Failed authorization procedure. Multiple virtualhosts apache

olokos · March 22, 2018, 11:35pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
olokos.pl
kiepownica.pl
I ran this command:
sudo certbot --apache
It produced this output:
tls-sni-01 challenge for kiepownica.pl
tls-sni-01 challenge for www.kiepownica.pl
http-01 challenge for olokos.pl
http-01 challenge for www.olokos.pl
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.olokos.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.olokos.pl/.well-known/acme-challenge/sjVI_BcgxRZOg_DhnU27tuePmUZpuvqL5b9gkfe6Nh4: "

404 Not Found

Not Found

<p", olokos.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://olokos.pl/.well-known/acme-challenge/ZkSp-d9zFmC-NOj4vFKw2Rr273IYuE7xiL_3peBKEuE: " 404 Not Found

Not Found

<p"

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.olokos.pl
Type: unauthorized
Detail: Invalid response from
http://www.olokos.pl/.well-known/acme-challenge/sjVI_BcgxRZOg_DhnU27tuePmUZpuvqL5b9gkfe6Nh4:
"
404 Not Found
Not Found
<p"
Domain: olokos.pl
Type: unauthorized
Detail: Invalid response from
http://olokos.pl/.well-known/acme-challenge/ZkSp-d9zFmC-NOj4vFKw2Rr273IYuE7xiL_3peBKEuE:
"
404 Not Found
Not Found
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version):
Apache/2.4.18
The operating system my web server runs on is (include version):
Ubuntu Server 16.04 LTS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

I seen loads of topics with the same issue, yet none of those helped me…

rg305 · March 23, 2018, 12:25am

try placing a TEST.TXT file in the challenge folder to ensure it can be accessed from the Internet.

olokos · March 23, 2018, 6:32pm

http://olokos.pl/.well-known/acme-challenge/TEST.TXT
It is accessible without any problem.

stevenzhu · March 24, 2018, 2:00am

Hi,

There is a universal redirection that change all path to 404. Can you share the conf block or try to add exemption for .well-known?

Thank you

olokos · March 24, 2018, 2:44pm

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin kiepownica@localhost
DocumentRoot <MYLOCATIONHERE i censored it >
ServerName olokos.pl
ServerAlias www.olokos.pl


# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

ErrorDocument 400 /ErrorPages/HTTP400.html
ErrorDocument 401 /ErrorPages/HTTP401.html
ErrorDocument 403 /ErrorPages/HTTP403.html
ErrorDocument 404 /ErrorPages/HTTP404.html
ErrorDocument 500 /ErrorPages/HTTP500.html
ErrorDocument 501 /ErrorPages/HTTP501.html
ErrorDocument 502 /ErrorPages/HTTP502.html
ErrorDocument 503 /ErrorPages/HTTP503.html

RewriteEngine off
RewriteCond %{SERVER_NAME} =olokos.pl [OR]
RewriteCond %{SERVER_NAME} =www.olokos.pl
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

stevenzhu · March 26, 2018, 5:50am

Hi,

I’m sorry but i don’t know whats going on with your server…

In the meantime, you can try using a web-based utility (zerossl.com or sslforfree.com) to acquire a certificate

(There is one thing that might help, comment out
ErrorDocument 404 /ErrorPages/HTTP404.html
and try again)

Thank you

olokos · March 26, 2018, 3:13pm

I don’t know either. Might be nice if somebody could help me out.
That directive only replaces default 404 message with a nice and clean error page, doesn’t do anything else so it can’t be the problem. It was the same without it anyway.

olokos · April 2, 2018, 5:20pm

bumpy bump bump bumpy bumpy.

rg305 · April 3, 2018, 5:31am

You are not showing where the problem is and hide more than you need to.
The vhost files for the TLS are unknown.
https://olokos.pl/ shows a cert for “kiepownica.pl”
There is no way for anyone to help you without more information.

try also showing the output of:
certbot --version
certbot-auto --version
which certbot
which certbot-auto
certbot certificates

olokos · April 3, 2018, 5:05pm

Nobody has really asked me to show anything else than my conf block, which I did, censoring only document root. If it's neccesary I can show it aswell, just let me know and I will provide anything thats needed to be looked into.

kiepownica@kiepownica:~$ certbot --version
certbot 0.22.2
kiepownica@kiepownica:~$ certbot-auto --version
certbot-auto: command not found
kiepownica@kiepownica:~$ which certbot
/usr/bin/certbot
kiepownica@kiepownica:~$ which certbot-auto
kiepownica@kiepownica:~$ certbot certificates
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
kiepownica@kiepownica:~$ sudo certbot certificates
[sudo] password for kiepownica:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: kiepownica.pl
Domains: kiepownica.pl www.kiepownica.pl
Expiry Date: 2018-05-21 10:38:50+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/kiepownica.pl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kiepownica.pl/privkey.pem

schoen · April 3, 2018, 5:09pm

@bmw, could you take a look at this? It’s a failure with --apache in HTTP-01 challenges with 0.22.2, while TLS-SNI-01 challenges (possibly) work for the renewals on the same server.

@olokos, could you post the associated log file from /var/log/letsencrypt?

schoen · April 3, 2018, 5:11pm

This test is a good one, but it's only relevant for issuance using --webroot, not for the recently-added HTTP-01 support in --apache. The --apache support doesn't use your existing webroot directory, so this test doesn't predict its behavior accurately.

olokos · April 3, 2018, 9:01pm

Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1955, in main
“–strict-permissions” in cli_args)
File “/usr/lib/python2.7/dist-packages/letsencrypt/le_util.py”, line 104, in $
os.makedirs(directory, mode)
File “/usr/lib/python2.7/os.py”, line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: ‘/etc/letsencrypt’

I corrected that directory to 644 perms but the issue is quite similar
Failed authorization procedure. www.olokos.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.olokos.pl/.well-known/acme-challenge/wYLlDpLpq1xYC-ekb_KaG4LNaJDGEeZZM3j1BehIPQU: "

schoen · April 3, 2018, 9:25pm

Are you running with sudo?

olokos · April 3, 2018, 11:49pm

It won’t let me run it without sudo due to .lock file

schoen · April 4, 2018, 12:06am

OK, please post your log file from /var/log/letsencrypt somewhere so we can have a look at it.

olokos · April 4, 2018, 1:47am

I did. It’s in the post at 11:01pm

schoen · April 4, 2018, 2:06am

Sorry, I don’t see it—could you give a direct link to the forum post where you posted it?

rg305 · April 4, 2018, 5:31am

That seems to be the default apt-get installed version - not the certbot version shown above:

So it seems you have two versions installed.

olokos · April 4, 2018, 1:09pm

Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1955, in main
“–strict-permissions” in cli_args)
File “/usr/lib/python2.7/dist-packages/letsencrypt/le_util.py”, line 104, in $
os.makedirs(directory, mode)
File “/usr/lib/python2.7/os.py”, line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: ‘/etc/letsencrypt’

It was that one

@rg305 its only a packet from what I know, it shouldn’t matter too much from what I know, but what should I do in that case? Remove letsencrypt and keep just certbot?