Failed authorization procedure (Obtaining SSL HTTPS)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.lindcreation.se

I ran this command:
sudo certbot --apache

It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lindcreation.se
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.lindcreation.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.lindcreation.se/.well-known/acme-challenge/UEZyhJSP4Uvn1OtIw7zlrlclVEEtt4QoC3GK8K_3bKQ: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version):
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Linux version 4.4.0-127-generic (buildd@lcy01-amd64-023) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"

My hosting provider, if applicable, is:
bought domain on misshosting but I run the hosting

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi @worldofjimmy,

That’s interesting, we don’t usually see this particular combination of failures!

Is there anything unusual about your Apache configuration, like multiple versions of Apache installed or configuration files in an unusual location? Did you customize your Apache configuration in some other way?

Could you post the associated Certbot log from /var/log/letsencrypt?


#3

Not a usual Apache configuration that I know. Currently running one copy of it.
I have the configuration files for the website under another directory than the standard /var/www/. I have it under /media/10gb/websites/Lindcreation/. This is a mounted SSD.

Not sure which part of the log file to copy because it is miles long.

2018-07-03 20:44:45,411:INFO:certbot.main:Obtaining a new certificate
2018-07-03 20:44:45,653:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
2018-07-03 20:44:45,656:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
2018-07-03 20:44:45,658:DEBUG:acme.client:Requesting fresh nonce
2018-07-03 20:44:45,658:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2018-07-03 20:44:45,853:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-authz HTTP/1.1” 405 0
2018-07-03 20:44:45,854:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Date: Tue, 03 Jul 2018 18:44:45 GMT
Connection: keep-alive
Pragma: no-cache
Content-Length: 91
Allow: POST
Cache-Control: max-age=0, no-cache, no-store
Replay-Nonce: hYFmtwgba0bZrtIypKIbdLHBp6L7-mQPSdU_QzzYoUg
Expires: Tue, 03 Jul 2018 18:44:45 GMT
Content-Type: application/problem+json

2018-07-03 20:44:45,854:DEBUG:acme.client:Storing nonce: hYFmtwgba0bZrtIypKIbdLHBp6L7-mQPSdU_QzzYoUg
2018-07-03 20:44:45,855:DEBUG:acme.client:JWS payload:
b'{\n "identifier": {\n "value": "lindcreation.se",\n "type": "dns"\n },\n "resource": "new-authz"\n}'
2018-07-03 20:44:45,863:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2018-07-03 20:44:46,068:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-authz HTTP/1.1” 201 720
2018-07-03 20:44:46,069:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 03 Jul 2018 18:44:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Expires: Tue, 03 Jul 2018 18:44:46 GMT
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Boulder-Requester: 37714464
Content-Type: application/json
X-Frame-Options: DENY
Pragma: no-cache
Content-Length: 720
Strict-Transport-Security: max-age=604800
Connection: keep-alive
Replay-Nonce: P0cTefHauM-fXHGpYzXJ_w1bmmdBKxCELLoqQi_IME0
Location: https://acme-v01.api.letsencrypt.org/acme/authz/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc

{
  "identifier": {
    "type": "dns",
    "value": "lindcreation.se"
  },
  "status": "pending",
  "expires": "2018-07-10T18:44:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696212",
      "token": "iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696213",
      "token": "j4-ZzD7Jk7820hmgvgdfXhOqcm8ufxuuqcUlNVZmPXM"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ]
  ]
}
2018-07-03 20:44:46,070:DEBUG:acme.client:Storing nonce: P0cTefHauM-fXHGpYzXJ_w1bmmdBKxCELLoqQi_IME0
2018-07-03 20:44:46,071:INFO:certbot.auth_handler:Performing the following challenges:
2018-07-03 20:44:46,071:INFO:certbot.auth_handler:http-01 challenge for lindcreation.se
2018-07-03 20:44:46,156:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: www.Lindcreation.se in: /etc/apache2/sites-enabled/Hairbyj.conf
2018-07-03 20:44:46,157:DEBUG:certbot_apache.http_01:writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2018-07-03 20:44:46,157:DEBUG:certbot_apache.http_01:writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
    Require all granted
</Directory>
<Location /.well-known/acme-challenge>
    Require all granted
</Location>

2018-07-03 20:44:46,178:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/Hairbyj.conf
2018-07-03 20:44:49,361:INFO:certbot.auth_handler:Waiting for verification…
2018-07-03 20:44:49,363:DEBUG:acme.client:JWS payload:
b'{\n "keyAuthorization": "iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w.1ofBs-nV6z44Fd9_921XmMv0i3m8Orde4DDRHORtPmE",\n "resource": "challenge",\n "type": "http-01"\n}'
2018-07-03 20:44:49,372:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696212:
2018-07-03 20:44:49,581:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696212 HTTP/1.1” 202 336
2018-07-03 20:44:49,582:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Date: Tue, 03 Jul 2018 18:44:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Expires: Tue, 03 Jul 2018 18:44:49 GMT
Link: https://acme-v01.api.letsencrypt.org/acme/authz/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc;rel=“up”
Boulder-Requester: 37714464
Content-Type: application/json
Pragma: no-cache
Content-Length: 336
Connection: keep-alive
Replay-Nonce: MBmta3Dx2hEClq_cdhSGmbkzJopygZ0owu7Vuuz1QZQ
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696212

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696212",
  "token": "iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w",
  "keyAuthorization": "iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w.1ofBs-nV6z44Fd9_921XmMv0i3m8Orde4DDRHORtPmE"
}
2018-07-03 20:44:49,583:DEBUG:acme.client:Storing nonce: MBmta3Dx2hEClq_cdhSGmbkzJopygZ0owu7Vuuz1QZQ
2018-07-03 20:44:52,588:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc.
2018-07-03 20:44:52,779:DEBUG:requests.packages.urllib3.connectionpool:“GET /acme/authz/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc HTTP/1.1” 200 1658
2018-07-03 20:44:52,780:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 03 Jul 2018 18:44:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Expires: Tue, 03 Jul 2018 18:44:52 GMT
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Content-Type: application/json
X-Frame-Options: DENY
Pragma: no-cache
Content-Length: 1658
Strict-Transport-Security: max-age=604800
Connection: keep-alive
Replay-Nonce: u7dLwlX-6Za7UHHHqdR7vSTCD1kV0uuUQQM6oG37Bug

{
  "identifier": {
    "type": "dns",
    "value": "lindcreation.se"
  },
  "status": "invalid",
  "expires": "2018-07-10T18:44:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://lindcreation.se/.well-known/acme-challenge/iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w: \"\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp\"",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696212",
      "token": "iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w",
      "keyAuthorization": "iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w.1ofBs-nV6z44Fd9_921XmMv0i3m8Orde4DDRHORtPmE",
      "validationRecord": [
        {
          "url": "http://lindcreation.se/.well-known/acme-challenge/iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w",
          "hostname": "lindcreation.se",
          "port": "80",
          "addressesResolved": [
            "213.67.202.187"
          ],
          "addressUsed": "213.67.202.187"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hmraQQ9CTZteocs_Wb_AxjJRjwAm3IvSxRMIPAP3Zgc/5438696213",
      "token": "j4-ZzD7Jk7820hmgvgdfXhOqcm8ufxuuqcUlNVZmPXM"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ]
  ]
}
2018-07-03 20:44:52,782:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: lindcreation.se
Type: unauthorized
Detail: Invalid response from http://lindcreation.se/.well-known/acme-challenge/iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w: "

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-07-03 20:44:52,783:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. lindcreation.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lindcreation.se/.well-known/acme-challenge/iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w: "

404 Not Found

Not Found

<p"

2018-07-03 20:44:52,784:DEBUG:certbot.error_handler:Calling registered functions
2018-07-03 20:44:52,784:INFO:certbot.auth_handler:Cleaning up challenges
2018-07-03 20:44:53,084:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.25.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1086, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 383, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 326, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 362, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. lindcreation.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lindcreation.se/.well-known/acme-challenge/iMR9-iF851vb--dlf6pii8iCpD15s2sqltSDRSZuU5w: "

404 Not Found

Not Found

<p"
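
Reading the authorization object in the log above, as an added example that is not part of the original posts or of Certbot: a small Python triage of the rejected challenge. The sample authz is constructed (example.com, 192.0.2.10 and the token are placeholders), and `triage_authz` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of the ACME v1 authorization object certbot
# logs after polling. Names, token and IP are placeholders, not thread values.
TOKEN = "TOKEN-placeholder"
URL = "http://example.com/.well-known/acme-challenge/" + TOKEN
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "invalid",
    "challenges": [
        {"type": "http-01", "status": "invalid", "token": TOKEN,
         "keyAuthorization": TOKEN + ".THUMBPRINT-placeholder",
         "error": {"type": "urn:acme:error:unauthorized", "status": 403,
                   "detail": "Invalid response from " + URL +
                             ': "<title>404 Not Found</title>"'},
         "validationRecord": [{"url": URL, "hostname": "example.com",
                               "port": "80", "addressUsed": "192.0.2.10"}]},
        {"type": "dns-01", "status": "invalid", "token": "OTHER-placeholder"},
    ],
})


def triage_authz(authz_json, server_ips):
    """Return one finding per challenge the CA actually attempted and rejected."""
    findings = []
    for ch in json.loads(authz_json).get("challenges", []):
        if ch.get("status") != "invalid" or "error" not in ch:
            continue  # untried challenges carry no error object
        rec = (ch.get("validationRecord") or [{}])[-1]  # last hop fetched
        detail = ch["error"].get("detail", "")
        if rec.get("addressUsed") not in server_ips:
            cause = "CA connected to an address that is not this server (DNS)"
        elif "404" in detail:
            cause = "request reached a web server, but the vhost that answered does not serve the challenge path"
        else:
            cause = "challenge URL answered with unexpected content"
        findings.append({
            "type": ch["type"],
            "hostname": rec.get("hostname"),
            "address_used": rec.get("addressUsed"),
            # error.status is the ACME problem's code (403 for 'unauthorized'),
            # not the web server's reply; that one is quoted in 'detail'.
            "acme_status": ch["error"].get("status"),
            "keyauth_matches_token": ch.get("keyAuthorization", "").startswith(ch["token"] + "."),
            "cause": cause,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_authz(SAMPLE_AUTHZ, {"192.0.2.10"}):
        print(finding)
```

Pass the set of public addresses your server really listens on as `server_ips`; a mismatch with `addressUsed` points at DNS rather than at the Apache configuration.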

#4

Hi @worldofjimmy

There is a certbot option --webroot; there you can define your path /media/10gb/websites/Lindcreation/ directly. Test this (perhaps use the staging / test system first).


#5

The document root the website is using isn’t supposed to matter – “certbot --apache” is supposed to figure everything out on its own.


#6

When I run with the --webroot option this is the output

sudo certbot --webroot /media/10gb/websites/Lindcreation/
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: /media/10gb/websites/Lindcreation/


#7

Yes, there may be additional options required: -d domain, etc. Or use the staging / test system first, so you can do a lot of tests.

If the simple command (certbot --apache) does not work, reduce the problem by using more options.


#8

The --webroot option is the name of a plugin rather than a way to specify the webroot. The way to specify the webroot is with -w.

Therefore the corrected form of this command would be

sudo certbot --webroot -w /media/10gb/websites/Lindcreation/

