Failed authorization procedure. www.martincar.hu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization

bluelight · January 21, 2019, 11:02am

Hi guys,

I found a problem on one of my servers I just cannot seem to solve by myself.

I have multiple domains with SSL on this server and they are all good, but this one. The “simple” version of the domain “martincar.hu” has no problems, but the www version cannot seem to be able to renew.

I tried lots of things, but no luck. I even tried to create “.well-known/acme-challenge/QELwlUDWBpPIsczWd9tgM01c8l6imCxmF7zIYMchX2w” by hand to make sure it works, and it does:
http://www.martincar.hu/.well-known/acme-challenge/QELwlUDWBpPIsczWd9tgM01c8l6imCxmF7zIYMchX2w

The domain works without errors: http://dnsviz.net/d/www.martincar.hu/dnssec/

I cannot find the problem. Can you help me out? Thanks in advance!

My domain is:
www.martincarhu
I ran this command:
/opt/certbot/certbot-auto renew
It produced this output:
"- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.martincar.hu.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.martincar.hu
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.martincar.hu) from /etc/letsencrypt/renewal/www.martincar.hu.conf produced an unexpected error: Failed authorization procedure. www.martincar.hu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.martincar.hu/.well-known/acme-challenge/QELwlUDWBpPIsczWd9tgM01c8l6imCxmF7zIYMchX2w: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.

"

My web server is (include version):
Apache 2.4.7
The operating system my web server runs on is (include version):
Ubuntu 14.04
My hosting provider, if applicable, is:
mhosting
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
ISPConfig 3.1.2
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.0

_az · January 21, 2019, 11:07am

Could you please show the full output of:

apachectl -t -D DUMP_VHOSTS

When the Apache authenticator doesn’t work, it’s a pretty good sign that something is awry with the virtualhost setup (such as multiple virtualhosts with the same domain).

bluelight · January 21, 2019, 11:25am

Sure. I hope you don’t mind if I grep to ‘martincar’, because it’s a lot of output without filtering.

port 80 namevhost chiptuningbox.hu (/etc/apache2/sites-enabled/100-chiptuningbox.hu.vhost:7)
alias www.chiptuningbox.hu
alias www.gyorshajtas.hu
alias gyorshajtas.hu
alias www.martincaraudio.hu
alias martincaraudio.hu
port 80 namevhost martincar.hu (/etc/apache2/sites-enabled/100-martincar.hu.vhost:7)
alias www.martincar.hu
alias www.martin.hu
alias martin.hu
alias www.martinpeter.hu
alias martinpeter.hu
port 80 namevhost martincar.ro (/etc/apache2/sites-enabled/100-martincar.ro.vhost:7)
alias www.martincar.ro
port 80 namevhost www.martincar.hu (/etc/apache2/sites-enabled/100-www.martincar.hu.vhost:6)
alias www.martin.hu
alias martin.hu
alias www.martinpeter.hu
alias martinpeter.hu
port 443 namevhost martincar.hu (/etc/apache2/sites-enabled/10-martincar.hu-ssl.vhost:7)
port 443 namevhost www.martincar.hu (/etc/apache2/sites-enabled/10-www.martincar.hu-ssl.vhost:7)

_az · January 21, 2019, 11:32am

I can't tell if it's because of the filtering, but there does appear to be a duplicate appearance of the www.martincar.hu servername:

and

As part of its operation, Certbot's Apache authenticator inserts custom configuration into a single virtualhost in order to facilitate serving the challenge response, rather than writing a file into your webroot.

What can happen is that Certbot can get confused when it encounters a domain that is defined across more than a single virtualhost, which is a nonsensical configuration. Certbot may pick the "wrong" virtualhost (the one that is not actually doing anything), and the custom configuration essentially gets ignored.

Assuming this interpretation is correct, the fix would be to remove www.martincar.hu from one of the above virtualhosts, so that there is only a single port 80 virtualhost with that ServerName or ServerAlias.

bluelight · January 21, 2019, 11:47am

Wow sweet!

I commented out “#ServerAlias www.martincar.hu” in martincar.hu.vhost and now it works. I don’t even know why I have a separate www.martincar.hu.vhost, when they both point to the same directory, but that’s a story for another time.

I didin’t know certbot was this sensitive, but from now on I will keep that in mind.

Thank you very much for your help _az. You are awesome!

system · February 20, 2019, 11:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.