Failed authorization procedure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.fufutech.cn

I ran this command:
./certbot-auto certonly --standalone -d www.fufutech.cn (or use --webroot)

It produced this output:
Domain: www.fufutech.cn
Type: unauthorized
Detail: Invalid response from
http://www.fufutech.cn/.well-known/acme-challenge/CP8hwvEICsNWMt1oGDxlh2Cp97-C0yNCe5inyWqw9hA: "<!DOCTYPE html>\n<html class="" lang="zh-cn">\n<head>\n<meta charset="utf-8" />\n <meta name="renderer" content="webkit">\n "

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version): tomcat-7.0.67

The operating system my web server runs on is (include version): CentOS release 6.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @chuck_llh

Loading your site with a browser, there is a message:

该网站暂时无法进行访问

因该网站未进行备案或涉及发布违禁信息,违反工信部、公安部相关规定而无法访问。

如需恢复网站正常访问,网站管理员需及时进行相应处理:

1、要完成网站的ICP备案,请到UCloud备案系统进行操作。

2、若涉及到公安备案,请登录全国公安机关互联网站安全管理服务平台 www.beian.gov.cn 进行操作。

如有相关疑问,管理员可咨询UCloud备案客服。

感谢您的配合!

Using Google translate

The site is temporarily unavailable for access

Because the website has not been filed or involved in the release of prohibited 
information, it is inaccessible due to violation of the relevant regulations of the 
Ministry of Industry and Information Technology and the Ministry of Public Security.

In order to restore the normal access of the website, the webmaster needs 
to handle it in time:

1. To complete the ICP filing of the website, please go to the UCloud filing 
system for operation.

2. If it involves public security filing, please log on to the national public security organ's 
Internet station security management service platform www.beian.gov.cn to operate.

If you have any questions, the administrator can consult UCloud for customer service.

Thank you for your cooperation!

You have to do something.

So Letsencrypt can't validate your domain if your webserver is blocked.

Hi @JuergenAuer
I changed to www.kkcoding.net, which is accessible, but it still fails.

the output message is:
Failed authorization procedure. www.kkcoding.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.kkcoding.net/.well-known/acme-challenge/M3bD8GyPuhJsfm4RWcP1Q9oy4CtBxPnd9zmUMQzGZ3M: "<!DOCTYPE html>\n<html class="" lang="zh-cn">\n<head>\n <meta charset="utf-8" />\n <meta name="renderer" content="webkit">\n "

Domain: www.kkcoding.net
Type: unauthorized
Detail: Invalid response from
http://www.kkcoding.net/.well-known/acme-challenge/cxQvSbYye4wg-sCxW6hy2qc_j_Sc2RaybsV38C9Z57A: "<!DOCTYPE html>\n<html class="" lang="zh-cn">\n<head>\n <meta charset="utf-8" />\n <meta name="renderer" content="webkit">\n "

Your server answers curiously (kkcoding.net - Make your website better - DNS, redirects, mixed content, certificates):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://www.kkcoding.net/ 120.132.18.213 | 200 | | 0.547 | H |
| https://www.kkcoding.net/ 120.132.18.213 | -2 | | 1.690 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 120.132.18.213:443 | | | | |
| http://www.kkcoding.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 120.132.18.213 | 200 | | 0.530 | |

The https error is not relevant if you haven't installed a certificate.

But using http-01, Certbot creates a file in YourDocumentRoot/.well-known/acme-challenge, and Letsencrypt checks this file.

When checking such a file with an unknown file name, an http status 404 / Not Found is expected.

Your server sends a http status 200. There is html content with JavaScript.

There is a running webserver. Is it possible to use the webroot / DocumentRoot of this webserver, if --standalone doesn't work?

Find your webroot, then create there the two subdirectories

/yourWebroot/.well-known/acme-challenge

then add there a file (file name 1234) and try to load this file via

http://www.kkcoding.net/.well-known/acme-challenge/1234

If that works, use your webroot:

./certbot-auto certonly --webroot -w YourWebroot -d www.kkcoding.net
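
The check described in the post above (an unknown name under /.well-known/acme-challenge/ should give 404, and a hand-made test file such as 1234 should come back unchanged), written as a script. This is an added example, not part of the original thread or of Certbot; the function names and verdict strings are made up for illustration.

```python
import urllib.error
import urllib.request
import uuid

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def fetch(url, timeout=10):
    """GET url and return (status, first 4 KiB of body); HTTP errors are answers too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)

def classify(unknown_status, file_status=None, file_body=b"", expected=b""):
    """Turn the probe results into a verdict string (names are illustrative)."""
    if file_status == 200 and file_body.strip() == expected.strip():
        # The static file is served as-is, so --webroot can work here even if
        # the application answers other names itself.
        return "webroot-ok"
    if unknown_status == 200:
        # Something (for example a front-end app) answers every path with a
        # page, so the validation request gets HTML instead of the token.
        return "catch-all"
    if file_status is not None:
        return "test-file-not-served"
    if unknown_status == 404:
        return "unknown-name-ok"
    return "unexpected-status-%d" % unknown_status

def preflight(base_url, test_name=None, expected=b""):
    """Probe a random name (404 expected), then optionally a hand-made test file."""
    base = base_url.rstrip("/") + CHALLENGE_PATH
    unknown_status, _ = fetch(base + "preflight-" + uuid.uuid4().hex)
    if test_name is None:
        return classify(unknown_status)
    file_status, file_body = fetch(base + test_name)
    return classify(unknown_status, file_status, file_body, expected)

if __name__ == "__main__":
    import sys
    # Usage: preflight.py http://host [test-file-name expected-content]
    name = sys.argv[2] if len(sys.argv) > 3 else None
    want = sys.argv[3].encode() if len(sys.argv) > 3 else b""
    print(preflight(sys.argv[1], name, want))
```

A "catch-all" verdict matches the failure quoted in this thread, where the validation request received an HTML page instead of the token.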

I haven’t installed a certificate yet.
This project uses NodeJs as the front-end server, which returned html content with JavaScript, as you can see.
So I should create “.well-known/acme-challenge” at the webroot of nodeJs, and run “./certbot-auto certonly --webroot” to generate a certificate, then use it in tomcat, is that right?

So this server handles the http - port 80 requests.

Yes, if Certbot can write in this webroot, that should work.

Don't forget to include the root path.
[-w /path/to/your/site/root]

thanks, it’s working now.


Btw, I use the command below to generate a pfx file for tomcat.
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:xxx
And if certificates are renewed automatically, do I need to rerun the openssl command?

Yes, you must rerun this command again.

Check

https://certbot.eff.org/docs/using.html

perhaps you can run a --deploy-hook - script:

 If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

certbot renew --deploy-hook /path/to/deploy-hook-script

to do that.
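
A deploy hook that rebuilds the pfx file after each successful renewal, as suggested above. This is an added example, not from the original thread or the Certbot documentation: the output path and password file location are assumptions, and the password is read with -passout file: instead of pass:xxx so that it does not appear on the command line. RENEWED_LINEAGE is the environment variable Certbot sets for deploy hooks; it points at the live directory of the renewed certificate.

```python
#!/usr/bin/env python3
import os
import subprocess
import sys
from pathlib import Path

PFX_OUT = Path("/etc/tomcat/bundle.pfx")       # assumed keystore path
PASS_FILE = Path("/etc/tomcat/pfx-password")   # assumed password file, mode 0600
NEEDED = ("privkey.pem", "cert.pem", "chain.pem")

def pkcs12_command(lineage, out, pass_file):
    """Build the openssl call from the thread, using the renewed files."""
    lineage = Path(lineage)
    return ["openssl", "pkcs12", "-export",
            "-out", str(out),
            "-inkey", str(lineage / "privkey.pem"),
            "-in", str(lineage / "cert.pem"),
            "-certfile", str(lineage / "chain.pem"),
            "-passout", "file:%s" % pass_file]

def rebuild_pfx(lineage, out=PFX_OUT, pass_file=PASS_FILE):
    """Write the new pfx to a temp file, then swap it in atomically."""
    out = Path(out)
    missing = [n for n in NEEDED if not (Path(lineage) / n).is_file()]
    if missing:
        raise FileNotFoundError("missing in %s: %s" % (lineage, ", ".join(missing)))
    tmp = out.with_suffix(".tmp")
    old_umask = os.umask(0o077)                # the pfx contains the private key
    try:
        subprocess.run(pkcs12_command(lineage, tmp, pass_file), check=True)
    finally:
        os.umask(old_umask)
    os.replace(tmp, out)                       # no half-written keystore on failure
    return out

if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this via certbot renew --deploy-hook")
    rebuild_pfx(lineage)
    # Restart or reload Tomcat here if it does not re-read the keystore itself.
```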

Tomcat seems ok now.
Since we use nodeJs as the front-end server, I use privkey.pem to create a certificate for nodeJs by running the two steps below:

  1. openssl req -new -key privkey.pem -out csr.pem (this step asks me to fill in country/state/company information; I just do that casually)
  2. openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out file.crt

The certificate file.crt is created successfully; however, my website (https://www.kkcoding.net) still shows Not Secure. Do you have any idea about it?
Many thanks.

I see only your http version, not your https - version.

So I don't know if the certificate is expired or if there is another problem.
