Can't get a certificate from letsencrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
example.com
I ran this command:
sudo certbot certonly -d example.com -d www.example.com
It produced this output:
Failed authorization procedure
My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23

I am new to Apache and server stuff.
Been trying to get a certificate from letsencrypt via Apache2 on Ubuntu 18.04.
However, I am getting an error which is Failed authorization procedure.
Can anyone help me out to figure out this problem?

Summary:

  • The problem: Can’t get a certificate; the error is Failed authorization procedure.
  • The goal: I want to create a certificate for SSL. I may know how to set it up, so this topic focuses on how to get the certificate.
  • Ubuntu version: 18.04
  • Apache version: 2.4

I tried to access http://example.com/.well-known/acme-challenge/test, which I created manually (test is just a text file). But it displayed a Not Found page saying You don't have permission to access /.well-known/acme-challenge/test on this server.
I did modify /etc/apache2/sites-available/example.com.conf a little bit too much. I’ve kind of reached where my brain is confused about what I did.

/etc/apache2/sites-available/example.com.conf

WSGIPythonHome "/home/bob/flask"
WSGIPythonPath "/home/bob/flask/python3.6/site-packages"

NameVirtualHost *:80
<VirtualHost *:80>
     # Add machine's IP address (use ifconfig command)
     ServerAdmin bob@example.com
     ServerName example.com
     ServerAlias www.example.com
     DocumentRoot /var/www/example.com

     # Give an alias to start your website url with
     WSGIDaemonProcess example.com user=www-data group=www-data threads=5
     WSGIScriptAlias / /var/www/example.com/assess.wsgi
     <Directory /var/www/example.com/>
     # set permissions as per apache2.conf file
            Options FollowSymLinks
            AllowOverride None
            Require all granted
     </Directory>

     Alias /.well-known/acme-challenge/ /example.com/.well-known/acme-challenge/
     <Directory /var/www/example.com/.well-known/acme-challenge>
            Allow from all
     </Directory>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     # RewriteEngine on
     # RewriteCond %{SERVER_NAME} = example.com
     # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

     # SSLEngine on
     # SSLCertificateFile /etc/ssl/certs/barracuda.crt
     # SSLCertificateKeyFile /etc/ssl/private/barracuda.key

     # Redirect "/assess" "https://localhost/"
</VirtualHost>

This is the output of the command sudo certbot certonly -d example.com -d www.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Input the webroot for example.com: (Enter 'c' to cancel): /var/www/example.com

Select the webroot for www.example.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www/example.com
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/GENAiPDAT0J6dRekLdiKDwOnA5Vf-3xcqyOxJt9Ke38 [2606:2800:220:1:248:1893:25c8:1946]: "<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type", example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/sRteUqLGER3OzwEDYFi5xLRWhBJdyHkWaAUa1k1tMTY [2606:2800:220:1:248:1893:25c8:1946]: "<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.example.com/.well-known/acme-challenge/GENAiPDAT0J6dRekLdiKDwOnA5Vf-3xcqyOxJt9Ke38
   [2606:2800:220:1:248:1893:25c8:1946]: "<!doctype
   html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n
   <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type"

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://example.com/.well-known/acme-challenge/sRteUqLGER3OzwEDYFi5xLRWhBJdyHkWaAUa1k1tMTY
   [2606:2800:220:1:248:1893:25c8:1946]: "<!doctype
   html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n
   <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Again, my goal is to get a certificate from letsencrypt.

Hi @boblef

please share your domain name.

Thank you for your reply, @JuergenAuer.

I don’t have any domain except for ‘example.com’, which I’m using for testing purposes.
Can’t I create a certificate with ‘example.com’?

Thanks,
Bob

You can't get a certificate with that domain name.

If you want to use a publicly trusted certificate, you need a publicly visible, worldwide unique domain name.

So only you as domain owner can create a certificate.

example.com is registered, but it's not your domain -> you can't create a certificate with that name.

If you don’t have control over the domain you cannot issue a certificate for it. So if you didn’t register example.com yourself you will need a publicly-accessible hostname that you do have control over in order to generate a LetsEncrypt certificate.

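The diagnosis in the replies above can be read out of the certbot output itself: the address in square brackets is the host the CA actually contacted for the http-01 check. The following is an added example, not part of the original thread or of certbot; `parse_failures`, `classify` and the server addresses in the usage section are constructed for illustration.

```python
import ipaddress
import re

# Failure line from the certbot run quoted in the thread; the HTML body is cut short.
CERTBOT_OUTPUT = (
    'Failed authorization procedure. www.example.com (http-01): '
    'urn:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    'Invalid response from http://www.example.com/.well-known/acme-challenge/'
    'GENAiPDAT0J6dRekLdiKDwOnA5Vf-3xcqyOxJt9Ke38 '
    '[2606:2800:220:1:248:1893:25c8:1946]: "<!doctype html>\\n<html>", '
    'example.com (http-01): urn:acme:error:unauthorized :: '
    'The client lacks sufficient authorization :: Invalid response from '
    'http://example.com/.well-known/acme-challenge/'
    'sRteUqLGER3OzwEDYFi5xLRWhBJdyHkWaAUa1k1tMTY '
    '[2606:2800:220:1:248:1893:25c8:1946]: "<!doctype html>\\n<html>"'
)

# Captures, per failed challenge: domain, error type, challenge URL, contacted address.
FAILURE = re.compile(
    r'(?P<domain>[A-Za-z0-9.-]+) \(http-01\): urn:acme:error:(?P<kind>\w+) :: '
    r'.*?Invalid response from (?P<url>http://\S+) \[(?P<ip>[0-9A-Fa-f:.]+)\]'
)


def parse_failures(text):
    """Return one dict per failed http-01 challenge found in certbot's output."""
    return [m.groupdict() for m in FAILURE.finditer(text)]


def classify(failure, server_addrs):
    """Tell a DNS/ownership problem apart from a web server problem.

    server_addrs: addresses of the machine running Apache (supplied by the
    operator, e.g. from `ip addr`). Parsing with ipaddress makes differently
    written forms of the same IPv6 address compare equal.
    """
    contacted = ipaddress.ip_address(failure["ip"])
    mine = {ipaddress.ip_address(a) for a in server_addrs}
    if contacted not in mine:
        return "dns-elsewhere"         # the name resolves to someone else's host
    return "served-wrong-content"      # this host was reached; fix webroot/Apache


if __name__ == "__main__":
    # Constructed placeholder addresses (documentation ranges) for "my server".
    my_server = ["203.0.113.10", "2001:db8::10"]
    for f in parse_failures(CERTBOT_OUTPUT):
        print(f["domain"], f["ip"], classify(f, my_server))
```

A result of `dns-elsewhere` means no change to the Apache configuration can make validation succeed, because the CA never connects to that machine.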

Thanks for your quick response and good information, @JuergenAuer and @mproto.

I was stuck on this problem for 2 days, and I understand why I can’t create it.
I am part of a team trying to launch a website on Apache. I just want to make sure how to set up SSL with a certificate before actually launching it.
So I can’t get a certificate without a real domain.


Yes, that's correct.

But if you want to start a website, you need a domain name you can use. Or use a subdomain to test.

Okay, that makes a lot of sense to me.
Again, I appreciate your quick response and tips!

Bob
