Error for renewing certbot

I appreciate your help in advance.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.medvoice.ca

I ran this command: sudo certbot renew --dry-run

It produced this output:

Attempting to renew cert (medvoice.ca) from /etc/letsencrypt/renewal/medvoice.ca.conf produced an unexpected error: Failed authorization procedure. medvoice.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.medvoice.ca/.well-known/acme-challenge/RKnLGNhQdNyq6qx1z1pzsxEFNccqfCUDjVkAcQWxJP0 [35.183.161.179]: "\n<html lang=“en”>\n \n <meta charset=“utf-8”>\n <meta name=“viewport” content=“width=device-w”. Skipping.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: medvoice.ca
    Type: unauthorized
    Detail: Invalid response from
    https://www.medvoice.ca/.well-known/acme-challenge/RKnLGNhQdNyq6qx1z1pzsxEFNccqfCUDjVkAcQWxJP0
    [35.183.161.179]: "\n<html lang=“en”>\n

    \n \n <meta name=\"viewport\" content=\"width=device-w"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Can you provide the full output of Certbot? We can’t see what authenticator it is using from just the error.

Alternatively, please post the contents of:

/etc/letsencrypt/renewal/medvoice.ca.conf

If it’s the Apache authenticator, I would really like to get some more details because people keep having an error like this and helpful forum participants keep successfully getting the users to switch over to the webroot authenticator (with no opportunity for us to figure out why the Apache authenticator fails this way!).

The server’s running nginx in this case 😛


Heh! Well, it seems like this situation is less common with the Certbot nginx authenticator, but still…

Is it secure if I put the content of the file here? Does this file include private data?

No, there is no sensitive information in there. You can obscure the account ID from it, if you want.

This is the content of /etc/letsencrypt/renewal/medvoice.ca.conf: [image]

I don’t think medvoice.ca is using the Nginx server.

medvoice.ca is using Amazon CloudFront and the Server header says the backend is running on S3. And it’s using a valid ACM certificate, not a Let’s Encrypt certificate.

www.medvoice.ca has an EC2 IP address.


Nice catch!

So when the redirect is occurring from http://medvoice.ca/.well-known/… to https://www.medvoice.ca/.well-known/… , nginx isn’t producing the challenge response, because it only writes the challenge response rule to the port 80 virtualhost …

Incidentally, fixing that would also fix https://github.com/certbot/certbot/issues/7275

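To illustrate the failure mode _az describes (the ACME challenge is only answered on port 80, while the http-to-https redirect lands on port 443), here is an added nginx example; it is not the thread's own configuration or anything Certbot generated. It assumes the webroot authenticator (`certbot certonly --webroot -w /var/www/letsencrypt -d www.example.com`), the placeholder names example.com / www.example.com, and hypothetical paths.

```nginx
# WEAK FORM: the ACME location exists only in the port-80 server block.
# The validator requests http://example.com/.well-known/acme-challenge/TOKEN,
# follows the 301 to https://www.example.com/..., and reaches the 443 block,
# which has no ACME location and answers with the site's HTML. That is the
# "<html lang=..." body quoted in the "Invalid response" error above.
server {
    listen 80;
    server_name example.com www.example.com;
    location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://www.example.com$request_uri; }
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    location / { root /var/www/html; }   # the redirected challenge ends up here
}

# CORRECTED FORM: serve the same webroot from both listeners, so the token is
# returned wherever the validator's request (or its redirect) lands. The ^~
# prefix match keeps regex locations (e.g. for static assets) from capturing
# the challenge path. Renewals then use authenticator = webroot in the
# renewal conf with webroot_path = /var/www/letsencrypt.
server {
    listen 80;
    server_name example.com www.example.com;
    location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://www.example.com$request_uri; }
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    # Same webroot here: a validator redirected to https still gets the token.
    location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { root /var/www/html; }
}
```

In this thread the apex name is answered by CloudFront/S3 rather than by this nginx host, so the 443 location only helps if CloudFront's redirect lands on the nginx server, which is the situation _az points out.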

True, I think we used CloudFront to direct www to non-www.

Since you do not need the medvoice.ca SSL certificate on your nginx server (because Cloudfront/ACM cover it for you), you could just redefine the certificate to only include www.medvoice.ca.

certbot --nginx --cert-name medvoice.ca -d www.medvoice.ca

Thanks _az and mnordhoff for your help. That solved the issue. I appreciate your help.
