Failed authorization procedure

Server
1

hi

i have some issue to get my certificates renewed.

My command is sudo certbot renew --dry-run -v --webroot -w /var/www/cloud/

Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/An0cr_4l6Kxl2_f606TPzyxTgJ5eZxNoiYgIP7v_ri4 [194.191.224.100]: "\n\n404 Not Found\n\n

Not Found

\n<p". Skipping.

I verified that port 80 and 443 are open on my firewall and router.

The issue seams to be related to redirection.
If I open http://example.com/cloud/.well-known/acme-challenge/test
i do get a positive respond

If I open http://example.com/.well-known/acme-challenge/test
i do get 404 error

My apache2 config and .htaccess are attached.

htaccess.txt (3.9 KB)
example.com.conf.txt (2.1 KB)

thx for helping

2

What’s the rest of Certbot’s output?

What do Apache’s logs show?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

3

Hi @kreutpet

sounds that /var/www is your webroot, not /var/www/cloud.

1 Like
4

in cerbot i give webroot as parameter.
logs also show that challenge is created in the right folder : /var/www/cloud/.well-known/acme-challenge/An0cr_4l6Kxl2_f606TPzyxTgJ5eZxNoiYgIP7v_ri4

the GET is done on
http://kreutzer.asuscomm.com/.well-known/acme-challenge/An0cr_4l6Kxl2_f606TPzyxTgJ5eZxNoiYgIP7v_ri4

My domain is:
kreutzer.asuscomm.com

I ran this command:
see original mail
sudo certbot renew --dry-run -v --webroot -w /var/www/cloud/

It produced this output:
output.txt (2 Bytes)

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-10-10T18:59:25

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:
my own server at home

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
cli

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.23.0

5

i recognized that I still have old version installed
after upgrade i see
certbot 0.31.0
here the updated output
output.txt (20.7 KB)

6

I don't see a direct error.

But webroot should always work.

If webroot doesn't work:

  • You have different vHosts with different webroots, another vHost is used
  • the webroot (Apache: DocumentRoot) is wrong or not defined
  • there are additional locations
  • there are incompatible redirects
  • an application / firewall / proxy server answers

But there are no wrong redirects visible ( https://check-your-website.server-daten.de/?q=kreutzer.asuscomm.com ):

Domainname Http-Status redirect Sec. G
http://kreutzer.asuscomm.com/
194.191.224.100 302 http://kreutzer.asuscomm.com/login 0.120 D
http://kreutzer.asuscomm.com/login 500 0.120 S
Internal Server Error
https://kreutzer.asuscomm.com/
194.191.224.100 302 https://kreutzer.asuscomm.com/login 0.723 A
https://kreutzer.asuscomm.com/login 500 0.367 S
Internal Server Error
http://kreutzer.asuscomm.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
194.191.224.100 404 0.077 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Checking /.well-known/acme-challenge/unknown-file there is the expected http status 404 - Not Found.

Create a test file in your DocumentRoot (file name 1234) and check, if you can load that in your browser.

The same with a file in DocumentRoot/.well-known/acme-challenge.

7

strange is that the challenge file is created in the right location.
/var/www/cloud/.well-known/acme-challenge/An0cr_4l6Kxl2_f606TPzyxTgJ5eZxNoiYgIP7v_ri4

I can also see a manually created file in
http://kreutzer.asuscomm.com/cloud/.well-known/acme-challenge

but this get is always redirected to https

is see my nexcloud page only in https://kreutzer.asuscomm.com/cloud/.
and not in http://kreutzer.asuscomm.com.

can i configure the apache2 in a way that my nextcloud is also reachable on https://kreutzer.asuscomm.com ? i always have to add /cloud to the URL
I have tryed make an alia but this also did not solfe the letsencrypt certificate renew

thx

8

As written: That's the wrong directory.

Letsencrypt checks /.well-known/, not /cloud/.well-known.

Remove /cloud/.

And remove that redirect to the login page.

9

You can’t choose an own directory.

You have to use the standard address

http://yourdomain/.well-known/acme-challenge/challenge-file

So Certbot must know where to create the file.

10

yes cerbot creates the file in the right directory.
but when it validates it is no looking into the right location .
Thats why i was thinking that it must be on my side that the validation is redirected, but i cannot see any configuration that redirects it

11

That's wrong. You use the wrong directory, so Certbot creates the file in the wrong place.

The location is defined (RFC 8555 - RFC 8555 - Automatic Certificate Management Environment (ACME) ).

You can't choose your own location.

12

ok, now reconfigure so that the web page does not need /cloud in the url.
I checked again the

According above the http://kreutzer.asuscomm.com/ is redirected to http://kreutzer.asuscomm.com/login

i also created a file /var/www/cloud/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
and according above web page get a
http://kreutzer.asuscomm.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
“Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”

so i a still lost .
what configuration in the .conf of apache or .htaccess prevent me to get access for the http challange file?
htaccess.txt (2.8 KB)
kreutzer.asuscomm.com.conf.txt (7.8 KB)

13

Checking your config:

DocumentRoot /var/www/cloud

is your DocumentRoot, so create the two subdirectories

/var/www/cloud/.well-known/acme-challenge

there a file 1234 with content, then test, if that file is visible.

14

i already created
/var/www/cloud/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de and used you link to verify.

i cannot see the file and get above error
http://kreutzer.asuscomm.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

Not Found
The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
thx for your patient

15

Then you must have other definitions, so your vHost isn't used.

Are there symlinks in /sites-enabled?

What says

apachectl configtest
apachectl -S

And you have a long .htaccess. Perhaps remove / comment some parts to check that.

16

sudo apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/conf-enabled/virtual.conf:4
VirtualHost configuration:
*:80 kreutzer.asuscomm.com (/etc/apache2/sites-enabled/kreutzer.asuscomm.com.conf:1)
*:443 kreutzer.asuscomm.com (/etc/apache2/sites-enabled/kreutzer.asuscomm.com.conf:25)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
User: name="www-data" id=33
Group: name="www-data" id=33

very strange that Main DocumentRoot: "/var/www/html"
i do have a sites-available/000-default.conf which contain this configuration but it is not enabled

17

To test: Create the two subdirectories there. And a test file.

18

ls -l /var/www/html/.well-known/acme-challenge/
insgesamt 8
-rwxr-xr-x 1 www-data www-data 6 Apr 5 22:21 check-your-website-dot-server-daten-dot-de
-rwxr-xr-x 1 www-data www-data 6 Apr 5 22:21 test

but renew command is not sucessful.
still i think is cannot be as cerbot shows:
Attempting to save validation to /var/www/cloud/.well-known/acme-challenge/jbt0wb9dRSkYy7KdVlRtgEt420RA9tbVKBNY2EpzFRg

here the output output.txt (20.7 KB)

19

Remove your complete .htaccess.

Looks like there are some definitions (blocking, wrong redirect or something else).

webroot should always work if there is a running webserver.

20

the only way to get certificate is to stop apache and to use standalone
sudo letsencrypt certonly --standalone --domain kreutzer.asuscomm.com

i will try renew next time with pre and post hooks to start / stop apache.
hope that helps