Certificate renew fails with unauthorized error

Hello everyone:

I'm having some issues with the renewal of one of my SSL certificates.

When I run "letsencrypt renew" I get an "unauthorized" type error.

As stated in many other posts, I've created a test file in unecta.cl/.well-known/acme-challenge/ that is accessible over http. I tested this with curl:
$ curl -I http://unecta.cl/.well-known/acme-challenge/test

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 05 Jun 2017 20:43:55 GMT
Content-Type: application/octet-stream
Content-Length: 6
Last-Modified: Mon, 05 Jun 2017 19:57:20 GMT
Connection: keep-alive
ETag: "5935b7a0-6"
Accept-Ranges: bytes

When I ran this command:
letsencrypt renew --debug

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/unecta.cl.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unecta.cl
http-01 challenge for www.unecta.cl
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/unecta.cl.conf produced an unexpected error: Failed authorization procedure. www.unecta.cl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.unecta.cl/.well-known/acme-challenge/Kha0V6tOyqg2MrWzPhyHvRuvjzxjSVUdUi9zNx9g4Wk: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", unecta.cl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://unecta.cl/.well-known/acme-challenge/LYxcCYApkq0OR_o3BqsOvwqVbYr7OCnKOuHPNBvksas: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/kausana.cl.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/demo.unecta.cl.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/kausana.cl/fullchain.pem (skipped)
  /etc/letsencrypt/live/demo.unecta.cl/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/unecta.cl/fullchain.pem (failure)
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.unecta.cl
   Type:   unauthorized
   Detail: Invalid response from
   http://www.unecta.cl/.well-known/acme-challenge/Kha0V6tOyqg2MrWzPhyHvRuvjzxjSVUdUi9zNx9g4Wk:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: unecta.cl
   Type:   unauthorized
   Detail: Invalid response from
   http://unecta.cl/.well-known/acme-challenge/LYxcCYApkq0OR_o3BqsOvwqVbYr7OCnKOuHPNBvksas:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My nginx config file looks like this:

    server {
        # Config HTTP

        listen 80;
        server_name unecta.cl www.unecta.cl;

        # With "root", nginx appends the full request URI to this directory,
        # so a challenge is read from
        # /opt/yunta/src/yunta/letsencrypt/unecta.cl/.well-known/acme-challenge/<token>
        location /.well-known {
            root /opt/yunta/src/yunta/letsencrypt/unecta.cl;
            allow all;   # directive was missing its terminating semicolon
        }

        location /static {
            alias /opt/yunta/src/assets;
            expires 5m;
            access_log off;
            add_header Cache-Control "public";
        }

        location /media {
            autoindex on;
            alias /opt/yunta/src/media;
        }

        location / {
            proxy_pass http://127.0.0.1:9010;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
        }
    }

    server {
        # Config HTTPS

        listen 443 ssl;

        server_name unecta.cl www.unecta.cl;

        ssl_certificate /etc/letsencrypt/live/unecta.cl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/unecta.cl/privkey.pem;

        error_log /var/log/nginx/unecta.cl.error.log;
        access_log /var/log/nginx/unecta.cl.access.log;

        location /.well-known {
            root /opt/yunta/src/yunta/letsencrypt/unecta.cl;
            allow all;   # the keyword is lowercase "all"; "ALL" is not accepted by nginx
        }

        location /static {
            alias /opt/yunta/src/assets;
            expires 5m;
            access_log off;
            add_header Cache-Control "public";
        }

        location /media {
            autoindex on;
            alias /opt/yunta/src/media;
        }

        location / {
            proxy_pass http://127.0.0.1:9030;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
        }

        # enable gzip compression
        gzip on;
        gzip_min_length  500;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css image/svg+xml application/javascript;
        gzip_vary on;
        # end gzip configuration

        # Standard security SSL

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
    }

I'm really running out of ideas to try. Any help would be greatly appreciated.

My domain: unecta.cl
My web server is: nginx 1.6.2
The operating system my web server runs on is: Debian 8
My hosting provider: DigitalOcean

Thanks in advance.

Hi @kausana,

Could you please show the content of /etc/letsencrypt/renewal/unecta.cl.conf?

Cheers,
sahsanu

Hi @sahsanu, thanks for your fast response.

Here is the renewal config:

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/unecta.cl/cert.pem
privkey = /etc/letsencrypt/live/unecta.cl/privkey.pem
chain = /etc/letsencrypt/live/unecta.cl/chain.pem
fullchain = /etc/letsencrypt/live/unecta.cl/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = c4c5fc3e0c201106b7352ee0789a6207
webroot_path = /opt/yunta/src/yunta/letsencrypt,
[[webroot_map]]
unecta.cl = /opt/yunta/src/yunta/letsencrypt
www.unecta.cl = /opt/yunta/src/yunta/letsencrypt

This might be helpful: https://www.magwinya.co.za/install-letsencrypt-nginx

@kausana,

You are not using the same document root. In your nginx conf the document root is:

/opt/yunta/src/yunta/letsencrypt/unecta.cl

But the renewal conf says that the document root is:

/opt/yunta/src/yunta/letsencrypt

Either fix the path in your nginx conf or fix the path in the renewal conf file.

I hope this helps,
sahsanu

1 Like
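The mismatch sahsanu describes can be reproduced offline without touching a live server. The script below is an added example, not code from this thread, from certbot or from nginx: it models where certbot's webroot authenticator writes a token (`<webroot_path>/.well-known/acme-challenge/<token>`) and where nginx looks for it under a `root` directive (full URI appended) or an `alias` directive (only the part after the `location` prefix appended), then checks whether the two paths meet. All directories live under a temporary base directory and the token value is constructed; the `letsencrypt/unecta.cl` versus `letsencrypt` pair mirrors the paths quoted above.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or nginx): simulate an http-01
# validation on disk to show why a nginx "root" that differs from certbot's
# webroot_path ends in a 404. Every path is created under a temp directory.

# Where certbot's webroot plugin writes the challenge file.
certbot_challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Where nginx reads it: $1 is "root" or "alias", $2 the directive value,
# $3 the token. With "root" the whole URI is appended; with "alias" on
# "location /.well-known" only "/acme-challenge/<token>" is appended.
nginx_challenge_path() {
    case "$1" in
        root)  printf '%s/.well-known/acme-challenge/%s\n' "$2" "$3" ;;
        alias) printf '%s/acme-challenge/%s\n' "$2" "$3" ;;
        *)     echo "unknown directive: $1" >&2; return 2 ;;
    esac
}

# Simulate one validation: certbot writes the token, nginx tries to read it.
# Returns 0 when nginx would serve the file, 1 when it would answer 404.
simulate_http01() {
    kind=$1; nginx_value=$2; webroot=$3
    token="constructed-token-$$"        # stand-in for a real ACME token
    written=$(certbot_challenge_path "$webroot" "$token")
    served=$(nginx_challenge_path "$kind" "$nginx_value" "$token") || return 2
    mkdir -p "$(dirname "$written")"
    printf '%s.constructed-key-authorization\n' "$token" > "$written"
    if [ -f "$served" ]; then
        echo "OK:  nginx serves $served"
        rm -f "$written"; return 0
    fi
    echo "404: nginx looks in $served"
    echo "     but certbot wrote   $written"
    rm -f "$written"; return 1
}

BASE=$(mktemp -d)

# The thread's setup: nginx root is one level deeper than webroot_path.
simulate_http01 root "$BASE/letsencrypt/unecta.cl" "$BASE/letsencrypt" \
    || echo "     -> this is the mismatch from the renewal conf"

# Fixed: both sides name the same directory.
simulate_http01 root "$BASE/letsencrypt/unecta.cl" "$BASE/letsencrypt/unecta.cl"

# Same fix expressed with alias on location /.well-known.
simulate_http01 alias "$BASE/letsencrypt/unecta.cl/.well-known" "$BASE/letsencrypt/unecta.cl"

rm -rf "$BASE"
```

Running it prints one 404 line for the original pairing and OK lines for the two corrected ones; pointing the first call at the real `root` from nginx and the real `webroot_path` from the renewal conf gives the same check against a live configuration, with the only difference that the test file is then fetched through nginx rather than looked up on disk.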

@sahsanu that was exactly the problem!

Thanks for your awesome help!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.