Error: unauthorized; Detail: invalid response

Hi all,

certbot cannot renew a certificate using the webroot option due to an unauthorized error. The webroot is /usr/www/letsencrypt.

I tried using option 1 (Spin up temporary webserver: standalone) but it produced a similar error (see output below).

My domain is: git.sky-echo.space

I ran this command: ./certbot-auto certonly -d git.sky-echo.space -d sky-echo.space

(Oddly, running “./certbot-auto certonly -d git.sky-echo.space” worked just fine, but https did not show in the browser, so I tried to expand the list of domains using the command above.)

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/git.sky-echo.space.conf)

It contains these names: git.sky-echo.space

You requested these names for the new certificate: git.sky-echo.space,
sky-echo.space.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sky-echo.space
Waiting for verification…
Challenge failed for domain sky-echo.space
http-01 challenge for sky-echo.space
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sky-echo.space
    Type: unauthorized
    Detail: Invalid response from
    http://sky-echo.space/.well-known/acme-challenge/INbsmdLJ_EdVAjnYGrwsAs6IdIG7zzLZuMhkqzyUBQ0
    [217.70.184.38]: "\n<html class=\"no-js\" lang=en>\n

    \n \n <meta name=\"viewport\" content=\"width=device"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @igryski

checking both domains with nslookup:

D:\temp>nslookup git.sky-echo.space.

Name: git.sky-echo.space
Address: 34.240.205.81

D:\temp>nslookup sky-echo.space.

Name: sky-echo.space
Address: 217.70.184.38

Different IP addresses. So if every IP address has its own machine, you can’t use that command and http validation to create one certificate with both domain names.

PS: Ok, very tricky (with a redirect and webroot) it’s possible. But I don’t think this is your setup.

-> create one certificate per domain name.

1 Like
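The nslookup check above is the decisive one for HTTP-01: every name in a single order must be answered by the host where certbot runs. The following is an added example (not from this thread and not part of certbot) that automates that check. It resolves the requested names, groups them by the address set they resolve to, and only reports "one host" when all names share the same non-empty address set. The `SAMPLE` mapping is constructed from the two addresses quoted in the post above; `resolve_ipv4`, `group_by_address` and `http01_plan` are names chosen for this example.

```python
import socket
from collections import defaultdict


def resolve_ipv4(name):
    """Live A-record lookup for name (needs network). Returns a set of IPv4
    strings; an empty set means the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def group_by_address(resolved):
    """Group names by the exact address set they resolve to.
    resolved maps name -> set of IPv4 strings; returns {frozenset(ips): [names]}.
    Names are visited in sorted order so the report is deterministic."""
    groups = defaultdict(list)
    for name in sorted(resolved):
        groups[frozenset(resolved[name])].append(name)
    return dict(groups)


def http01_plan(resolved):
    """Return (single_host_ok, report) for a planned multi-name HTTP-01 order.

    single_host_ok is True only when every name resolves to the same non-empty
    address set, i.e. one standalone or webroot run on that host can answer
    every challenge. Otherwise the report lists which names live where, so the
    operator can split the order into one certificate per host."""
    groups = group_by_address(resolved)
    report = []
    for ips, names in groups.items():
        if not ips:
            report.append(f"no A record: {', '.join(names)} (HTTP-01 cannot succeed)")
        else:
            report.append(f"{'/'.join(sorted(ips))}: {', '.join(names)}")
    single_host_ok = len(groups) == 1 and frozenset() not in groups
    if not single_host_ok:
        report.append("names are served by different hosts: issue one certificate per host")
    return single_host_ok, report


# Constructed input mirroring the two addresses quoted in the thread above.
SAMPLE = {
    "git.sky-echo.space": {"34.240.205.81"},
    "sky-echo.space": {"217.70.184.38"},
}


if __name__ == "__main__":
    import sys
    names = sys.argv[1:]
    # With names on the command line the check is live; without, the sample is used.
    resolved = {n: resolve_ipv4(n) for n in names} if names else SAMPLE
    ok, report = http01_plan(resolved)
    print("\n".join(report))
    print("OK: one host can validate every name" if ok else "NOT OK: split the order")
```

Run it before `certbot certonly` with the same `-d` list you intend to pass; a "NOT OK" result means at least one challenge will be answered by a host that has no token for it, which is exactly the "unauthorized / Invalid response" failure shown in the first post.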

Thanks for the DNS check, indeed the only correct IP is supposed to be the first one: 34.240.205.81 (IP of the machine). I don’t see where the second IP address came from. It is an AWS instance, and DNS is coupled as a subdomain from Gandi (DNS provider).

I tried to run certificate request for the second domain name (-d sky-echo.space), but got this error now:

./certbot-auto certonly -d sky-echo.space --dry-run
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sky-echo.space
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

So the status now is:

  1. the certificate for domain git.sky-echo.space was issued successfully, but it is not showing
  2. I tried to fix it by requesting the certificate for domain sky-echo.space, but it cannot be issued due to the port 80 error.

Any clue where to go from here?

1 Like

You must run that command on the 217.* ip address.

What’s the command you have used? Certonly doesn’t install a certificate; at minimum a server restart is required.

Checking https://check-your-website.server-daten.de/?q=sky-echo.space - looks like a parking page.

Visible Content: This domain name has been registered with Gandi.net View the WHOIS data for sky-echo.space to see the domain’s public registration information. sky-echo.space is registered Want your own domain name? Learn more about the domain name extensions we manage Find a domain name similar to sky-echo.space Gandi.net Register Domain Names Transfer Domain Names SSL Certificates Web Hosting Cloud News Help

You need a working webserver.

Read

then

1 Like

I used this command to generate certificate for git.sky-echo.space, below is the output as well:

./certbot-auto certonly -d git.sky-echo.space
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for git.sky-echo.space
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/git.sky-echo.space/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/git.sky-echo.space/privkey.pem
    Your cert will expire on 2020-04-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Maybe simply a hard machine reboot is needed in order for the certificate to show in the browser? I usually restart the gitlab services with this command (but it does not activate the SSL certificate now):

sudo gitlab-ctl restart
ok: run: alertmanager: (pid 3310) 1s
ok: run: crond: (pid 3317) 0s
ok: run: gitaly: (pid 3328) 1s
ok: run: gitlab-monitor: (pid 3333) 0s
ok: run: gitlab-workhorse: (pid 3340) 0s
ok: run: logrotate: (pid 3352) 1s
ok: run: nginx: (pid 3359) 1s
ok: run: node-exporter: (pid 3366) 0s
ok: run: postgres-exporter: (pid 3408) 1s
ok: run: postgresql: (pid 3523) 0s
ok: run: prometheus: (pid 3526) 0s
ok: run: redis: (pid 3532) 0s
ok: run: redis-exporter: (pid 3537) 0s
ok: run: sidekiq: (pid 3557) 0s
ok: run: unicorn: (pid 3574) 1s

The second domain with a different IP address (sky-echo.space) is a DNS entry from Gandi, without a working webserver on our side. Perhaps this domain doesn’t have to have a working SSL certificate? Our goal is just to have a working SSL certificate on the git.sky-echo.space domain.

There is a nginx and a Bad Gateway error - https://check-your-website.server-daten.de/?q=git.sky-echo.space

The nginx has the expired certificate:

CN=git.sky-echo.space
25.09.2019
24.12.2019
12 days expired, git.sky-echo.space - 1 entry

What says

nginx -T
certbot-auto certificates
1 Like
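The observation above (certbot has a fresh certificate on disk while nginx still serves the expired one) is the usual "certonly succeeded but the browser shows nothing" situation. The following is an added example, not from this thread and not part of certbot or Bitnami, that makes that gap visible: it fingerprints the leaf certificate of a PEM file such as fullchain.pem, fingerprints the certificate a server actually sends, and reports a mismatch or an expiry. `SAMPLE_PEM` is a constructed blob (not a real certificate) used only to exercise the fingerprinting; `first_pem_cert`, `fingerprint_der`, `fingerprint_pem`, `days_until`, `diagnose` and `fetch_served` are names chosen for this example.

```python
import base64
import hashlib
import socket
import ssl
import time

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_cert(text):
    """Return the first certificate block of a PEM file. fullchain.pem holds the
    leaf first, followed by the intermediates, so the first block is the one
    the server should be presenting for its own name."""
    start = text.index(PEM_BEGIN)
    end = text.index(PEM_END, start) + len(PEM_END)
    return text[start:end]


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint of a DER certificate as colon-separated upper hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(text):
    """Fingerprint of the leaf certificate in a PEM file."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first_pem_cert(text)))


def days_until(not_after, now_ts=None):
    """Days until an OpenSSL-style notAfter such as 'Apr  4 18:03:57 2020 GMT'
    (the format getpeercert() returns); negative means already expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return (expiry - now_ts) / 86400


def diagnose(served_fp, disk_fp, verify_error=None):
    """Compare what the server sends with what certbot wrote to disk."""
    if served_fp != disk_fp:
        return "MISMATCH: server is not serving the certificate on disk; reload the web server with the new files"
    if verify_error:
        return f"MATCH but verification failed: {verify_error}"
    return "OK: served certificate matches disk and verifies"


def fetch_served(host, port=443):
    """TLS handshake with SNI=host (needs network).
    Returns (leaf_der, not_after_or_None, verify_error_or_None). A verified
    handshake is tried first because only then does getpeercert() expose
    notAfter; if verification fails (expired, wrong name) an unverified
    handshake still retrieves the served leaf so it can be fingerprinted."""
    verified = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with verified.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"], None
    except ssl.SSLCertVerificationError as err:
        verify_error = str(err)
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE  # diagnostic only: we want the cert as served
    with socket.create_connection((host, port), timeout=10) as sock:
        with unverified.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), None, verify_error


# Constructed PEM-shaped sample for offline exercise; the payload is not a certificate.
SAMPLE_PEM = (
    PEM_BEGIN + "\n"
    + base64.encodebytes(b"constructed payload, not a real certificate").decode()
    + PEM_END + "\n"
)


if __name__ == "__main__":
    import sys
    # usage: python check_served.py git.sky-echo.space /etc/letsencrypt/live/git.sky-echo.space/fullchain.pem
    host, disk_path = sys.argv[1], sys.argv[2]
    der, not_after, verify_error = fetch_served(host)
    with open(disk_path) as f:
        disk_fp = fingerprint_pem(f.read())
    print(diagnose(fingerprint_der(der), disk_fp, verify_error))
    if not_after:
        print(f"served certificate expires in {days_until(not_after):.1f} days")
```

A MISMATCH result means the files certbot reported are fine and the remaining work is on the web server side: it must be pointed at the new files (or reloaded if it already is), which is what the restart advice in this thread is about.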

Yeap, nginx could be the problem. Unfortunately, the machine runs a Bitnami Gitlab image, where nginx is bundled in a stack of Bitnami services. Here is their description of activating a letsencrypt certificate, where all Bitnami services need to be restarted (including nginx) after the certificate has been created:
https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

I reset the nginx using:
sudo /opt/bitnami/ctlscript.sh stop nginx
sudo /opt/bitnami/ctlscript.sh start nginx

But no luck. The nginx command is not available, neither as user nor as root.

./certbot-auto certificates says this:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: git.sky-echo.space
Domains: git.sky-echo.space
Expiry Date: 2020-04-04 18:03:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/git.sky-echo.space/fullchain.pem
Private Key Path: /etc/letsencrypt/live/git.sky-echo.space/privkey.pem


1 Like

You have installed the certificate. So do that again.

1 Like

You mean to restart Bitnami services (including nginx)? I did it, but no luck with showing SSL certificate in the browser :grimacing:
