Failed authorization procedure for second issue virtualhost proxied

Hi Support,

we have added a new virtualhost, with port 10555 proxied.
The first request was fine, with no problems.
From the second (automatic) request on, Certbot was unable to complete the activation procedure, giving the following errors:

Failed authorization procedure. attivazione.3x1t.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://attivazione.3x1t.org [2a02:c207:2023:4846::1]: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale="

We had already correctly entered both DNS A/AAAA records, and we are currently using Certbot "0.28.0-1~deb9u3" on Debian stretch.

Here is the virtualhost:

<VirtualHost *:80>
    ServerName attivazione.3x1t.org
    ServerAlias attivazione.3x1t.org
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
       # RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

</VirtualHost>

<VirtualHost *:443>
    ServerAdmin 3x1t@3x1t.org
    ServerName attivazione.3x1t.org
    ServerAlias attivazione.3x1t.org
    Header add Strict-Transport-Security "max-age=15768000;includeSubdomains"
    SSLEngine on
    SSLCompression off
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLSessionTickets off

### REVERSE PROXY TO CONNECT DIRECTLY TO THE JAVA APPLICATION ###

    ProxyPass / http://localhost:10555/
    ProxyPassReverse / http://localhost:10555/

    ExpiresActive On
    ExpiresDefault "access plus 1 hour"
    Header always set Strict-Transport-Security "max-age=63072000"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src https://www.3x1t.org 'self'; object-src 'none'; frame-ancestors 'none'"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    Header set X-XSS-Protection "1; mode=block"

#    DocumentRoot /var/www/attivazione.3x1t.org/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

### LOCATION OF CERT FILES ###

    SSLCertificateFile /etc/letsencrypt/live/server.3x1t.org/fullchain.pem
    SSLCertificateChainFile /etc/letsencrypt/live/server.3x1t.org/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server.3x1t.org/privkey.pem

</VirtualHost>

The first question could be: why was the first issuance successful?
The second: what can cause this error?

Many thanks!

Here are the Let's Encrypt logs:

HTTP 200
Server: nginx
Date: Mon, 31 May 2021 14:45:47 GMT
Content-Type: application/json
Content-Length: 1532
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "attivazione.3x1t.org"
  },
  "status": "invalid",
  "expires": "2021-06-07T14:45:34Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://attivazione.3x1t.org [2a02:c207:2023:4846::1]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml\u003e\\n  \u003chead\u003e\\n    \u003cmeta charset=\\\"UTF-8\\\"\u003e\\n    \u003cmeta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/13594039950/qncgoQ",
      "token": "BBBIsZD-p51N2pBTgjiPjpllVND-ofCiu0tWuRMNWRs",
      "validationRecord": [
        {
          "url": "http://attivazione.3x1t.org/.well-known/acme-challenge/BBBIsZD-p51N2pBTgjiPjpllVND-ofCiu0tWuRMNWRs",
          "hostname": "attivazione.3x1t.org",
          "port": "80",
          "addressesResolved": [
            "5.189.129.55",
            "2a02:c207:2023:4846::1"
          ],
          "addressUsed": "2a02:c207:2023:4846::1"
        },
        {
          "url": "https://attivazione.3x1t.org",
          "hostname": "attivazione.3x1t.org",
          "port": "443",
          "addressesResolved": [
            "5.189.129.55",
            "2a02:c207:2023:4846::1"
          ],
          "addressUsed": "2a02:c207:2023:4846::1"
        }
      ],
      "validated": "2021-05-31T14:45:41Z"
    }
  ]
}
2021-05-31 16:45:47,170:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: attivazione.3x1t.org
Type:   unauthorized
Detail: Invalid response from https://attivazione.3x1t.org [2a02:c207:2023:4846::1]: "<!DOCTYPE html>\n<html>\n  <head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale="

Did you already have the HTTP to HTTPS redirect in place at that time?

Because all certificate requests are ending up on the service running on port 10555.
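
The validation record above shows the challenge URL on port 80 being redirected to the bare https:// origin, which the 443 virtualhost then proxies to the Java application, so Let's Encrypt receives an HTML page instead of the token. The port-80 virtualhost below is an added example, not configuration from this thread; it keeps the same paths and host name and adds an explicit mod_rewrite passthrough, because per-server RewriteRules run before mod_alias maps the URL, so the Alias alone cannot win over the redirect.

```apache
<VirtualHost *:80>
    ServerName attivazione.3x1t.org

    # Serve the ACME challenge directory from disk (same path as in the thread).
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        Require all granted
    </Directory>

    RewriteEngine On
    # Let the challenge path through untouched: "-" means no substitution and
    # [L] stops rule processing, so the redirect below never sees these requests.
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
    # Everything else goes to HTTPS, preserving the requested path this time
    # (the original rule dropped it by redirecting to https://%{HTTP_HOST} only).
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After reloading Apache, a plain-HTTP request for a dummy token under /.well-known/acme-challenge/ should get a 404 from Apache itself rather than a 301 to the HTTPS origin, which confirms the validator will reach the file on disk.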

Yes, the virtualhost was the same

Ah, understood! Thanks!

Anyway, I've moved from certbot to acme.sh and now everything (I hope next month too) is working right :wink:

Thanks again!
