Certbot does not generate authorization files


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: office.hb-os.de

I ran this command: certbot renew --dry-run

It produced this output:Attempting to renew cert (office.hb-os.de) from /etc/letsencrypt/renewal/office.hb-os.de.conf produced an unexpected error: Failed authorization procedure. office.hb-os.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.hb-os.de/.well-known/acme-challenge/YhFfcxB9HzhNLAl79MF2_MWdrw92LiuEPEH4gthlXuw

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

I accidently deleted before the .well-known folder, so I made it again with 777 right. I also made acme-challenge below. Both is reachable from outside. The problem itself is that certbot does not generate the files. I checked the webroot in conf-file and it has the right setting. Does anybody has an idea why the files are not generated?

Best regards


Could you show your renewal .conf file? I want to see what the authenticator is set to.

I noticed your webserver identifies itself as LANCOM and a request to the /.well-known/acme-challenge/ directory results in a 404.

If you could comment on what that webserver is and what relation it has to your Apache server, that could be helpful.

Edit: some quick Googling indicates that LANCOM could be a modem/router or a printer. So maybe something funky is going on with port forwarding and reflected NAT.


What was the rest of Certbot’s output?


If you are testing via https, then you are not accurately simulating the authorization requests:
Invalid response from http://office.hb-os.de/.well-known/acme-challenge/...

As @_az pointed out, the connections to port 80 don’t match the connections to port 443:

curl -Iki http://office.hb-os.de/
HTTP/1.1 400 Bad Request
Connection: close
Server: LANCOM
Date: Fri, 15 Feb 2019 22:56:57 GMT
Content-Type: text/html

curl -Iki https://office.hb-os.de/
HTTP/1.1 200 OK
Date: Fri, 15 Feb 2019 22:57:03 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 10 Oct 2016 09:35:05 GMT
ETag: “29cd-53e7f79999535”
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html


OMG - it was really the port topic. Now it is working - thanks for your fast and helpfull replies!

Best regards

closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.