Certbot failed authorization procedure


#1

I’m having issues trying to renew my certificate using certbot. I know I have a duplication error with my Dovecot (it’s in the ufw as both ipv4 and ipv6) but I don’t think that this should matter in this case?

I’m doing the dry run so as not to do too many requests and get locked out.

I manually created a test file which I can access through the browser:
https://www.danh.co.uk/.well-known/acme-challenge/test

so i’m now lost as to why.

As far as I know I have my A record in my DNS set up correctly (i’m using entrydns) and I don’t have an AAAA record for my domain.

My domain is:
www.danh.co.uk

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /letsencryptlocation/www.danh.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Running pre-hook command: ufw allow http
Output from ufw:
Rule updated
Rule updated (v6)

Error output from ufw:
WARN: Duplicate profile ‘Dovecot IMAP’, using last found
WARN: Duplicate profile ‘Dovecot Secure IMAP’, using last found
WARN: Duplicate profile ‘Dovecot POP3’, using last found
WARN: Duplicate profile ‘Dovecot Secure POP3’, using last found

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for danh.co.uk
http-01 challenge for www.danh.co.uk
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.danh.co.uk) from /letsencryptlocation/www.danh.co.uk.conf produced an unexpected error: Failed authorization procedure. danh.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://danh.co.uk/.well-known/acme-challenge/PbwT3OTDIC0Ra_TeR5E-0FiNoIjt2nq6f3TJ-VnL7RM: “\n\n400 Bad Request\n\n

Bad Request</h1”, www.danh.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.danh.co.uk/.well-known/acme-challenge/aWHaJn_l1pQozJC9IMTDIVTZR99dKJOxKWyEfjPqv3g: “\n\n400 Bad Request\n\n

Bad Request</h1”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/letsencryptlocation/www.danh.co.uk/chain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/letsencryptlocation//www.danh.co.uk/chain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: ufw deny http
Output from ufw:
Rule updated
Rule updated (v6)

Error output from ufw:
WARN: Duplicate profile ‘Dovecot IMAP’, using last found
WARN: Duplicate profile ‘Dovecot Secure IMAP’, using last found
WARN: Duplicate profile ‘Dovecot POP3’, using last found
WARN: Duplicate profile ‘Dovecot Secure POP3’, using last found

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
ubuntu 18.04

I can login to a root shell on my machine yes

I’m using a control panel to manage my site
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1

Thanks!


#2

Your Apache is listening on port 80 using the HTTPS protocol: i.e. https://danh.co.uk:80.

This can be caused by one of two things:

  • Wrong port forwarding (external 80 forwarding to internal 443), or
  • Apache configuration with HTTPS configured inside one or more *:80 virtual hosts.

Either way, this will prevent the validation process from succeeding.


#3

ok thanks I’ll have a look into it!


#4
  1. the link shows https (the real test is http).
  2. The file is not there via https (404)
    and the https connection times out:
    wget http://www.danh.co.uk/.well-known/acme-challenge/test
    --2019-01-29 22:03:24-- http://www.danh.co.uk/.well-known/acme-challenge/test
    Resolving www.danh.co.uk (www.danh.co.uk)... 87.239.207.227
    Connecting to www.danh.co.uk (www.danh.co.uk)|87.239.207.227|:80... failed: Connection timed out.

Receiving error 400 is not as bad as it sounds; there is at least some communication via http.
Now you just have to “fix” it.


#5

Thanks for the help guys. I ended up temporarily disabling my vhosts, ran certbot renew and then reactivated it. It’s a cheat but it worked. Now to set up my https vhosts properly
@rg305 it does indeed show https because I set up my site to redirect everything to https so even if I try to go through on http, it will automatically redirect to https.

Thanks again!


#6

Hi @lehobhob

but your way is wrong.

Your http://danh.co.uk:443/ works, this is fatal.

You need an open http://danh.co.uk:80/, there a redirect (http status 301 to https://danh.co.uk/) and an open https://danh.co.uk:443/.

But one port can’t handle http and https requests. So you must have two different ports, every port with one protocol.

Now you have only http - port 80 and port 443.


#7

Thanks for your input Juergen. I understand that it’s wrong so I’m having a look at it now. I’m not sure where in my config I set it up to do that so will go back to the beginning to find out where


#8

This result is created by something like

<VirtualHost *:443>

</VirtualHost>

without SSL-definition.

So the standard SSL port 443 is active, but accepts http requests.


closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.