Can't renew certificate. DNS problem: Failed authorization procedure

Entered the command: certbot-auto renew. Server DNS is correct.
Receive the following:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cnow9..com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (cnow9..com) from /etc/letsencrypt/renewal/cnow9..com.conf produced an unexpected error: Failed authorization procedure. cnow9..com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cnow9..com/.well-known/acme-challenge/KwJ3aDbhy0pcgBJV7bcO0Xue6KbVt19DM4kI8SLISSQ: "

Oritor <meta property="og:title" content="Or". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cnow9..com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cnow9..com
    Type: unauthorized
    Detail: Invalid response from
    http://cnow9..com/.well-known/acme-challenge/KwJ3aDbhy0pcgBJV7bcO0Xue6KbVt19DM4kI8SLISSQ:
    "

    Oritor <meta property="og:title" content="Or"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

cnow9(two dots)com ???

You probably have some address rewrite rules which are redirecting all requests to your app, and that makes it impossible for Let’s Encrypt validation servers to access the verification file. You have to make sure that all URLs beginning with /.well-known/acme-challenge/ are handled by the webserver itself.

@rg305: I think the part of the domain between these two dots was removed - which is kinda pointless, as I was able to find the full domain name using Certificate Transparency logs…

It would be helpful for people to say something like:
cnow9.(removed).com
Instead of wasting time…


Thank you for replies. Novice question. I have replaced our domain with which resulted in the two dots.

Understand I need to set the web root https://certbot.eff.org/docs/using.html#webroot so that the verification file is exported and Let’s Encrypt can verify the domain.

I enter:

certbot-auto certonly --webroot-path /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): cnow9.oritor.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cnow9.oritor.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cnow9.oritor.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cnow9.oritor.com/.well-known/acme-challenge/gtzkkipdQUab_uKPSspyekeds01qU5hJQsZeoIbGh9U: "

Oritor <meta property="og:title" content="Or"

IMPORTANT NOTES:

Hi @LGencrypt,

You need to be sure that a request to http://cnow9.oritor.com/.well-known/acme-challenge/whatever is going to read the files on your web root, in your case /var/www/html/.well-known/acme-challenge/whatever
so before trying to issue a cert check it yourself.

1.- Create a test file

mkdir -p /var/www/html/.well-known/acme-challenge/
echo "this is a challenge test" > /var/www/html/.well-known/acme-challenge/test

2.- Check that you can view the file using your browser.

http://cnow9.oritor.com/.well-known/acme-challenge/test

If you can’t view the text “this is a challenge test” then either you are not specifying the right web root for your domain (keep in mind that you are redirecting http to https and maybe you have different web roots: /var/www/html/ for requests to port 80 and another path for requests to port 443) or, as other mates said, maybe you have some rewrite rule doing something strange.

Cheers,
sahsanu

I would also check:
https://cnow9.oritor.com/.well-known/acme-challenge/test
as your server issues “301 Moved Permanently” on http content to https.
or ensure you bypass redirection for:
location /.well-known/acme-challenge
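The self-check sahsanu describes (fetch the challenge URL and see what comes back) and rg305's point about the 301 redirect, as an added example that is not certbot's code or anything posted in this thread: a Python checker that requests the challenge path over plain HTTP without following redirects and classifies the response; the host, token and expected body are placeholders you supply, and the sample responses in the test are constructed to mirror the error output above.

```python
"""Classify the response a web server gives for an ACME http-01 challenge URL.
Added example (not certbot code): host/token/expected are placeholders."""
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect
    to HTTPS or to the application is visible to the checker."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the 3xx status


def diagnose(status, headers, body, expected):
    """Return a short verdict for a GET of http://<host>/.well-known/acme-challenge/<token>.
    headers: dict with lower-case keys; body: response bytes; expected: file content."""
    if 300 <= status < 400:
        # A redirect is the usual first sign that a vhost/app rule is catching the path.
        return "redirect:" + headers.get("location", "?")
    if status == 404:
        return "not-found"  # wrong web root for this vhost
    if status != 200:
        return "http-%d" % status
    text = body.decode("utf-8", "replace").strip()
    if text == expected:
        return "ok"
    # The thread's failure mode: the app's HTML page (<meta property="og:title" ...)
    # is served instead of the challenge file. Tokens are base64url, never contain '<'.
    if "text/html" in headers.get("content-type", "") or "<" in text:
        return "html-served"
    return "wrong-content"


def fetch_and_diagnose(host, token, expected, timeout=10):
    """Live check: fetch the challenge URL over HTTP and classify the result."""
    opener = urllib.request.build_opener(NoRedirect)
    url = "http://%s%s%s" % (host, ACME_PATH, token)
    try:
        with opener.open(url, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return diagnose(resp.status, hdrs, resp.read(), expected)
    except urllib.error.HTTPError as err:  # 3xx (from NoRedirect), 4xx, 5xx
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return diagnose(err.code, hdrs, err.read() or b"", expected)
```

Run fetch_and_diagnose("your.host", "test", "this is a challenge test") after creating the test file from step 1; anything other than "ok" tells you which of the two causes (redirect or rewrite to the app) to look at first.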

@sahsanu and @rg305, thank you for the suggestions. They led me to the correct webroot address, and I was able to create a new cert.

