Cloudflare renewal failing [The client lacks sufficient authorization]

My domain is:
https://debates.discord.cx

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/debates.discord.cx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for debates.discord.cx
http-01 challenge for www.debates.discord.cx
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (debates.discord.cx) from /etc/letsencrypt/renewal/debates.discord.cx.conf produced an unexpected error: Failed authorization procedure. debates.discord.cx (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://debates.discord.cx/.well-known/acme-challenge/94HkcG5LhdwNOuhlxQUVVIKQZTKC8Arvg4xhph6gCyA [2606:4700:30::6812:2454]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", www.debates.discord.cx (http-01): urn:ietf:params:acme:error:tls :: The server experienced a TLS error during domain verification :: Fetching https://www.debates.discord.cx/.well-known/acme-challenge/pMNmx3hUF3mOkdwx0PSr-_SmGJ4bLLSaXSpFt4eE2cs: remote error: tls: handshake failure. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/debates.discord.cx/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/debates.discord.cx/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: debates.discord.cx
   Type:   unauthorized
   Detail: Invalid response from
   https://debates.discord.cx/.well-known/acme-challenge/94HkcG5LhdwNOuhlxQUVVIKQZTKC8Arvg4xhph6gCyA
   [2606:4700:30::6812:2454]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.debates.discord.cx
   Type:   tls
   Detail: Fetching
   https://www.debates.discord.cx/.well-known/acme-challenge/pMNmx3hUF3mOkdwx0PSr-_SmGJ4bLLSaXSpFt4eE2cs:
   remote error: tls: handshake failure

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.

My web server is (include version):

Server version: Apache/2.4.25 (Debian)
Server built:   2019-10-13T15:43:54

The operating system my web server runs on is (include version):

Distributor ID: Debian
Description:    Debian GNU/Linux 9.9 (stretch)
Release:        9.9
Codename:       stretch

My hosting provider, if applicable, is:
Google Cloud Platform

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

My /etc/apache2/sites-available/000-default-le-ssl.conf file:

<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


ServerName debates.discord.cx
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.debates.discord.cx
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/debates.discord.cx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/debates.discord.cx/privkey.pem
Header always set Strict-Transport-Security "max-age=31536000"
SSLUseStapling on
Header always set Content-Security-Policy upgrade-insecure-requests

ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://0.0.0.0:8000/
ProxyPassReverse / http://0.0.0.0:8000/
</VirtualHost>
</IfModule>

Details:
I’m running behind Cloudflare with Full (strict) as the SSL encryption mode.

Command I initially ran before the certificates expired:
sudo certbot --authenticator webroot --installer apache -w /var/www/html/ --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple -d debates.discord.cx,www.debates.discord.cx --email admin@discord.cx

How do I solve this issue?


Hi @daegontaven

Checking your domain, it's not possible to find an error - https://check-your-website.server-daten.de/?q=debates.discord.cx

There are only Cloudflare 526 Origin SSL Certificate errors visible.

Remove Cloudflare and fix your server. Or share your real ip address, so it's possible to test that ip address directly.

Cloudflare should only be activated if you have a working configuration. Not with a wrong config.


Now the problem is visible - checking the ip, using the domain name as hostname - https://check-your-website.server-daten.de/?q=35.190.130.94&h=debates.discord.cx

You use webroot, http is redirected to https, so Cloudflare is used - that can't work if your certificate isn't valid.

It would work if you didn't use Cloudflare; then Let's Encrypt would ignore the expired certificate.

But with Cloudflare -> it can't work.

So you have two options:

  • remove Cloudflare, create a certificate, install it, add Cloudflare
  • use dns validation + --manual, that should always work to create a correct certificate.
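Both replies boil down to the same diagnostic: fetch the challenge URL the way the ACME server does, and fetch it again straight from the origin IP with the public hostname in Host: so the CDN is out of the path. The script below is an added example for this thread (not Certbot, Cloudflare or check-your-website code). It assumes the hostname from the thread and an HTTP-01 webroot on port 80; the origin IP, the token and the sample responses used to exercise it are constructed placeholders.

```python
"""Probe an HTTP-01 challenge URL the way the ACME server would, and say
whether the answer came from the origin or from a proxy/CDN error page.

Added example for this thread, not Certbot or Cloudflare code. The hostname
defaults to the one in the thread; the IP and token are placeholders.
"""
import http.client
import re
import ssl

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# A key authorization is "<token>.<account-key-thumbprint>", both base64url.
KEY_AUTHZ_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def classify_response(status, headers, body):
    """Map one HTTP response to a short verdict string.

    headers: dict of header name -> value (matched case-insensitively).
    body:    decoded response body (str).
    """
    h = {k.lower(): v for k, v in headers.items()}
    via_cdn = "cf-ray" in h or "cloudflare" in h.get("server", "").lower()
    if status in (301, 302, 307, 308):
        # The thread's failure mode: the origin redirects http -> https, so the
        # validation request is pushed through Cloudflare and its TLS policy.
        return "redirect:" + h.get("location", "?")
    if via_cdn and status >= 500:
        # e.g. Cloudflare 526: the edge refused the origin's expired certificate.
        return "cdn-error:%d" % status
    if status == 200 and KEY_AUTHZ_RE.fullmatch(body.strip()):
        return "ok"
    if status == 200:
        # An HTML page where a key authorization should be; exactly what the
        # ACME server reported in the first post.
        return "html-instead-of-token"
    return "unexpected:%d" % status


def probe(hostname, token, ip=None, port=None, use_tls=False):
    """Fetch /.well-known/acme-challenge/<token> and classify the answer.

    Passing ip= connects to the origin directly while still sending the
    public hostname in Host:, the same trick the second reply uses with
    check-your-website (?q=<ip>&h=<hostname>). It bypasses the CDN entirely.
    """
    target = ip or hostname
    port = port or (443 if use_tls else 80)
    if use_tls:
        # Diagnostic only: we want to see what the origin serves even while its
        # certificate is expired, so verification is off for this one probe.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(target, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(target, port, timeout=10)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify_response(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "debates.discord.cx"
    # A made-up token is fine: a healthy webroot answers a plain 404 for it,
    # never an HTML 200 page or a CDN 5xx.
    print("via public DNS  :", probe(host, "probe-token"))
    if len(sys.argv) > 2:  # optional origin IP, e.g. from the hosting console
        print("direct to origin:", probe(host, "probe-token", ip=sys.argv[2]))
```

Run it as `python3 probe.py debates.discord.cx <origin-ip>`: a `redirect:https://...` verdict on the public path confirms the redirect-through-Cloudflare problem the second reply describes, while a `cdn-error:526` or `html-instead-of-token` verdict means the CDN, not Apache, is answering the ACME server. The same token fetched directly from the origin should give `unexpected:404` (webroot reachable, file simply absent), which is the state to have before switching the proxy back on.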

Thank you, the manual verification worked!

