Certbot Apache "Failed authorization procedure"


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thinkingwithnumbers.com

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: thinkingwithnumbers.com
2: www.thinkingwithnumbers.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for thinkingwithnumbers.com
http-01 challenge for www.thinkingwithnumbers.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.thinkingwithnumbers.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.thinkingwithnumbers.com/.well-known/acme-challenge/5YES6r6I6kTK8dqBbi8WxCbIbTl4jizXzLMWnUd97bs: q%!(EXTRA string=

404 Not Found

Not Found

<p), thinkingwithnumbers.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thinkingwithnumbers.com/.well-known/acme-challenge/94tGeKzOuxv-hOb43aMZPI3B_tZ5lIppRudUOb6zNEY: q%!(EXTRA string= 404 Not Found

Not Found

<p)

IMPORTANT NOTES:

My web server is (include version): 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean (Domain and DNS: GoDaddy)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Please show:
ls -l /etc/apache2/sites-enabled/
grep -Eri 'servername|serveralias|thinkingwithnumbers' /etc/apache2/


#3

Thanks for the quick reply. Below are the results from both commands.

ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 39 Sep 25 2017 000-apps.vhost -> /etc/apache2/sites-available/apps.vhost
lrwxrwxrwx 1 root root 43 Sep 22 2017 000-ispconfig.conf -> /etc/apache2/sites-available/ispconfig.conf
lrwxrwxrwx 1 root root 44 Sep 25 2017 000-ispconfig.vhost -> /etc/apache2/sites-available/ispconfig.vhost
lrwxrwxrwx 1 root root 58 Sep 25 2017 100-thinkingwithnumbers.com.vhost -> /etc/apache2/sites-available/thinkingwithnumbers.com.vhost
lrwxrwxrwx 1 root root 27 Jul 6 03:44 twn.conf -> …/sites-available/twn.conf

grep -Eri ‘servername|serveralias|thinkingwithnumbers’ /etc/apache2/
/etc/apache2/sites-available/twn.conf: ServerName thinkingwithnumbers.com
/etc/apache2/sites-available/twn.conf: ServerAlias www.thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost:<Directory /var/www/thinkingwithnumbers.com>
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: DocumentRoot /var/www/thinkingwithnumbers.com/web
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: ServerName thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: ServerAlias www.thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: ServerAdmin webmaster@thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: ErrorLog /var/log/ispconfig/httpd/thinkingwithnumbers.com/error.log
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: Alias /error/ “/var/www/thinkingwithnumbers.com/web/error/”
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: <Directory /var/www/thinkingwithnumbers.com/web>
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: php_admin_value sendmail_path “/usr/sbin/sendmail -t -i -fwebmaster@thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: php_admin_value open_basedir /home/igor/twn:/usr/share/php:/var/www/clients/client0/web1/web:/var/www/clients/client0/web1/private:/var/www/clients/client0/web1/tmp:/var/www/thinkingwithnumbers.com/web:/srv/www/thinkingwithnumbers.com/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status


#4

You have the same two FQDNs in two active configs:
/etc/apache2/sites-available/twn.conf: ServerName thinkingwithnumbers.com
/etc/apache2/sites-available/twn.conf: ServerAlias www.thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: ServerName thinkingwithnumbers.com
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost: ServerAlias www.thinkingwithnumbers.com

Please show both files:
/etc/apache2/sites-available/twn.conf
/etc/apache2/sites-available/thinkingwithnumbers.com.vhost


#6

Ah yes you are right. Thanks again for your help! Below are both files.
/etc/apache2/sites-available/twn.conf

<VirtualHost *:80>
    ServerAdmin ADMIN
    DocumentRoot "/home/igor/twn/public"
    ServerName thinkingwithnumbers.com
    ServerAlias www.thinkingwithnumbers.com
    ErrorLog "/var/log/apache2/twn-error.log"
    CustomLog "/var/log/apache2/twn-access.log" common

    <Directory "/home/igor/twn">
        Options FollowSymLinks Multiviews
        MultiviewsMatch Any
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

/etc/apache2/sites-available/thinkingwithnumbers.com.vhost

<Directory /var/www/thinkingwithnumbers.com>
		AllowOverride None
				Require all denied
		</Directory>

<VirtualHost 45.55.210.211:80>

		DocumentRoot /var/www/thinkingwithnumbers.com/web
						
		ServerName thinkingwithnumbers.com
		ServerAlias www.thinkingwithnumbers.com
		ServerAdmin ADMIN

		ErrorLog /var/log/ispconfig/httpd/thinkingwithnumbers.com/error.log

		Alias /error/ "/var/www/thinkingwithnumbers.com/web/error/"
		ErrorDocument 400 /error/400.html
		ErrorDocument 401 /error/401.html
		ErrorDocument 403 /error/403.html
		ErrorDocument 404 /error/404.html
		ErrorDocument 405 /error/405.html
		ErrorDocument 500 /error/500.html
		ErrorDocument 502 /error/502.html
		ErrorDocument 503 /error/503.html

		<IfModule mod_ssl.c>
		</IfModule>

		<Directory /var/www/thinkingwithnumbers.com/web>
				# Clear PHP settings of this website
				<FilesMatch ".+\.ph(p[345]?|t|tml)$">
						SetHandler None
				</FilesMatch>
				Options +FollowSymLinks
				AllowOverride All
								Require all granted
						</Directory>
		<Directory /var/www/clients/client0/web1/web>
				# Clear PHP settings of this website
				<FilesMatch ".+\.ph(p[345]?|t|tml)$">
						SetHandler None
				</FilesMatch>
				Options +FollowSymLinks
				AllowOverride All
								Require all granted
						</Directory>

		**_php_admin stuff here_**

		# add support for apache mpm_itk
		<IfModule mpm_itk_module>
			AssignUserId web1 client0
		</IfModule>

		<IfModule mod_dav_fs.c>
		# Do not execute PHP files in webdav directory
			<Directory /var/www/clients/client0/web1/webdav>
				<ifModule mod_security2.c>
					SecRuleRemoveById 960015
					SecRuleRemoveById 960032
				</ifModule>
				<FilesMatch "\.ph(p3?|tml)$">
					SetHandler None
				</FilesMatch>
			</Directory>
			DavLockDB /var/www/clients/client0/web1/tmp/DavLock
			# DO NOT REMOVE THE COMMENTS!
			# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
                        # WEBDAV BEGIN
			# WEBDAV END
		</IfModule>
              
              DocumentRoot "/home/igor/twn/public"
              <Directory "/home/igor/twn">
                  Options FollowSymLinks Multiviews
                  MultiviewsMatch Any
                  AllowOverride All
                  Require all granted
             </Directory> 
</VirtualHost>

#7

I don’t understand why you have two files for the same names…
Which provide two different directory contents:
DocumentRoot "/home/igor/twn/public"
DocumentRoot /var/www/thinkingwithnumbers.com/web

You should probably figure out which is correct and remove the other.


#8

Our site is managed by a couple of admins. Another administrator set it up in this fashion to allow some admins, those that only need access to the “/home/igor/twn/public”, only the ability to access the “public” directory via FTP. Though I’m not sure why the two config files for the same names…

Does certbot have the option of specifying which of the two “DocumentRoot” paths to place the acme challenge files and perform the authorization process? Or do you believe there is another problem entirely?

Thanks!


#9

These configs are for web services relating to port 80 - they have nothing to do with FTP (port 21).
You should figure out which of the two configs is correct and remove the other.


#10

You were right. The admin forgot to delete the old version of the config file after combining code in: /etc/apache2/sites-available/thinkingwithnumbers.com.vhost.

After removing the twn.conf file, https was enabled successfully!

You the best, thanks!


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.