Failed authorization procedure ? server configuration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
rusticana.info www.rusticana.info
I ran this command:
sudo letsencrypt certonly --webroot -w /var/lib/dhis2 -d rusticana.info -d www.rusticana.info --dry-run
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for rusticana.info
http-01 challenge for www.rusticana.info
Using the webroot path /var/lib/dhis2 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.rusticana.info (http-01): urn:ietf:params:ac                                                                                                             me:error:unauthorized :: The client lacks sufficient authorization :: Invalid re                                                                                                             sponse from https://www.rusticana.info/.well-known/acme-challenge/9Ponh699EUnh9n                                                                                                             yjUt7dJEUkONDMJHgBjAe7pFuZzVg [178.128.35.65]: "<html>\r\n<head><title>404 Not F                                                                                                             ound</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1                                                                                                             ></center>\r\n<hr><center>", rusticana.info (http-01): urn:ietf:params:acme:erro                                                                                                             r:unauthorized :: The client lacks sufficient authorization :: Invalid response                                                                                                              from https://rusticana.info/.well-known/acme-challenge/YzZFk3zyoa0L11CidwXEqoxkp                                                                                                             Pp2Pv_a34pJqJ4mUnE [178.128.35.65]: "<html>\r\n<head><title>404 Not Found</title                                                                                                             ></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\                                                                                                             r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.rusticana.info
   Type:   unauthorized
   Detail: Invalid response from
   https://www.rusticana.info/.well-known/acme-challenge/9Ponh699EUnh9nyjUt7dJEU                                                                                                             kONDMJHgBjAe7pFuZzVg
   [178.128.35.65]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   Domain: rusticana.info
   Type:   unauthorized
   Detail: Invalid response from
   https://rusticana.info/.well-known/acme-challenge/YzZFk3zyoa0L11CidwXEqoxkpPp                                                                                                             2Pv_a34pJqJ4mUnE
   [178.128.35.65]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
nginx 1.14.0
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Hi @prcleary

I see, you have already checked your domain via https://check-your-website.server-daten.de/?q=rusticana.info

There is a http status 403 - Forbidden

Not 404. Looks like you have already changed something.

But if webroot doesn't work, then (1) it's the wrong webroot or (2) you have additional definitions.

So create the two subdirectories

/var/lib/dhis2/.well-known/acme-challenge

there a file (file name 1234) and try to load this file.

http://www.rusticana.info/.well-known/acme-challenge/1234

PS: Use your http vHost the same webroot as your https vHost?

Thanks for the quick response.

I did create that file and can download it.

I have nginx as a reverse proxy for a Web service called DHIS 2. The nginx configuration was created by a utility script provided by the DHIS 2 developers. It did work fine until the last few weeks, when I have been using the droplet for something else (but not changing the nginx configuration as far as I remember).

This is the configuration of the virtual host (I just added the final location section):

# cat /etc/nginx/sites-available/dhis2

# apply these settings to all backends
proxy_cache_path  /var/cache/nginx  keys_zone=dhis:250m  inactive=1d;
proxy_redirect    off;
proxy_set_header  Host               $host;
proxy_set_header  X-Real-IP          $remote_addr;
proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto  https;
#proxy_cache       dhis;


# redirect http to https server
server {
  listen     80;
  rewrite    ^ https://$host$request_uri? permanent;
}

# HTTPS server
server {
  listen               443;
  root /var/lib/dhis2/dhis2/webapps/dhis2; # added by PC
  server_name rusticana.info www.rusticana.info;  # added by PC
  client_max_body_size 400M;  # edited from 10M by PC

  # ssl stuff
  ssl                  on;
  ssl_certificate      /etc/letsencrypt/live/rusticana.info/fullchain.pem;  # added by PC
  ssl_certificate_key  /etc/letsencrypt/live/rusticana.info/privkey.pem;  # added by PC
  ssl_session_timeout  30m;
  ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache shared:SSL:10m;
  ssl_prefer_server_ciphers  on;
  proxy_ssl_session_reuse off;  # added by PC

  # This is quite strict.  If you have much older windoze browsers
  # to support you might need the line below instead.
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  # ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  # Enable HSTS
  add_header Strict-Transport-Security max-age=63072000;

  # Do not allow this site to be displayed in iframes
  add_header X-Frame-Options DENY;

  # Do not permit Content-Type sniffing.
  add_header X-Content-Type-Options nosniff;

  # You need to generate the dh parameters before using this setting
  # Command:  openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  ssl_dhparam /etc/ssl/certs/dhparam.pem;


  # nominate a backend as the default
  rewrite ^/$ /dhis/;

  # Proxy pass to servlet containers
  location /dhis { proxy_pass  http://localhost:8080/dhis; }

# Added to try to fix certbot issue
  location ~ /.well-known {
            allow all;
            root /usr/share/nginx/html;
  }

}

There

is your webroot. And add #

to these lines, so they are ignored.

Thanks I commented out the final location bit.

Now I get a 403 error instead of downloading the file, and the same error when I try to renew the certificate.

Then there are insufficient rights.

Check the directory permissions.

And create the test file to check if this is the correct directory.

PS: Or you have more then one location with the same name.

Thanks.

The permissions did look wrong so I used:

sudo chown -R www-data:www-data /var/lib/dhis2/.well-known/acme-challenge/*
sudo chmod -R 0755 /var/lib/dhis2/.well-known/acme-challenge/*
sudo service nginx restart

but still get the same error trying to renew the certificate.

I can only see the location shown above in the nginx configuration.

Edit: and the “1234” file is there

This

is your webroot you have to use.

Your http is redirected to https, that's ok. But then you have to use the root of your https vHost.

Good point!

This is strange.

sudo mkdir -p /var/lib/dhis2/dhis2/webapps/dhis2/.well-known/acme-challenge
sudo touch /var/lib/dhis2/dhis2/webapps/dhis2/.well-known/acme-challenge/1234
sudo ls /var/lib/dhis2/dhis2/webapps/dhis2/.well-known/acme-challenge/
# 1234
sudo chown -R www-data:www-data /var/lib/dhis2/dhis2/webapps/dhis2/.well-known/acme-challenge/*
# chown: cannot access '/var/lib/dhis2/dhis2/webapps/dhis2/.well-known/acme-challenge/*': No such file or directory

I must be doing something wrong.

Edit: I was chown does not use -R. Changed to root user and changed owner and permissions and restarted nginx. Still getting the 403 error when I try to renew the certificate.

I uncommented the location again and this time it worked!

Thanks very much for your help - you have been great and so quick to respond.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.