😕 Error renew expired Certificate -> the client lacks sufficient authorization

Hello guys!!! I have a problem: I installed the certificate some months ago, yesterday it expired and the cron job doesn't work. So the certificate expired. I installed the certificate using this tutorial:


Now I'm trying to renew the certificate using “sudo certbot renew” but it's not working.
Sorry for my English, I am from Argentina.
Thanks so much, Pablo.

My domain is: www.laveleria.com.ar

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/laveleria.com.ar.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for laveleria.com.ar
http-01 challenge for www.laveleria.com.ar
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (laveleria.com.ar) from /etc/letsencrypt/renewal/laveleria.com.ar.conf produced an unexpected error: Failed authorization procedure. www.laveleria.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.laveleria.com.ar/.well-known/acme-challenge/U7iDT-5G03R6SnKlnaTIqexagKBNNYJtxrnSmT_m7Tg [2606:4700:3037::6818:7006]: "\n\n<!–[if IE 7]> <html class="no-js ", laveleria.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://laveleria.com.ar/.well-known/acme-challenge/OWgPzZ34NknVU2PLQtABMNj77mWBtytp44mnxqnP66s [2606:4700:3037::6818:7006]: "\n\n<!–[if IE 7]> <html class="no-js ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/laveleria.com.ar/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/laveleria.com.ar/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Digital Ocean, apache, wordpress

The operating system my web server runs on is (include version): Digital Ocean, apache, wordpress

My hosting provider, if applicable, is: Digital Ocean, apache, wordpress

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.

1 Like

Hi @cmlaplata

checking your domain that can't work - https://check-your-website.server-daten.de/?q=laveleria.com.ar

You use Cloudflare, so http is redirected to https, so the Apache authenticator can't work.

And your certificate is expired, so Cloudflare can't connect to your webserver.

  • Use the Cloudflare integrated solution
  • Remove that Cloudflare proxy, create a certificate, add Cloudflare, then switch to webroot.

https://certbot.eff.org/docs/using.html

2 Likes
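An added example, not part of any post in this thread and not Certbot's own code: it parses the "Failed authorization procedure" message from the question and reports, per domain, whether the validation request was answered from a Cloudflare address and whether the body was HTML instead of the challenge token. The function and field names are hypothetical, and the single Cloudflare prefix is an assumption standing in for Cloudflare's full published list.

```python
import ipaddress
import re

# One prefix from Cloudflare's published IPv6 ranges. Assumption: the full
# list is longer and changes over time, so refresh it before relying on this.
CLOUDFLARE_NETS = [ipaddress.ip_network("2606:4700::/32")]

# Matches one per-domain failure inside Certbot's error message.
FAILURE_RE = re.compile(
    r"(?P<domain>[\w.-]+) \(http-01\): urn:ietf:params:acme:error:(?P<error>\w+)"
    r" :: .*? :: Invalid response from (?P<url>http://\S+)"
    r' \[(?P<ip>[0-9A-Fa-f:.]+)\]: "(?P<body>[^"]*)'
)

# Sample input: the error line from the question above.
SAMPLE = (
    r'Failed authorization procedure. www.laveleria.com.ar (http-01): '
    r'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient '
    r'authorization :: Invalid response from http://www.laveleria.com.ar/'
    r'.well-known/acme-challenge/U7iDT-5G03R6SnKlnaTIqexagKBNNYJtxrnSmT_m7Tg '
    r'[2606:4700:3037::6818:7006]: "\n\n<!–[if IE 7]> <html class="no-js ", '
    r'laveleria.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: '
    r'The client lacks sufficient authorization :: Invalid response from '
    r'http://laveleria.com.ar/.well-known/acme-challenge/'
    r'OWgPzZ34NknVU2PLQtABMNj77mWBtytp44mnxqnP66s '
    r'[2606:4700:3037::6818:7006]: "\n\n<!–[if IE 7]> <html class="no-js ". Skipping.'
)

def diagnose(log_text):
    """Return one finding per failed http-01 challenge in Certbot output."""
    findings = []
    for m in FAILURE_RE.finditer(log_text):
        token = m["url"].rsplit("/", 1)[-1]       # last path segment
        ip = ipaddress.ip_address(m["ip"])        # address the CA connected to
        # Certbot prints newlines in the body as a literal backslash + "n".
        body = m["body"].replace("\\n", "").strip()
        findings.append({
            "domain": m["domain"],
            "error": m["error"],
            "token": token,
            "behind_cloudflare": any(ip in net for net in CLOUDFLARE_NETS),
            "got_html": body.startswith("<"),     # a web page, not a challenge file
            "got_token": body.startswith(token),  # valid bodies start "<token>."
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A finding with `behind_cloudflare` and `got_html` both true means the CA reached the proxy and received a site page rather than the challenge file served from the origin.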

Hmmmm, but the Apache authenticator in Certbot correctly supports HTTP-01 challenges since the deprecation of the old TLS-SNI-01 method. They can also be valid when HTTP is redirected to HTTPS, although there might be situations in which this doesn't work.

I think your advice may be correct but it's still not clear that this should inherently fail to work.

@cmlaplata, if you intend to keep using Cloudflare, you can also consider the option of using the Cloudflare origin certificate, which would eliminate the need for a Let's Encrypt certificate.

2 Likes

So first I need to remove the Let's Encrypt certificate? Oh, I feel these things are so difficult.

First of all, thanks!! When you say a solution may be to use the Cloudflare integrated solution or the Cloudflare origin certificate, is it this? Image here from Cloudflare: https://i.imgur.com/8XjstOB.jpg
I found that. If I configure that, will my website work again?

It may be a good option instead of the Let’s Encrypt certificate.

Another possibility, if you want another option, would be to update your version of Certbot (0.31 is quite outdated).

Thanks! I don't know if you answered in Spanish or the website translated the answer, hahaha.
First I'm going to try turning off Cloudflare, redirecting the DNS to Digital Ocean, and trying to renew the certificate. If that does not work, I'm going to try to install the Cloudflare origin server certificate!

1 Like
