Error (Failed authorization procedure.) running certbot --apache

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gul.ph

I ran this command: certbot --apache -d gul.ph -d www.gul.ph

It produced this output:

My web server is (include version): Fedora 25

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: dot.ph

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The two names resolve to the same IP and there is no IPv6 involved.
So that is a good simple start.

If you can, please rerun the command with “--verbose” and show the extra output.
In the meantime I will see what I can from the Internets’ point of view.

tls-sni-01 uses port 443.
Only port 80 is connecting to that IP.
The “--apache” parameter requires port 443.

Also show the output of:
certbot --version

Also have a look at: https://certbot.eff.org/all-instructions/#fedora-24-apache
(If that is not what is already installed)

Also have a look at:
Combining plugins
certbot run -a webroot -i apache -w /var/www/html -d example.com
As that may get you going and out of the “chicken and egg” problem with the “need 443, but don’t have 443” you seem to be in.

Thank you for replying.
How can I set/let port 443 to be used by tls-sni-01?
The version of certbot is 0.12.0.

To enable 443, your site would need to be using TLS(SSL).
You may be able to use the snakeoil test certs generally loaded with Apache.
If this is your first time enabling TLS(SSL) on a site, we should just go about that in a more automated direction.

0.12.0 is not that old, not sure if it is the latest.
Can you try the Fedora-Apache recommended installation method?
It should just update the current certbot (if needed).

Or you could try “certbot-auto”:
mkdir /where/you/want/it/
cd /where/you/want/it/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo ./certbot-auto --apache -d gul.ph -d www.gul.ph

That's not necessary for the tls-sni-01 challenge. It uses custom temporary certificates served through either an existing webserver (apache or nginx plugin) or a temporary Python server (standalone plugin) running on port 443.

This error is probably caused by a firewall issue.

1 Like

Indeed, it’s something of a myth that you have to have an existing HTTPS site in order to use Certbot’s --apache or --nginx options. They’re quite willing to configure your server to listen on port 443 even if it didn’t previously do so. I agree with the suggestion of a firewall issue here.

1 Like

Thank you. How can I know that it is a firewall issue? If so, how can I modify my firewall?
Thank you so much.

Is it the firewall from my ISP you are pertaining to?

Could be. Perhaps one running on your server. Without a functional crystal ball I can't determine that, so that's up to you 😉

What are the ways to know if I have a firewall running on my server?
I have run systemctl status firewalld and I have seen active (running).
How can I enable my firewall to accept the certbot challenge?
Thank you. 🙂
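Added example, not part of the thread or of Certbot: one way to check whether firewalld, which the poster found active, is what blocks the ports the challenges above use (443 for tls-sni-01, 80 for webroot). The function names and the sample zone listing are constructed for illustration; on the server the input would be the text printed by `firewall-cmd --list-all`.

```shell
#!/bin/sh
# Report which web services firewalld is not allowing, given the text
# printed by `firewall-cmd --list-all`. Helper names are hypothetical.

# missing_web_services ZONE_TEXT
# Prints "http" and/or "https" for each service that is neither listed under
# "services:" nor opened as 80/tcp or 443/tcp under "ports:".
# Port ranges such as 80-443/tcp are not expanded by this check.
missing_web_services() {
    zone_text=$1
    services=$(printf '%s\n' "$zone_text" |
        sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    ports=$(printf '%s\n' "$zone_text" |
        sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    missing=""
    for pair in http:80 https:443; do
        svc=${pair%%:*}
        port=${pair##*:}
        case " $services " in *" $svc "*) continue ;; esac
        case " $ports " in *" $port/tcp "*) continue ;; esac
        missing="${missing:+$missing }$svc"
    done
    printf '%s\n' "$missing"
}

# fix_commands "SERVICES"
# Prints (does not run) the firewall-cmd commands that open those services.
fix_commands() {
    for svc in $1; do
        printf 'firewall-cmd --permanent --add-service=%s\n' "$svc"
    done
    if [ -n "$1" ]; then
        printf 'firewall-cmd --reload\n'
    fi
}

# Constructed sample of `firewall-cmd --list-all` output (not from the thread).
SAMPLE='FedoraServer (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client http
  ports:
  source-ports:'

# On the server itself: missing=$(missing_web_services "$(firewall-cmd --list-all)")
missing=$(missing_web_services "$SAMPLE")
echo "not allowed through firewalld: ${missing:-none}"
fix_commands "$missing"
```

If this reports nothing missing and the challenge still fails, the block is upstream of the server (router, hosting provider or ISP), which firewalld cannot show.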

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.