Can't renew certificate (client lacks sufficient authorization)

Dear all,

I got an email notice because my (domalys.fr) domain certificate is about to expire.

I've tried this:

sudo certbot -q renew
Attempting to parse the version 0.12.0 renewal configuration file found at /etc/letsencrypt/renewal/domalys.fr.conf with version 0.10.2 of Certbot. This might not work.
Attempting to renew cert from /etc/letsencrypt/renewal/domalys.fr.conf produced an unexpected error: Failed authorization procedure. www.domalys.fr (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domalys.fr/.well-known/acme-challenge/dBuGPD_MD5Zhp5xytxzbOq7uoQfOEYBLdEKYjTWsAmw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht". Skipping.

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/domalys.fr-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domalys.fr/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I did read the post "Letsencrypt ssl urn:acme:error:unauthorized :error" but it didn't help.

I've tried to create these directories/file: domalys.fr/.well-known/acme-challenge/index.html but can't access it (error 404).

The .well-known and acme-challenge directories AND the index.html file are all chmod 755 and owned by root.

The /var/www/html .htaccess file is not redirecting anything… I'm stuck.

Any help would be very appreciated.

Many thanks.


OS info:
uname -a
Linux vps107096.ovh.net 2.6.32-042stab120.11 #1 SMP Wed Nov 16 12:05:45 MSK 2016 x86_64 GNU/Linux

cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

ISPconfig installed, FYI.
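A defender-side pre-flight for the http-01 failure above, added here as example code (not from the original post, not Certbot's own code): it writes a throwaway token under a webroot and fetches it over plain HTTP the way the CA would, then flags the exact symptom in the log, an HTML page coming back where the token should be. The two local servers, the temporary webroot and the key-authorization string are constructed stand-ins.

```python
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

def write_token(webroot, token, body):  # same location certbot's webroot plugin uses
    d = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, token), "w") as f:
        f.write(body)

def probe(base_url, token, expected):  # fetch like the CA, classify what came back
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            status, body = r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    if status == 200 and body.strip() == expected:
        return True, "ok"
    if body.lstrip().lower().startswith(("<!doctype", "<html")):
        return False, f"HTTP {status}: HTML page instead of token (wrong webroot or rewrite rule)"
    return False, f"HTTP {status}: unexpected body {body[:40]!r}"

def _serve(handler):  # throwaway local server on a random port -> (server, base_url)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

class QuietFiles(http.server.SimpleHTTPRequestHandler):  # plain docroot, no request log
    log_message = lambda self, *a: None

class CatchAllHtml(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a vhost whose front page answers every path."""
    log_message = lambda self, *a: None
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"><html></html>')

def demo():  # probe a correctly mapped webroot and a mis-mapped vhost side by side
    webroot = tempfile.mkdtemp()
    token = secrets.token_urlsafe(32)
    key_auth = token + ".constructed-account-thumbprint"  # constructed, not a real key authorization
    write_token(webroot, token, key_auth)
    good, good_url = _serve(functools.partial(QuietFiles, directory=webroot))
    bad, bad_url = _serve(CatchAllHtml)
    results = {"mapped": probe(good_url, token, key_auth), "mismapped": probe(bad_url, token, key_auth)}
    good.shutdown(); bad.shutdown()
    return results
```

Against a real vhost, point `write_token` at the DocumentRoot the vhost actually serves and `probe` at the public hostname; a "mismapped" verdict means certbot's webroot and Apache's do not agree.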

If you post (at least the first part of):

We may find that it doesn't match the cert seen from the Internet (which will expire in 7 days):
Valid until Thu, 15 Jun 2017 18:58:00 UTC (expires in 7 days, 14 hours)

Hi,

Thank you very much for taking the time, I really appreciate it.

Here is the content of the fullchain.pem : https://ibb.co/etrSyF

As you can see there are 2 certificates. Is this the reason?
What shall I do?

Many thanks again.
M.

Those are PUBLIC certificates.
They get handed out on every SSL connection.
You don’t have to hide them.
Private certificates (which should never be given out) always contain the word PRIVATE.
Like:
-----BEGIN PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----

If you could just copy-paste the first one in your reply,
from the first BEGIN to the first END.

Simple trick to view the cert:
copy the text and save it to a file named "whatever.CRT"
double-click “whatever.CRT” file in Windows

Hello again,

Here are the complete certs:


Many thanks

The first cert is a valid LE cert for domain:
DNS Name=domalys.fr


The second is a valid LE intermediate cert.

As suspected that is the correct cert.
/etc/letsencrypt/live/domalys.fr-0001/fullchain.pem

What is seen on the Internet has expired.

Can you post your server conf file showing the SSL portion?

This is what is being served now:

Which will expire in 7 days.
If you can find the file with that content, you can update that file with the content of:
/etc/letsencrypt/live/domalys.fr-0001/fullchain.pem
And you will have 90 days to figure out why it can’t update properly and get it fixed.

Thanks to you I think I might have found out.

Inside /etc/apache2/sites-available/domalys.fr.vhost I have this:

    SSLCertificateFile /var/www/clients/client0/web1/ssl/domalys.fr-le.crt
    SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/domalys.fr-le.key
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/domalys.fr-le.bundle

I guess I should replace this by

    SSLCertificateFile /etc/letsencrypt/live/domalys.fr-0001/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domalys.fr-0001/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domalys.fr-0001/fullchain.pem

?

Yes!
That should do the trick.

You could verify that the private key and the public cert are matched, as follows:
openssl x509 -noout -modulus -in /etc/letsencrypt/live/domalys.fr-0001/cert.pem | openssl sha256
openssl rsa -noout -modulus -in /etc/letsencrypt/live/domalys.fr-0001/privkey.pem | openssl sha256

Compare the two SHA256 outputs; they should be exactly the same.

Many thanks to you!

The SHA256 hashes are the same. However, I tried to replace as proposed above, but reloading apache2 resulted in an error.

So I followed the thread "How to manually renew a certificate?" and this did the trick (as root):

cd /root/letsencrypt/
./letsencrypt-auto --renew-by-default

I'll probably add this to cron so that I don't have to do it every 90 days.
Many thanks
Max

@maximilien, I wanted to suggest that this is weird because run --renew-by-default (now known as run --force-renew) and renew ultimately use the same logic to complete the renewal.

However, it looks like you are actually running two different versions of Certbot when you use these different commands, which you could check with --version. If you run certbot, you may be using your operating system’s packaged version of Certbot, which may be older; if you run /root/letsencrypt/letsencrypt-auto, you’re running a copy of the Certbot autoupdater, which downloads the newest released version from our site and then runs that. One possibility is that the newest version is able to complete the renewal successfully, while the OS-packaged version is not, for some reason.

If this is so, you may be able to use /root/letsencrypt/letsencrypt-auto renew, which would be preferable to the other form for frequent use from cron because it only renews when a certificate is less than 30 days from expiry, rather than immediately.
