Certbot using apache and webmin stops working

Hi,

This is some permissions issue, I think.

I was using letsencrypt from the beginning, before certbot auto-renewal scripts or virtualmin plugins for let’sencrypt existed. So I have many cron jobs that renew certificates every month. I have about 20 virtual domains and all certificates are working and renewing great.
But I was unable to renew the main server certificate. Other virtual domains have a directory in /home; I'm using /var/www as the webroot for the main server domain. I have used this method and directory other times and it worked. Now I get the error "The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge"

log:

{
  "identifier": {
    "type": "dns",
    "value": "main-domain.com"
  },
  "status": "invalid",
  "expires": "2017-09-06T07:13:44Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/japXEKgTWc6XnbGeyZkLEbO2S_I_9gWjoHtid7O3IeE/1872220714",
      "token": "e29HaU2qO-7YSLuyRXsKF_525F8cNZSqEtGmcrWcYvk"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/japXEKgTWc6XnbGeyZkLEbO2S_I_9gWjoHtid7O3IeE/1872220715",
      "token": "WJa5f_1O3q4OPOmA8GkxelDBHQEImweg_hhxmUY2oCI"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [hU6Q-TPEBTigTdZ0K666NESb-GFL8wHX_VY9kKbsEH4.wK_76T0ehmur8p__TRUwfcnxjONuLDGDr_zBnbO2tF0] != [\u003ch1\u003eWebsite Disabled\u003c/h1\u003e]",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/japXEKgTWc6XnbGeyZkLEbO2S_I_9gWjoHtid7O3IeE/1872220716",
      "token": "hU6Q-TPEBTigTdZ0K666NESb-GFL8wHX_VY9kKbsEH4",
      "keyAuthorization": "hU6Q-TPEBTigTdZ0K666NESb-GFL8wHX_VY9kKbsEH4.wK_76T0ehmur8p__TRUwfcnxjONuLDGDr_zBnbO2tF0",
      "validationRecord": [
        {
          "url": "http://main-domain.com/.well-known/acme-challenge/hU6Q-TPEBTigTdZ0K666NESb-GFL8wHX_VY9kKbsEH4",
          "hostname": "main-domain.com",
          "port": "80",
          "addressesResolved": [
            "xx.xxx.xxx.xx",
            "xxxx:xxx:xxx:xxxx::xx:xxxx"
          ],
          "addressUsed": "xxxx:xxx:xxx:xxxx::xx:xxxx",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [
    [1],
    [2],
    [0]
  ]
}
2017-08-30 07:13:48,435:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: main-domain.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge [hU6Q-TPEBTigTdZ0K666NESb-GFL8wHX_VY9kKbsEH4.wK_76T0ehmur8p__TRUwfcnxjONuLDGDr_zBnbO2tF0] != [<h1>Website Disabled</h1>]

I have created some text files in the /var/www and /var/www/.well-known/ directories and I can see the files from a browser without problems.

I don't know what to check now…

Thanks

Apparently the server is returning “\u003ch1\u003eWebsite Disabled\u003c/h1\u003e”.

Did you check whether the site looks different in IPv4 and IPv6? Let’s Encrypt will try to connect in IPv6 if possible.

Or, is there some kind of application firewall or other rule that requires that the user-agent string look like a web browser?

Is there a way to disable the IPv6 check? I also think that is the problem.

Thanks

Nope! We have no other way to authenticate that the certificate request is really from the domain owner, so we don't allow people requesting certificates to specify which IP addresses to check.

If the problem is with IPv6, you'll need to fix the routing or remove the AAAA record in order to obtain a certificate (or use a tool that uses the DNS-01 authentication method by updating your DNS zone to prove your control over the domain name, instead of receiving an inbound connection from the Let's Encrypt CA).
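The check suggested in the two replies above (does the challenge URL answer differently over IPv4 and IPv6, and is the body really the key authorization rather than an "Website Disabled" page?) can be reproduced from the server's side. The script below is an added example, not code from the thread or from Certbot: it resolves every A and AAAA record for the name, connects to each address directly with the Host header set (which is what the CA's validator does, so a vhost that only answers the expected way on one address family shows up immediately), fetches /.well-known/acme-challenge/<token> and compares the body with the expected key authorization. The domain, token and key authorization are placeholders; the two loopback fixture servers in the demo stand in for an IPv4 answer that serves the file and an IPv6 answer that serves a 403 "Website Disabled" page, so it runs offline.

```python
"""Per-address HTTP-01 self-check (added example; placeholders, not real values)."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_DIR = "/.well-known/acme-challenge/"


def resolve(domain):
    """Return unique (family_name, address) pairs for all A and AAAA records."""
    seen = []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(domain, 80, type=socket.SOCK_STREAM):
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def check_address(address, port, domain, token, key_authorization, timeout=10):
    """Fetch the challenge file from one specific address, sending Host: <domain>.

    Returns a dict with the HTTP status, a body snippet and whether the body
    equals the key authorization (token.thumbprint) the CA expects.
    """
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_DIR + token,
                     headers={"Host": domain, "User-Agent": "acme-selfcheck (added example)"})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode("utf-8", "replace").strip()
    except OSError as exc:  # connection refused, timeout, no route for that family
        return {"address": address, "status": None, "body": str(exc), "match": False}
    finally:
        conn.close()
    return {"address": address, "status": status, "body": body[:120],
            "match": status == 200 and body == key_authorization}


def check_domain(domain, token, key_authorization, port=80):
    """Run check_address over every resolved address; a mismatch on only one
    family is the IPv4/IPv6 split discussed in the thread."""
    results = []
    for family, address in resolve(domain):
        result = check_address(address, port, domain, token, key_authorization)
        result["family"] = family
        results.append(result)
    return results


class _FixtureHandler(BaseHTTPRequestHandler):
    """Tiny loopback server used only to exercise the check offline."""
    body = b""
    status = 200

    def do_GET(self):
        self.send_response(self.status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fixture_server(body, status=200, bind="127.0.0.1"):
    """Serve a fixed body on an ephemeral loopback port; returns (server, port)."""
    handler = type("Handler", (_FixtureHandler,), {"body": body.encode(), "status": status})
    server = HTTPServer((bind, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Constructed placeholders; a real run would use the token and key
    # authorization from the certbot log and call check_domain(...).
    DOMAIN, TOKEN = "main-domain.com", "EXAMPLE_TOKEN"
    KEY_AUTH = TOKEN + ".EXAMPLE_ACCOUNT_THUMBPRINT"
    ok_srv, ok_port = start_fixture_server(KEY_AUTH + "\n")           # "IPv4" answer
    bad_srv, bad_port = start_fixture_server("<h1>Website Disabled</h1>", 403)  # "IPv6" answer
    for label, port in (("IPv4 stand-in", ok_port), ("IPv6 stand-in", bad_port)):
        r = check_address("127.0.0.1", port, DOMAIN, TOKEN, KEY_AUTH)
        print(f"{label}: status={r['status']} match={r['match']} body={r['body']!r}")
    ok_srv.shutdown()
    bad_srv.shutdown()
```

If one family reports `match=False` with a body like `<h1>Website Disabled</h1>`, the request on that address is being served by a different (or default) vhost than the one whose webroot holds the token file; that is the address family to fix, or, as the reply above says, the AAAA record to drop until the IPv6 vhost is configured.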

Thank you very much for your help. I will fix ipv6 routing and try again.
