Failed authorization procedure for my domain

No NAT. Firewall from my Cloud provider where the server is hosted.

Let's be sure you are at the right IP.
Show output of:
curl ifconfig.io

3 Likes

curl ifconfig.io
74.208.121.66

OK, that is the expected IP.

Please show the output of:
netstat -pant | grep -i listen | grep -E ':80|:443'

3 Likes
netstat -pant | grep -i listen | grep -E ':80|:443'
tcp   0   0 0.0.0.0:80     0.0.0.0:*    LISTEN    675/apache2
tcp   0   0 0.0.0.0:8080   0.0.0.0:*    LISTEN    11998/java
tcp   0   0 0.0.0.0:443    0.0.0.0:*    LISTEN    675/apache2

That shows Apache is listening on port 443.
Please show (again) the complete output of:
sudo apachectl -t -D DUMP_VHOSTS

And:
ls -l /etc/apache2/sites-enabled/

3 Likes

sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 74.208.121.66. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 demo.hologram.cd (/etc/apache2/sites-enabled/payaraSite.conf:1)
root@srvhidsdemo:~# ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 34 Apr 9 2020 payaraSite.conf -> ../sites-available/payaraSite.conf

Would you show the contents of the above file? Please add 3 backticks before and after so we see all the Apache config like this
```
contents of conf file
```

3 Likes
```
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    ServerName demo.hologram.cd
    DocumentRoot /var/www/html

    # Allow access to the challenge directory
    <Directory /var/www/html/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # Exclusions ("!") are matched in order and must precede the catch-all
    # ProxyPass / below, otherwise everything is sent to the backend.
    ProxyPass /pepele/ !
    ProxyPass /ucc/ !
    ProxyPass /fondationasanti !
    ProxyPass /teledeclaration !
    ProxyPass /snedac/wp-admin !
    ProxyPass /snedac_new !
    ProxyPass /reports_bi !
    ProxyPass /evisa/ !
    ProxyPass /.well-known/ !
    ProxyPass /phpinfo.php !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

As a test can you try this and show us the result

sudo certbot certonly --webroot -w /var/www/html --dry-run -d demo.hologram.cd

Also, in your httpd.conf can you add a line for ServerName localhost

Yours is defaulting to the IP address and I wonder if that makes it an IP based default server that takes priority from your named VirtualHost.

3 Likes

sudo certbot certonly --webroot -w /var/www/html --dry-run -d demo.hologram.cd
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for demo.hologram.cd
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. demo.hologram.cd (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 74.208.121.66: Invalid response from http://demo.hologram.cd/.well-known/acme-challenge/0rlgHVztshaHkqFq7HLaWuVRR4settcp5E6BQ4lAuNQ: "<span style="color: #000000">\n0rlgHVztshaHkqFq7HLaWuVRR4settcp5E6BQ4lAuNQ.RE57Pkd71R5BawWsxegFEjBbd1q7Mj9lvIoe_bXGKPg</spa"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: demo.hologram.cd
    Type: unauthorized
    Detail: 74.208.121.66: Invalid response from
    http://demo.hologram.cd/.well-known/acme-challenge/0rlgHVztshaHkqFq7HLaWuVRR4settcp5E6BQ4lAuNQ:
    "<span style="color:
    #000000">\n0rlgHVztshaHkqFq7HLaWuVRR4settcp5E6BQ4lAuNQ.RE57Pkd71R5BawWsxegFEjBbd1q7Mj9lvIoe_bXGKPg</spa"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

1 Like

I cannot reproduce your error with Let's Debug or with my own test server. I always get the expected "404 Not Found" when trying an acme-challenge URL test.

The above http request should return the challenge token created by Certbot. And, the data inside the "span" tags looks like the proper challenge token. But, it should not have any html tags around it. I don't have an explanation for why Apache would do that but thought it might help to point it out anyway.
"<span style="color: #000000">\n0rlgHVztshaHkqFq7HLaWuVRR4settcp5E6BQ4lAuNQ.RE57Pkd71R5BawWsxegFEjBbd1q7Mj9lvIoe_bXGKPg</spa"

3 Likes
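A pre-flight check in the spirit of the diagnosis above, added here as an example and not something posted in this thread: it writes a random file into the webroot's acme-challenge directory, fetches it over plain HTTP through the public hostname (no redirects followed, so the first hop is what gets judged), and classifies the body as an exact match, the token wrapped in extra bytes (which is what the span-tagged response quoted above looks like), or something else such as a 404 or a proxied backend page. The webroot default and the domain argument are assumptions; run it as root on the server before calling certbot.

```shell
#!/bin/sh
# Pre-flight check for the certbot --webroot method (example, not from the thread).
# Assumption: WEBROOT is the DocumentRoot of the *:80 vhost for the domain.
WEBROOT=${WEBROOT:-/var/www/html}

# check_body EXPECTED RECEIVED
# Prints "ok" when the body is byte-identical to the token file,
# "wrapped" when the token is present but surrounded by extra bytes
# (e.g. HTML tags injected by a filter or an error page that echoes the path),
# and "mismatch" for anything else (404 page, proxied backend response, empty body).
check_body() {
    expected=$1
    got=$2
    if [ "$got" = "$expected" ]; then
        echo ok
        return 0
    fi
    case "$got" in
        *"$expected"*) echo wrapped; return 1 ;;
        *)             echo mismatch; return 1 ;;
    esac
}

# preflight DOMAIN: create a throwaway token file, fetch it the way the CA would, clean up.
preflight() {
    domain=$1
    dir="$WEBROOT/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    # -sS: quiet but show errors; no -L so a redirect shows up as a mismatch to investigate.
    body=$(curl -sS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    check_body "$token" "$body"
}

# Only run the network check when a domain was given on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

A result of "wrapped" means Apache (or something in front of it) is altering the file contents, so inspect output filters and the backend rather than DNS; "mismatch" usually means the request never reached the static file at all.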

You need a location block for the challenges.
Without it, all the requests are being proxied.

2 Likes

I am pretty sure the above ProxyPass prevents proxying of acme-challenge requests.

3 Likes

But before, without this proxy, the same error would occur. Even when I remove the proxy from the configuration, it still doesn't work, and the certificate installation fails.

Can you tell me how to create this block, how and in which configuration file? Please, can you guide me exactly and give me the real clues to solve this problem?

I see you still have not gotten your cert or HTTPS working.

If you want more help, please show the current output of this. Thank you

sudo apachectl -t -D DUMP_VHOSTS
3 Likes

sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 74.208.121.66. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 localhost (/etc/apache2/sites-enabled/payaraSite.conf:1)

Can you make the change I described earlier and try getting a cert again? Let us know the result. Thanks.

3 Likes

These are the settings I've already made since the day you asked me to apply them, and I haven't modified the file yet.

1 Like