Failed authorization procedure error / 404 when trying to renew certs

I have been banging my head against the wall for the last couple of days trying to renew the certificates for my websites. However, I keep hitting the same error where it simply returns a 404 when trying to do an ACME challenge. I have read through article upon article, Stack Overflow question upon Stack Overflow question, and nothing has worked. Hence, why I am asking for help here.

When I originally got the certificates I was using Cloudflare, however, due to some issues I was having with my website being blocked for using the Cloudflare proxies I decided to go back to using the normal DNS servers that were provided by enwau.wales (the place I got my domain from). I don't know if this has anything to do with the matter as I am not an expert in this type of stuff.

Then comes the question, does anyone have any ideas how to resolve this issue? If there is any more information I can provide then please let me know.

Some websites with information about the domain:

A bunch of information:

My domain is: prv.cymru

I ran this command:

sudo letsencrypt --apache

But certbot --apache, and other commands return the same error message.

It produced this output:

[pi@prv.cymru] ~/w/html ✓(master) > sudo letsencrypt --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: prv.cymru
...
12: www.prv.cymru
...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for prv.cymru
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. prv.cymru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://prv.cymru/.well-known/acme-challenge/3S8vPPnfB6MlbfH9GxPl3LNjHOcIeUqj4rDR78qkgYw [51.174.25.98]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: prv.cymru
   Type:   unauthorized
   Detail: Invalid response from
   http://prv.cymru/.well-known/acme-challenge/3S8vPPnfB6MlbfH9GxPl3LNjHOcIeUqj4rDR78qkgYw
   [51.174.25.98]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): apache2

Server version: Apache/2.4.38 (Raspbian)
Server built:   2021-09-30T03:50:49

The operating system my web server runs on is (include version):

Distributor ID:	Raspbian
Description:	Raspbian GNU/Linux 10 (buster)
Release:	10
Codename:	buster

My hosting provider, if applicable, is: I don't use a hosting provider.

I can login to a root shell on my machine (yes or no, or I don't know): Yes I can log in as root / use sudo.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No I am not.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

And the content of the config file for the site (prv.cymru.conf)
(I removed the https part in hopes that certbot would re-add it)

<VirtualHost *:80>
    ServerName prv.cymru
    ServerAlias www.prv.cymru

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

The directory /var/www/html is a symlink to a different folder, but Certbot should have all the privileges it needs in that directory.

Welcome to the community! Do you see the authorization attempt in the apache access.log?

2 Likes

Yes, it comes up like this:

172.104.24.29 - - [31/Dec/2021:12:46:32 +0100] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 455 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)"
18.196.102.134 - - [31/Dec/2021:12:46:32 +0100] "GET /.well-known/acme-challenge/bHsPybkMMysyma_RxQSaIx2xkvxEP8Sv-ZoCZbQI3Y8 HTTP/1.1" 404 455 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.104.24.29 - - [31/Dec/2021:12:46:32 +0100] "GET / HTTP/1.1" 200 1056 "-" "Go-http-client/1.1"
18.222.145.89 - - [31/Dec/2021:12:46:32 +0100] "GET /.well-known/acme-challenge/bHsPybkMMysyma_RxQSaIx2xkvxEP8Sv-ZoCZbQI3Y8 HTTP/1.1" 404 455 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [31/Dec/2021:12:46:32 +0100] "GET /.well-known/acme-challenge/bHsPybkMMysyma_RxQSaIx2xkvxEP8Sv-ZoCZbQI3Y8 HTTP/1.1" 404 455 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.71.144.196 - - [31/Dec/2021:12:49:17 +0100] "GET /.well-known/acme-challenge/3S8vPPnfB6MlbfH9GxPl3LNjHOcIeUqj4rDR78qkgYw HTTP/1.1" 404 436 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"

Though, while I was waiting I tried to run it with the --webroot flag instead of the --apache flag, and now I got this:

[pi@prv.cymru] ~/website ✓(master) > sudo certbot certonly --webroot -w /var/www/html/ -d prv.cymru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for prv.cymru
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/prv.cymru/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/prv.cymru/privkey.pem
   Your cert will expire on 2022-03-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

and now the access.log comes up as:

3.120.130.29 - - [31/Dec/2021:13:48:18 +0100] "GET /.well-known/acme-challenge/EvWdliq9I8Jh0-6N3SbSFmSke47dkGtqj7Qo_pJ-Qmc HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.116.86.117 - - [31/Dec/2021:13:48:18 +0100] "GET /.well-known/acme-challenge/EvWdliq9I8Jh0-6N3SbSFmSke47dkGtqj7Qo_pJ-Qmc HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.221.255.206 - - [31/Dec/2021:13:48:18 +0100] "GET /.well-known/acme-challenge/EvWdliq9I8Jh0-6N3SbSFmSke47dkGtqj7Qo_pJ-Qmc HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [31/Dec/2021:13:48:19 +0100] "GET /.well-known/acme-challenge/EvWdliq9I8Jh0-6N3SbSFmSke47dkGtqj7Qo_pJ-Qmc HTTP/1.1" 200 310 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I assume this means that I now at least have a cert, but I still need to configure the apache files?

2 Likes
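
An added example, not part of the original posts: a small Python helper that performs the access.log check suggested above, grouping http-01 challenge requests by token and listing the tokens the server never answered with 200. The sample lines are copied from the log excerpts posted in this thread; the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA = "(compatible; Let's Encrypt validation server;"

# Lines copied from the access.log excerpts posted in this thread.
SAMPLE_LOG = '''\
172.104.24.29 - - [31/Dec/2021:12:46:32 +0100] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 455 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)"
18.196.102.134 - - [31/Dec/2021:12:46:32 +0100] "GET /.well-known/acme-challenge/bHsPybkMMysyma_RxQSaIx2xkvxEP8Sv-ZoCZbQI3Y8 HTTP/1.1" 404 455 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.104.24.29 - - [31/Dec/2021:12:46:32 +0100] "GET / HTTP/1.1" 200 1056 "-" "Go-http-client/1.1"
64.71.144.196 - - [31/Dec/2021:12:49:17 +0100] "GET /.well-known/acme-challenge/3S8vPPnfB6MlbfH9GxPl3LNjHOcIeUqj4rDR78qkgYw HTTP/1.1" 404 436 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"
3.120.130.29 - - [31/Dec/2021:13:48:18 +0100] "GET /.well-known/acme-challenge/EvWdliq9I8Jh0-6N3SbSFmSke47dkGtqj7Qo_pJ-Qmc HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [31/Dec/2021:13:48:19 +0100] "GET /.well-known/acme-challenge/EvWdliq9I8Jh0-6N3SbSFmSke47dkGtqj7Qo_pJ-Qmc HTTP/1.1" 200 310 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
'''.splitlines()

def summarize_challenges(lines):
    """Group http-01 challenge requests by token: status codes, client IPs, validator hint."""
    summary = defaultdict(lambda: {"statuses": set(), "ips": set(), "le_validator": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue  # unparsable line or a request that is not a challenge fetch
        token = m["path"][len(CHALLENGE_PREFIX):]
        entry = summary[token]
        entry["statuses"].add(int(m["status"]))
        entry["ips"].add(m["ip"])
        # The user agent is client-supplied, so this is a hint, not proof of origin.
        if LE_UA in m["ua"]:
            entry["le_validator"] = True
    return dict(summary)

def unanswered_tokens(summary):
    """Tokens never served with 200, i.e. the challenge file was not reachable."""
    return sorted(t for t, e in summary.items() if 200 not in e["statuses"])

if __name__ == "__main__":
    summary = summarize_challenges(SAMPLE_LOG)
    for token, e in summary.items():
        print(token, sorted(e["statuses"]), len(e["ips"]), "validator" if e["le_validator"] else "other")
    print("never answered with 200:", unanswered_tokens(summary))
```
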

You can combine the webroot authenticator and apache installer using the -a webroot -i apache option combination.

4 Likes

Omg that flag combination worked perfectly!! Thank you so, so much for all of your help!

4 Likes

It seems like you could use a cert for "1" & "12" (with: "1,12")
Especially if they provide the exact same content.

1 Like

Yes, that is correct. Using the --webroot flag and the other additional flags provided by @Osiris I was able to get and install certificates for both of them + some other subdomains that I needed it for. :slight_smile:

1 Like
