Can't Issue Certificates

Hi all,

I have an issue and don’t know what went wrong.
I have 3 servers that use Let's Encrypt, and only one of them has been giving me trouble for a short time. The server is behind a firewall (NAT and FW policy are implemented and OK) and is in use as a reverse proxy (but I also made an exception for .well-known).

3 months ago I could issue a certificate for this server; now I can neither renew nor issue new certificates.
In use is Apache 2.4.38 and certbot 0.31.0.

Here is a log of the Subdomain “secure”:
root@ZH-DMZ-RVP-01:~# certbot certonly --dry-run --debug-challenges -d secure.<DOMAINNAME>.de -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator None and installer None
Apache version is 2.4.38
Multiple candidate plugins: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fa3572088d0>
Prep: True

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7fa3560d3048>
Prep: True

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fa3560d32b0>
Prep: True

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7fa3572088d0> and installer None
Plugins selected: Authenticator apache, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/14127352', new_authzr_uri=None, terms_of_service=None), c071935c650fe2f23814a40bb39f1d1f, Meta(creation_dt=datetime.datetime(2020, 6, 11, 18, 34, 39, tzinfo=<UTC>), creation_host='rvp.<DOMAINNAME>.de'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Mon, 15 Jun 2020 06:49:20 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "88pigZ5_XjQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Should renew, less than 30 days before certificate expiry 2020-06-30 06:46:20 UTC.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Mon, 15 Jun 2020 06:49:21 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001zrtVdfxPM-NOuSSOo-5K8ILHSs1vZY6biluw0VSTlB8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0001zrtVdfxPM-NOuSSOo-5K8ILHSs1vZY6biluw0VSTlB8
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "secure.<DOMAINNAME>.de"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDEyNzM1MiIsICJub25jZSI6ICIwMDAxenJ0VmRmeFBNLU5PdVNTT28tNUs4SUxIU3MxdlpZNmJpbHV3MFZTVGxCOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "FcJwKixfCMPTAKKwobIyzkIMpSvamRpTpD80uT2DFOYIyAKDKyMsgMhFetZcn66AAHjuM8mr4mXuFaUvv05f50Ms7wtTPmWs-B1BDh41CmViJ2_b07vT-EP6A0tg5XQV8NnhiUfAYrqrof3d6S0eUg93TlW0q8Wsl3SJdqbIEjXMmvo5XorZ5g7ChFQPDP5DSRVT6o2gbUfiHBk-3W_ohizC4TV5WO9KMVFMj9huLr6DSSnCXnv7nL0_4U1yF-8rekj2ZLgsmFYLirs13L16PGCeWkMwyHirtAWyDRLV_CvNn3VuVVCU_3FMraiqUUrH7d1tI5Ty5gR19iQkO-__0g",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInNlY3VyZS5jaHJpc3RpYW4tYnVyZ2VydC5kZSIKICAgIH0KICBdCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 370
Received response:
HTTP 201
Server: nginx
Date: Mon, 15 Jun 2020 06:49:21 GMT
Content-Type: application/json
Content-Length: 370
Connection: keep-alive
Boulder-Requester: 14127352
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/14127352/102217913
Replay-Nonce: 00019l6XCkTcZ824Uhf2tPq_po-LScgCwXYsOGAEo_4jy90
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-06-22T06:49:21.490152476Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "secure.<DOMAINNAME>.de"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/65568508"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14127352/102217913"
}
Storing nonce: 00019l6XCkTcZ824Uhf2tPq_po-LScgCwXYsOGAEo_4jy90
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/65568508:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDEyNzM1MiIsICJub25jZSI6ICIwMDAxOWw2WENrVGNaODI0VWhmMnRQcV9wby1MU2NnQ3dYWXNPR0FFb180ank5MCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82NTU2ODUwOCJ9",
  "signature": "UnPqDllcN6UWbsLTh7D66wdQoAQmAAZvC7bz3FJbb2zyfJYDFuUgeipi6VpKjneCoa-vAVvOpSQxHgXVQf-FIwNkGJII812g9tyuYhbOSqhGmtq6FLnTExlvViwfEfGazszoqQnMEEUvaHP1ou7RgUZt2_eGQAIUt7CBs0h1ZWYO_WeCz-KhoKmR7qlaqQk_vTSnftDNcpdEPMK0D4aR7l5jWvLwJPE31p2vpiXJ2DV181-DwMZibY7ky_m2PQu_X6WKvjwCYmfaDYiQ1RCLSVN6_knvDnIVbjD3vUh5oDQGIp7GSBJwXWvMYWIBnnBcRX7Q640xa1i4jw3_enTXhQ",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/65568508 HTTP/1.1" 200 823
Received response:
HTTP 200
Server: nginx
Date: Mon, 15 Jun 2020 06:49:21 GMT
Content-Type: application/json
Content-Length: 823
Connection: keep-alive
Boulder-Requester: 14127352
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001VIa0fzPsYUAVNmAFhvdUtG7rUjBeSegVnQryWS8jh7Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "secure.<DOMAINNAME>.de"
  },
  "status": "pending",
  "expires": "2020-06-22T06:49:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/hatuwg",
      "token": "W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/4AiWJw",
      "token": "W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/OKzx6g",
      "token": "W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM"
    }
  ]
}
Storing nonce: 0001VIa0fzPsYUAVNmAFhvdUtG7rUjBeSegVnQryWS8jh7Y
Performing the following challenges:
http-01 challenge for secure.<DOMAINNAME>.de
Adding a temporary challenge validation Include for name: secure.<DOMAINNAME>.de in: /etc/apache2/sites-enabled/004-Reverse-GINA.conf
Adding a temporary challenge validation Include for name: secure.<DOMAINNAME>.de in: /etc/apache2/sites-enabled/004-Reverse-GINA-le-ssl.conf
writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
Creating backup of /etc/apache2/sites-enabled/004-Reverse-GINA.conf
Creating backup of /etc/apache2/sites-enabled/004-Reverse-GINA-le-ssl.conf
Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/hatuwg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDEyNzM1MiIsICJub25jZSI6ICIwMDAxVklhMGZ6UHNZVUFWTm1BRmh2ZFV0RzdyVWpCZVNlZ1ZuUXJ5V1M4amg3WSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82NTU2ODUwOC9oYXR1d2cifQ",
  "signature": "SNmEBnMcPNRvBDzrnY1ebp-HjosyW0IlIe5bBd-_B-nJtlU90DuaLCHGoBAcszhxlsQBmjgEcJgz453tD1GATIOYCIMrwo7OdwpmbYbP1zZfDc9zxCbhUxOJCL14rzWjl7yuRH-_lKMppRFH3XNkU9I96063Nz_jkN59v0_ZMkvifqp3wnhS-SuiR14BGyvxr23y9NtEv1wEag6gTayD4xuI7sJnljzoQS1Ahq1Tp6HwSPpksqWI6Tg0TFQQS2jgamK_lYC9DEibgpONuaiVo2fM_q4EWUbVElR6EdxW_Id0D-LWIrcy1mpj5-xhK4Psg7hO8LdFUR_V2uZWPkWBsA",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/65568508/hatuwg HTTP/1.1" 200 191
Received response:
HTTP 200
Server: nginx
Date: Mon, 15 Jun 2020 06:49:32 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 14127352
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/65568508>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/hatuwg
Replay-Nonce: 0002foMa2Eq9pm7Q_iGtquFiEGN8uxbeS3tQV5OAFyZoqLg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/hatuwg",
  "token": "W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM"
}
Storing nonce: 0002foMa2Eq9pm7Q_iGtquFiEGN8uxbeS3tQV5OAFyZoqLg
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/65568508:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDEyNzM1MiIsICJub25jZSI6ICIwMDAyZm9NYTJFcTlwbTdRX2lHdHF1RmlFR044dXhiZVMzdFFWNU9BRnlab3FMZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82NTU2ODUwOCJ9",
  "signature": "jAv9G3OUFUAqoUzW9O1qZenvOWbr-h2VFL4ztQmf9g89kXdNUehz1hhg81PrlatC6nx95tTU4qNzbK1IbsCylSLaMCirWIw97yBRA9ZWyeggBw_O20NpagHVNcn3dwTbIle34g6ZdDiotOUcJBLIThFPgvVoANK2A2t2zSqwxKMngOrfY9mPBeIbhubXJxHVnjrYOtsOxF03gsw3WTyykczeFazx8CRPoxHCRPzAt7pyX3G1QQEDnICCcmLH_hxcyoErWS9eKUdmfk6Q7fQE0eYYUGlbMUUXgAWu6icG6GVkE35kF5ivB9xeMydQz3I5G00qsuKF46d58cuMD4VM1Q",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/65568508 HTTP/1.1" 200 1234
Received response:
HTTP 200
Server: nginx
Date: Mon, 15 Jun 2020 06:49:36 GMT
Content-Type: application/json
Content-Length: 1234
Connection: keep-alive
Boulder-Requester: 14127352
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002EW3UrCB2VJY6wqZBjoMaz1fegglxWk9mBsiouFql1fg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "secure.<DOMAINNAME>.de"
  },
  "status": "invalid",
  "expires": "2020-06-22T06:49:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM [<X.X.X.X>]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml\u003e\\n\u003chead\u003e\\n\u003cmeta charset=\\\"utf-8\\\"\u003e\\n\u003cstyle\u003ebody{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/65568508/hatuwg",
      "token": "W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM",
      "validationRecord": [
        {
          "url": "http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM",
          "hostname": "secure.<DOMAINNAME>.de",
          "port": "80",
          "addressesResolved": [
            "<X.X.X.X>"
          ],
          "addressUsed": "<X.X.X.X>"
        }
      ]
    }
  ]
}
Storing nonce: 0002EW3UrCB2VJY6wqZBjoMaz1fegglxWk9mBsiouFql1fg
Reporting to user: The following errors were reported by the server:

Domain: secure.<DOMAINNAME>.de
Type:   unauthorized
Detail: Invalid response from http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM [<X.X.X.X>]: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. secure.<DOMAINNAME>.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM [<X.X.X.X>]: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"

Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. secure.<DOMAINNAME>.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM [<X.X.X.X>]: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"
Failed authorization procedure. secure.<DOMAINNAME>.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM [<X.X.X.X>]: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: secure.<DOMAINNAME>.de
   Type:   unauthorized
   Detail: Invalid response from
   http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM
   [<X.X.X.X>]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
   charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Additional hints:

  • IP and DNS are correct.
  • If I open the challenge URL (e.g. http://secure.<DOMAINNAME>.de/.well-known/acme-challenge/W68ceL9AChLF3lIpZgM5BwrHyoriSyShNtH1ZojvsJM) from external, I can see the token.

So overall, firewall, NAT and Apache seem to be configured correctly.

Does anyone have an idea?

Thanks and Regards
Christian

I can't. I see a Synology 404 page. Let's Encrypt sees the same thing.

Are you certain that you are forwarding external requests to Apache? Because they seem to be landing on your Synology's built-in webserver instead.

1 Like

Hi, thanks for the hint.
I found the issue in the port forwarding.

Now it works.

2 Likes
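
As an added example (not part of the thread and not certbot code): a small Python triage of a failed authorization object like the one in the log above, showing how the quoted response body reveals that a different web server answered the http-01 request. The host name, address and token in the sample are constructed placeholders, and `diagnose` and `body_matches_token` are hypothetical helper names.

```python
import json
import re

# Constructed sample modeled on the failed authorization in the log above.
# Host name, address and token are placeholders, not values from the thread.
SAMPLE_AUTHZ = r'''{
  "identifier": {"type": "dns", "value": "secure.example.test"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:unauthorized",
      "detail": "Invalid response from http://secure.example.test/.well-known/acme-challenge/CONSTRUCTED_TOKEN_abc123 [203.0.113.10]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\"",
      "status": 403
    },
    "token": "CONSTRUCTED_TOKEN_abc123",
    "validationRecord": [
      {"hostname": "secure.example.test", "port": "80", "addressUsed": "203.0.113.10"}
    ]
  }]
}'''

DETAIL_RE = re.compile(r'Invalid response from (\S+) \[([^\]]+)\]: "(.*)"\s*$', re.S)
KEY_AUTHZ_RE = re.compile(r'^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$')


def body_matches_token(body, token):
    """http-01 expects the body '<token>.<account key thumbprint>' (RFC 8555, 8.3)."""
    body = body.strip()
    return bool(KEY_AUTHZ_RE.match(body)) and body.split(".", 1)[0] == token


def diagnose(authz_json):
    """Summarize each failed http-01 challenge in an ACME authorization object."""
    authz = json.loads(authz_json)
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01" or chall.get("status") != "invalid":
            continue
        err = chall.get("error", {})
        match = DETAIL_RE.search(err.get("detail", ""))
        body = match.group(3) if match else ""
        records = chall.get("validationRecord", [])
        is_html = body.lstrip().lower().startswith(("<!doctype", "<html"))
        is_key_authz = body_matches_token(body, chall.get("token", ""))
        findings.append({
            "host": authz["identifier"]["value"],
            # Address taken from the last validation record the CA reported.
            "address_used": records[-1].get("addressUsed") if records else None,
            # Status of the ACME problem document, not of the validated web server.
            "problem_status": err.get("status"),
            "body_is_html": is_html,
            "body_is_key_authz": is_key_authz,
            # An HTML page instead of the key authorization means some other
            # server answered on port 80 (here: check NAT / port forwarding).
            "wrong_backend_suspected": is_html and not is_key_authz,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_AUTHZ):
        print(finding)
```
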
