Cert renewal unauthorized error


#1

Hi,

I have tried to renew my cert with this command:
certbot-auto renew


I can create a file in the web-root and view it here:
https://wiki.fairtragen.de/.well-known/asdf

I ran the command manually:
certbot-auto certonly -v --manual --dry-run -d wiki.fairtragen.de --webroot-path /usr/share/moin

During the process this message came up:
“Make sure your web server displays the following content at
http://wiki.fairtragen.de/.well-known/acme-challenge/jwLo4QQY_lCkcpep2mNnfsDOVKAEh7dWYCpPDxeQC6A before continuing:”

I tried, and also looked into the webroot-path folder, but no file was there.

What am I doing wrong?


I run apache on Debian. uname gives: Linux 3.2.41-042stab120.6 #1 SMP Thu Oct 27 16:59:03 MSK 2016 i686 GNU/Linux


#2

Can you test creating the test file /usr/share/moin/.well-known/acme-challenge/asdf

and checking access via https://wiki.fairtragen.de/.well-known/acme-challenge/asdf


#3

that works, too :slight_smile:


ps: this post has to be longer than 20 chars…


#4

That all looks good then. And the “certbot-auto renew” still gives the same error? If so, can you add --debug to the command and paste the log from just before the error please.


#5

here comes the --debug-log:

2017-01-24 21:14:22,926:DEBUG:acme.client:Storing nonce: mvskioa7MgGBegzURMeao71m5_OC381maYNEILh6G5w
2017-01-24 21:14:22,927:DEBUG:acme.client:JWS payload:
{
“identifier”: {
“type”: “dns”,
“value”: “wiki.fairtragen.de”
},
“resource”: “new-authz”
}
2017-01-24 21:14:22,944:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: “tt5p3OzB7LZp12OTnWQ4o3W7QfO-ub8mhrWefKBRrmN4g6rC3-WVfC5hY7msEOIY966DJl90PZEEgJOF9FH9HwyW5Ya0LX4px7YBwRn82fRw04zzz5AbtQNPR8UYG6M7ES1_6GcW_MZsso9PP-A6sWl9ctpJkpu-FF9DBxgfsnQuljxUa1hmJgx16xdDlLUxIDkClTHS_n9PZP4cnKRz6OzTUnwWJm9WOrQYhKKr6WeLyDG2iRsdF85edQEJDb-WEyjw6ZlhtZxDRCLINapLt_Y45F5zUlYKlvzVQsUv5AjtnTiM87wQH5lvEexGOR3S61Oiqq7W5uqS3zrw9DFjxQ”
}
},
“protected”: “eyJub25jZSI6ICJtdnNraW9hN01nR0JlZ3pVUk1lYW83MW01X09DMzgxbWFZTkVJTGg2RzV3In0”,
“payload”: “ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid2lraS5mYWlydHJhZ2VuLmRlIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0”,
“signature”: “gDrEwz-jSlzWbkFUCPNFYnFQC6euYRVFLMfGvEqQcjWrcRlvfKaPK-ejB_xfGxU7Pi5GC5YHFJUh5hgg5rD66Dth1thBULKDwOneskqprrr1fTv7ER5yxHq3IaHC_Q9vAQBA4bAOH2nWjNom6O2Wl1DkGjNUWOss5auVafFtFP72q5TcXZdM0ZTMiAMl2ahQ8I9frGuME9sfKG9lE4ioFWMq0eEUo36od4tA1XIoET6-aDv5wkvRp5kOIRqimf8bEZvePzpnB5x_VexCLiMmbMdM6_k59ZLEHG9Il8v4vxVkXXFN1KRbac99NF_u-zKb9t_6AdSj-QkbFTUBjIfntA”
}
2017-01-24 21:14:23,162:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 1012
2017-01-24 21:14:23,163:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1012
Boulder-Request-Id: XnklO52dqJnLe4npnXdfSCjuSnDXFH3MkgWzD0Gl_hg
Boulder-Requester: 474184
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk
Replay-Nonce: hLT4CxS5oyOANPj8lwkRTkw1NOBjMzLHiJN__fajdjQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 24 Jan 2017 21:14:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 24 Jan 2017 21:14:23 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “wiki.fairtragen.de”
},
“status”: “pending”,
“expires”: “2017-01-31T21:14:23.062067108Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456537”,
“token”: “69rrVN-boFKro3G9uhuEn0xoRQx8_pmbotTkNFkuGdY”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456538”,
“token”: “RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456539”,
“token”: “VyNMRFWCGi7Yx0L_7mI8rIAWKD9cmYvukqNlbF2xcno”
}
],
“combinations”: [
[
2
],
[
1
],
[
0
]
]
}
2017-01-24 21:14:23,164:DEBUG:acme.client:Storing nonce: hLT4CxS5oyOANPj8lwkRTkw1NOBjMzLHiJN__fajdjQ
2017-01-24 21:14:23,165:INFO:certbot.auth_handler:Performing the following challenges:
2017-01-24 21:14:23,165:INFO:certbot.auth_handler:http-01 challenge for wiki.fairtragen.de
2017-01-24 21:14:23,165:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/share/moin/.well-known/acme-challenge
2017-01-24 21:14:23,171:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/share/moin/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A
2017-01-24 21:14:23,171:INFO:certbot.auth_handler:Waiting for verification…
2017-01-24 21:14:23,172:DEBUG:acme.client:JWS payload:
{
“keyAuthorization”: “RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A.snprLb5Eu_rbykeg9W6JBV2JxMVQVN1xTSGNP4brPFU”,
“type”: “http-01”,
“resource”: “challenge”
}
2017-01-24 21:14:23,189:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456538:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: “tt5p3OzB7LZp12OTnWQ4o3W7QfO-ub8mhrWefKBRrmN4g6rC3-WVfC5hY7msEOIY966DJl90PZEEgJOF9FH9HwyW5Ya0LX4px7YBwRn82fRw04zzz5AbtQNPR8UYG6M7ES1_6GcW_MZsso9PP-A6sWl9ctpJkpu-FF9DBxgfsnQuljxUa1hmJgx16xdDlLUxIDkClTHS_n9PZP4cnKRz6OzTUnwWJm9WOrQYhKKr6WeLyDG2iRsdF85edQEJDb-WEyjw6ZlhtZxDRCLINapLt_Y45F5zUlYKlvzVQsUv5AjtnTiM87wQH5lvEexGOR3S61Oiqq7W5uqS3zrw9DFjxQ”
}
},
“protected”: “eyJub25jZSI6ICJoTFQ0Q3hTNW95T0FOUGo4bHdrUlRrdzFOT0JqTXpMSGlKTl9fZmFqZGpRIn0”,
“payload”: “ewogICJrZXlBdXRob3JpemF0aW9uIjogIlJOMmZ5OHNFZXcxQ0VwZUxwd2FuYXlJTXplVWhQWGJXQll5bmxwX1pTM0Euc25wckxiNUV1X3JieWtlZzlXNkpCVjJKeE1WUVZOMXhUU0dOUDRiclBGVSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9”,
“signature”: “D4C_IzMeVcg4xjAB-z-Xm7lsIZMZ4x63xuOXgphImkrs7MOw0feIn524QkEMfle9pqijgfHpJDYDyAO61CGZJxJQp-RgSmiHwXp_rCHsjLnkQK08FJ50DTXHnqTwFwps0ihxvO-jazAQNgfWHleXKxlqGEfXMh6kZdXJ_f-B-tQl1FbBPyn4MOvjJaMMwd9E-73vTAEl1egQvGIp74KHa1kXv3ohQGujrseN4h1_X5NejaTdw33sjT_ZZb83Cb8NAD9zxdXPMQen_tdXqWRgvMgEZd72jcizwnNdPwZFQVPoLmHlW6T7BNElehWQv0SIrxd3MEzD5zwkaTlrKqvS4g”
}
2017-01-24 21:14:23,399:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “POST /acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456538 HTTP/1.1” 202 338
2017-01-24 21:14:23,401:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Request-Id: hZ1kkEqCy6QS1pEqZP9J2z9ckWYuvjvbYsonxnv7RfU
Boulder-Requester: 474184
Link: https://acme-staging.api.letsencrypt.org/acme/authz/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456538
Replay-Nonce: nEE3w28O4Ds6popEWXvaBUwNlH4cCf8Vht0NF8hqfnc
Expires: Tue, 24 Jan 2017 21:14:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 24 Jan 2017 21:14:23 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456538”,
“token”: “RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A”,
“keyAuthorization”: “RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A.snprLb5Eu_rbykeg9W6JBV2JxMVQVN1xTSGNP4brPFU”
}
2017-01-24 21:14:23,401:DEBUG:acme.client:Storing nonce: nEE3w28O4Ds6popEWXvaBUwNlH4cCf8Vht0NF8hqfnc
2017-01-24 21:14:26,403:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk.
2017-01-24 21:14:26,599:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /acme/authz/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk HTTP/1.1” 200 2230
2017-01-24 21:14:26,602:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Boulder-Request-Id: AXaDsfy3hoRH57l2Wj1823OpSFP19n-SP5zyuDukXNE
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: -tSls7oug9d1kH5HJEe0hW6c0rZa_m2s26m4Z1Zjedw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2230
Expires: Tue, 24 Jan 2017 21:14:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 24 Jan 2017 21:14:26 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “wiki.fairtragen.de”
},
“status”: “invalid”,
“expires”: “2017-01-31T21:14:23Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456537”,
“token”: “69rrVN-boFKro3G9uhuEn0xoRQx8_pmbotTkNFkuGdY”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:unauthorized”,
“detail”: "Invalid response from http://wiki.fairtragen.de/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A: “\u003c!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01//EN” “http://www.w3.org/TR/html4/strict.dtd”\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=“Conte””,
“status”: 403
},
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456538”,
“token”: “RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A”,
“keyAuthorization”: “RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A.snprLb5Eu_rbykeg9W6JBV2JxMVQVN1xTSGNP4brPFU”,
“validationRecord”: [
{
“url”: “http://wiki.fairtragen.de/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A”,
“hostname”: “wiki.fairtragen.de”,
“port”: “80”,
“addressesResolved”: [
“85.214.139.246”
],
“addressUsed”: “85.214.139.246”
},
{
“url”: “https://wiki.fairtragen.de/usr/share/moin/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A”,
“hostname”: “wiki.fairtragen.de”,
“port”: “443”,
“addressesResolved”: [
“85.214.139.246”
],
“addressUsed”: “85.214.139.246”
}
]
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/qnhSzrzw_r1693qgOg-jYjl9HahxESfcv1tGZdkuxtk/23456539”,
“token”: “VyNMRFWCGi7Yx0L_7mI8rIAWKD9cmYvukqNlbF2xcno”
}
],
“combinations”: [
[
2
],
[
1
],
[
0
]
]
}
2017-01-24 21:14:26,603:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: wiki.fairtragen.de
Type: unauthorized
Detail: Invalid response from http://wiki.fairtragen.de/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A: "

<meta http-equiv="Conte"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-01-24 21:14:26,603:INFO:certbot.auth_handler:Cleaning up challenges
2017-01-24 21:14:26,605:DEBUG:certbot.plugins.webroot:Removing /usr/share/moin/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A
2017-01-24 21:14:26,605:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/share/moin/.well-known/acme-challenge
2017-01-24 21:14:26,606:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/share/moin/.well-known/acme-challenge’
2017-01-24 21:14:26,606:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/share/moin/.well-known/acme-challenge’
2017-01-24 21:14:26,606:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/wiki.fairtragen.de.conf produced an unexpected error: Failed authorization procedure. wiki.fairtragen.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wiki.fairtragen.de/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A: "

<meta http-equiv="Conte". Skipping.
2017-01-24 21:14:26,649:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 390, in handle_renewal_request
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 103, in _auth_from_available
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 273, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. wiki.fairtragen.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wiki.fairtragen.de/.well-known/acme-challenge/RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A: " <meta http-equiv="Conte"

#6

maybe this is of some help:

During the manual renewal process there is a bash command that creates the acme-challenge file.
I have carried out that command in my webroot. The file was created and I could reach it with my browser.
(the first line in my apache access log)
After that I continued the renewal process, but got the same error as above. In the access-log I find a 301 “Moved Permanently” and then a 404 error. I have no idea why…

188.96.81.85 - - [25/Jan/2017:13:37:42 +0100] “GET /.well-known/acme-challenge/QTsUzYV2_UtPYaRR1LvKPu3GqtJok8MSc2jPdpngf7U HTTP/1.1” 200 3772 “-” "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
66.133.109.36 - - [25/Jan/2017:13:37:50 +0100] “GET /.well-known/acme-challenge/QTsUzYV2_UtPYaRR1LvKPu3GqtJok8MSc2jPdpngf7U HTTP/1.1” 301 609 “-” "Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [25/Jan/2017:13:37:51 +0100] “GET /usr/share/moin/.well-known/acme-challenge/QTsUzYV2_UtPYaRR1LvKPu3GqtJok8MSc2jPdpngf7U HTTP/1.1” 404 5492 “http://wiki.fairtragen.de/.well-known/acme-challenge/QTsUzYV2_UtPYaRR1LvKPu3GqtJok8MSc2jPdpngf7U” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”


#7

oh no! It was my mistake!

In my apache-conf-file I had an error in the http (port 80) section.
Since letsencrypt tried to reach my server through http, but I always used https, I did not see the problem.

Now it works! Thanks for all the help!
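
The port-80 problem in this thread is visible in the `validationRecord` of the authz response in post #5, where the second hop carries the filesystem path in the URL. As an added example (not part of the original thread and not certbot code), this Python check walks that record and reports the hop at which the challenge path was rewritten; `diagnose_http01` and the trimmed sample are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/acme-challenge/"
TOKEN = "RN2fy8sEew1CEpeLpwanayIMzeUhPXbWBYynlp_ZS3A"

# Constructed sample: the failed http-01 challenge from the authz response in
# post #5, trimmed to the fields this check reads.
SAMPLE_AUTHZ = {"challenges": [
    {"type": "dns-01", "status": "pending"},
    {"type": "http-01", "status": "invalid", "token": TOKEN,
     "error": {"type": "urn:acme:error:unauthorized", "status": 403},
     "validationRecord": [
         {"url": "http://wiki.fairtragen.de" + WELL_KNOWN + TOKEN, "port": "80"},
         {"url": "https://wiki.fairtragen.de/usr/share/moin" + WELL_KNOWN + TOKEN,
          "port": "443"},
     ]},
]}


def diagnose_http01(authz):
    """Report, per failed http-01 challenge, where the request path went wrong."""
    reports = []
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01" or chall.get("status") != "invalid":
            continue
        expected = WELL_KNOWN + chall["token"]
        records = chall.get("validationRecord", [])
        report = {"token": chall["token"], "hops": len(records),
                  "status": chall.get("error", {}).get("status"),
                  "bad_hop": None, "redirected_by_port": None, "extra_prefix": None}
        for i, rec in enumerate(records):
            path = urlsplit(rec["url"]).path
            if path == expected:
                continue
            report["bad_hop"] = i
            if i > 0:  # the server answering the previous hop issued the redirect
                report["redirected_by_port"] = records[i - 1]["port"]
            if path.endswith(expected):  # something was prepended to the URL path
                report["extra_prefix"] = path[: -len(expected)]
            break
        reports.append(report)
    return reports


if __name__ == "__main__":
    print(diagnose_http01(SAMPLE_AUTHZ))
```

For the sample, the report points at hop 1, a redirect issued on port 80, with `/usr/share/moin` prepended to the path, which matches the 301 followed by 404 in the access log from post #6.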

