Failed authorization procedure


#1

I am trying to renew the certificate (which was running fine).

My domain is: www.shoutbox.com

I ran this command: /certbot-auto renew --cert-name www.shoutbox.com --dry-run

It produced this output:

Attempting to renew cert (www.shoutbox.com) from /etc/letsencrypt/renewal/www.shoutbox.com.conf produced an unexpected error: Failed authorization procedure. www.shoutbox.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.shoutbox.com/.well-known/acme-challenge/kUSIIN8Xj6oe973akve29nBJgrfvCIwoNAx3LSW-4i8: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.shoutbox.com/fullchain.pem (failure)

My web server is Apache 2.4.10 on Debian.

The folder .well-known/acme-challenge is accessible (I put chmod 777 on it):

http://www.shoutbox.com/.well-known/acme-challenge/ssdz60UkVwPpt3AuNj3OtCrlGmRPum8jnQrzuJ20VAY

The dig command returns:

dig www.shoutbox.com

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> www.shoutbox.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shoutbox.com.              IN      A

;; ANSWER SECTION:
www.shoutbox.com.       86375   IN      A       94.23.253.96

;; AUTHORITY SECTION:
shoutbox.com.           170273  IN      NS      ns10.webmasters.com.
shoutbox.com.           170273  IN      NS      ns9.webmasters.com.

;; ADDITIONAL SECTION:
ns9.webmasters.com.     170273  IN      A       208.64.137.61
ns10.webmasters.com.    170273  IN      A       208.64.137.71

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 11 10:54:05 CET 2019
;; MSG SIZE  rcvd: 141

Then I redirected the 404 error to a 200 page, and this time I got:

Attempting to renew cert (www.shoutbox.com) from /etc/letsencrypt/renewal/www.shoutbox.com.conf produced an unexpected error: Failed authorization procedure. www.shoutbox.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [2MEmxUZamPi3zFMX1cM0VNZtZIQgofy63KSBbH1ABvI.Nls34FQR-HvxOaMoBtgGaUbkvTwHi60viaB3y2-2gxM] != . Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.shoutbox.com/fullchain.pem (failure)


#2

Hi @yarek

checking your config (via https://check-your-website.server-daten.de/?q=shoutbox.com ):

Domainname (IP) | Http-Status | redirect | Sec. | G
http://shoutbox.com/ (94.23.253.96) | 200 | | 0.067 | H
http://www.shoutbox.com/ (94.23.253.96) | 200 | | 0.067 | H
https://shoutbox.com/ (94.23.253.96) | 200 | | 1.664 | N (Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors)
https://www.shoutbox.com/ (94.23.253.96) | 200 | | 1.423 | N (Certificate error: RemoteCertificateChainErrors)
http://shoutbox.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (94.23.253.96) | 302 | https://www.shoutbox.com/404.php | 0.060 | E
http://www.shoutbox.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (94.23.253.96) | 302 | https://www.shoutbox.com/404.php | 0.060 | A
https://www.shoutbox.com/404.php | 200 | | 5.277 | N (Certificate error: RemoteCertificateChainErrors)

Don’t redirect if a file is missing. And the result is HTTP status 200 instead of 404; this is always bad.

I don’t see your test file. But if you have your correct webroot, then use it:

certbot-auto run -a webroot -i apache -w PathToYourWebroot --cert-name www.shoutbox.com --dry-run
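An added pre-flight check, not from this thread and not part of Certbot, that reproduces the two failure modes seen above before certbot is run: it drops a probe file in a webroot and fetches it the way an ACME validator does (plain HTTP, Host header set, redirects not followed), then reports whether the path answered 200 with the exact file, a redirect, or a 404. The hostname www.example.test, the local http.server, the temporary webroot and the probe body are constructed for the demo; on a real server you would point `probe` at the public IP with the real hostname.

```python
import functools
import http.client
import http.server
import secrets
import tempfile
import threading
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_probe(webroot, token=None):
    """Drop a throw-away file where certbot's webroot plugin would put a challenge token."""
    token = token or secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(token + ".probe")  # constructed body; real files hold "<token>.<key thumbprint>"
    return token

def probe(connect_to, host, token, port=80):
    """Fetch like an ACME validator: plain HTTP, Host = name under validation, no redirect following."""
    conn = http.client.HTTPConnection(connect_to, port, timeout=10)
    conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    if 300 <= resp.status < 400:  # the 302 -> /404.php case from the thread
        return "redirect", f"{resp.status} -> {resp.getheader('Location')}"
    if resp.status != 200:  # e.g. the 404 of the first attempt: the token was never served
        return "http_error", str(resp.status)
    if body.strip() != token + ".probe":  # second attempt: 200, but a catch-all page instead
        return "body_mismatch", "200 with a different body"
    return "ok", "challenge path serves the exact file contents"

class _Quiet(http.server.SimpleHTTPRequestHandler):
    log_message = lambda self, *args: None  # keep the demo server silent

def start_local_server(webroot):  # serve webroot on 127.0.0.1 in the background; returns the port
    handler = functools.partial(_Quiet, directory=str(webroot))
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]

def demo():
    webroot = tempfile.mkdtemp()  # throw-away webroot standing in for the real DocumentRoot
    port = start_local_server(webroot)
    good, bad = write_probe(webroot), write_probe(webroot)
    (Path(webroot) / CHALLENGE_DIR / bad).write_text("<html>404.php contents</html>")
    check = lambda t: probe("127.0.0.1", "www.example.test", t, port)[0]  # constructed Host name
    return {"ok": check(good), "body_mismatch": check(bad), "http_error": check("no-such-token")}
```

A verdict of anything but "ok" means the http-01 challenge will fail for the same reason certbot reported, so fix the vhost (or pass the right -w webroot) before retrying.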

#3

That worked: thanks 1000x!

What did I do wrong?
(I also tried before without any redirection and it failed.)
I usually run /certbot-auto and that works in all cases (except that domain!).

regards


#4

If --apache is used as authenticator, Certbot creates redirects.

But it happens that this doesn’t work.

But every running webserver has a webroot, so the webroot authenticator should always work.

PS: Your config isn’t complete. Your https://shoutbox.com/ doesn’t have the correct certificate, because your certificate

CN=www.shoutbox.com
11.01.2019
11.04.2019
www.shoutbox.com - 1 entry

has only one domain name.

So create one certificate with two domain names, something like

certbot-auto run -a webroot -i apache -w PathToYourWebroot --cert-name www.shoutbox.com -d www.shoutbox.com -d shoutbox.com

so Certbot adds the second domain name.

