Failed Authorization on Multisite

Running into an issue that seems pretty common, but I’m unable to troubleshoot using existing threads, possibly because this group of certs is for a WordPress Multisite using multiple domains. There are 3 domains under the multisite, and it looks like only 1 is failing the auto-renew, which is preventing the entire network from renewing. All 3 domains are bundled under 1 cert package and all have the same webroot, so it’s odd that only 1 site is failing.

nginx version: nginx/1.4.6 (Ubuntu)

Here is the output when running certbot-auto renew:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/crwnewspapers.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for crwnewspapers.com
http-01 challenge for advertisercrw.com
http-01 challenge for saratogaweekly.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (crwnewspapers.com) from /etc/letsencrypt/renewal/crwnewspapers.com.conf produced an unexpected error: Failed authorization procedure. advertisercrw.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://advertisercrw.com/.well-known/acme-challenge/iBEPf5Iw_bgd5eItEXJr6KBB_G1s7bgGBEWoj6rkDLY: "
<!doctype html>
<html lang="en-US" prefix="og: http://ogp.me/ns#">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="x-". Skipping.

Here is the crwnewspapers.com.conf:

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/crwnewspapers.com
cert = /etc/letsencrypt/live/crwnewspapers.com/cert.pem
privkey = /etc/letsencrypt/live/crwnewspapers.com/privkey.pem
chain = /etc/letsencrypt/live/crwnewspapers.com/chain.pem
fullchain = /etc/letsencrypt/live/crwnewspapers.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 0e445af71186649f9bb10e100021eaf9
webroot_path = /var/www/html/etc/renewals/crwnewspapers,
[[webroot_map]]
saratogaweekly.com = /var/www/html/etc/renewals/crwnewspapers
crwnewspapers.com = /var/www/html/etc/renewals/crwnewspapers
advertisercrw.com = /var/www/html/etc/renewals/crwnewspapers

And finally the /etc/nginx/renewals/crwnewspapers.com:

server {
	listen 80;
	server_name crwnewspapers.com *.crwnewspapers.com saratogaweekly.com *.saratogaweekly.com advertisercrw.com *.advertisercrw.com;
	root /var/www/html/etc/renewals/crwnewspapers;

	server_tokens off;
	gzip off;
}

Any help with this is greatly appreciated!

Certbot is trying to put challenge files in /var/www/html/etc/renewals/crwnewspapers/.well-known/acme-challenge and have Let’s Encrypt’s validation authority request those files. Instead, your server is responding with some HTML file. Try creating a test.txt file here and see if you can request that successfully with cURL. If so, a common issue is if you have an AAAA record, but IPv6 handling is not set up properly on your web server. If not, you need to find out why your web server isn’t serving these files properly.

(Also moved this to “Help” instead of “Server”)

I get a 404 when I try to navigate to a testing.txt URL… cURL just gets that 404 page.

Does it matter that certificates for every other site on this server work fine? I checked any DNS configuration as well as general setup, and it’s all identical to the problem site.

Our senior developer set this server up and has left the company, I’m filling in until we find a replacement so a lot of this is discovering how things are set up. But like I said, the structure and setup looks identical to other sites we have running that work fine.

Do you also get a 404 if you access that URL via another one of the domain names?

Yep. Examples:

https://crwnewspapers.com/.well-known/acme-challenge/testing.txt
https://advertisercrw.com/.well-known/acme-challenge/testing.txt

Sorry, I misread your “Yep” as “No” (and originally posted a different reply)!

So, perhaps the renewal is just giving up when the first failure occurs.

Can you get any files to appear anywhere on the sites by putting them into /var/www/html/etc/renewals/crwnewspapers?

Maybe more relevant: how would you normally add content to these sites? This declaration seems to relate only to Let’s Encrypt renewals, but where do other files or information on the sites come from?

$ curl -X GET -Ik https://crwnewspapers.com/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Server: AOLserver/4.5.2

How does AOLServer relate to nginx in your web setup? Is it handling SSL for you, rather than nginx?

Does this domain point to your nginx server at all?
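The file-drop test suggested earlier in the thread and the Server-header observation just above, combined into one self-check. This is an added example, not code from the thread or from certbot; it assumes the renewal conf text is read from the path quoted above, that the script runs on the host with write access to the webroot, and that the expected front-end server is nginx (the `expected_server` parameter is the author's assumption).

```python
import os, secrets
import urllib.error
import urllib.request

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section of a renewal conf."""
    webroot_map, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # any section header opens or closes the map
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            webroot_map[domain] = path
    return webroot_map

def classify(status, server_header, body, token, expected_server="nginx"):
    """Label one response to the challenge URL, most diagnostic condition first."""
    if status == 200 and body.strip() == token:
        return "ok"
    if server_header and not server_header.lower().startswith(expected_server):
        return "other-server"            # e.g. "AOLserver/4.5.2": nginx never saw the request
    head = body[:200].lower().lstrip()
    if head.startswith("<!doctype html") or "<html" in head:
        return "html-instead-of-token"   # a web application answered the challenge path
    return "not-found" if status == 404 else f"unexpected-{status}"

def place_token(webroot):
    """Write a random token file exactly where certbot's webroot plugin would."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(token)
    return token

def fetch(domain, token):
    url = f"http://{domain}/.well-known/acme-challenge/{token}"   # plain HTTP, like the validator
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers and a body
        resp = err
    return resp.code, resp.headers.get("Server", ""), resp.read(512).decode(errors="replace")

def check_all(conf_text):
    mapping = parse_webroot_map(conf_text)
    tokens = {d: place_token(w) for d, w in mapping.items()}
    return {d: classify(*fetch(d, t), t) for d, t in tokens.items()}
```

Run `check_all(open("/etc/letsencrypt/renewal/crwnewspapers.com.conf").read())` on the host; a result of "other-server" for a domain means the request was answered by something other than the nginx vhost shown above, which is the situation the Server header in the cURL output points to.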

Negative. The website files are all stored in /var/www/html/prod/crwnewspapers.

I’ll also add that even for the sites on this server successfully running Let’s Encrypt, there’s no actual /acme-challenge/ folder in /var/www/html/etc/renewals/website-name/.well-known/.

Our previous developer had all of our sites running a daily cronjob to update each set of certificates. He forgot to include this group of multisites before he left, I thought I added them into the daily cron like any other site on the server but the automatic attempt at updating the certs failed too. I can post the cronjob information if helpful.

Yes, the domain points to our nginx server and as far as I know, nginx handles the SSL.
