Failed authorization procedure. The client lacks sufficient authorization

karmen79 · September 19, 2020, 7:57pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.hypnosejoaillerie.it

I ran this command: sudo certbot

It produced this output:

Domain: www.hypnosejoaillerie.it
Type: unauthorized
Detail: Invalid response from
http://www.hypnosejoaillerie.it/.well-known/acme-challenge/u5oucZ70KCvjQtceeJ8set9feZSP5a60FuUwnab7As4
[5.189.131.41]: 403

My web server is (include version): 5.189.131.41 LAMP

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: CONTABO (VPS)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I’m trying to get a SSL certificate for the domain www.hypnosejoaillerie.it hosted on my VPS as Virtual Host. I followed same procedure for the others Virtual Host hosted on my VPS, but for some reason I’m getting the error as per details above. The DNS is correct (record A). This is what the let’s encrypt log is showing:

certbot.errors.FailedChallenges: Failed authorization procedure. www.hypnosejoaillerie.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.hypnosejoaillerie.it/.well-known/acme-challenge/u5oucZ70KCvjQtceeJ8set9feZSP5a60FuUwnab7As4 [5.189.131.41]: 403, hypnosejoaillerie.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.hypnosejoaillerie.it/.well-known/acme-challenge/O3-ZQQy00335RGiz3tzGBQ2dWUfooThz95gf3hZdMhQ [5.189.131.41]: 403

Thank you in advance for your support.
Carlo

griffin · September 19, 2020, 8:26pm

Welcome to the Let’s Encrypt Community, Carlo

The Good:
I’ve noticed an extensive autorenewal history of certificates at https://crt.sh/?q=hypnosejoaillerie.it, including one that is still valid until November 16.

The Bad:
I’ve noticed some very concerning redirects and responses, including a 403 Forbidden response that will make renewal impossible. Your webserver configuration is in desperate need of repair. There are several people here who can most likely help you resolve this. Sadly, I am not one of them.

@rg305

Rudy, you up for another bout?

http://hypnosejoaillerie.it redirects to http://www.hypnosejoaillerie.it, which returns 403 Forbidden.

https://hypnosejoaillerie.it does not respond at all.

https://www.hypnosejoaillerie.it temporarily redirects to http://mennellablog.info/bussolarte-it, which redirects to https://mennellablog.info/bussolarte-it, which redirects to https://www.mennellablog.info/bussolarte-it/, which returns valid content 200 OK.

rg305 · September 19, 2020, 8:33pm

He clearly said www in the domain.
[the non-www is a whole other can of worms (not asked to be opened here)]

griffin · September 19, 2020, 8:33pm

The non-www redirects to the www.

rg305 · September 19, 2020, 8:35pm

Not for me, it doesn't:

curl -Iki www.hypnosejoaillerie.it
HTTP/1.1 403 Forbidden
Date: Sat, 19 Sep 2020 20:34:46 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

It returns 403.
And so does any/all other folders and paths under that name (all 403 forbidden).

griffin · September 19, 2020, 8:36pm

Look at my first image, brother…

rg305 · September 19, 2020, 8:36pm

Look at my curly q’s sista - rofl

griffin · September 19, 2020, 8:37pm

I don’t doubt your mad skills, but I’m pretty sure the top redirect checker on Google isn’t broken.

I find it hilarious that it returns:

301
403 Forbidden

CONGRATULATION Everything seems to be fine.

rg305 · September 19, 2020, 8:38pm

Its all about source IP then…
Cuz I see this:

So there must be some GeoLocomotion action in play.

rg305 · September 19, 2020, 8:39pm

This is cute too:

Name:    hypnosejoaillerie.it
Addresses:  2a02:c205:0:891::1
          2a02:c207:0:842::1
          2a02:c205:0:882::1
          62.149.128.154
          62.149.128.157
          62.149.128.160
          62.149.128.163
          62.149.128.166
          62.149.128.151

Name:    www.hypnosejoaillerie.it
Address:  5.189.131.41

griffin · September 19, 2020, 8:40pm

You seriously don’t get redirected from http://hypnosejoaillerie.it to http://www.hypnosejoaillerie.it?

rg305 · September 19, 2020, 8:41pm

You first image has no www - look at his domain and then at your first image again.

griffin · September 19, 2020, 8:42pm

I know that. LOL. I was just being thorough.

rg305 · September 19, 2020, 8:43pm

Ignore the non-www - that is NOT in question here.
Start at the www and use HTTP.
Follow that leader…
It goes nowhere fast.
403 FORBIDDEN

griffin · September 19, 2020, 8:43pm

Straight into the 403 then

rg305 · September 19, 2020, 8:45pm

OK then we need to know what’s going on inside:
Server: Apache/2.4.29 (Ubuntu)
at IP: 5.189.131.41
When asked for site: www.hypnosejoaillerie.it
via: HTTP

Q1: Output of: sudo apachectl -S

griffin · September 19, 2020, 8:45pm

@rg305

As always seems to be the case when we chat, I need to eat now. Been up for 8 hours doing mostly manual labor and haven’t eaten anything yet. See you soon, brother.

@karmen79

You’re in the best of hands with Rudy.

rg305 · September 19, 2020, 8:47pm

Dang, I got to label paint cans now - rofl
[and then eat too]

But we do have one (initial) pending question waiting to be answered...

karmen79 · September 19, 2020, 8:48pm

*:443 is a NameVirtualHost
default server bussolarte.it (/etc/apache2/sites-enabled/bussolarte.it-le-ssl.conf:2)
port 443 namevhost bussolarte.it (/etc/apache2/sites-enabled/bussolarte.it-le-ssl.conf:2)
alias www.bussolarte.it
port 443 namevhost hypnosejoaillerie.com (/etc/apache2/sites-enabled/hypnosejoaillerie.com-le-ssl.conf:2)
alias www.hypnosejoaillerie.com
port 443 namevhost mennella.blog (/etc/apache2/sites-enabled/mennella.blog-le-ssl.conf:2)
alias www.mennella.blog
port 443 namevhost mennellablog.info (/etc/apache2/sites-enabled/mennellablog.info-le-ssl.conf:2)
alias www.mennellablog.info
port 443 namevhost webstorecorallo.it (/etc/apache2/sites-enabled/webstorecorallo.it-le-ssl.conf:2)
alias www.webstorecorallo.it
*:80 is a NameVirtualHost
default server vmi404536.contaboserver.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost vmi404536.contaboserver.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost bussolarte.it (/etc/apache2/sites-enabled/bussolarte.it.conf:1)
alias www.bussolarte.it
port 80 namevhost hypnosejoaillerie.com (/etc/apache2/sites-enabled/hypnosejoaillerie.com.conf:1)
alias www.hypnosejoaillerie.com
port 80 namevhost mennella.blog (/etc/apache2/sites-enabled/mennella.blog.conf:1)
alias www.mennella.blog
port 80 namevhost mennellablog.info (/etc/apache2/sites-enabled/mennellablog.info.conf:1)
alias www.mennellablog.info
port 80 namevhost mennella.blog (/etc/apache2/sites-enabled/roundcube.conf:1)
port 80 namevhost webstorecorallo.it (/etc/apache2/sites-enabled/webstorecorallo.it.conf:1)
alias www.webstorecorallo.it
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

griffin · September 19, 2020, 8:50pm

Good luck gentlemen.