Certbot: The client lacks sufficient authorization :: Invalid response

I want to secure a local Nextcloud virtual host with self-signed certificates.
I can access the virtual host at http://nextcloud.eduardo.com and I want to access it via https://nextcloud.eduardo.com

The server is ubuntu 18.04 with nginx.

My domain is:
virtual host nextcloud.eduardo.com

I ran this command:
sudo certbot --nginx

It produced this output:
2019-11-23 11:44:11,307:DEBUG:certbot.error_handler:Calling registered functions
2019-11-23 11:44:11,307:INFO:certbot.auth_handler:Cleaning up challenges
2019-11-23 11:44:12,675:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. nextcloud.eduardo.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.eduardo.com/.well-known/acme-challenge/kIefkn_F0wPAmafHOhFHAzIGcV3DP7T01yP1tEbs-U4 [45.79.19.196]: 404
2019-11-23 11:56:14,398:DEBUG:certbot.main:certbot version: 0.27.0
2019-11-23 11:56:14,399:DEBUG:certbot.main:Arguments:
2019-11-23 11:56:14,399:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-23 11:56:14,418:DEBUG:certbot.log:Root logging level set at 20
2019-11-23 11:56:14,418:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

My web server is (include version):
Nginx 1.14
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
Not applicable
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.27

Some extra config: I have my Nextcloud installation in /usr/share/nginx/nextcloud16, then I created a .well-known directory with an acme-challenge subdirectory with write permissions: /usr/share/nginx/nextcloud16/.well-known/acme-challenge

eduardo@eduardo-VirtualBox:/usr/share/nginx/nextcloud16$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: nextcloud.eduardo.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.eduardo.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.eduardo.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.eduardo.com/.well-known/acme-challenge/kIefkn_F0wPAmafHOhFHAzIGcV3DP7T01yP1tEbs-U4 [45.79.19.196]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.eduardo.com
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.eduardo.com/.well-known/acme-challenge/kIefkn_F0wPAmafHOhFHAzIGcV3DP7T01yP1tEbs-U4
   [45.79.19.196]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

eduardo@eduardo-VirtualBox:/usr/share/nginx/nextcloud16$ ls -all
total 176
drwxr-xr-x 16 www-data www-data  4096 nov 22 10:36 .
drwxr-xr-x  6 root     root      4096 nov 10 19:25 ..
drwxr-xr-x 32 www-data www-data  4096 nov 10 11:55 3rdparty
drwxr-xr-x 44 www-data www-data  4096 nov 19 19:34 apps
-rw-r--r--  1 www-data www-data 12063 nov 10 11:55 AUTHORS
drwxr-xr-x  2 www-data www-data  4096 nov 23 11:41 config
-rw-r--r--  1 www-data www-data  3805 nov 10 11:55 console.php
-rw-r--r--  1 www-data www-data 34520 nov 10 11:55 COPYING
drwxr-xr-x 23 www-data www-data  4096 nov 10 11:55 core
-rw-r--r--  1 www-data www-data  4986 nov 10 11:55 cron.php
drwxr-xr-x  2 www-data www-data  4096 nov 11 10:15 data
-rw-r--r--  1 www-data www-data  2480 nov 11 10:15 .htaccess
-rw-r--r--  1 www-data www-data   156 nov 10 11:55 index.html
-rw-r--r--  1 www-data www-data  3172 nov 10 11:55 index.php
-rw-r--r--  1 root     root       207 nov 11 13:34 info.html
drwxr-xr-x  6 www-data www-data  4096 nov 10 11:55 lib
-rw-r--r--  1 www-data www-data   283 nov 10 11:55 occ
drwxr-xr-x  2 www-data www-data  4096 nov 10 11:55 ocm-provider
drwxr-xr-x  2 www-data www-data  4096 nov 10 11:55 ocs
drwxr-xr-x  2 www-data www-data  4096 nov 10 11:55 ocs-provider
-rw-r--r--  1 www-data www-data  2951 nov 10 11:55 public.php
-rw-r--r--  1 www-data www-data  5139 nov 10 11:55 remote.php
drwxr-xr-x  4 www-data www-data  4096 nov 10 11:55 resources
-rw-r--r--  1 www-data www-data    26 nov 10 11:55 robots.txt
drwxr-xr-x 12 www-data www-data  4096 nov 10 11:55 settings
-rw-r--r--  1 www-data www-data  2232 nov 10 11:55 status.php
-rwxrwxrwx  1 www-data www-data   215 nov 10 13:52 test.php
drwxr-xr-x  3 www-data www-data  4096 nov 10 11:55 themes
drwxr-xr-x  2 www-data www-data  4096 nov 10 11:55 updater
-rw-r--r--  1 www-data www-data   101 nov 10 11:55 .user.ini
-rw-r--r--  1 www-data www-data   362 nov 10 11:55 version.php
drwxr-xr-x  3 www-data www-data  4096 nov 22 10:37 .well-known

Are you sure that your DNS setup is correct?

$ dig +noall +answer nextcloud.eduardo.com
nextcloud.eduardo.com.  534     IN      A       45.33.23.183
nextcloud.eduardo.com.  534     IN      A       45.56.79.23
nextcloud.eduardo.com.  534     IN      A       45.79.19.196
nextcloud.eduardo.com.  534     IN      A       96.126.123.244
nextcloud.eduardo.com.  534     IN      A       198.58.118.167
nextcloud.eduardo.com.  534     IN      A       45.33.2.79

These IPs seem to be some kind of domain forwarder running on OpenResty.

What is the IP address of your webserver?

In order to issue a certificate, your domain name needs to point to the public IP address of your eduardo-VirtualBox server. If the server is not accessible from the public internet, then trying to acquire a certificate using this method is not possible.


Don't know exactly what you mean, I'm working in a local virtual machine, no DNS, no host… I have a bridged virtual machine, with access to the internet… the IP is 192.168.1.52… But as said, all local.

When you run Certbot, Let’s Encrypt tries to connect to nextcloud.eduardo.com, over the internet, in order to validate that you actually control the domain name.

Since your domain isn’t actually connected to your local virtual machine, it’s not actually possible for this process to succeed.

If you want a locally trusted certificate (rather than a publicly trusted one), you could try a tool like https://github.com/FiloSottile/mkcert .

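The two replies above make the same point: for http-01 the CA resolves the name, fetches the token from whatever public IP the A record points at, and never sees a VM that is only reachable on 192.168.1.52. The following is an added example, not Certbot's or Let's Encrypt's code, that models both sides of that exchange in memory: a constructed DNS table, stand-in web servers keyed by public IP, the RFC 7638 JWK thumbprint and RFC 8555 key authorization the client must publish, and the CA-side check that produced the "Invalid response ... 404" in the thread. The account key, tokens, the forwarder addresses and the 203.0.113.10 "fixed" address are all made up for illustration.

```python
"""Simulated ACME http-01 validation (added example, not Certbot code).

Models the two sides of the challenge with in-memory stand-ins: a DNS
table, a set of web servers reachable at given public IPs, and a CA that
resolves the name and fetches the token. Every address, token and key here
is constructed for illustration; the JWK is not a real key, only its
thumbprint matters for the key-authorization string.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members, lexicographically
    ordered and serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the body served at the challenge URL must be
    exactly '<token>.<account key thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class WebServer:
    """Stand-in for one nginx instance: a dict of path -> body, 404 otherwise."""

    def __init__(self, name: str):
        self.name = name
        self.files: dict[str, str] = {}

    def put(self, path: str, body: str) -> None:
        self.files[path] = body

    def get(self, path: str):
        if path in self.files:
            return 200, self.files[path]
        return 404, ""


class Internet:
    """Constructed DNS table plus the server reachable at each public IP.
    Private addresses such as 192.168.1.52 are deliberately absent: the CA
    cannot route to them, which is the whole problem in the thread."""

    def __init__(self, dns: dict, hosts: dict):
        self.dns = dns
        self.hosts = hosts

    def resolve(self, name: str) -> list:
        return list(self.dns.get(name, []))

    def http_get(self, ip: str, path: str):
        server = self.hosts.get(ip)
        if server is None:
            return None, ""  # nothing listening / unreachable
        return server.get(path)


def ca_validate(internet: Internet, domain: str, token: str, expected_keyauth: str):
    """CA side: resolve the name, fetch the token over plain HTTP from the
    first A record, compare the body. Returns (ok, detail) shaped like the
    'Detail:' line Certbot prints. Real CAs try several records and several
    vantage points; one is enough to show the failure mode."""
    path = f"/.well-known/acme-challenge/{token}"
    addrs = internet.resolve(domain)
    if not addrs:
        return False, f"DNS problem: NXDOMAIN looking up A for {domain}"
    ip = addrs[0]
    status, body = internet.http_get(ip, path)
    if status is None:
        return False, f"Fetching http://{domain}{path}: Connection refused [{ip}]"
    if status != 200:
        return False, f"Invalid response from http://{domain}{path} [{ip}]: {status}"
    if body.strip() != expected_keyauth:
        return False, f"Invalid response from http://{domain}{path} [{ip}]: wrong key authorization"
    return True, f"http-01 verified for {domain} via {ip}"


def run_challenge(internet: Internet, domain: str, webroot: WebServer, jwk: dict, token=None):
    """Client side (what certbot --nginx does): publish the key authorization
    on the server the client controls, then let the CA validate."""
    token = token or b64url(secrets.token_bytes(32))
    keyauth = key_authorization(token, jwk)
    webroot.put(f"/.well-known/acme-challenge/{token}", keyauth)
    return ca_validate(internet, domain, token, keyauth)


# Constructed account key: the 'n' value is a placeholder, not a real modulus.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-for-illustration"}


def demo():
    """Reproduce the thread's failure, then the working configuration."""
    vm = WebServer("eduardo-VirtualBox")        # the Nextcloud VM, private 192.168.1.52
    forwarder = WebServer("domain-forwarder")   # what the public A records point at
    # Case 1, as in the thread: the name resolves to forwarder IPs (constructed
    # subset of the dig output); the VM is not reachable from the CA at all.
    broken = Internet(
        dns={"nextcloud.eduardo.com": ["45.79.19.196", "45.33.23.183"]},
        hosts={"45.79.19.196": forwarder, "45.33.23.183": forwarder},
    )
    # Case 2: the name points at a public IP (TEST-NET-3, made up) that is
    # port-forwarded to the VM, so the CA reaches the webroot the client wrote to.
    fixed = Internet(
        dns={"nextcloud.eduardo.com": ["203.0.113.10"]},
        hosts={"203.0.113.10": vm},
    )
    return (run_challenge(broken, "nextcloud.eduardo.com", vm, ACCOUNT_JWK),
            run_challenge(fixed, "nextcloud.eduardo.com", vm, ACCOUNT_JWK))


if __name__ == "__main__":
    for ok, detail in demo():
        print("OK " if ok else "FAIL", detail)
```

The first case reproduces the thread exactly: the client does write the file, but into a webroot the CA never visits, so the forwarder answers 404 and the authorization fails with `unauthorized`. Creating the `.well-known/acme-challenge` directory on the VM, as the original poster did, cannot change that outcome; only pointing the A record at a public address that reaches the VM (or switching to a locally trusted certificate, as suggested) does.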

Your “http” is actually redirecting to “http://www6” for your domain name, as is your “https”. The non-www does as well.
The redirect link also shows a token in the path.
The page also shows no content - empty white page.

