Failed authorization procedure, When I run sudo certbot --nginx -d interface.orsedd.com certonly

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:interface.orsedd.com

I ran this command: sudo certbot --nginx -d interface.orsedd.com certonly

It produced this output:

Failed authorization procedure. interface.orsedd.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://interface.orsedd.com/.well-known/acme-challenge/rz1Yq7neKMO31iNPR2JDOlXjrClGp13n7CTOl9lV4JQ: “\n\n\n The page you were looking for doesn’t exist (404)\n <style type=“text/css”>\n b”

IMPORTANT NOTES:

My web server is (include version):nginx/1.8.0

The operating system my web server runs on is (include version):ubuntu 14.04.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

It seems that certbot can’t adequately handle your request.
I will be treating this as a new cert request with the understanding that your current site has a valid cert that is good for 5 more months. If that is NOT the case, please update the ticket.

As a first test I would like to see if the vhost configuration is clean and clear.
Please post:
nginx -T
and/or at least:
nginx -T | grep -Ei 'server_name|rewrite|listen|location'


Please use capital T

Capital -T was added in Nginx 1.9.2.

Ubuntu 14.04 goes EOL soon and this might not be a good priority, but you could upgrade Nginx.

https://nginx.org/en/linux_packages.html

nginx -T just displays your entire configuration, starting from nginx.conf and showing all included files. You can achieve the same thing by carefully manually reading it.

Edit: On second thought, upgrading Nginx with Phusion Passenger might involve different steps.


If the capital T is NOT an option…
Please show:
grep -Eri 'server_name|rewrite|listen|location|include' /etc/nginx/

There may be a slight conflict with these two (both using “_”):
/etc/nginx/sites-available/orsedd.conf: server_name api.orsedd.com *.orsedd.com orsedd.govannon.net _;
/etc/nginx/sites-available/default: server_name _;

Should I remove one?

They seem to use different ports… so it may be OK.
[we might look at this more again]

Also, both of those overlap the FQDN interface.orsedd.com:
The first with the wildcard and the second with the default “_”.

Please show:
ls -l /etc/nginx/sites-enabled/
grep -Eri 'root|server_name|include|listen' /etc/nginx/

OK the conflicts are irrelevant; as the /etc/nginx/sites-available/default file does not appear to be enabled.

So that leaves us with:
/etc/nginx/sites-available/orsedd.conf:
listen 8080;
server_name api.orsedd.com *.orsedd.com orsedd.govannon.net _;
root /var/rails/orsedd/current/public;

This is where I would say “put a file in that folder and let’s see if we can access it from the Internet…”
But since it only listens to port 8080 it will not serve us well for LE authentication.

So, you can either add another vhost config file to handle the site interface.orsedd.com or you can also listen on port 80 on that vhost config file.

Which do you prefer?
[or perhaps you prefer some other option]

OK; ensure it includes:
listen 80;
server_name interface.orsedd.com;

Please show the file or at least the root used for it

OK, reload nginx.
And let’s try a --dry-run:
sudo certbot --nginx -d interface.orsedd.com certonly --dry-run

OK.
This is the part where we put some test files.
[use sudo if needed]

echo "test 1234" > /var/rails/orsedd_interface/current/public/delete-me-1234

mkdir /var/rails/orsedd_interface/current/public/.well-known
mkdir /var/rails/orsedd_interface/current/public/.well-known/acme-challenge
echo "test 5678" > /var/rails/orsedd_interface/current/public/.well-known/acme-challenge/delete-me-5678

[These two files can be deleted once the tests are concluded]
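An added pre-flight script (not from this thread) that automates the test-file step above: it writes a random token under the webroot's .well-known/acme-challenge/, fetches it over plain HTTP the way the Let's Encrypt validator does, and reports the status code, so a 404 or 405 shows up before certbot is run. The base URL and webroot are command-line arguments; the file name acme_preflight.py is an assumption.

```python
"""Pre-flight check for an ACME http-01 challenge path (acme_preflight.py, assumed name).

Mirrors what the validator does: place a token file under
<webroot>/.well-known/acme-challenge/ and fetch it at
http://<domain>/.well-known/acme-challenge/<token>. A 404, as in the thread,
means the vhost the validator reaches is not serving that directory.
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot: str) -> tuple[str, str]:
    """Write a random token file under the challenge dir; return (token, body)."""
    token = secrets.token_urlsafe(32)
    body = f"test-{token}"
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(body)
    return token, body


def fetch_challenge(base_url: str, token: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET the token URL; return (status, body). HTTP errors are returned, not raised."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def verify_challenge_path(base_url: str, webroot: str) -> dict:
    """Place a token, fetch it, remove it; report whether the served body matched."""
    token, expected = place_token(webroot)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))  # never leave test files behind
    return {"status": status, "ok": status == 200 and body.strip() == expected, "token": token}


if __name__ == "__main__":
    import sys
    # usage: python acme_preflight.py http://interface.orsedd.com /var/rails/orsedd_interface/current/public
    result = verify_challenge_path(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it as root (or a user that can write to the webroot) from any host with Internet access; exit status 0 means the challenge path is served correctly.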

This is strange…
I can see both files:

more delete-me-*
::::::::::::::
delete-me-1234
::::::::::::::
test 1234
::::::::::::::
delete-me-5678
::::::::::::::
test 5678

Which means the --dry-run should have worked!

Something I’ve missed is still affecting certbot.

Let’s try --webroot instead:
sudo certbot --webroot -w /var/rails/orsedd_interface/current/public -d interface.orsedd.com certonly --dry-run

 sudo certbot --webroot -w /var/rails/orsedd_interface/current/public -d interface.orsedd.com certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for interface.orsedd.com
Using the webroot path /var/rails/orsedd_interface/current/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. interface.orsedd.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://interface.orsedd.com/.well-known/acme-challenge/qEQI6drxrOCZcDFfjLNjkjfbXzUbf2OU7TDFK6zz3dQ: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The page you were looking for doesn't exist (404)</title>\n  <style type=\"text/css\">\n    b"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: interface.orsedd.com
   Type:   unauthorized
   Detail: Invalid response from
   http://interface.orsedd.com/.well-known/acme-challenge/qEQI6drxrOCZcDFfjLNjkjfbXzUbf2OU7TDFK6zz3dQ:
   "<!DOCTYPE html>\n<html>\n<head>\n  <title>The page you were
   looking for doesn't exist (404)</title>\n  <style
   type=\"text/css\">\n    b"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Now this is even stranger!
I’m thinking maybe certbot can’t write a file in that directory.

Please show the file:
/var/log/letsencrypt/letsencrypt.log
[if it is very long, just the last 100 lines or so]

That was fruitless - we may have to return there with more verbose output…
But in the meantime, let's try going back to the nginx plugin, but this time force the challenge location:

mkdir /var/ACMEchallengeTEST
mkdir /var/ACMEchallengeTEST/.well-known
mkdir /var/ACMEchallengeTEST/.well-known/acme-challenge

And modify your file to use this test challenge location:

server {
    listen 80;
    listen [::]:80;
    server_name interface.orsedd.com;
    passenger_enabled on;
    passenger_min_instances 1;
    passenger_max_instances 5;

    passenger_user 'www-data';
    passenger_group 'www-data';

    #passenger_concurrency_model 'thread';
    passenger_thread_count 5;

    location /.well-known/acme-challenge/ {
        access_log off;
        root /var/ACMEchallengeTEST/;
        # "=405" returns the status code; a bare "405" would be treated as a URI to redirect to
        try_files $uri =405;
    }

    root /var/rails/orsedd_interface/current/public;
}

then reload nginx
then:
sudo certbot --nginx -d interface.orsedd.com certonly --dry-run

[notice: using different location and different error code (405)]

vi /etc/nginx/sites-available/orsedd_interface80.conf
root@core2:~# sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@core2:~# service nginx reload
 * Reloading nginx configuration nginx [ OK ]
root@core2:~# sudo certbot --nginx -d interface.orsedd.com certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for interface.orsedd.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. interface.orsedd.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://interface.orsedd.com/.well-known/acme-challenge/et1XkoLzGKBVRIxr_TDlD_DD0bYC1H-bSpWcARKB7dI: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The page you were looking for doesn't exist (404)</title>\n  <style type=\"text/css\">\n    b"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: interface.orsedd.com
   Type:   unauthorized
   Detail: Invalid response from
   http://interface.orsedd.com/.well-known/acme-challenge/et1XkoLzGKBVRIxr_TDlD_DD0bYC1H-bSpWcARKB7dI:
   "<!DOCTYPE html>\n<html>\n<head>\n  <title>The page you were
   looking for doesn't exist (404)</title>\n  <style
   type=\"text/css\">\n    b"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The location is being completely ignored!
http://interface.orsedd.com/.well-known/acme-challenge/gibberish
should return error 405
But it still returns error 404