Failed authorization procedure for my site

ajay2916 · November 26, 2017, 4:33am

I followed this tutorial https://www.youtube.com/watch?v=m9aa7xqX67c to config the ssl…it was working fine, when I tried to renew it says failed.

Failed authorization procedure. blog.merakiinfotech.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.merakiinfotech.com/.well-known/acme-challenge/mz8HEqgAmGsI3ADnHyyDnsFMC6lRb726jht-fZAIsCw: "<!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blog.merakiinfotech.com
   Type:   unauthorized
   Detail: Invalid response from
   http://blog.merakiinfotech.com/.well-known/acme-challenge/mz8HEqgAmGsI3ADnHyyDnsFMC6lRb726jht-fZAIsCw:
   "<!DOCTYPE html>
   <html>

   <head>
       <meta charset="UTF-8" />
       <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"
   />"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Reloading nginx
Renewal process finished for domain merakiinfotech.com

I cannot understand what is the problem, can you please help me resolve this.

jared.m · November 26, 2017, 4:50am

That’s an exceptionally outdated tutorial, unfortunately. While it will still work (mostly), there are much more efficient ways to handle this now that Nginx is fully supported by Certbot. You can still keep this method working without issue, however. The main issue is that Let’s Encrypt is attempting to load the challenge file, which is a text file located in .well-known/acme-challenge/. However, instead of returning this text file, your server is returning an html page. Would you post your nginx configs? It seems something is preventing your server from serving files from this location.

ajay2916 · November 26, 2017, 5:31am

Thanks for your kind response, here is my nginx code

server {
    listen 80;
    server_name blog.merakiinfotech.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name blog.merakiinfotech.com;

    ssl_certificate /etc/letsencrypt/live/merakiinfotech.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/merakiinfotech.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';


    location = /favicon.ico { access_log off; log_not_found off; }
    location ^/static/ {
        root /home/webapps/blog/blog/staticfiles;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/webapps/blog/blog/blog.sock;
    }
}

jared.m · November 26, 2017, 5:48am

So this is your issue. All requests (besides favicon) are passed to that unix socket. You'll need to add an additional location block to catch requests for /.well-known/acme-challenge and handle them differently. It should look something like (edited because @mnordhoff is right):

location /.well-known/acme-challenge {
    root /path/to/webroot;
}

Note that the root path for this block will need to be the webroot folder Certbot is looking for (often something like /usr/share/nginx/html or /var/www/html), with the .well-known/acme-challenge appended to it. That way, when Certbot places the challenge files there, the server will properly serve that file.

(Also moved this to "help".)

mnordhoff · November 26, 2017, 6:03am

Just “root /path/to/webroot;”. Nginx appends the “/.well-known/acme-challenge/”.

ajay2916 · November 26, 2017, 6:55am

What would be the path of my webroot, this is a django application served by gunicorn.

jared.m · November 26, 2017, 7:04am

In this case, whatever it was when you initially issued the certificate. The application itself doesn’t really have a relevant one, which is why we need that new block. It will revert your nginx functionality back to it was when you first issued the certificate, which seems to have been before you set up this application, but only for that specific path.

I don’t have the ability to verify the path immediately, but there should be a renewal.conf file somewhere in /etc/letsencrypt/ that will contain this information.

ajay2916 · November 26, 2017, 7:15am

Thanks buddy, finally the issue is solved. and it will expire on 2018-02-24 , how can I auto renew this using crontab

system · December 26, 2017, 7:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.