Failed authorization procedure. indycrowd.scot (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: indycrowd.scot

I ran this command: certbot -d indycrowd.scot certonly --manual

It produced this output: Failed authorization procedure. indycrowd.scot (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://indycrowd.scot/.well-known/acme-challenge/QZw240YvGOHVNR7rqNrorq36ypZmVb60K_7X3_c5kFE [2001:8d8:100f:f000::2dd]: 204

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

I have tried all the possibilities to install Let's Encrypt on my web server. With the above method, certbot asked me to create a file QZw240YvGOHVNR7rqNrorq36ypZmVb60K_7X3_c5kFE and paste the content. I did it and the page works when we access it directly. However, it's still failing validation by Let's Encrypt.

http://indycrowd.scot/.well-known/acme-challenge/QZw240YvGOHVNR7rqNrorq36ypZmVb60K_7X3_c5kFE

#2

Hi @pheonixsolutions

Your domain has IPv4 and IPv6 addresses ( https://check-your-website.server-daten.de/?q=indycrowd.scot ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| indycrowd.scot | A | 46.101.46.122 | yes | 1 | 0 |
| | AAAA | 2001:8d8:100f:f000::2dd | yes | | |
| www.indycrowd.scot | A | 46.101.46.122 | yes | 1 | 0 |
| | AAAA | 2001:8d8:100f:f000::2dd | yes | | |

But these IP addresses send different answers:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | Error |
|---|---|---|---|---|---|---|
| http://www.indycrowd.scot/ | 46.101.46.122 | 301 | http://indycrowd.scot/ | 0.260 | D | |
| http://indycrowd.scot/ | 46.101.46.122 | 200 | | 0.863 | H | |
| http://indycrowd.scot/ | 2001:8d8:100f:f000::2dd | 200 | | 0.053 | H | |
| http://www.indycrowd.scot/ | 2001:8d8:100f:f000::2dd | 200 | | 0.054 | H | |
| https://indycrowd.scot/ | 46.101.46.122 | -2 | | 1.053 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 46.101.46.122:443 |
| https://indycrowd.scot/ | 2001:8d8:100f:f000::2dd | -10 | | 0.054 | P | SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. |
| https://www.indycrowd.scot/ | 46.101.46.122 | -2 | | 1.067 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 46.101.46.122:443 |
| https://www.indycrowd.scot/ | 2001:8d8:100f:f000::2dd | -10 | | 0.050 | P | SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. |
| http://www.indycrowd.scot/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 46.101.46.122 | 301 | http://indycrowd.scot/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.247 | D | |
| http://indycrowd.scot/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 46.101.46.122 | -8 | | 0.376 | W | ConnectionClosed - The request was aborted: The connection was closed unexpectedly. |
| http://indycrowd.scot/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2001:8d8:100f:f000::2dd | 204 | | 0.050 | A | |
| http://www.indycrowd.scot/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2001:8d8:100f:f000::2dd | 204 | | 0.050 | A | |

If you want to use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Let's Encrypt checks this file.

But your IPv4 has a redirect, then a ConnectionClosed. Your IPv6 sends an HTTP status 204 - no content.

Let's Encrypt prefers IPv6, so it’s impossible to validate the file and your domain.

So:

  • check your web server's IPv6 configuration, so that IPv6 answers correctly
  • remove your IPv6 address in your nameserver settings (AAAA entry)
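
The per-address check described in reply #2, as an added example that is not part of the thread or of any tool it mentions: it requests the challenge path over each address family and reports which answer the validator would see. The names `probe`, `diagnose` and `SAMPLE` are hypothetical, the sample data is constructed, and the fallback rule in `diagnose` is an assumption about validator behaviour.

```python
import http.client
import socket

PREFIX = "/.well-known/acme-challenge/"

def probe(host, token, family, timeout=5):
    """GET the challenge URL over one address family, sending the real Host header.
    Returns (status, body), or None when there is no record or no HTTP response."""
    try:
        addr = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)[0][4][0]
    except OSError:
        return None                      # no A/AAAA record for this family
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()        # redirects are reported, not followed
        return resp.status, resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None                      # refused, timed out or closed early
    finally:
        conn.close()

def diagnose(results, expected):
    """Return (family, passes, notes) for {"ipv6": probe(), "ipv4": probe()}."""
    # Assumption: the validator prefers IPv6 and only uses IPv4 when IPv6
    # gives no HTTP response at all.
    used = next((f for f in ("ipv6", "ipv4") if results.get(f)), None)
    if used is None:
        return None, False, ["no address family returned an HTTP response"]
    status, body = results[used]
    passes = status == 200 and body.strip() == expected
    notes = []
    if 300 <= status < 400:
        notes.append(f"{used}: redirect ({status}); probe the Location target too")
    elif not passes:
        notes.append(f"{used}: got {status}, need 200 with the challenge content")
    other = "ipv4" if used == "ipv6" else "ipv6"
    if results.get(other) and results[other] != results[used]:
        notes.append(f"{other} answers differently from {used}")
    return used, passes, notes

# Constructed sample mirroring the thread: IPv6 answers 204 with an empty body.
# The body string is a placeholder, not the real challenge content.
SAMPLE = {"ipv6": (204, ""), "ipv4": (200, "TOKEN.THUMBPRINT")}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "TOKEN.THUMBPRINT"))
    # Live check (hypothetical values):
    # r = {"ipv6": probe("example.com", "TOKEN", socket.AF_INET6),
    #      "ipv4": probe("example.com", "TOKEN", socket.AF_INET)}
```
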
#3

Although it looks like you have removed the IPv6 problem,
Name: indycrowd.scot
Address: 46.101.46.122
Name: www.indycrowd.scot
Address: 46.101.46.122

there has not yet been any cert issued for either name:
https://crt.sh/?q=indycrowd.scot
https://crt.sh/?q=www.indycrowd.scot

So I would change:

to include the “www” and specify the --webroot directly:

certbot -d indycrowd.scot -d www.indycrowd.scot certonly --webroot -w /site/root

NOTE: Replace “/site/root” with corresponding http vhost config file found with:
grep -Eri 'ServerName|ServerAlias' /etc/apache2 | grep indycrowd.scot

[ensure you include both names in your config(s)]
