Certbot does not generate authorization files


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: office.hb-os.de

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert (office.hb-os.de) from /etc/letsencrypt/renewal/office.hb-os.de.conf produced an unexpected error: Failed authorization procedure. office.hb-os.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.hb-os.de/.well-known/acme-challenge/YhFfcxB9HzhNLAl79MF2_MWdrw92LiuEPEH4gthlXuw

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

I accidentally deleted the .well-known folder before, so I made it again with 777 rights. I also made acme-challenge below it. Both are reachable from outside. The problem itself is that certbot does not generate the files. I checked the webroot in the conf file and it has the right setting. Does anybody have an idea why the files are not generated?

Best regards
Holger


#2

Could you show your renewal .conf file? I want to see what the authenticator is set to.

I noticed your webserver identifies itself as LANCOM and a request to the /.well-known/acme-challenge/ directory results in a 404.

If you could comment on what that webserver is and what relation it has to your Apache server, that could be helpful.

Edit: some quick Googling indicates that LANCOM could be a modem/router or a printer. So maybe something funky is going on with port forwarding and reflected NAT.


#3

What was the rest of Certbot’s output?


#4

If you are testing via https, then you are not accurately simulating the authorization requests:
Invalid response from http://office.hb-os.de/.well-known/acme-challenge/...

As @_az pointed out, the connections to port 80 don’t match the connections to port 443:

curl -Iki http://office.hb-os.de/
HTTP/1.1 400 Bad Request
Connection: close
Server: LANCOM
Date: Fri, 15 Feb 2019 22:56:57 GMT
Content-Type: text/html

curl -Iki https://office.hb-os.de/
HTTP/1.1 200 OK
Date: Fri, 15 Feb 2019 22:57:03 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 10 Oct 2016 09:35:05 GMT
ETag: "29cd-53e7f79999535"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html
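
The comparison above can be scripted so the mismatch is caught before a renewal attempt. The following Python is an added example, not code from this thread or from Certbot: it drops a random probe token where Certbot's webroot plugin writes its challenge files, fetches it over plain HTTP on port 80 the way the ACME validator does, and compares the Server header with the HTTPS answer. The domain and webroot arguments, the probe-file approach, and the two constructed replies (taken from the curl output quoted above) are assumptions for illustration.

```python
import os
import secrets
import urllib.error
import urllib.request

# Path Certbot's webroot plugin uses below the document root
CHALLENGE_PATH = ".well-known/acme-challenge"


def parse_head(raw: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers, as curl -I prints it)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def diagnose(http_head: dict, https_head: dict) -> list:
    """Compare the plain-HTTP and HTTPS answers for the same host and list findings.

    An empty list means port 80 and port 443 look like the same web server and
    the plain-HTTP request (the only one the HTTP-01 validator makes) succeeded.
    """
    findings = []
    srv80 = http_head["headers"].get("server", "<no Server header>")
    srv443 = https_head["headers"].get("server", "<no Server header>")
    if srv80 != srv443:
        findings.append(
            f"port 80 is answered by '{srv80}' but port 443 by '{srv443}': "
            "port 80 is probably forwarded to a different device than port 443"
        )
    if http_head["status"] >= 400:
        findings.append(
            f"plain HTTP returned {http_head['status']}: the validator's request "
            "to /.well-known/acme-challenge/<token> would fail the same way"
        )
    return findings


def place_probe(webroot: str) -> str:
    """Write a random probe token where the webroot plugin would write a real one."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)  # world-writable (777) is not needed; the web server only reads here
    token = secrets.token_urlsafe(32)
    with open(os.path.join(directory, token), "w", encoding="ascii") as fh:
        fh.write(token)
    return token


def fetch_head(url: str) -> dict:
    """HEAD request over the network; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {"status": resp.status,
                    "headers": {k.lower(): v for k, v in resp.headers.items()}}
    except urllib.error.HTTPError as err:
        return {"status": err.code,
                "headers": {k.lower(): v for k, v in err.headers.items()}}


def preflight(domain: str, webroot: str) -> list:
    """Online check: drop a probe token, then compare port 80 and port 443 like the curl calls above."""
    token = place_probe(webroot)
    http_head = fetch_head(f"http://{domain}/{CHALLENGE_PATH}/{token}")
    https_head = fetch_head(f"https://{domain}/")
    try:
        os.remove(os.path.join(webroot, *CHALLENGE_PATH.split("/"), token))
    except OSError:
        pass
    return diagnose(http_head, https_head)


# Constructed sample input: the two curl -I replies quoted in the post above, trimmed.
PORT_80_REPLY = """HTTP/1.1 400 Bad Request
Connection: close
Server: LANCOM
Content-Type: text/html
"""

PORT_443_REPLY = """HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Content-Type: text/html
"""

if __name__ == "__main__":
    import sys
    # Offline: diagnose the quoted replies
    for finding in diagnose(parse_head(PORT_80_REPLY), parse_head(PORT_443_REPLY)):
        print("-", finding)
    # Live run (assumed usage): python3 preflight.py <domain> <webroot>
    if len(sys.argv) == 3:
        print(preflight(sys.argv[1], sys.argv[2]) or ["no problems found"])
```

Run against the quoted replies it reports both the Server mismatch and the 400, which is the port-forwarding situation this thread ends in; run live it exercises the real path the validator will hit, so it also catches a wrong webroot or a rewrite rule that only bites the challenge directory.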


#5

OMG - it was really the port topic. Now it is working - thanks for your fast and helpful replies!

Best regards
Holger


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.