Failed authorization procedure: .well-known/acme-challenge/


#1

I’m trying to renew my certificates, and I’m running into this problem. My configuration is a bit of a mess, as there were multiple certificates issued for the same domains, but hopefully this can be troubleshooted. There are multiple domains on the server and only some of them don’t work, and I’ve singled out just one for brevity.

Putting a test file in .well-known/acme-challenge/ works, as you can see here.
http://www.bychowo.pl/.well-known/acme-challenge/test

My domain is: bychowo.pl

I ran this command: sudo /usr/bin/certbot --dry-run --apache certonly -d bychowo.pl

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bychowo.pl
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. bychowo.pl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bychowo.pl/.well-known/acme-challenge/MvN-vnKVY67bW06AO7v9vrePZzWuwaM-iOlt0C1CfqM [69.87.221.76]: “\n\n<html lang=”

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


#2

Sometimes, the apache plugin has trouble with serving the token file when the VirtualHosts are set up in a “non standard” (from the perspective of certbot :wink: ) manner.

There are two ways to fix it:

  • use the webroot authenticator plugin (with -a webroot) combined with the apache installer plugin (with -i apache) and point the webroot to the webroot path with -w /path/to/webroot/
  • show us your VirtualHost sections from your Apache configuration so we might be able to “fix” it, so you can use certbot like you are using now. Please use the “code” tags (see the logo looking like </> in the post editor bar).

#3

Hi @makbet

did you fix it? Now there is a new certificate, created today ( https://check-your-website.server-daten.de/?q=bychowo.pl ):

CN=bychowo.pl
	19.02.2019
	20.05.2019
expires in 90 days	bychowo.pl - 1 entry

But you have two dns entries, www and non-www. So your certificate works only with your non-www-version, your www version is insecure.

Domainname Http-Status redirect Sec. G
http://bychowo.pl/
69.87.221.76 301 https://bychowo.pl/ 0.923 A
http://www.bychowo.pl/
69.87.221.76 301 https://bychowo.pl/ 0.300 E
https://www.bychowo.pl/
69.87.221.76 301 https://bychowo.pl/ 2.434 N
Certificate error: RemoteCertificateNameMismatch
https://bychowo.pl/
69.87.221.76 200 3.257 B

So create one certificate with two domain names:

-d byhowo.pl -d www.bychowo.pl

and use that. Then both domains + connections are secure.


closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.