Failed authorization procedure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
wed.dyndns.org
I ran this command:
letsencrypt
It produced this output:
root@linuxserver:~# letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: wed.dyndns.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wed.dyndns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wed.dyndns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wed.dyndns.org/.well-known/acme-challenge/IvDsn3Um-lNcpsc3PGm0QOm7t0nrVR-oc8IhTdeag8s [62.54.176.98]: "\n\n404 Not Found\n\nNot Found\n<p"

IMPORTANT NOTES:


root@linuxserver:~# apachectl -S
VirtualHost configuration:
*:443 wed.dyndns.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 linuxserver.lan.wed (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=1001
Group: name="www-data" id=1001

My web server is (include version):
Apache 2.4.38 (-3+deb10u3)
The operating system my web server runs on is (include version):
Debian buster amd64
My hosting provider, if applicable, is:
own server via dyndns.org
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0-1

Open this file and replace linuxserver.lan.wed with wed.dyndns.org.

Show us the contents of the .conf files in sites-enabled. Use the </> button in the reply editor.

In 000-default.conf there is no entry "linuxserver.lan.wed".
…/sites-enabled/000-default.conf:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    Protocols h2c http/1.1
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =wed.dyndns.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


…/sites-enabled/000-default-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    Protocols h2 http/1.1
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    SSLCertificateFile /etc/letsencrypt/live/wed.dyndns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wed.dyndns.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ServerName wed.dyndns.org

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

…/sites-enabled/kivitendo.conf:

AliasMatch ^/kivitendo-erp/[^/]+\.pl /var/www/html/kivitendo-erp/dispatcher.fcgi
Alias /kivitendo-erp/ /var/www/html/kivitendo-erp/

FcgidMaxRequestLen 10485760

<Directory /var/www/html/kivitendo-erp>
    AddHandler fcgi-script .fpl

    AllowOverride All
    Options ExecCGI Includes FollowSymlinks
    Require all granted
</Directory>

<DirectoryMatch /var/www/html/kivitendo-erp/users>
    Require all denied
</DirectoryMatch>

…/sites-enabled/nextcloud.conf:

Alias /nextcloud "/var/www/html/nextcloud/"

<Directory /var/www/html/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    Dav off

    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud
    Satisfy Any
</Directory>

I have configured the ServerName option in /etc/apache2/sites-enabled/000-default.conf and …/000-default-le-ssl.conf to ServerName "wed.dyndns.org". But after reloading the new configuration there is no change in the error.

Maybe the problem is with the "/.well-known/acme-challenge…" configuration?

There is no folder under /var/www/html named "/.well-known…".

I also have a "/.well-known/" problem with my Nextcloud configuration. It's configured via ".htaccess" by a Nextcloud file, but is also reported as a warning.

The Apache module rewrite is activated.
The letsencrypt/certbot error also says that "http://wed.dyndns.org/.well-known/acme-challenge/YtemJnQ3mkapBIC3mR3NIUzGq4oDWChkTbaOZydxMoY [62.54.176.98]" is not found (404).

The renewal was successful from 2016 until 16 December 2019 without any problems.

In the forum I found solutions for the "/.well-known/…" problem only for the nginx server, not for apache2.

What are the important settings in apache2 to prevent this /.well-known/acme-challenge/… problem?
What was the change in the letsencrypt system after December 2019?

“check-your-website” output:

A: Good: All checks /.well-known/acme-challenge/random-filename without redirects answer with the expected http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge should work. If it doesn't work: Check your vHost configuration (apachectl -S, httpd -S, nginx -T). Every combination of port and ServerName / ServerAlias (Apache) or Server (Nginx) must be unique. Merge duplicated entries in one vHost. If you use an IIS, extensionless files must be allowed in the /.well-known/acme-challenge subdirectory. Create a web.config in that directory. Content: <configuration><system.webServer><staticContent><mimeMap fileExtension="." mimeType="text/plain" /></staticContent></system.webServer></configuration>. If you have a redirect http ⇒ https, that's ok, Letsencrypt follows such redirects to port 80 / 443 (same or other server). There must be a certificate. But the certificate may be expired, self signed or with a not matching domain name. Checking the validation file Letsencrypt ignores such certificate errors. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.

8. Connections

Domain | IP | Port | Cert. | Protocol | KeyExchange | Strength | Cipher | Strength | HashAlgorithm | OCSP stapling | Connection | HTTP/2 | TLS versions | Chain
wed.dyndns.org | 62.54.176.98 | 443 | Certificate/chain invalid | Tls12 | ECDH Ephemeral | 255 | Aes128 | 128 | Sha256 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, Tls.1.1, Tls.1.0 | Chain (complete): 1 CN=wed.dyndns.org; 2 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
www.wed.dyndns.org | 62.54.176.98 | 443 | Certificate/chain invalid and wrong name | Tls12 | ECDH Ephemeral | 255 | Aes128 | 128 | Sha256 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, Tls.1.1, Tls.1.0 | Chain (complete): 1 CN=wed.dyndns.org; 2 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
wed.dyndns.org | wed.dyndns.org | 8443 | Certificate/chain invalid | Tls12 | ECDH Ephemeral | 256 | Aes256 | 256 | Sha384 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, Tls.1.1, Tls.1.0 | Chain (complete): 1 CN=wed.dyndns.org; 2 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
wed.dyndns.org | wed.dyndns.org | 10000 | Certificate/chain invalid and wrong name | Tls12 | ECDH Ephemeral | 255 | Aes256 | 256 | Sha384 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, no Tls.1.1, no Tls.1.0 | Self signed certificate: 1 CN=*, O=Webmin Webserver on lt2server, emailAddress=root@lt2server
www.wed.dyndns.org | www.wed.dyndns.org | 8443 | Certificate/chain invalid and wrong name | Tls12 | ECDH Ephemeral | 256 | Aes256 | 256 | Sha384 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, Tls.1.1, Tls.1.0 | Chain (complete): 1 CN=wed.dyndns.org; 2 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
www.wed.dyndns.org | www.wed.dyndns.org | 10000 | Certificate/chain invalid and wrong name | Tls12 | ECDH Ephemeral | 255 | Aes256 | 256 | Sha384 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, no Tls.1.1, no Tls.1.0 | Self signed certificate: 1 CN=*, O=Webmin Webserver on lt2server, emailAddress=root@lt2server
62.54.176.98 | 62.54.176.98 | 8443 | Certificate/chain invalid and wrong name | Tls12 | ECDH Ephemeral | 256 | Aes256 | 256 | Sha384 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, Tls.1.1, Tls.1.0 | Chain (complete): 1 CN=wed.dyndns.org; 2 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
62.54.176.98 | 62.54.176.98 | 10000 | Certificate/chain invalid and wrong name | Tls12 | ECDH Ephemeral | 255 | Aes256 | 256 | Sha384 | error checking OCSP stapling | ok | no http/2 via ALPN | Tls.1.2, no Tls.1.1, no Tls.1.0 | Self signed certificate: 1 CN=*, O=Webmin Webserver on lt2server, emailAddress=root@lt2server

1. Certificates

CN=wed.dyndns.org | 15.12.2019 | 14.03.2020 | 9 days expired | wed.dyndns.org - 1 entry

I'm not able to eliminate the renewal error.

Is it possible to remove the letsencrypt system completely from my server and install it again from scratch? Will that procedure result in a correct configuration?

You need to use the </> button in the editor if you want me to be able to understand that stuff. (select, then click)

Hi @kaiww

your apachectl -S shows the solution.

There is no vHost with that domain name.

Add one.

Thank you for your help. The mistake was completely different, sorry.

In my router, there was port forwarding for http (80) and https (443) to different IP addresses.

I changed the http forwarding to the same host as https, and now there is no more error.

I'm sorry for producing such confusion.