Failed authorization procedure. ucdirector.oitdev.io (http-01): urn:ietf:params:acme:error:unauthorized

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

ucdirector.oitdev.io

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ucdirector.oitdev.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (ucdirector.oitdev.io) from /etc/letsencrypt/renewal/ucdirector.oitdev.io.conf produced an unexpected error: Failed authorization procedure. ucdirector.oitdev.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ucdirector.oitdev.io/.well-known/acme-challenge/cTdVUTXeqyKFSeRH6lI8Xgl7_AfFqbrhJ9KfCVZZZls [165.227.80.130]: "\n\n400 Bad Request\n\n

Bad Request</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem (failure)

My web server is (include version):

Nodejs 8.10.0

The operating system my web server runs on is (include version):

Ubuntu 18.04

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

0.31.0

/etc/letsencrypt/renewal/ucdirector.oitdev.io.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/ucdirector.oitdev.io
cert = /etc/letsencrypt/live/ucdirector.oitdev.io/cert.pem
privkey = /etc/letsencrypt/live/ucdirector.oitdev.io/privkey.pem
chain = /etc/letsencrypt/live/ucdirector.oitdev.io/chain.pem
fullchain = /etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 15bff7ef306a542ec3675d543bb7b9c9
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

/etc/apache2/sites-available/ucdirector.oitdev.io.conf

<VirtualHost *:443>

ServerName ucdirector.oitdev.io
ServerAlias www.ucdirector.oitdev.io

DocumentRoot /var/www/html/ucdirector/build

ProxyRequests Off
ProxyPreserveHost On

SSLProxyEngine On
ProxyVia Full
<Proxy *>
Require all granted

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/ucdata1.oitdev.io/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ucdata1.oitdev.io/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ucdata1.oitdev.io/fullchain.pem

/etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/ucdirector/build

<Directory /var/www/html/ucdirector>
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Require all granted

ServerName ucdirector.oitdev.io
ServerAlias ucdirector.oitdev.io
RewriteEngine on

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

#

DirectoryIndex server.js index.php index.pl index.cgi index.html index.xhtml index.htm

#
#RewriteCond %{SERVER_NAME} = ucdirector.oitdev.io
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

2

Hi @DaviCaamano

checking your domain your http is wrong, that's https - https://check-your-website.server-daten.de/?q=ucdirector.oitdev.io

http has a http status 400 - Bad Request.

But the wrong combination

 https://ucdirector.oitdev.io:80/

https over port 80 works and answers with your login page. So

  • your vHost configuration is wrong (or)
  • you have a router or something else, port 80 extern is forwarded to port 443 intern, that's wrong.

So checking your validation file via http / port 80 can't work, that's your error message "Bad Request".

What says

apachectl -S
3

apachectl -S returns:

AH00526: Syntax error on line 45 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

4

My /etc/apache2/sites-enabled/000-default-le-ssl.conf

< IfModule mod_ssl.c >
< VirtualHost :443 >
"# The ServerName directive sets the request scheme, hostname and port that
"# the server uses to identify itself. This is used when creating
"# redirection URLs. In the context of virtual hosts, the ServerName
"# specifies what hostname must appear in the request's Host: header to
"# match this virtual host. For the default virtual host (this file) this
"# value is not decisive as it is used as a last resort host regardless.
"# However, you must set it for any further virtual host explicitly.
"#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/ucdirector/build
ServerName ucdirector.oitdev.io
"# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
"# error, crit, alert, emerg.
"# It is also possible to configure the loglevel for particular
"# modules, e.g.
"#LogLevel info ssl:warn
"ErrorLog ${APACHE_LOG_DIR}/error.log
"CustomLog ${APACHE_LOG_DIR}/access.log combined
"# For most configuration files from conf-available/, which are
"# enabled or disabled at a global level, it is possible to
"# include a line for only one particular virtual host. For example the
"# following line enables the CGI configuration for this host only
"# after it has been globally disabled with "a2disconf".
"#Include conf-available/serve-cgi-bin.conf
"#/IncludeOptional sites-enabled/.conf
RewriteEngine on
"#RewriteCond %{SERVER_NAME} =ucdirector.oitdev.io
"#RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
"# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

"#RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
RewriteRule ^ - [L]
RewriteRule ^ /index.html [L]

< Directory /var/www/html/ucdirector/build>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
< /Directory>

SSLCertificateFile /etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ucdirector.oitdev.io/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
< /VirtualHost>
< /IfModule>

5

However the file does exist:

And does have a certificate within it.

6

Run that command as sudo.

7

Boy is my face red...

VirtualHost configuration:
*:443 ucdirector.oitdev.io (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 ucdirector.oitdev.io (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

If it's in any way illuminating, the Nodejs project files are located in

/var/www/html/ucdirector

8

That

says: Your config file

isn't used.

But that doesn't explain why your port 80 is a https port. Is there a router?

Share the complete content of

/etc/apache2/sites-enabled/000-default.conf
9

No router.
I greatly appreciate the quickness and frequency of your response.

/etc/apache2/sites-enabled/000-default.conf

< VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/ucdirector/build

< Directory /var/www/html/ucdirector>
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Require all granted
< /Directory>

ServerName ucdirector.oitdev.io
ServerAlias ucdirector.oitdev.io
RewriteEngine on

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

"#
"# DirectoryIndex server.js index.php index.pl index.cgi index.html index.xhtml index.htm
"#< /IfModule>
"#RewriteCond %{SERVER_NAME} = ucdirector.oitdev.io
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
< /VirtualHost>

10

The configuration looks ok.

So I don't understand why there is a https answer.

Checking that url:

https://ucdirector.oitdev.io:80/

there is a redirect

https://ucdirector.oitdev.io:80/login

UC Director

What's that? Looks like that creates it's own thing, so the Apache configuration isn't used.

11

I added ucdirector.oitdev.io.conf to enabled through a2ensite.

/etc/apache2/sites-enabled/ucdirector.oitdev.io.conf

< VirtualHost *:443>

ServerName ucdirector.oitdev.io
ServerAlias www.ucdirector.oitdev.io

DocumentRoot /var/www/html/ucdirector/build
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/ucdirector.oitdev.io/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ucdirector.oitdev.io/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem

< /VirtualHost>

12

The problem isn't your port 443 host.

The problem is your port 80.

Creating a certificate Letsencrypt checks your port 80.

But doing that -> there is a https answer - port 80 -> bad request. That's the configuration you have to fix.

13

Update:

apachectl -S

VirtualHost configuration:
*:80 ucdirector.oitdev.io (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server ucdirector.oitdev.io (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ucdirector.oitdev.io (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ucdirector.oitdev.io (/etc/apache2/sites-enabled/ucdirector.oitdev.io.conf:1)
alias www.ucdirector.oitdev.io
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

This is my port 80 virtual host
/etc/apache2/sites-available/000-default.conf

< VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/ucdirector/build
ServerName ucdirector.oitdev.io
ServerAlias ucdirector.oitdev.io

< Directory /var/www/html/ucdirector>
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Require all granted
< /Directory>

< /VirtualHost>

Port 443 virtual host

< VirtualHost *:443>

ServerName ucdirector.oitdev.io
ServerAlias www.ucdirector.oitdev.io

DocumentRoot /var/www/html/ucdirector/build

SSLProxyEngine On
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/ucdirector.oitdev.io/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ucdirector.oitdev.io/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem

< /VirtualHost>

14

After Trying to do

certbot renew --dry-run

I'm getting this Error

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/ucdirector.oitdev.io.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ucdirector.oitdev.io
Cleaning up challenges
Attempting to renew cert (ucdirector.oitdev.io) from /etc/letsencrypt/renewal/ucdirector.oitdev.io.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

15

That's the problem. You don't have a working port 80. Why?

There must be another instance running, your defined port 80 doesn't work.

Is there a Listen 80 directive?

16

Not in any apache config files.

17

That’s the problem - add one.

18

Of course, now we return to this error

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/ucdirector.oitdev.io.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ucdirector.oitdev.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (ucdirector.oitdev.io) from /etc/letsencrypt/renewal/ucdirector.oitdev.io.conf produced an unexpected error: Failed authorization procedure. ucdirector.oitdev.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ucdirector.oitdev.io/.well-known/acme-challenge/UxO2M-9VjWndQGvPzjbPWdhfy_-yTZPq8Kox0IdfNjA [165.227.80.130]: "\n\n400 Bad Request\n\n

Bad Request</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ucdirector.oitdev.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

19

apachectl -S

VirtualHost configuration:
*:80 ucdirector.oitdev.io (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server ucdirector.oitdev.io (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ucdirector.oitdev.io (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ucdirector.oitdev.io (/etc/apache2/sites-enabled/ucdirector.oitdev.io.conf:1)
alias www.ucdirector.oitdev.io
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

20

I think the *:443 in /etc/apache2/sites-enabled/000-default.conf is somehow confusing the system.
You probably don't need any part of that there at all.
Try removing that part from the config.