Error when renewing certificate on CWP

I received a notice that my SSL certificates were going to expire. I tried to renew them in CWP, but I am getting the following error message:

Failed authorization procedure. bettysantlermix.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bettysantlermix.com/.well-known/acme-challenge/_2fTBt7iu1vld50MKKy7_n6Khj7P25MRxxXhOg6m9YM: "

It looks like LE is unable to generate the file. I created a .well-known/acme-challenge/test.html file and I’m able to view it in my browser. I set the permissions to 755 for both the .well-known and acme-challenge folders.

Any idea what else I need to do to allow the LE script to do what it needs to do?

Please fill out the fields below so we can help you better.

I ran this command:
Install Letsencrypt for Account/Main Domain

It produced this output:
Failed authorization procedure. bettysantlermix.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bettysantlermix.com/.well-known/acme-challenge/_2fTBt7iu1vld50MKKy7_n6Khj7P25MRxxXhOg6m9YM: "

My web server is (include version):
Apache 2.4.27

The operating system my web server runs on is (include version):
CentOS Linux release 7.3.1611 (Core)

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, CWP7

Hi @pmc2010,

It looks to me like the trouble is that your web server is configured differently in IPv4 and IPv6. It answers connections on the advertised addresses 45.79.90.138 and 2600:3c01::f03c:91ff:fec8:65d9, but it returns a web application for the IPv4 address and an “It works” dummy site for the IPv6 address.

Let’s Encrypt is validating on IPv6 in preference to IPv4 so it’s probably encountering the dummy site, while your browser is showing you the IPv4 version of the site.

If you can configure your web server to work properly in response to IPv6 requests, the renewal should go ahead without trouble. You could also temporarily disable your IPv6 address in DNS just for the duration of the renewal if you’re finding it challenging to figure out how to configure the server to answer in IPv6 and need the certificate renewed right away.
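The check described in the reply above, as an added example that is not part of the original thread: it requests the same challenge URL once over IPv4 and once over IPv6 and compares each body with the key authorization the ACME client wrote. The function names and the sample values are constructed for illustration; `curl -4` and `curl -6` force the address family.

```shell
#!/bin/sh
# Added example: does the HTTP-01 challenge file come back the same over IPv4 and IPv6?

# Constructed sample values (not taken from a real order).
SAMPLE_KEYAUTH='exampletoken.examplethumbprint'
SAMPLE_DUMMY_BODY='<html><body><h1>It works!</h1></body></html>'

# Fetch a URL over one address family ($1 is 4 or 6). Prints the body;
# prints nothing on a connection failure or an HTTP error status.
fetch_family() {
    curl "-$1" -L --silent --fail --max-time 10 "$2" 2>/dev/null || true
}

# Classify one response body ($2) against the expected key authorization ($1).
classify() {
    if [ -z "$2" ]; then
        echo "no-response"
    elif [ "$2" = "$1" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# $1 = expected key authorization, $2 = IPv4 body, $3 = IPv6 body.
diagnose() {
    echo "ipv4=$(classify "$1" "$2") ipv6=$(classify "$1" "$3")"
}

# Usage: sh check.sh <domain> <token> <key-authorization>
# Only runs the network check when all three arguments are given.
if [ "$#" -eq 3 ]; then
    url="http://$1/.well-known/acme-challenge/$2"
    # Command substitution strips the trailing newline, so the bodies
    # compare cleanly against the key authorization string.
    diagnose "$3" "$(fetch_family 4 "$url")" "$(fetch_family 6 "$url")"
fi
```

A result of `ipv4=match ipv6=mismatch` is the situation described in the reply: the browser test over IPv4 succeeds while a validator that connects over IPv6 gets a different site.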

I’m not sure that is the issue. The problem seems to be that the token file is not being created. Here is the debug output from using .acme.sh from the command line:

[root@li1189-138 .acme.sh]# ./acme.sh --issue -d bettysantlermix.com -w /home/bpearce/public_html --debug
[Sun Jul 30 00:02:01 PDT 2017] Lets find script dir.
[Sun Jul 30 00:02:01 PDT 2017] SCRIPT=’./acme.sh’
[Sun Jul 30 00:02:01 PDT 2017] _script=’/root/.acme.sh/acme.sh’
[Sun Jul 30 00:02:01 PDT 2017] _script_home=’/root/.acme.sh’
[Sun Jul 30 00:02:01 PDT 2017] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.6.9
[Sun Jul 30 00:02:01 PDT 2017] Using api:
[Sun Jul 30 00:02:01 PDT 2017] Using config home:/root/.acme.sh
[Sun Jul 30 00:02:01 PDT 2017] DOMAIN_PATH=’/root/.acme.sh/bettysantlermix.com’
[Sun Jul 30 00:02:01 PDT 2017] Le_NextRenewTime
[Sun Jul 30 00:02:01 PDT 2017] _on_before_issue
[Sun Jul 30 00:02:01 PDT 2017] Le_LocalAddress
[Sun Jul 30 00:02:01 PDT 2017] Check for domain=‘bettysantlermix.com
[Sun Jul 30 00:02:01 PDT 2017] _currentRoot=’/home/bpearce/public_html’
[Sun Jul 30 00:02:01 PDT 2017] _saved_account_key_hash is not changed, skip register account.
[Sun Jul 30 00:02:01 PDT 2017] Read key length:
[Sun Jul 30 00:02:01 PDT 2017] _createcsr
[Sun Jul 30 00:02:01 PDT 2017] Single domain=‘bettysantlermix.com
[Sun Jul 30 00:02:01 PDT 2017] Getting domain auth token for each domain
[Sun Jul 30 00:02:01 PDT 2017] Getting webroot for domain=‘bettysantlermix.com
[Sun Jul 30 00:02:01 PDT 2017] _w=’/home/bpearce/public_html’
[Sun Jul 30 00:02:01 PDT 2017] _currentRoot=’/home/bpearce/public_html’
[Sun Jul 30 00:02:01 PDT 2017] Getting new-authz for domain=‘bettysantlermix.com
[Sun Jul 30 00:02:01 PDT 2017] Try new-authz for the 0 time.
[Sun Jul 30 00:02:01 PDT 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/new-authz
[Sun Jul 30 00:02:01 PDT 2017] payload=’{“resource”: “new-authz”, “identifier”: {“type”: “dns”, “value”: “bettysantlermix.com”}}’
[Sun Jul 30 00:02:01 PDT 2017] RSA key
[Sun Jul 30 00:02:01 PDT 2017] GET
[Sun Jul 30 00:02:01 PDT 2017] url=‘https://acme-v01.api.letsencrypt.org/directory
[Sun Jul 30 00:02:01 PDT 2017] timeout
[Sun Jul 30 00:02:01 PDT 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun Jul 30 00:02:01 PDT 2017] ret=‘0’
[Sun Jul 30 00:02:02 PDT 2017] POST
[Sun Jul 30 00:02:02 PDT 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/new-authz
[Sun Jul 30 00:02:02 PDT 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun Jul 30 00:02:02 PDT 2017] _ret=‘0’
[Sun Jul 30 00:02:02 PDT 2017] code=‘201’
[Sun Jul 30 00:02:02 PDT 2017] The new-authz request is ok.

[Sun Jul 30 00:02:02 PDT 2017] entry=’“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982",“token”:"rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A”’
[Sun Jul 30 00:02:02 PDT 2017] token=‘rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A’
[Sun Jul 30 00:02:02 PDT 2017] uri=‘https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982
[Sun Jul 30 00:02:02 PDT 2017] keyauthorization=‘rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A.1i0hOvv1TEjqv4Z6xFimwvIYZdFYAvCSGnUu9yeOgKE’
[Sun Jul 30 00:02:02 PDT 2017] dvlist=‘bettysantlermix.com#rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A.1i0hOvv1TEjqv4Z6xFimwvIYZdFYAvCSGnUu9yeOgKE#https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982#http-01#/home/bpearce/public_html’
[Sun Jul 30 00:02:02 PDT 2017] vlist=‘bettysantlermix.com#rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A.1i0hOvv1TEjqv4Z6xFimwvIYZdFYAvCSGnUu9yeOgKE#https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982#http-01#/home/bpearce/public_html,’
[Sun Jul 30 00:02:02 PDT 2017] ok, let’s start to verify
[Sun Jul 30 00:02:02 PDT 2017] Verifying:bettysantlermix.com
[Sun Jul 30 00:02:02 PDT 2017] d=‘bettysantlermix.com
[Sun Jul 30 00:02:02 PDT 2017] keyauthorization=‘rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A.1i0hOvv1TEjqv4Z6xFimwvIYZdFYAvCSGnUu9yeOgKE’
[Sun Jul 30 00:02:02 PDT 2017] uri=‘https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982
[Sun Jul 30 00:02:02 PDT 2017] _currentRoot=’/home/bpearce/public_html’
[Sun Jul 30 00:02:02 PDT 2017] wellknown_path=’/home/bpearce/public_html/.well-known/acme-challenge’
[Sun Jul 30 00:02:02 PDT 2017] writing token:rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A to /home/bpearce/public_html/.well-known/acme-challenge/rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A
[Sun Jul 30 00:02:02 PDT 2017] Changing owner/group of .well-known to bpearce:bpearce
[Sun Jul 30 00:02:02 PDT 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982
[Sun Jul 30 00:02:02 PDT 2017] payload=’{“resource”: “challenge”, “keyAuthorization”: “rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A.1i0hOvv1TEjqv4Z6xFimwvIYZdFYAvCSGnUu9yeOgKE”}’

[Sun Jul 30 00:02:02 PDT 2017] POST
[Sun Jul 30 00:02:02 PDT 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982
[Sun Jul 30 00:02:02 PDT 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun Jul 30 00:02:02 PDT 2017] _ret=‘0’
[Sun Jul 30 00:02:02 PDT 2017] code=‘202’
[Sun Jul 30 00:02:02 PDT 2017] sleep 2 secs to verify
[Sun Jul 30 00:02:04 PDT 2017] checking
[Sun Jul 30 00:02:04 PDT 2017] GET
[Sun Jul 30 00:02:04 PDT 2017] url=‘https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982
[Sun Jul 30 00:02:04 PDT 2017] timeout
[Sun Jul 30 00:02:04 PDT 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun Jul 30 00:02:04 PDT 2017] ret=‘0’
[Sun Jul 30 00:02:04 PDT 2017] bettysantlermix.com:Verify error:Invalid response from http://bettysantlermix.com/.well-known/acme-challenge/rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A:
[Sun Jul 30 00:02:04 PDT 2017] Debug: get token url.
[Sun Jul 30 00:02:04 PDT 2017] GET
[Sun Jul 30 00:02:04 PDT 2017] url=‘http://bettysantlermix.com/.well-known/acme-challenge/rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A
[Sun Jul 30 00:02:04 PDT 2017] timeout=‘1’
[Sun Jul 30 00:02:04 PDT 2017] _CURL=‘curl -L --silent --dump-header /root/.acme.sh/http.header --connect-timeout 1’

404 Not Found

Not Found

The requested URL /.well-known/acme-challenge/rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A was not found on this server.

[Sun Jul 30 00:02:04 PDT 2017] ret='0'
[Sun Jul 30 00:02:04 PDT 2017] Debugging, skip removing: /home/bpearce/public_html/.well-known/acme-challenge/rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A
[Sun Jul 30 00:02:04 PDT 2017] pid
[Sun Jul 30 00:02:04 PDT 2017] No need to restore nginx, skip.
[Sun Jul 30 00:02:04 PDT 2017] _clearupdns
[Sun Jul 30 00:02:04 PDT 2017] Dns not added, skip.
[Sun Jul 30 00:02:04 PDT 2017] _on_issue_err
[Sun Jul 30 00:02:04 PDT 2017] Please add '--debug' or '--log' to check more details.
[Sun Jul 30 00:02:04 PDT 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Sun Jul 30 00:02:04 PDT 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982'
[Sun Jul 30 00:02:04 PDT 2017] payload='{"resource": "challenge", "keyAuthorization": "rhDzXcoj28moDO7vY6PaViAGn1VI0nHeMMxFSYjkl0A.1i0hOvv1TEjqv4Z6xFimwvIYZdFYAvCSGnUu9yeOgKE"}'
[Sun Jul 30 00:02:04 PDT 2017] POST
[Sun Jul 30 00:02:04 PDT 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/5tqJr_87n7v1Ebj7nxEE_ha-X6ju7A4OirvW1tH1peU/1645379982'
[Sun Jul 30 00:02:04 PDT 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sun Jul 30 00:02:05 PDT 2017] _ret='0'
[Sun Jul 30 00:02:05 PDT 2017] code='400'
[Sun Jul 30 00:02:05 PDT 2017] Diagnosis versions:

I went ahead and deleted the ipv6 A record and tried again and it still failed. It could be that the changes take some time to propagate, but I’m still not convinced that is the issue. When I pull up this url: http://[2600:3c01::f03c:91ff:fec8:65d9]/~bpearce it takes me to the correct page of the site. Similar for other users on the server.

Ok, it worked after waiting a while. So it does appear to be the ipv6 thing. Thank you for your help!
