Certbot renewal unauthorized error, acme-challenge invalid response

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
justatest.com
I ran this command:
certbot renew
It produced this output:
{
  "identifier": {
    "type": "dns",
    "value": "justatest.com"
  },
  "status": "invalid",
  "expires": "2019-12-22T13:06:09Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://justatest.com/.well-known/acme-challenge/jHWNhn3zNZKSetrZlIC49AjDNCVdXnFWk_vudh2WagM [204.93.193.135]: \"\u003chtml\u003e\u003chead\u003e\u003ctitle\u003eAdministrative Quarantine\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003cfont size=2\u003e\u003ctable width=\"100%!(MISSING)\"\u003e\u003ctr\u003e\u003ctd bgcolor=#3300cc align=\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1743662771/JkbLfQ",
      "token": "jHWNhn3zNZKSetrZlIC49AjDNCVdXnFWk_vudh2WagM",
      "validationRecord": [
        {
          "url": "http://justatest.com/.well-known/acme-challenge/jHWNhn3zNZKSetrZlIC49AjDNCVdXnFWk_vudh2WagM",
          "hostname": "justatest.com",
          "port": "80",
          "addressesResolved": [
            "204.93.193.135"
          ],
          "addressUsed": "204.93.193.135"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1743662771/kWMWug",
      "token": "jHWNhn3zNZKSetrZlIC49AjDNCVdXnFWk_vudh2WagM"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1743662771/K09xZA",
      "token": "jHWNhn3zNZKSetrZlIC49AjDNCVdXnFWk_vudh2WagM"
    }
  ]
}

My web server is (include version):
Apache Tomcat Version 8.5.14
The operating system my web server runs on is (include version):
Ubuntu 14.04.6 LTS
My hosting provider, if applicable, is:
n.a.
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no panel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Renewing this time failed with the error above, though renewal has worked fine in the past. I’m not sure what has changed that would cause the above message for the domain justatest.com.
The DNS A records for domain justatest.com and www.justatest.com point to my tomcat webserver. The cert on that server handles other virtual hosts (one of which is justatest.com).
Tips to troubleshoot this are gratefully appreciated.
thanks!
jp.
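
One thing worth doing before touching any certbot config is to fetch the challenge URL yourself, the way the CA does, and look at what actually answers on port 80. The script below is an added example (not Certbot or Let's Encrypt code): it follows redirects, keeps the body even on a 4xx, and pulls out the HTML <title>, which in the error above is the only readable clue ("Administrative Quarantine"). It assumes a local stand-in web server on 127.0.0.1; that server's 403 page is a constructed imitation of the HTML quoted in the error, not the real page.

```python
"""Fetch an http-01 challenge URL like the CA does and report what answered.

Added example, not Certbot or Boulder code. The local stand-in server and
its "Administrative Quarantine" page are constructed for the demo.
"""
import html
import http.server
import re
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def probe_http01(base_url, token, expected_body=None, timeout=5):
    """GET base_url + /.well-known/acme-challenge/<token>, following redirects.

    Returns a dict with the HTTP status, the final URL (after any
    http->https redirect), an ok flag, a short body preview and, for HTML
    error pages, the <title>: usually the fastest hint to *what* answered.
    """
    url = base_url.rstrip("/") + ACME_PATH + token
    result = {"url": url, "status": None, "final_url": None,
              "ok": False, "body_preview": "", "title": None}
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            result["status"], result["final_url"] = resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        # 4xx/5xx answers still carry a body; the CA quotes it in "detail".
        body = err.read(4096).decode("utf-8", "replace")
        result["status"], result["final_url"] = err.code, err.geturl()
    except urllib.error.URLError as err:
        result["body_preview"] = "connection failed: %s" % err.reason
        return result
    result["body_preview"] = body[:120]
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    if m:
        result["title"] = html.unescape(m.group(1)).strip()
    # The CA wants HTTP 200 and a body equal to the key authorization; for a
    # manual test, compare against the content of the file you placed.
    if result["status"] == 200 and (expected_body is None
                                    or body.strip() == expected_body):
        result["ok"] = True
    return result


class FakeSite(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: serves one token file, 403s everything else."""
    GOOD_TOKEN = "test"
    QUARANTINE = (b"<html><head><title>Administrative Quarantine</title></head>"
                  b"<body>blocked</body></html>")

    def do_GET(self):
        if self.path == ACME_PATH + self.GOOD_TOKEN:
            self._reply(200, b"success\n", "text/plain")
        else:
            self._reply(403, self.QUARANTINE, "text/html")

    def _reply(self, code, payload, ctype):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_site():
    """Start the stand-in on an ephemeral port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_fake_site()
    try:
        # A token that is really served ...
        print(probe_http01(base, FakeSite.GOOD_TOKEN, expected_body="success"))
        # ... and one that some other listener answers with a 403 page.
        print(probe_http01(base, "jHWNhn3zNZKSetrZlIC49AjDNCVdXnFWk_vudh2WagM"))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real host, call probe_http01("http://justatest.com", "<any token>") from a machine outside your network: if the title or the final_url points at something other than Tomcat, the request is being answered by another listener or an intermediary before it reaches the box certbot runs on.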

Hi @justatest

There is too much missing information.

What's the content of your certbot renew config?

Checking your domain there is a redirect http -> https - https://check-your-website.server-daten.de/?q=justatest.com

But your error says, that the http answer is wrong (not a https result). So you may have used a wrong authenticator that doesn't work with your Tomcat.


Hello Juergen… many thanks for replying on this. I’m not sure what the certbot renew config is but in the:

/etc/letsencrypt/renewal

directory, there are two sub-directories (one of which isn’t used and I should remove):

  1. www.artprocess.net-0001.conf
  2. www.artprocess.net.conf

The tomcat server refers to 1)

The contents of 1) are:
pref_challs = http-01

[renewalparams]
authenticator = standalone
account = 1efb768643dd5289418eb1655ac2736b
server = https://acme-v02.api.letsencrypt.org/directory


Apologies I’m a newbie so I don’t understand the specific reference in your sentence:

“…But your error says, that the http answer is wrong (not a https result). So you may have used a wrong authenticator that doesn’t work with your Tomcat.”

Which error are you referring to? And what is the authenticator that certbot uses and expects in reply?

Kind regards
jp


Please start with some basics:

Then read

and the Certbot documentation.

standalone should always work. But that requires stopping the running webserver.

What's an "Administrative Quarantine"?

Looks like there are other systems running. What's the content of the other config file?


OK I’ll go though those docs thanks for pointing me to them.

I’m not sure how I missed this, but I made a mistake by not including all of the renewal net-0001.conf file:

renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.artprocess.net-0001
cert = /etc/letsencrypt/live/www.artprocess.net-0001/cert.pem
privkey = /etc/letsencrypt/live/www.artprocess.net-0001/privkey.pem
chain = /etc/letsencrypt/live/www.artprocess.net-0001/chain.pem
fullchain = /etc/letsencrypt/live/www.artprocess.net-0001/fullchain.pem

# Options used in the renewal process
# Added this: (jp 20190118)
pref_challs = http-01

[renewalparams]
authenticator = standalone
account = 1efb768643dd5289418eb1655ac2736b
server = https://acme-v02.api.letsencrypt.org/directory

The other file net.conf contains similar (only the dirs are different):

renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.artprocess.net
cert = /etc/letsencrypt/live/www.artprocess.net/cert.pem
privkey = /etc/letsencrypt/live/www.artprocess.net/privkey.pem
chain = /etc/letsencrypt/live/www.artprocess.net/chain.pem
fullchain = /etc/letsencrypt/live/www.artprocess.net/fullchain.pem

# Options used in the renewal process
# Added this: (jp 20190118)
pref_challs = http-01

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
account = 1efb768643dd5289418eb1655ac2736b

Do you think it might be easier if I just delete these certs and create a new one instead, or better to try figure out what the problem is?

thanks,
jp

I deleted the unused certificate:

www.artprocess.net

using the certbot delete command.

I then removed www.justatest.com and justatest.com domains from the certificate in use:

www.artprocess.net-0001

using the command certbot certonly --cert-name www.artprocess.net-0001 (by listing the -d domains I wanted and leaving out the justatest ones). The certificate was renewed successfully.

However when I try to add in the justatest domains again using the [certbot certonly --standalone -d www.justatest.com -d justatest.com -d others…] command, I get the unauthorized invalid response error again:

Invalid response from
http://www.justatest.com/.well-known/acme-challenge/wN9W-9Pw8ZiEZHE0qvZwZNXWrr5eiKTOo362-2kabbs

How do I re-create an acme-challenge that will solve this problem? I’ve added .well-known/acme-challenge directories to the justatest.com webroot and created a test file containing the word ‘success’.

thanks,
jp


Hi @justatest,

It seems like you might be confusing standalone and webroot. The webroot method involves creating files on your existing webserver (which Certbot should do for you—you don’t have to do it yourself), while the standalone method is a complete alternative to your existing web server, which normally requires you to stop the existing server process while obtaining your certificate.

Right now, there is something listening on http://justatest.com/ on port 80, so if you want to use the standalone method, you would have to shut that down temporarily in order to free up port 80 for Certbot to use.


Thanks Seth,

You’re right, I had confused them at first.
But now I’ve come up against a server renew limit (oops!) as I wasn’t aware that I should have been using the --dry-run flag. From what I understand, I need to wait until next week for it to clear.

However even when I tried webroot and specified the directory, the unauthorized error kept occurring. I can’t seem to overwrite the acme-challenge with a new one - is that possible?

I think the original problem stemmed from the fact that I deleted and re-created the justatest directory structure on the webserver some weeks ago. I wasn’t aware of .well-known/acme-challenge directories.

BTW, I don’t see any other “.well-known” directories on the webserver for the artprocess.* domains. Is it possible that the challenge type used is not HTTP-01? How can I confirm which type of challenge is being used?

thanks
jp


Certbot creates those for you too, so you should never need to create them yourself. Nor should accidentally deleting them prevent Certbot from working. Remember that what you need to specify with -w when using --webroot is the top level of the site, not the /.well-known/acme-challenge path (Certbot will take care of that part).

If you successfully used any method other than --webroot, you wouldn't necessarily have these directories because they wouldn't have been used, or would have been created in a completely ephemeral way.

You can find out from the logs in /var/log/letsencrypt, or you can look in /etc/letsencrypt/renewal to see what the authentication method used for each certificate was.

If you try again next week and get an unauthorized error, we can try to help figure it out. I agree with @JuergenAuer that it would be helpful to understand what "administrative quarantine" means here and where that message is coming from.

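
The two points Seth makes above (standalone needs port 80 to itself, webroot wants the site root rather than the .well-known path, and the renewal directory tells you which authenticator and therefore which challenge is in use) can be checked mechanically. The script below is an added example, not Certbot's own code: it parses renewal files in the same layout as the ones posted in this thread and flags the two configurations that produce exactly this kind of unauthorized error. The sample configs are constructed; the first mirrors www.artprocess.net-0001.conf from the thread, the second is a hypothetical webroot config with the -w mistake. The authenticator-to-challenge table is what Seth states for the Certbot 0.31 plugins (http-01 or dns-01), and `pre_hook`/`post_hook`, `webroot_path` and `[[webroot_map]]` are the keys Certbot writes for those options.

```python
"""Audit Certbot renewal configs for the standalone/webroot mistakes above.

Added example, not Certbot code. The sample configs are constructed.
"""
import re

# Constructed: mirrors the www.artprocess.net-0001.conf posted in the thread.
SAMPLE_STANDALONE = """\
renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.artprocess.net-0001
cert = /etc/letsencrypt/live/www.artprocess.net-0001/cert.pem
# Options used in the renewal process
pref_challs = http-01
[renewalparams]
authenticator = standalone
account = 1efb768643dd5289418eb1655ac2736b
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed, hypothetical: -w pointed at the challenge dir, not the site root.
SAMPLE_WEBROOT_WRONG = """\
version = 0.31.0
[renewalparams]
authenticator = webroot
account = 1efb768643dd5289418eb1655ac2736b
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/justatest.com/.well-known/acme-challenge,
[[webroot_map]]
justatest.com = /var/www/justatest.com/.well-known/acme-challenge
www.justatest.com = /var/www/justatest.com/.well-known/acme-challenge
"""

# Challenge each authenticator drives (per the thread, for 0.31-era plugins;
# every dns-* plugin is dns-01). pref_challs overrides this.
CHALLENGE_FOR = {"standalone": "http-01", "webroot": "http-01",
                 "apache": "http-01", "nginx": "http-01", "manual": "http-01"}


def parse_renewal_conf(text):
    """Minimal parser for Certbot's configobj-style renewal files.

    Returns {"": top-level keys, "renewalparams": {...}, "webroot_map": {...}};
    nested [[section]] headers are flattened to their own name.
    """
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[+\s*([^\]]+?)\s*\]+$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().rstrip(",")  # "path," is a 1-item list
    return sections


def audit(text):
    """Return (challenge_in_use, findings) for one renewal config."""
    conf = parse_renewal_conf(text)
    params = conf.get("renewalparams", {})
    auth = params.get("authenticator", "")
    challenge = conf[""].get("pref_challs") or params.get("pref_challs")
    if not challenge:
        challenge = "dns-01" if auth.startswith("dns-") else CHALLENGE_FOR.get(auth, "unknown")
    findings = []
    # standalone binds port 80 itself, so the real web server must be stopped
    # around the run; without hooks, `certbot renew` will collide with Tomcat.
    if auth == "standalone" and not (params.get("pre_hook") and params.get("post_hook")):
        findings.append("standalone needs port 80 free: add pre_hook/post_hook to stop "
                        "and start the web server, or switch to webroot")
    if auth == "webroot":
        targets = dict(conf.get("webroot_map", {}))
        if not targets and params.get("webroot_path"):
            targets["(default)"] = params["webroot_path"]
        for domain, path in targets.items():
            # Certbot appends /.well-known/acme-challenge itself; -w must be the root.
            if re.search(r"/\.well-known(/acme-challenge)?/?$", path):
                findings.append("%s: webroot %s points inside .well-known; "
                                "-w must be the site root" % (domain, path))
    return challenge, findings


if __name__ == "__main__":
    for name, sample in (("standalone", SAMPLE_STANDALONE),
                         ("webroot-wrong", SAMPLE_WEBROOT_WRONG)):
        challenge, findings = audit(sample)
        print(name, "->", challenge, findings or "no findings")
```

On a real host, loop over /etc/letsencrypt/renewal/*.conf and feed each file's text to audit(); the returned challenge is the answer to "which challenge type is being used" for that certificate.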

The exact relationship between Certbot authentication plugins and ACME authentication methods is described in our documentation at

https://certbot.eff.org/docs/challenges.html

(Currently no Certbot plugin supports the ALPN-01 challenge, which means that if you're using Certbot you're either going to be using HTTP-01 or DNS-01. Most Certbot users use HTTP-01 almost all of the time unless they're creating a wildcard certificate, but plugins other than webroot won't create a /.well-known/acme-challenge directory in a persistent way that you can see.)

