Failed authorization procedure

Hi,

I’ve been attempting to get new certificates for this domain (whose original ones expired on January 12th 2020) on a completely new host and new OS version (totally clean thus :laughing: ). Despite a thorough check of similar subjects on the forum I did not manage to solve my problem and will update the title as soon as I understand what is going on.

The file (caught with a small bash script)
“/var/www/html/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU”
is successfully created during the process and contains:
“Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU.hv39oMM_cC4VbCunYeyVvwa1KAVO51Vb7d9vKJBCcBM”

When I manually create this file (and the directory structure), I am able to access it (and download it) from another computer using Chrome or Firefox on a local network.

Although it doesn’t seem to me that there is any redirection, the letsdebug check shows one from http to https, and the same shows up at “check-your-website.server-daten.de” where furthermore it says:
“All checks /.well-known/acme-challenge/random-filename without redirects answer with the expected http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge should work. If it doesn’t work: Check your vHost configuration (apachectl -S, httpd -S, nginx -T). Every combination of port and ServerName / ServerAlias (Apache) or Server (Nginx) must be unique. Merge duplicated entries in one vHost. If you use an IIS, extensionless files must be allowed in the /.well-known/acme-challenge subdirectory. Create a web.config in that directory. Content: <system.webServer></system.webServer>. If you have a redirect http ⇒ https, that’s ok, Letsencrypt follows such redirects to port 80 / 443 (same or other server). There must be a certificate. But the certificate may be expired, self signed or with a not matching domain name. Checking the validation file Letsencrypt ignores such certificate errors. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.”

It is not clear to me what more I could check to understand why I cannot generate the certificates for this domain. Do you have any hint or idea?

Thanks for your time,

Pat


My domain is: acidalia.fr

I ran this command: sudo certbot certonly --dry-run -vvv --debug --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email xxxxx -w /var/www/html -d acidalia.fr

It produced this output (hope it’s readable otherwise tell me how to improve readability):


Root logging level set at -10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f8bd6498400>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f8bd6498400> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/12874038', new_authzr_uri=None, terms_of_service=None), 0f2c00155cb6b72af0a4185e87ea593f, Meta(creation_dt=datetime.datetime(2020, 3, 23, 16, 18, 58, tzinfo=<UTC>), creation_host='Olympus'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 15:55:55 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "YGn-yx8l_BA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 15:55:57 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002dJ7v18Op1S6OJd5-HmAcEVhsh60eq3NefPYrmGVv37U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0002dJ7v18Op1S6OJd5-HmAcEVhsh60eq3NefPYrmGVv37U
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "acidalia.fr"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjg3NDAzOCIsICJub25jZSI6ICIwMDAyZEo3djE4T3AxUzZPSmQ1LUhtQWNFVmhzaDYwZXEzTmVmUFlybUdWdjM3VSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "WnTa4isNG1TcKcAILQLFNeboOcmp4PqamtKt5Cz_jgnEv7-MfIKofGDgJu-YgtV6o8VsY7o01sBxIpmEz5jh0BPpD4u_ZAEuLA0Okr4YPuqGJXyjQzIm3RoZqr5Ifk_N87MOBcma_oWVmYSELfr5MDqTpxHVuzJXg65MJcKXicV3n566Iou0KQxB7j1HeGsC9Djh-FxI9dGt8esTYtnmcQwxYUHM0jAU1ewDF4UYtl5cxI294wN-y_zVG10k2i_K_BduJvh2tv2tdhErWgB3Dm82Ii5ok-riX_xtUQxlGKU5rdocI1I0cj6PtXvqL4Xr5PvAassAxqq3Aqwg7W2LCgjdmD8wccA02s05G9GyVJP47DFcXkqDejojy-h2lBvddIgLlfZuQRtjEK6-S16gtt6GF84nQ_xxeYkErI_ZL0QdLY5sRGmMhKi0-NY9514FtrmeaojPtGJz8i3DRsNQIVi-_H_kZG12POO2aDj7jSP1zI3YBN8l1NFnu3XHZ-N6mNT5XZwNzwnOzJS4KakLz0_QCPoEGy02SOrE_BwNYI0j7qxRSOXNn4c6XqJ6LKQpl6GSeqcOdgqb66lp4tfWa8PjJmUpdSxji3ru0Vyh1JABgOLRc0ipUULlDKcxPAh7eNRiUTSKx5-DCFbqlhvMrqFKqHIwalwQzzWSkJoXaqY",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImFjaWRhbGlhLmZyIgogICAgfQogIF0KfQ"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 353
Received response:
HTTP 201
Server: nginx
Date: Sat, 28 Mar 2020 15:55:57 GMT
Content-Type: application/json
Content-Length: 353
Connection: keep-alive
Boulder-Requester: 12874038
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/12874038/81635840
Replay-Nonce: 0001ZXFlBH6oUcyHCs2epbFaZgSvH48ycB9BA7PytrFPYB4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-04-04T15:55:57.854329852Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "acidalia.fr"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/46010134"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12874038/81635840"
}
Storing nonce: 0001ZXFlBH6oUcyHCs2epbFaZgSvH48ycB9BA7PytrFPYB4
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/46010134:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjg3NDAzOCIsICJub25jZSI6ICIwMDAxWlhGbEJINm9VY3lIQ3MyZXBiRmFaZ1N2SDQ4eWNCOUJBN1B5dHJGUFlCNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NjAxMDEzNCJ9",
  "signature": "PoXKfO5JXtu9yg5dKmzUMo0jX5hoxphTux0XdSSvlOg4ZOLJBzdtWUl7eKMv_bHSrUk_Yjoh8kZ8qD9OdCOyKK0ECOWNxra5Cna6utfpEjxWX8JQBSZyZ2XAUPJvfWO4Wqd0MRdc9Mo7Zuf5tv8tdGCrhVEthQJJo-UwMde9fyJpRADZk-YwbfnDb2-IdBG4jzzb_GaYS04IAtbqCM-H4pYqjVuZUlAlQke85v1oy-arGEYKukHRwHm_2k-BuiIcPi0O6gHrNbI4zR1og00dCOZaAHgDPzClz4DyJkDWP-f360JB6FjMVOrLzWx9Th4dsTTPijXCY9AWYH0kIUkMF4AQAdWd36dqDnkh0Hr6uY61DPVsvqzNbaFolCheO-03bDWStLlUh5weUV96vMJ7pnSGnFpL0h_j3cgDqYZuLu-uMgbhwAx-__WAugLsFzSXdgcGku0sScF5ySrEYTiX_kDJhM5lDXGcKzWlc2XLGgYlWf94v6iYjJNDP5c2Ov-tjax7_iOWc3SMb0iR2rSh5UjHeTkF5ssIotj26DYrFWDVHAXqNsRKkavz5RS50p37gImpJEGXQinbshqC6ZlciAJ6qjfzS25s2CgpMzQuBViWX3QiyQqXnofCM3MtJMizfLn83YJH0hkB9Oi85PVGv4oI4rCRjDNeh0A3dazVNgU",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/46010134 HTTP/1.1" 200 807
Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 15:55:58 GMT
Content-Type: application/json
Content-Length: 807
Connection: keep-alive
Boulder-Requester: 12874038
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001J1y_CaXD61yanNzM6O5k1653JGQwYhCH-waq1zCGr9g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "acidalia.fr"
  },
  "status": "pending",
  "expires": "2020-04-04T15:55:57Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/YSlrOQ",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/SfGrzQ",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/5l4vDg",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
    }
  ]
}
Storing nonce: 0001J1y_CaXD61yanNzM6O5k1653JGQwYhCH-waq1zCGr9g
Performing the following challenges:
http-01 challenge for acidalia.fr
Using the webroot path /var/www/html for all unmatched domains.
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Attempting to save validation to /var/www/html/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU
Waiting for verification...
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/YSlrOQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjg3NDAzOCIsICJub25jZSI6ICIwMDAxSjF5X0NhWEQ2MXlhbk56TTZPNWsxNjUzSkdRd1loQ0gtd2FxMXpDR3I5ZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My80NjAxMDEzNC9ZU2xyT1EifQ",
  "signature": "a_qsmXu_EkCCW9-P2mUy4ze30JBa4G3b2qbwQYRmjFmRZo5bpJHUhafRUeFbm9_TJGsZFitqhhUQA153upg9HIsfCXcwrI_96tVethmPB176MObCFlQJjzWgD0iLUKI-LYT5gWoktHQBM2P08bRdu9hkRXG-cIb9vvkTEyXOHtDFAce1mW9Zuz5e8JaEgXdYOt4CNl6_yGRRejCWOCNqLQK4Ko8_7b5htaqgSxIiazirb0_6yKlBxxDGSCuCAl_lfZkwE_wFEjgPs_qDsq38QBK8GA6o5Sv4VJh6c3ccorHIe0rSMAbbyD7la9AYh4EysrZb7lkrPay_7_WIcuV-rIzUmKwHot_0KwHXuoti7f68zjo0p4j0-xTlVP6OyKDXiO6RfaN1nepC-smgdwsOLWB9K15hvJ_PgbONt4GrXlEArSohDuRHGMcvfa2S6UP0-atlvl1U8fgZKnosd_hLYi40rCDyy7UlLlJZEQEIvPahv_ESbuP_dBaniVLeUUAsYNIQ21kkPxF0Ey6iaEo7fbx3mn040ASMCt-4ddipgmCDtaLrTyo7HUk2ClHCiZDVKMFOdcRo0GuSZXMZp-U0AawcJVIiJQAoBb2-DzVjuZRwctQp8N7yfsHcXmL-f6mWr1CestHtmjmr9wJ67nfGZYC1Wp1lKY6iu3n5GvY2hWQ",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/46010134/YSlrOQ HTTP/1.1" 200 191
Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 15:55:58 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 12874038
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/46010134>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/YSlrOQ
Replay-Nonce: 0002oLfyE1AYMUjKVB3NdbmwB9BwwSDOsFlSyKK8H1e0yNk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/YSlrOQ",
  "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
}
Storing nonce: 0002oLfyE1AYMUjKVB3NdbmwB9BwwSDOsFlSyKK8H1e0yNk
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/46010134:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjg3NDAzOCIsICJub25jZSI6ICIwMDAyb0xmeUUxQVlNVWpLVkIzTmRibXdCOUJ3d1NET3NGbFN5S0s4SDFlMHlOayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NjAxMDEzNCJ9",
  "signature": "hRHQMbobXJrpnbTCJ8AUfJq0MN6NUVgh59LutGXOUSamEzE8K95ubgvC5pJruJJP2mpr0XoaI2Rc6zVt6xwS5WIO3DGBM_bmwGPpLZk3m7nu64SXFj1NThsHkBWqEJUqHl8aeiKfqB84tqysp0baVXOzk7q-fiOIicJ-Xiy1lAJc4RxSeNWbbiz_alLSK0g0yGI7IHzRRNVSvJi37PLWkOI5aKt6ghpCGboEAM3Cj9kYuYT7Nt_f4ljQ76iJozVS9QUbOWQT4gImrQ7RE7nGSkRg6oM0jXbafMMX84KxQPVzJ1asLQpjwU9CyAPI5n9Td1kHRr1A7RB9izuiuKugfPtSjNmC_Do-JzprD247SJQ9btbU838IeKgjJCU4Vu-zdGYxC6rbTJ0vYyIfq4h3NGQGKdRTC2iyl6PZCRQaPFM7SvgH8kSEik7gR-7ReIgEyVkAjJMbkKNgog1YGMnjsolbg8M2R2cEk1WKBkwI2eBIWLmR4owpz6cUk3-NiXfprGE_Gpa6t8eL1qZEsAtMLir9ttRRtn0310EPsD-q6D3vbT79MAVKonTDAroiBAUoF3Lo9B3PXFO7uDSdRlcKNmYjUkLWEgfCg52VQTsTKW-BQPZrq2OgUZnKBb-kHlIGjEkbnazKHVACEoPX_MmQ_zKb9UABHjrSKJdWj36qpow",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/46010134 HTTP/1.1" 200 807
Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 15:56:01 GMT
Content-Type: application/json
Content-Length: 807
Connection: keep-alive
Boulder-Requester: 12874038
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001hQrJCrICx0Y34aW6eWQUEP-YSIZfL8H9oBCgeHlw9GY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "acidalia.fr"
  },
  "status": "pending",
  "expires": "2020-04-04T15:55:57Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/YSlrOQ",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/SfGrzQ",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/5l4vDg",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
    }
  ]
}
Storing nonce: 0001hQrJCrICx0Y34aW6eWQUEP-YSIZfL8H9oBCgeHlw9GY
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/46010134:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjg3NDAzOCIsICJub25jZSI6ICIwMDAxaFFySkNySUN4MFkzNGFXNmVXUVVFUC1ZU0laZkw4SDlvQkNnZUhsdzlHWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NjAxMDEzNCJ9",
  "signature": "TWCXs3N0DyxOur0EgLm1KZvqxmfFFCILM47O0x2aYJJNG0QDkIcur39X6PfaoZwBqoPjEaT7BYv6a07mxRY_Y8GuSECbuaz4QCqTYTwCr9GnCa47TUmTH9j_xdU1yCkh2xGONnlcqDywmxZQ2SRz31VAEM75Ndn8T1iD_BwwDc8oTS3mE-85gUEutxoYECExuM_WIaE6hVWex4jhIHXVx0yoilnWr3THkeSN18YKT5EZbaxX-ax23vqhGoeFdK7pObjqb9tvC2XNFYWm26MTIOvaIlHiV7PIZmb0L62WypSrol5oZJfHc5hK-Fzbzp3YFAyluGxQXmrQiHIbgGmFchAqh-oqQyPhhwCfW1VtCFDvLr1-kyqV-KKh7UplKeuXxUMzRkDqoqM0PZMlZOWeMvyXOsCeJ3e7FzBtfCDRT-OETNuEfce6kFSmPccKEGDIS_sQcm4BRGPbMU-Xe5ymmQDSiPWhk1vKgqrdn4wWJMCwEdG0t9vf_Q42k0oPp1f-2jMghr8dyTKVndzl9mcfhAReM7xCoqbBhhbtb7_REp3W1xSU0grAKYma6IrxZYzOm0YASBF28QRwC-__E-4BwHryzCifKicTH290qpzBSU8EFvVrXR2axALiQgnUHCr4hkzFBS-sVGZWOFsYM--thzcTwwYXbxgs4OL9iexlq5Q",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/46010134 HTTP/1.1" 200 1555
Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 15:56:04 GMT
Content-Type: application/json
Content-Length: 1555
Connection: keep-alive
Boulder-Requester: 12874038
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002FVbR52QHI2pZfixOkpL_WbzWBbEclphL2I4fxUMm06U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "acidalia.fr"
  },
  "status": "invalid",
  "expires": "2020-04-04T15:55:57Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU [88.120.30.159]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody bgcolor=\\\"white\\\"\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003e\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/46010134/YSlrOQ",
      "token": "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU",
      "validationRecord": [
        {
          "url": "http://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU",
          "hostname": "acidalia.fr",
          "port": "80",
          "addressesResolved": [
            "88.120.30.159"
          ],
          "addressUsed": "88.120.30.159"
        },
        {
          "url": "https://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU",
          "hostname": "acidalia.fr",
          "port": "443",
          "addressesResolved": [
            "88.120.30.159"
          ],
          "addressUsed": "88.120.30.159"
        }
      ]
    }
  ]
}
Storing nonce: 0002FVbR52QHI2pZfixOkpL_WbzWBbEclphL2I4fxUMm06U
Reporting to user: The following errors were reported by the server:

Domain: acidalia.fr
Type:   unauthorized
Detail: Invalid response from https://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU [88.120.30.159]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. acidalia.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU [88.120.30.159]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Calling registered functions
Cleaning up challenges
Removing /var/www/html/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. acidalia.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU [88.120.30.159]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: acidalia.fr
  Type:   unauthorized
  Detail: Invalid response from
  https://acidalia.fr/.well-known/acme-challenge/Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU
  [88.120.30.159]: "<html>\r\n<head><title>404 Not
  Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
  Not Found</h1></center>\r\n<hr><center>"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version): NGINX v 1.14.0 (Ubuntu) and my VHost definition:

server {
  listen 80 default_server;
  #listen [::]:80 default_server;
  root /var/www/html;
  #index index.html index.htm index.nginx-debian.html;
  index index.nginx-debian.html;

  server_name _;

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
  }
  include /etc/nginx/snippets/certbot.conf;
}

server {
  listen 443 ssl default_server;
  server_name _;
  #
  # Note: You should disable gzip for SSL traffic.
  # See: https://bugs.debian.org/773332
  #
  # Read up on ssl_ciphers to ensure a secure configuration.
  # See: https://bugs.debian.org/765782
  #
  # Self signed certs generated by the ssl-cert package
  # Don't use them in a production server!
  #
  #include snippets/snakeoil.conf;

  root /var/www/html;

  # Add index.php to the list if you are using PHP
  #index index.html index.htm;
  index index-sec.nginx.html;


  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
  }
  include /etc/nginx/snippets/certbot.conf;
}

The operating system my web server runs on is (include version): Kubuntu v 18.04

My hosting provider, if applicable, is: None

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot v 0.31.0

Let’s start with a sanity check - is fox.ovh on the same nginx server as acidalia.fr?

I also edited your post for improved readability.

Here’s one clue as to what could be going wrong:

When I make a request to your server, I see an entirely different nginx server version:

$ curl -I acidalia.fr
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2

Thanks for the improved readability… :slightly_smiling_face:
No, fox.ovh is not on the same server as acidalia.fr (by the way, what is fox.ovh?)

fox.ovh is the default SSL certificate that is being served by the IP address that acidalia.fr points to:

$ openssl s_client -connect 88.120.30.159:443 -showcerts 2>/dev/null | openssl x509 -noout -subject
subject=CN = fox.ovh

Since you do not recognize it, I would suggest checking that acidalia.fr is actually pointing to the correct IP:

$ dig +noall +answer acidalia.fr
acidalia.fr.            3112    IN      A       88.120.30.159

That the nginx version is different to the one you report is further evidence to suggest the IP is wrong.

88.120.30.159 is my freebox ip address: it is indeed the correct one

I found another old link olympus.hd.free.fr pointing at the same IP. Should I remove it?

Not that I don’t believe you, but could you humor me and try running this from the Kubuntu server where nginx is running?

curl ipinfo.io

Hi @pat06600

there is a redirect http -> https. But if https has the wrong certificate:

  • Your certbot runs on the wrong machine
  • Your webroot is wrong
  • your https isn’t configured, so the wrong vHost answers -> that can’t work
  • so remove your redirect

A working port 80 vHost with the correct server_name -> better, not a server_name _;.
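Diagnosing this kind of failure from the authorization object certbot logs (the one at the top of the thread), as an added Python example that is not from the thread or from certbot: it pulls out the redirect and address evidence _az and Juergen pointed at, and checks a local webroot for the key authorization file. `SAMPLE_AUTHZ`, `triage_http01`, `check_webroot` and `demo` are names chosen here; the token, IP and thumbprint values are copied from the thread, and the sample error detail is a shortened copy of the logged one.

```python
import os
import re
import tempfile

# Constructed sample shaped like the authz object certbot logs in the thread.
TOKEN = "Fdi1xpSuoZXr0nTVlT08d5QuzWg1we_9q8oWggL6qvU"
PATH = "/.well-known/acme-challenge/" + TOKEN
IP = "88.120.30.159"
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "acidalia.fr"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid", "token": TOKEN,
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
            "detail": 'Invalid response from https://acidalia.fr%s [%s]: '
                      '"<html><head><title>404 Not Found</title>' % (PATH, IP),
        },
        "validationRecord": [
            {"url": "http://acidalia.fr" + PATH, "hostname": "acidalia.fr", "port": "80",
             "addressesResolved": [IP], "addressUsed": IP},
            {"url": "https://acidalia.fr" + PATH, "hostname": "acidalia.fr", "port": "443",
             "addressesResolved": [IP], "addressUsed": IP},
        ],
    }],
}

# RFC 8555 tokens are base64url text carrying at least 128 bits (22+ chars).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def triage_http01(authz):
    """Summarise a failed http-01 challenge from an ACME authorization object."""
    chall = next(c for c in authz["challenges"] if c["type"] == "http-01")
    records = chall.get("validationRecord", [])
    error = chall.get("error", {})
    addresses = sorted({r["addressUsed"] for r in records})
    who = ", ".join(addresses)
    # More than one record means the validator was redirected; only the last
    # record's response body is judged, so that vHost must serve the token.
    followed_redirect = len(records) > 1
    hints = []
    if followed_redirect:
        hints.append("redirect from port %s to port %s followed; the vHost answering %s "
                     "must serve the token (a bad certificate is ignored, a 404 is not)"
                     % (records[0]["port"], records[-1]["port"], records[-1]["url"]))
    if "404 Not Found" in error.get("detail", ""):
        hints.append("a web server at %s answered but has no such file: confirm that %s "
                     "is the host certbot runs on and that -w names its real webroot" % (who, who))
    if len(addresses) > 1:
        hints.append("records were served by different addresses: check the A/AAAA records")
    return {"domain": authz["identifier"]["value"], "token": chall["token"],
            "error_type": error.get("type"), "http_status": error.get("status"),
            "followed_redirect": followed_redirect, "addresses": addresses,
            "final_url": records[-1]["url"] if records else None, "hints": hints}


def check_webroot(webroot, token, thumbprint):
    """Does <webroot>/.well-known/acme-challenge/<token> hold the key
    authorization "<token>.<thumbprint>" (RFC 8555 section 8.1)?"""
    if not TOKEN_RE.match(token):
        return "bad-token"
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    if not os.path.isfile(path):
        return "missing"
    with open(path, encoding="ascii") as fh:
        body = fh.read().strip()  # validators tolerate trailing whitespace
    return "ok" if body == token + "." + thumbprint else "wrong-content"


def demo():
    """Triage the sample and exercise check_webroot on a throwaway webroot."""
    # Thumbprint is the part after the dot in the file content quoted in the
    # thread, i.e. the JWK thumbprint of the poster's ACME account key.
    thumbprint = "hv39oMM_cC4VbCunYeyVvwa1KAVO51Vb7d9vKJBCcBM"
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        results["missing"] = check_webroot(webroot, TOKEN, thumbprint)
        chall_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(chall_dir)
        for label, body in (("ok", TOKEN + "." + thumbprint), ("wrong", TOKEN + ".other")):
            with open(os.path.join(chall_dir, TOKEN), "w") as fh:
                fh.write(body)
            results[label] = check_webroot(webroot, TOKEN, thumbprint)
    return {"triage": triage_http01(SAMPLE_AUTHZ), "webroot": results}
```

Run against a real webroot, `check_webroot` tells you whether the file certbot wrote is what the validator expects, while the triage output says which address and which vHost actually answered the validator.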

There it is:
{
"ip": "88.120.30.159",
"hostname": "cvl92-5_migr-88-120-30-159.fbx.proxad.net",
"city": "Antibes",
"region": "Provence-Alpes-Côte d'Azur",
"country": "FR",
"loc": "43.5624,7.1278",
"org": "AS12322 Free SAS",
"postal": "06160",
"timezone": "Europe/Paris",
"readme": "https://ipinfo.io/missingauth


It looks like I got a reverse DNS for 88.120.30.159 pointing at cvl92-5_migr-88-120-30-159.fbx.proxad.net where an nginx 1.6.2 server is running, explaining (probably) the mess I experience in trying to get my certificates. I think I should first solve this problem. Then I will report back to you…

Hi Juergen and _az

I solved the problem of mismatched reverse DNS (the cause was a recent new setting from my ISP “Free”). I switched over to a new so-called full-stack IP, which gave me back total control over it (and also a new IP, by the way). I just had to make sure that my DN pointed to that IP and that my reverse DNS pointed back to the DN. Then everything went smoothly and I got my certificates in a straightforward process :slightly_smiling_face: :slightly_smiling_face:
Thank you very much for your help, everything’s working fine now. It could maybe be judicious to change the title of this thread to something like “Failed authorization procedure due to DNS and reverse DNS mismatch”?

Cheers,

Pat

The second part isn’t the problem.

one domain name -> one ip address.

But with SNI, a lot of domain names can use the same ip address.

So ip address -> domain name - only one domain name is possible. That’s relevant if it is a mail server.

But it’s not relevant creating a certificate.
