Can't obtain LE cert Installed Failed


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: devb2be.bondwith.me

I ran this command:
./certbot-auto certonly -w /usr/share/nginx/html/testb2be.bondwith.me -d testb2be.bondwith.me

It produced this output:
./certbot-auto certonly -w /usr/share/nginx/html/testb2be.bondwith.me -d testb2be.bondwith.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)


Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 4
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for testb2be.bondwith.me
Using the webroot path /usr/share/nginx/html/testb2be.bondwith.me for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. testb2be.bondwith.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://testb2be.bondwith.me/.well-known/acme-challenge/2jFgpYPpoCOuaH01WcdDC7g7Bi4dcSggD5Rit61PhK8: "\n\n404 Not Found\n\n Not Found \n<p"

IMPORTANT NOTES:

My web server is (include version):
Apache (httpd) is using port 80 for HTTP and port 443 for HTTPS. Nginx is also newly set up and is using port 8080 for HTTP and port 8443 for HTTPS. The existing hostname "devb2be.bondwith.me" has already been set up previously with Let's Encrypt.

The operating system my web server runs on is (include version):
OS version = CentOS Linux release 7.5.1804 (Core)
Apache = 2.4.6 (CentOS)
Nginx = 1.12.2

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Not using any cpanel.

Other misc highlights

  1. I am using the old method (git clone of letsencrypt) to get Let's Encrypt to work.

  2. This new CentOS 7 has a certbot package; I'm not sure whether I have to install this CentOS certbot package to make this work or not. Need your advice.


#2

Maybe try 1 instead.

If that fails, show the recent apache error logs.


#3

Hi rg305,

I've tried with option 1 and it failed. I checked letsencrypt.log and I get the error below. Could it be due to a Python 2.7 error? Current Python is 2.7.5.

Domain: testb2be.bondwith.me
Type: unauthorized
Detail: Invalid response from http://testb2be.bondwith.me/.well-known/acme-challenge/NqbU_w5cJMJZMzJyIy2SjZ-ikFhymS9LzwhUlXnno_g: "\n\n403 Forbidden\n\n Forbidden \n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-11-02 12:15:18,559:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. testb2be.bondwith.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://testb2be.bondwith.me/.well-known/acme-challenge/NqbU_w5cJMJZMzJyIy2SjZ-ikFhymS9LzwhUlXnno_g: "\n\n403 Forbidden\n\n Forbidden \n<p"

2018-11-02 12:15:18,559:DEBUG:certbot.error_handler:Calling registered functions
2018-11-02 12:15:18,559:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-02 12:15:18,817:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. testb2be.bondwith.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://testb2be.bondwith.me/.well-known/acme-challenge/NqbU_w5cJMJZMzJyIy2SjZ-ikFhymS9LzwhUlXnno_g: "\n\n403 Forbidden\n\n Forbidden \n<p"

#4

Let's check Internet access to the challenge folder.
Please place a test.txt file at:
http://testb2be.bondwith.me/.well-known/acme-challenge/test.txt


#5

This is confusing, as you mentioned that Apache was serving ports 80 & 443.
Can you also show the vhost configs for: testb2be.bondwith.me


#6

Hi rg305,

Currently this CentOS 7 server has 2 web servers installed, and yes, they are Apache and Nginx. Apache binds port 80 for HTTP and port 443 for HTTPS.

Nginx binds port 8080 for HTTP and port 8443 for HTTPS.

There are no issues with the LE cert running on Apache at this moment. The only problem I face is not being able to install an LE cert for 2 new subdomains, "testb2be.bondwith.me" and "testweb.bondwith.me". These 2 new subdomains, however, have been set up in DNS and the IP is pointing to this same server.

There is no vhost configured yet for testb2be.bondwith.me, as I need to resolve this issue with LE first.


#7

Then show the default vhost config for port 80.

AND:


#8

Hi rg305,

For the latter, when I try with the test.txt file I get the error below.

./certbot-auto certonly -w /usr/share/nginx/html/testb2be.bondwith.me -d testb2be.bondwith.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)


Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 4
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for testb2be.bondwith.me
Using the webroot path /usr/share/nginx/html/testb2be.bondwith.me for all unmatched domains.
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/plugins/webroot.py", line 222, in cleanup
    os.remove(validation_path)
OSError: [Errno 20] Not a directory: '/usr/share/nginx/html/testb2be.bondwith.me/.well-known/acme-challenge/QiouMdVnZ6B5GoTjo81_gMf4YXd91bilpWm0ewKx3FU'
Couldn't create root for testb2be.bondwith.me http-01 challenge responses: [Errno 20] Not a directory: '/usr/share/nginx/html/testb2be.bondwith.me/.well-known/acme-challenge'


#9

The requested URL /.well-known/acme-challenge/test.txt was not found on this server.

That test file wasn't going to fix your certbot problem directly.

Anyway, you're saying Apache listens on port 80 and nginx listens on 8080. Let's Encrypt will only try to access your token through port 80, which is running Apache. Let's Encrypt will never try to connect to port 8080.

So adding the token to your nginx webroot is not going to work. You'll need to add it to a webroot where Apache will serve the token when requested for the site testb2be.bondwith.me. So you'll either need to add a non-HTTPS VirtualHost to Apache, or add it to the webroot of Apache's default VirtualHost.

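Posts #4, #8 and #9 together describe a manual pre-flight for the HTTP-01 webroot: make sure the challenge directory under the webroot really is a directory (post #8 failed with "[Errno 20] Not a directory" because a path component was a plain file), drop a token there, and confirm that the name answers with that token over plain HTTP on port 80, which is the only port and scheme the CA uses for HTTP-01. The script below automates that pre-flight. It is an added example, not code from this thread or from certbot; it targets Python 3 rather than the Python 2.7 venv shown in the log, and the function names and the pluggable `fetch` callback are this example's own. The domain and webroot used in the usage line are the ones from the thread.

```python
"""Pre-flight check for an HTTP-01 webroot before running certbot.

Added example (not from the thread or from certbot). Steps:
  1. walk the path <webroot>/.well-known/acme-challenge and report the first
     component that exists but is not a directory (the ENOTDIR case of post #8);
  2. create the directory, write a random token into it;
  3. fetch http://<domain>/.well-known/acme-challenge/<token> over port 80, the
     only place Let's Encrypt will ever look (post #9), and compare the body.
"""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def find_non_directory(webroot):
    """Return the first path component of <webroot>/.well-known/acme-challenge
    that exists but is not a directory, or None if all existing components
    are directories. Walks from the root down so the offending component is
    reported rather than one of its children."""
    path = os.path.abspath(os.path.join(webroot, CHALLENGE_SUBDIR))
    current = os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.lexists(current) and not os.path.isdir(current):
            return current
    return None


def prepare_challenge_dir(webroot):
    """Create the challenge directory, refusing if a plain file is in the way
    (this is what certbot's webroot plugin tripped over in post #8)."""
    blocker = find_non_directory(webroot)
    if blocker is not None:
        raise NotADirectoryError(blocker)
    path = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(path, exist_ok=True)
    return path


def challenge_url(domain, token):
    # HTTP-01 validation is always http:// on port 80; nothing on 8080 is ever consulted.
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def http_fetch(url, timeout=10):
    """Default fetcher: plain GET returning (status, body); an HTTP error
    status is returned rather than raised so the caller can report it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def check_webroot_serves_token(domain, webroot, fetch=http_fetch):
    """Write a random token under the webroot and verify that <domain> serves
    it on port 80. Returns (ok, detail). The token file is always removed."""
    chall_dir = prepare_challenge_dir(webroot)
    token = secrets.token_urlsafe(32)
    token_path = os.path.join(chall_dir, token)
    with open(token_path, "wb") as f:
        f.write(token.encode())
    try:
        status, body = fetch(challenge_url(domain, token))
    finally:
        os.remove(token_path)
    if status != 200:
        return False, "HTTP %d for %s: this webroot is not what answers port 80 for %s" % (
            status, challenge_url(domain, token), domain)
    if body.strip() != token.encode():
        return False, "port 80 answered but served different content: wrong vhost or webroot"
    return True, "ok"


if __name__ == "__main__":
    # Usage with the thread's values; run on the server itself as a user that can
    # write the webroot. A 403/404 here means Apache's port-80 vhost for this name
    # does not serve this directory, which is exactly the diagnosis in post #9.
    dom = sys.argv[1] if len(sys.argv) > 1 else "testb2be.bondwith.me"
    root = sys.argv[2] if len(sys.argv) > 2 else "/usr/share/nginx/html/testb2be.bondwith.me"
    ok, detail = check_webroot_serves_token(dom, root)
    print(("PASS: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it with the webroot you intend to pass to `certbot -w`; if it passes, certbot's webroot authenticator will pass for the same reason. The `fetch` parameter exists so the check can be exercised offline against a stand-in for the web server, which is also how a directory that Apache serves on port 80 can be distinguished from one that only nginx on 8080 serves: the real fetcher goes to port 80, and nothing else.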

#10

Hi Osiris,

I get your point. In summary I would describe as below.

  1. It is best to choose to use either Apache or Nginx, not both, as this issue will crop up.
  2. I will try to add a vhost as you have recommended and check it from there.

Thanks.