Certbot Failed authorization procedure

Hi there, I foudf here some similar issues but no solution for me.

My domain is: meet.fleetinnovation.de

the domain is hosted by another provider, and the Subdomain pointe to right IP-Address, A-Record.
All worked fine until the renew process.

I ran this command: sudo certbot --apache -d meet.fleetinnovation.de

It produced this output:
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. meet.fleetinnovation.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://meet.fleetinnovation.de/.well-known/acme-challenge/0i5qPOcja_P8jeGmLLhmhSjU6p0fPQw0uXXC0BSkQuw [85.235.67.149]: “\n\n404 Not Found\n\n< h1>Not Found\n<p”
…
IMPORTANT NOTES:

• The following errors were reported by the server:
  Domain: meet.fleetinnovation.de
  Type: unauthorized
  Detail: Invalid response from
  http://meet.fleetinnovation.de/.well-known/acme-challenge/0i5qPOcja_P8jeGmLLhmhSjU6p0fPQw0uXXC0BSkQuw
  [85.235.67.149]: “\n\n404 Not
  Found\n\n< h1>Not Found\n<p”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.
  I made no changes.

My web server is (include version): Apache/2.4.29 (Ubuntu 8.04.1)

The operating system my web server runs on is (include version): Ubuntu 8.04.1

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

=> **/ect/letsencrypt/renewval/meet.fleetinnovation.de.conf**
 # renew_before_expiry = 30 days
version = 1.3.0
archive_dir = /etc/letsencrypt/archive/meet.fleetinnovation.de
cert = /etc/letsencrypt/live/meet.fleetinnovation.de/cert.pem
privkey = /etc/letsencrypt/live/meet.fleetinnovation.de/privkey.pem
chain = /etc/letsencrypt/live/meet.fleetinnovation.de/chain.pem
fullchain = /etc/letsencrypt/live/meet.fleetinnovation.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 9f297f7b275de890b079bcb776d2d4b8
webroot_path = /usr/share/jitsi-meet,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]

Vitual Host:

=> /ect/apache2/sites-enabled/meet.fleetinnovation.de.conf

<VirtualHost *:80>
    ServerName meet.fleetinnovation.de
    Redirect permanent / https://meet.fleetinnovation.de/
</VirtualHost>

<VirtualHost *:443>

  ServerName meet.fleetinnovation.de

  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /etc/letsencrypt/live/meet.fleetinnovation.de/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/meet.fleetinnovation.de/privkey.pem
 SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESG   CM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK  :!SRP:!DSS:!RC4:!SEED"
  SSLHonorCipherOrder on
  Header set Strict-Transport-Security "max-age=31536000"

  DocumentRoot "/usr/share/jitsi-meet"
  <Directory "/usr/share/jitsi-meet">
    Options Indexes MultiViews Includes FollowSymLinks
    AddOutputFilter Includes html
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  ErrorDocument 404 /static/404.html

  Alias "/config.js" "/etc/jitsi/meet/meet.fleetinnovation.de-config.js"
  <Location /config.js>
    Require all granted
  </Location>

  Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
  <Location /external_api.js>
    Require all granted
  </Location>

  ProxyPreserveHost on
  ProxyPass /http-bind http://localhost:5280/http-bind/
  ProxyPassReverse /http-bind http://localhost:5280/http-bind/

  RewriteEngine on
  RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
</VirtualHost>

Hi @Kai700

why do you use --apache if your config file has a webroot definition?

Try only

certbot renew

so the configuration is used.

Thanks for fast response…
I did ‘certbot renew’ . th eoutput:

Processing /etc/letsencrypt/renewal/meet.fleetinnovation.de.conf

Attempting to parse the version 1.3.0 renewal configuration file found at /etc/letsencrypt/renewal/meet.fleetinnovation.de.conf with version 0.31.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for meet.fleetinnovation.de
Cleaning up challenges
Attempting to renew cert (meet.fleetinnovation.de) from /etc/letsencrypt/renewal/meet.fleetinnovation.de.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for meet.fleetinnovation.de:. Skipping.
…

Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
…
/etc/letsencrypt/live/meet.fleetinnovation.de/fullchain.pem (failure)
…

No other solutions possible? Can i delete the cert and install a new one? How?

If you don't answer the questions Certbot asks, you can't create a certificate.

Hm, the initial one seems to have worked.
Does it mean, i have to put a config line into meet.fleetinnovation.de.conf, such like;

webroot_path = /usr/share/jitsi-meet,

I gave the answer, but same error:

 Input the webroot for meet.fleetinnovation.de: (Enter 'c' to cancel): /usr/share/jitsi-meet
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. meet.fleetinnovation.de (http-01): urn:ietf:params:acme:error:unauthorized     :: The client lacks sufficient authorization :: Invalid response from http://meet.fleetinnovation.de/.well-    known/acme-challenge/9uV76gDvlxsi8_kdWa4gbxdozJq5QF64CHCOagdr5z8 [85.235.67.149]:     "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not     Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

There is no: /.well-known/acme-challenge/9uV76gDvlxsi8_kdWa4gbxdozJq5QF64CHCOagdr5z8

I think here are some generell information: https://letsencrypt.org/de/docs/challenge-types/
too complicated for me

If webroot doesn’t work, you use the wrong webroot.

Or you have additional definitions so your webroot input isn’t correct / doesn’t work with your real configuration.

Create the two subdirectories

yourwebroot/.well-known/acme-challenge

there a file (file name 1234), then try to load that file via

http://meet.fleetinnovation.de/.well-known/acme-challenge/1234

If that works, you have found your correct webroot. If it doesn’t work, creating a certificate with that webroot can’t work.

1234 doesnt work, i dont know why, because i didn’t change anything after initial. and at the beginning it worked fine. maybe its an jitsi special…

thanks

Challenge failed for domain meet.fleetinnovation.de
http-01 challenge for meet.fleetinnovation.de
Cleaning up challenges
Some challenges have failed.

Then you have to find the reason and to fix that. A working webserver is required if you want to create certificates.

Cant work, because there is a permanent redirect to httpS (see above) which hasn’t worked since expire ssl. I will check the vhost again.

Just now “1234” is available. But the same error. The token is every time different. i dont know, what its looking for.

What's the complete path of that file?

its done!!! the webroot-path was wrong.
thanks

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.