them … I kinda guess they do, now]


Ah good, I am not alone!

Shall I post my renewal conf here as well?

You already have.

I think we should try the --webroot -w /doc/root/path method
That bypasses the “logic” that tries to figure where to put the files and forces a specific location.
The “logic” falls on us to determine and ensure it works.
And when it does it works flawlessly.

OK, how do we do that?

We match certbot webroot to the expected root of the web server vhost config (or specific location for /.well-known/… therein, if specified).

So what does the HTTPS vhost config look like now?
[since everything is being redirected to HTTPS - despite our best efforts]

OK tried this:

sudo certbot certonly --webroot -w /var/www/ -d

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [2607:f8b0:400f:800::2013]: "<!DOCTYPE html><html lang=\"en-US\" itemscope itemtype=\"\"><head><script type=\"text/javascript\" nonce=\"5Bs"

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   [2607:f8b0:400f:800::2013]: "<!DOCTYPE html><html lang=\"en-US\"
   itemscope itemtype=\"\"><head><script
   type=\"text/javascript\" nonce=\"5Bs"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I reverted the virtual host entry to how it was when we started:

<VirtualHost *:80>
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME}
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Please show the vhost config for 443
[Everything in 80 gets redirected to 443]


<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


and contents of the include:


SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

OK, let’s test that document root:

mkdir /var/www/
mkdir /var/www/
echo "challenge file" >> /var/www/
echo "root file" >> /var/www/

Then test from Internet:

Both should redirect to HTTPS automatically:

Let’s see which ones work.
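As an added example, not code from the thread or from certbot: the script below ties together the two steps rg305 describes above, handing certbot a fixed `--webroot` and then checking from outside that a file under `/.well-known/acme-challenge/` on that same webroot is what the world gets back. It stages a dummy token where `certbot --webroot -w WEBROOT` would write one, prints a hypothetical Apache `:80` vhost (using mod_alias and mod_rewrite) that serves the challenge directory from that webroot and only redirects everything else to HTTPS, and classifies the body a fetch of the challenge URL returned. The domain, webroot and token values are placeholders. The "wrong-host" case is what the certbot error above shows: an HTML document from `[2607:f8b0:400f:800::2013]` instead of the token, which is the DNS A/AAAA situation certbot's own hint points at, not something a vhost edit on this box can change.

```shell
#!/bin/sh
# Added example, not code from the thread: stage a dummy http-01 token under the
# webroot certbot would use, print an Apache :80 vhost that serves that path
# without redirecting it, and classify what a fetch of the challenge URL returned.
# Domain names, paths and token values are placeholders chosen for illustration.
set -eu

# Write a dummy token file exactly where "certbot --webroot -w WEBROOT" would.
# Prints the path of the file it created.
stage_token() {
  webroot="$1"; token="$2"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# Print a hypothetical :80 vhost: the challenge directory is served from the same
# WEBROOT handed to certbot, and only every other request is redirected to HTTPS.
gen_vhost() {
  domain="$1"; webroot="$2"
  cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $webroot
    Alias /.well-known/acme-challenge/ $webroot/.well-known/acme-challenge/
    <Directory "$webroot/.well-known/acme-challenge/">
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

# Classify the body that came back for the challenge URL.
# Exit status: 0 token served verbatim, 2 an HTML page answered (another host
# or vhost owns the name), 3 empty body, 4 anything else.
classify_response() {
  expected="$1"; body="$2"
  if [ "$body" = "$expected" ]; then
    echo "ok: token served verbatim"
    return 0
  fi
  case "$body" in
    "<!DOCTYPE html"*|"<html"*) echo "wrong-host: an HTML page answered, not the token"; return 2 ;;
    "")                          echo "empty: no body (refused, timeout or blocked?)"; return 3 ;;
    *)                           echo "mismatch: unexpected body"; return 4 ;;
  esac
}

# Fetch the way the CA does: plain HTTP, following the redirect to HTTPS.
# The addresses the name resolves to go to stderr so the answering host is obvious.
fetch_challenge() {
  domain="$1"; token="$2"
  getent ahosts "$domain" 2>/dev/null | awk '{print $1}' | sort -u >&2
  curl -sS -L --max-time 15 "http://$domain/.well-known/acme-challenge/$token"
}

# Usage: sh check_webroot.sh DOMAIN WEBROOT   (does nothing when run without arguments)
if [ "$#" -ge 2 ]; then
  token="probe-$(date +%s)"
  stage_token "$2" "$token" >/dev/null
  body="$(fetch_challenge "$1" "$token")" || true
  classify_response "$token" "$body"
fi
```

Run it as `sh check_webroot.sh example.test /var/www` on the box itself after putting the printed vhost in place; a status of 2 with Google's IPv6 address on stderr means the name is being answered by someone else, and no webroot or vhost change here will make the http-01 challenge pass.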

OK, tried that. Still getting a redirect to my Google site with a 404 page.
Seems like the redirect to my Google site is overriding anything on my server…


Anything here that helps?


Hi @Metricrat

You use Google and you have a working Google certificate.

So there is no action required.

I don’t think, and don’t know, whether it is possible to create Letsencrypt certificates if you use the Google host.

But it’s not required because you have a working certificate.


OK. I think I understand that. I was concerned that this site would lose its https status if it does not renew?

But I have two other sites (virtual hosts on the same IP) with Google redirects that have successfully renewed their letsencrypt certificates (main domain names, not a subdomain), so I don’t really understand why this one will not renew. As you may have seen from the posts above, there is apparently no way of providing http access for certbot to do its thing with the acme challenge. Just doesn’t make any sense. Rudy (rg305) has worked very hard on my behalf trying to troubleshoot, but to no avail.


Well, the renewal deadline passed, and despite my reservations, the site is still up and it has retained its https status without a letsencrypt certificate in place. So @JuergenAuer is quite right that by using a new Google site as a redirect to my domain, it gets its https status from Google.

Still strange that the other site,, did renew OK with letsencrypt. Might try letting it expire next time around and see what happens…
