Failed authorization procedure


#1

Hello everyone !

I have difficulties renewing existing certificates. The websites I host have had almost no changes for days, and the Apache configuration is completely frozen (except for the letsencrypt-auto tool, which could have done something here and there).

My domain is: svnperso.cyberrail.org and svn.cyberrail.org for those which don't renew anymore; api.cyberrail.org, emmanuel.coirier.fr and others which are working. All resolve to the same host, via CNAME.

I ran this command: ./letsencrypt-auto

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: emmanuel.coirier.fr
2: fds.coirier.fr
3: api.cyberrail.org
4: ecf.cyberrail.org
5: ecftest.cyberrail.org
6: storage.cyberrail.org
7: svn.cyberrail.org
8: svnperso.cyberrail.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.cyberrail.org
http-01 challenge for ecf.cyberrail.org
http-01 challenge for ecftest.cyberrail.org
http-01 challenge for emmanuel.coirier.fr
http-01 challenge for fds.coirier.fr
http-01 challenge for storage.cyberrail.org
http-01 challenge for svn.cyberrail.org
http-01 challenge for svnperso.cyberrail.org
Waiting for verification...
Cleaning up challenges

Failed authorization procedure. svnperso.cyberrail.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://svnperso.cyberrail.org/.well-known/acme-challenge/xeNUSmgT96Ab_L0RX4vgfhuayJvHbj1aPDuuryFR67c: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>401 Authorization Required</title>\n</head><body>\n<h1>Auth", svn.cyberrail.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://svn.cyberrail.org/.well-known/acme-challenge/u5vui2qP9LAzYbZxP5iXVqW4Ty1RehCnNn2oRFx93cw: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: svnperso.cyberrail.org
   Type:   unauthorized
   Detail: Invalid response from
   http://svnperso.cyberrail.org/.well-known/acme-challenge/xeNUSmgT96Ab_L0RX4vgfhuayJvHbj1aPDuuryFR67c:

       "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
       2.0//EN\">\n<html><head>\n<title>401 Authorization
       Required</title>\n</head><body>\n<h1>Auth"

   Domain: svn.cyberrail.org
   Type:   unauthorized
   Detail: Invalid response from
   http://svn.cyberrail.org/.well-known/acme-challenge/u5vui2qP9LAzYbZxP5iXVqW4Ty1RehCnNn2oRFx93cw:

       "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
       2.0//EN\">\n<html><head>\n<title>404 Not
       Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache 2.2.22

The operating system my web server runs on is (include version): Debian 7.8 (quite old, I know)

My hosting provider, if applicable, is: Rackspace, with tiny virtual machine

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): almost never

These two vhosts use DAV svn to serve svn-hosted code. As such, there is no www root (and never has been). But since I got those certificates previously, it worked before… So I'm clueless.

DAV svn
SVNPath /var/svn/perso

Emmanuel


#2

Hi,

Could you please try ./letsencrypt-auto renew ?

Thank you


#3

Hi @manuco

You have two different errors. There is a 401 Authorization Required. You must allow Letsencrypt to load such a file. So check your server configuration. Your server should answer with a 404 - not found.

Your second

http://svn.cyberrail.org/.well-known/acme-challenge/u5vui2qP9LAzYbZxP5iXVqW4Ty1RehCnNn2oRFx93cw

has another error - 404, not found.

But checked with https://check-your-website.server-daten.de/?q=svn.cyberrail.org - there is a redirect to https. This shouldn’t be a problem. But if you have different webroots or different configurations, it may produce this problem.

So use the test system (add --test-cert) and check every domain with one command:

certbot certonly --test-cert -d svn.cyberrail.org --apache

same with your other domain.


#4

Thank you both for your replies. But sadly, none is working:

# ./letsencrypt-auto renew
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/emmanuel.coirier.fr/fullchain.pem expires on 2019-02-11 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/api.cyberrail.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: svnperso.cyberrail.org
   Type:   unauthorized
   Detail: Invalid response from
   http://svnperso.cyberrail.org/.well-known/acme-challenge/cPgIZIECcmWePWRSr6cE34uBn2SF9tsti6lPbDh6Bas:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>401 Authorization
   Required</title>\n</head><body>\n<h1>Auth"

   Domain: svn.cyberrail.org
   Type:   unauthorized
   Detail: Invalid response from
   http://svn.cyberrail.org/.well-known/acme-challenge/5mNriaBwKLGdOUNaDwgozl6R6bVPE5QR0KeXsIsazx8:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

emmanuel.coirier.fr has been renewed successfully by using ./letsencrypt-auto certonly --test-cert -d emmanuel.coirier.fr --apache, but for the others, it fails with the same error (401 or 404 responses instead of challenges). It works for domains with a DocumentRoot. But some vhosts don't have any DocumentRoot.

As you told me, there seems to be a mix between the current configuration of the vhosts and the configuration applied for the challenges. Let's see, domain by domain:

  • svn.cyberrail.org : this domain is publicly available, but the vhost has no DocumentRoot: it uses the DAV svn directive served on Location /

  • svnperso.cyberrail.org : same as the previous one, but moreover this domain is password-protected, and I don't plan to remove the authentication. As stated on this page: https://letsencrypt.org/about/ the renewal should be automatic. So manually removing the authentication to renew certificates is against one of the principles of letsencrypt. Furthermore, I have used letsencrypt with this configuration for more than two years, and it worked well, so I think that the problem could come from certbot, which is less universal than before.

For each domain, the content is the same, http or https. No different webroots or different configurations (leaving aside the TLS stuff). The redirections were done by the first launch of the tool; I didn't touch anything.

So, is it possible that the automated mechanism (letsencrypt-auto) no longer supports this kind of setup?


#5

You should create a Location /.well-known/acme-challenge/ in each port 80 vhost that will require ACME authentication [Which should not require authentication] to properly handle such requests.
Once added, you can try placing a sample test.txt file within that folder/location and verify that it can be accessed from the Internet [without authentication].
http://svn.cyberrail.org/.well-known/acme-challenge/test.txt
http://svnperso.cyberrail.org/.well-known/acme-challenge/test.txt
After successful testing, you can retry the cert renewals.


#6

Then you can use the webroot authenticator.

certbot --webroot -w YourWebroot -d domainlist -i YourServer(perhaps Apache or nginx)

split authentication and installation.
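
An added example (not from the original thread, and not certbot's or Apache's own documentation) of what #5 and #6 describe, written for the Apache 2.2.22 in the question: a port-80 vhost that keeps `DAV svn` and its password protection on `/`, but serves `/.well-known/acme-challenge/` from a plain directory without authentication, so that the webroot authenticator can drop the challenge file there. The paths `/var/www/acme-webroot` and `/etc/apache2/svn.htpasswd` and the AuthName are assumptions. The svn.cyberrail.org vhost would get the same `Alias` and challenge `<Location>` blocks, minus the Auth* lines.

```apache
# Added example, not from the thread. Apache 2.2 syntax (Order/Allow/Satisfy);
# on Apache 2.4 the access lines become "Require all granted".
# Paths, AuthName and the htpasswd file are assumptions.
<VirtualHost *:80>
    ServerName svnperso.cyberrail.org

    # Repository on the whole site, password protected, exactly as the
    # question describes. No DocumentRoot is needed.
    <Location />
        DAV svn
        SVNPath /var/svn/perso
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /etc/apache2/svn.htpasswd
        Require valid-user
    </Location>

    # Map the challenge URL to a plain directory on disk. certbot's webroot
    # authenticator writes the token file under this path.
    Alias /.well-known/acme-challenge/ /var/www/acme-webroot/.well-known/acme-challenge/

    <Directory /var/www/acme-webroot/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # <Location> sections are merged in configuration-file order, so this
    # block must come AFTER <Location /> to override it for the challenge
    # path: DAV Off stops mod_dav_svn from answering 404 for the token, and
    # Satisfy Any + Allow from all lets the request through without the
    # Basic auth that <Location /> requires (the 401 in the question).
    <Location /.well-known/acme-challenge/>
        DAV Off
        Order allow,deny
        Allow from all
        Satisfy Any
    </Location>
</VirtualHost>

# Usage (shell), assuming the directory exists and Apache has been reloaded:
#   mkdir -p /var/www/acme-webroot/.well-known/acme-challenge
#   echo ok > /var/www/acme-webroot/.well-known/acme-challenge/test.txt
#   curl -i http://svnperso.cyberrail.org/.well-known/acme-challenge/test.txt
# Expect "HTTP/1.1 200 OK" and no WWW-Authenticate header. Then, as #6
# suggests, separate authentication from installation, first against the
# staging CA so failed attempts do not count against the production
# failed-validation rate limit mentioned in #8:
#   certbot run -a webroot -w /var/www/acme-webroot -i apache --test-cert \
#     -d svn.cyberrail.org -d svnperso.cyberrail.org
# and drop --test-cert once the staging run succeeds.
```

The check with test.txt matters: if it still returns 401, the challenge `<Location>` is being overridden (wrong order, or a `Require` in an included file); if it returns 404 with the Apache DAV error page, `DAV Off` did not take effect and mod_dav_svn is still handling the URL.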


#7

Thanks for your answers, but, as I can see, I must now change my svn URLs in order to let certbot do its job, a job that it doesn't explain very well.

After many tries, I thought I was right, but I receive this message :
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Seriously ???


#8

This is a one-hour limit.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

So wait at most one hour.


#9

Phew! I’ll see that tomorrow… But it’s better than nothing