Failed authorization procedure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cdkauffmannnextcloud.duckdns.org

I ran this command:

It produced this output: Failed authorization procedure. cdkauffmannnextcloud.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cdkauffmannnextcloud.duckdns.org/.well-known/acme-challenge/mk9-hb0R45dYjm6WrgLXrxVVvWSA2WPBFDkhz5usEJE: “<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY BGCOLOR=”#cc9999"><H4>404 Not Found</H4>\nFile not found.\n<HR>\n<ADDRESS><A "

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

My web server is (include version): Unraid 6.6.6

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): I think so

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

How did you try getting the cert?

Also, please show the vhost config file (or web server config).


#3

how do I get the vhost config file?


#4

The error message reveals the likely cause.

Visiting cdkauffmannnextcloud.duckdns.org appears to be routed to your modem/router’s web administration, rather than the web server on your computer/server.

You may need to make some changes to your port forwarding or your modem/router’s web admin port in order to achieve the effect you want.

(Edit: I’ve updated Let’s Debug to try detect this issue).


#5

Hi @cdkauffmann

checked your domain via https://check-your-website.server-daten.de/?q=cdkauffmannnextcloud.duckdns.org


Domainname Http-Status redirect Sec. G
http://cdkauffmannnextcloud.duckdns.org/
206.146.67.4 401 0.377 M
Unauthorized
http://www.cdkauffmannnextcloud.duckdns.org/
206.146.67.4 401 0.257 M
Unauthorized
https://cdkauffmannnextcloud.duckdns.org/
206.146.67.4 -14 10.023 T
Timeout - The operation has timed out
https://www.cdkauffmannnextcloud.duckdns.org/
206.146.67.4 -14 10.023 T
Timeout - The operation has timed out
http://cdkauffmannnextcloud.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
206.146.67.4 404 0.260 A
Not Found
http://www.cdkauffmannnextcloud.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
206.146.67.4 404 0.256 A
Not Found

The / sends 401, but the important file in /.well-known/acme-challenge sends a 404.

Your header:

Server: micro_httpd

How did you create your certificate request? This is a small http server. But your ACME-client must be able to create a file under /.well-known/acme-challenge.


#6

I had this issue resolved it by updating the directory of the website within the file /etc/letsencrypt/renewal/yourwebname.conf - specifically under the section [[webroot_map]] - make sure this directory is the the same for your .conf file within /etc/apache2/sites-available for the website you are renewing for.

The reason this wasn’t correct for me initially on the renewal was because I moved my websites directory and forgot about it. When it came up for renewal it didn’t go through. I then realised the problem, updated the [[webroot map]] and hey bingo the renewal went through. After updating the conf files remember to restart apache.

This is what you see on this file - and at the bottom is what I needed to change. It was different from the websites directory that I was using in my .conf file for the websites directory. They needed to be mapped correctly in order for the renewal to go through. (restart after changing and try renewing again)

/etc/letsencrypt/renewal/yourwebname.conf

renew_before_expiry = 30 days

version = 0.10.2
archive_dir = /etc/letsencrypt/archive/ecoviewater.com
cert = /etc/letsencrypt/live/ecoviewater.com/cert.pem
privkey = /etc/letsencrypt/live/ecoviewater.com/privkey.pem
chain = /etc/letsencrypt/live/ecoviewater.com/chain.pem
fullchain = /etc/letsencrypt/live/ecoviewater.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = apache
account = aaXXXXXXXXXXXXXX
[[webroot_map]]
ecoviewater.com = /var/www/ecoviewater/public_html
www.ecoviewater.com = /var/www/ecoviewater/public_html


#7

here is the log for letsencrypt. what do I need to change to get this to work?

GID/UID

usermod: no changes

User uid: 99
User gid: 100

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing…
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing…
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing…
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=cdkauffmann.com
SUBDOMAINS=server,nextcloud,sonarr
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=cdkauffmann23@gmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d server.cdkauffmann.com -d nextcloud.cdkauffmann.com -d sonarr.cdkauffmann.com
E-mail address entered: cdkauffmann23@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.cdkauffmann.com
http-01 challenge for server.cdkauffmann.com
http-01 challenge for sonarr.cdkauffmann.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nextcloud.cdkauffmann.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nextcloud.cdkauffmann.com, sonarr.cdkauffmann.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for sonarr.cdkauffmann.com, server.cdkauffmann.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for server.cdkauffmann.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: nextcloud.cdkauffmann.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
nextcloud.cdkauffmann.com

Domain: sonarr.cdkauffmann.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
sonarr.cdkauffmann.com

Domain: server.cdkauffmann.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
server.cdkauffmann.com
**ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container**


#8

Do you control that domain? It’s registered, but are you the registrant, or do you otherwise control it?

To use HTTP validation, you need to add DNS records for those hostnames at the domain’s DNS provider, GoDaddy. (A and/or AAAA records, or CNAME records pointing at something else, like your DuckDNS hostname.)


#9

I registered the domain name on GoDaddy. i’m not sure I follow what you are saying about need to add records for the those hostnames


#10

What other entries do I need to add?


#11

Oh! They exist, but names aren’t quite right. I’m sorry I didn’t check for that. :sweat:

GoDaddy implicitly adds “.cdkauffmann.com” to the end, so creating a record called e.g. “nextcloud.cdkauffmann.com” results in “nextcloud.cdkauffmann.com.cdkauffmann.com”.

(Different DNS services expect people to enter information in different ways, and often they don’t explain it.)

So you need to rename them from e.g. “nextcloud.cdkauffmann.com” to just “nextcloud”.

You already have a “www” record, pointing indirectly at GoDaddy’s domain parking service, so you have to delete that “www” record before renaming “www.cdkauffmann.com” to “www”.


#12

this is what I get now

Failed authorization procedure. sonarr.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sonarr.cdkauffmann.com/.well-known/acme-challenge/GU0_z2BhjrHHcAIG21jmo3w43svebtB8PCtKflENZ54: “<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY BGCOLOR=”#cc9999"><H4>404 Not Found</H4>\nFile not found.\n<HR>\n<ADDRESS><A “, server.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://server.cdkauffmann.com/.well-known/acme-challenge/CiTkV8gkcUXEnxEZ3L40DXdLgbTcUlKu7vMubGY2488: “<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY BGCOLOR=”#cc9999”><H4>404 Not Found</H4>\nFile not found.\n<HR>\n<ADDRESS><A “, nextcloud.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.cdkauffmann.com/.well-known/acme-challenge/WZ-WlT8lbCv5mJxxdpE4EeyGinq4OcQmBm7ziIbYwSA: “<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY BGCOLOR=”#cc9999”><H4>404 Not Found</H4>\nFile not found.\n<HR>\n<ADDRESS><A "

  • The following errors were reported by the server:

Domain: sonarr.cdkauffmann.com
Type: unauthorized
Detail: Invalid response from
http://sonarr.cdkauffmann.com/.well-known/acme-challenge/GU0_z2BhjrHHcAIG21jmo3w43svebtB8PCtKflENZ54:
“<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY
BGCOLOR=”#cc9999"><H4>404 Not Found</H4>\nFile not
found.\n<HR>\n<ADDRESS><A "

Domain: server.cdkauffmann.com
Type: unauthorized
Detail: Invalid response from
http://server.cdkauffmann.com/.well-known/acme-challenge/CiTkV8gkcUXEnxEZ3L40DXdLgbTcUlKu7vMubGY2488:
“<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY
BGCOLOR=”#cc9999"><H4>404 Not Found</H4>\nFile not
found.\n<HR>\n<ADDRESS><A "

Domain: nextcloud.cdkauffmann.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.cdkauffmann.com/.well-known/acme-challenge/WZ-WlT8lbCv5mJxxdpE4EeyGinq4OcQmBm7ziIbYwSA:
“<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>\n<BODY
BGCOLOR=”#cc9999"><H4>404 Not Found</H4>\nFile not
found.\n<HR>\n<ADDRESS><A "

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


#13

did I adjust the entries correctly?


#14

Did you APPLY those settings?
(they look good in your picture)

But the world still sees:

nslookup -q=ns cdkauffmann.com 1.0.0.1
cdkauffmann.com nameserver = ns18.domaincontrol.com
cdkauffmann.com nameserver = ns17.domaincontrol.com

nslookup nextcloud.cdkauffmann.com ns17.domaincontrol.com
Server: UnKnown
Address: 97.74.108.9
*** UnKnown can’t find nextcloud.cdkauffmann.com: Non-existent domain

nslookup nextcloud.cdkauffmann.com ns18.domaincontrol.com
Server: UnKnown
Address: 173.201.76.9
*** UnKnown can’t find nextcloud.cdkauffmann.com: Non-existent domain


#15

Global DNS look correct now.
Any luck with the cert(s)?


#16

this is what I am getting now


GID/UID

User uid: 99
User gid: 100

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing…
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing…
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing…
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=cdkauffmann.com
SUBDOMAINS=server,nextcloud,sonarr
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=cdkauffmann23@gmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d server.cdkauffmann.com -d nextcloud.cdkauffmann.com -d sonarr.cdkauffmann.com
E-mail address entered: cdkauffmann23@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.cdkauffmann.com
http-01 challenge for server.cdkauffmann.com
http-01 challenge for sonarr.cdkauffmann.com
Waiting for verification…
Cleaning up challenges
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. nextcloud.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.cdkauffmann.com/.well-known/acme-challenge/xmw72ikwyV7gmSb2Rj8jy9HwlXAoS7vmqsLErIhF20M: "<!-- Server: P3PWPARKSTAT05 --><!DOCTYPE html><body style=“padding:0; margin:0;”><html><body><iframe src=“http://mcc.godaddy.com”, server.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://server.cdkauffmann.com/.well-known/acme-challenge/p0Z86TU0J3YdFLn1C064PIgqKwIHSmUi8DXLjfuHZts: "<!-- Server: P3PWPARKSTAT02 --><!DOCTYPE html><body style=“padding:0; margin:0;”><html><body><iframe src=“http://parked-content.”, sonarr.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sonarr.cdkauffmann.com/.well-known/acme-challenge/6GvCojvIsB40RSQ0hVx-PD1-5mU0rNhsM_FHpj0B8eA: "<!-- Server: P3PWPARKSTAT01 --><!DOCTYPE html><body style=“padding:0; margin:0;”><html><body><iframe src=“http://parked-content.”

  • The following errors were reported by the server:

Domain: nextcloud.cdkauffmann.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.cdkauffmann.com/.well-known/acme-challenge/xmw72ikwyV7gmSb2Rj8jy9HwlXAoS7vmqsLErIhF20M:
"<!-- Server: P3PWPARKSTAT05 --><!DOCTYPE html><body
style=“padding:0; margin:0;”><html><body><iframe
src=“http://mcc.godaddy.com

Domain: server.cdkauffmann.com
Type: unauthorized
Detail: Invalid response from
http://server.cdkauffmann.com/.well-known/acme-challenge/p0Z86TU0J3YdFLn1C064PIgqKwIHSmUi8DXLjfuHZts:
"<!-- Server: P3PWPARKSTAT02 --><!DOCTYPE html><body
style=“padding:0; margin:0;”><html><body><iframe
src=“http://parked-content.”

Domain: sonarr.cdkauffmann.com
Type: unauthorized
Detail: Invalid response from
http://sonarr.cdkauffmann.com/.well-known/acme-challenge/6GvCojvIsB40RSQ0hVx-PD1-5mU0rNhsM_FHpj0B8eA:
"<!-- Server: P3PWPARKSTAT01 --><!DOCTYPE html><body
style=“padding:0; margin:0;”><html><body><iframe
src=“http://parked-content.”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


#17

All of your domains have their DNS pointed to GoDaddy’s domain parking page … get rid of the very first record that’s shown in the screenshot you posted earlier.


#18

hmm…

right now, only the WWW returns any IP.
The rest are “empty”/“null”.
You might want to lower those 14400s to something much smaller - until you get this figured out.


#19

o fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Cleaning up challenges
Failed authorization procedure. sonarr.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for sonarr.cdkauffmann.com, nextcloud.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for nextcloud.cdkauffmann.com, server.cdkauffmann.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for server.cdkauffmann.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: sonarr.cdkauffmann.com
Type: unknownHost
Detail: No valid IP addresses found for sonarr.cdkauffmann.com

Domain: nextcloud.cdkauffmann.com
Type: unknownHost
Detail: No valid IP addresses found for nextcloud.cdkauffmann.com

Domain: server.cdkauffmann.com
Type: unknownHost
Detail: No valid IP addresses found for server.cdkauffmann.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


#20

Do I need to add more lines on GoDaddy to point those subdomains to my server?