Failed authorization procedure

Hi. I access this URL from the browser.

http://app.domain.com/.well-known/acme-challenge/123456789

but when I want to generate SSL I have this error:

Failed authorization procedure. app.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.domain.com/.well-known/acme-challenge/-bvETOzlQK_1g6iiIq7BqbpdRjnJ4VhdE7MB4UlTbdc [1.2.3.4]: "<!DOCTYPE html>\r\n\r\n<html class=\"no-js\" dir=\"rtl\" lang=\"fa-IR\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta charset=\"UTF-8\">\r\n\t\t<meta name=\"viewport\" c"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: app.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://app.domain.com/.well-known/acme-challenge/-bvETOzlQK_1g6iiIq7BqbpdRjnJ4VhdE7MB4UlTbdc
   [1.2.3.4]: "<!DOCTYPE html>\r\n\r\n<html class=\"no-js\"
   dir=\"rtl\" lang=\"fa-IR\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta
   charset=\"UTF-8\">\r\n\t\t<meta name=\"viewport\" c"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Hi @DFazeli

Your domain name is required.

Why should the DNS check result be important if you use http validation?

A lot of basics are required.

1 Like

Sure. Sorry @JuergenAuer. My domain is app.shahrdaad.com :wink:

1 Like

I've moved your thread to the #Help section, as I believe that's more appropriate. Also, in that section, you would have been presented with a questionnaire, which is mandatory for us to help you properly. Please answer all of the following questions to the best of your ability:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Thanks for your prompt reply @JuergenAuer @Osiris
my domain: app.shahrdaad.com
I run this command: certbot certonly --dry-run --nginx -d app.shahrdaad.com
It produced this output:

Failed authorization procedure. app.shahrdaad.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.shahrdaad.com/.well-known/acme-challenge/Cs_EW-QrfgzHzVz7Eii6LEspMbSS-dwX5UR6ZbzlFEE [79.175.154.187]: "<!DOCTYPE html>\r\n\r\n<html class=\"no-js\" dir=\"rtl\" lang=\"fa-IR\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta charset=\"UTF-8\">\r\n\t\t<meta name=\"viewport\" c"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: app.shahrdaad.com
   Type:   unauthorized
   Detail: Invalid response from
   http://app.shahrdaad.com/.well-known/acme-challenge/Cs_EW-QrfgzHzVz7Eii6LEspMbSS-dwX5UR6ZbzlFEE
   [79.175.154.187]: "<!DOCTYPE html>\r\n\r\n<html class=\"no-js\"
   dir=\"rtl\" lang=\"fa-IR\">\r\n\r\n\t<head>\r\n\r\n\t\t<meta
   charset=\"UTF-8\">\r\n\t\t<meta name=\"viewport\" c"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Certbot version: certbot 0.31.0
my web server is (Proxy): Nginx
my web server : Apache behind Nginx
The operating system my web server runs on is (include version): Ubuntu 18.04.5.
I don't use a control panel and I'm the server admin.

1 Like

I guess your nginx (proxy) configuration is not compatible with the nginx plugin from certbot 0.31. Could you share your nginx configuration?

1 Like

nginx config is:

server {
        listen 80;
        server_name app.shahrdaad.com;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://10.10.20.20:80;
        }
        location /.well-known {
                proxy_pass http://10.10.20.20:80;
                allow all;
        }
}

So you're also putting the ACME validation requests through to your Apache? Are you planning to terminate TLS at your nginx proxy or at the Apache server?

2 Likes

Change these location sections:

To something like:

  location ~ ^/(?!\.well-known) {          # regex location (needs "~"): handle all non-challenge requests
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.10.20.20:80;
  } # location
  root /new/path/to/challenge/files; # for security - create a dedicated folder
1 Like
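
Added example, not part of the thread and not Certbot's own code: a Python check that parses the `Invalid response from ...` detail quoted in the posts above and reports whether the challenge URL returned a key authorization or the site's HTML page, which is what the CA sees when the proxy hands `/.well-known` to the backend. The sample line, host name, token and IP address are constructed, and the function names are hypothetical.

```python
import re

# ACME tokens and JWK thumbprints use the base64url alphabet (RFC 8555, RFC 7638).
B64 = r"[A-Za-z0-9_-]"
# The 'Invalid response from <url> [<ip>]: "<body>"' detail, wrapped or on one line.
DETAIL = re.compile(
    r"Invalid response from\s+http://(?P<host>[^/\s]+)"
    r"/\.well-known/acme-challenge/(?P<token>" + B64 + r"+)\s*"
    r'\[(?P<ip>[^\]]+)\]:\s*"(?P<body>(?:[^"\\]|\\.)*)"',
    re.DOTALL,
)
ESCAPES = {"\\r": "\r", "\\n": "\n", "\\t": "\t", '\\"': '"'}


def unescape(snippet):
    """Undo the backslash escaping applied to the quoted response body."""
    return re.sub(r'\\[rnt"]', lambda m: ESCAPES[m.group(0)], snippet)


def classify_body(token, body):
    """Name the kind of document that answered the challenge URL."""
    text = body.strip()
    # A correct answer is exactly "<token>.<43-char SHA-256 JWK thumbprint>".
    if re.fullmatch(re.escape(token) + r"\." + B64 + "{43}", text):
        return "key-authorization"
    if re.fullmatch(B64 + r"+\." + B64 + "{43}", text):
        return "stale-key-authorization"  # a challenge file for another token
    if re.match(r"(?i)<!doctype html|<html", text):
        return "html-page"  # the site answered, not the challenge directory
    return "other"


def diagnose(error_text):
    """Parse a certbot http-01 failure; return host, ip, token and a verdict."""
    m = DETAIL.search(error_text)
    if m is None:
        return None
    result = m.groupdict()
    result["verdict"] = classify_body(m["token"], unescape(result.pop("body")))
    return result


# Constructed sample in the shape of the output quoted in the thread.
SAMPLE = (
    "Failed authorization procedure. app.example.com (http-01): Invalid response "
    "from http://app.example.com/.well-known/acme-challenge/CONSTRUCTED_token-0001 "
    '[192.0.2.10]: "<!DOCTYPE html>\\r\\n\\r\\n<html class=\\"no-js\\">\\r\\n\\t<head>"'
)
print(diagnose(SAMPLE))
```

A verdict of `html-page` means the request reached the application rather than the directory where the ACME client wrote the challenge file.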