Failed authorization when run /usr/bin/certbot renew --quiet

ahmedvolks · 2019-01-17 12:35:46 UTC

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
falaq.thetranslationgate.com
I ran this command:
/usr/bin/certbot renew --quiet
It produced this output:
Attempting to renew cert (falaq.thetranslationgate.com) from /etc/letsencrypt/renewal/falaq.thetranslationgate.com.conf produced an unexpected error: Failed authorization procedure. falaq.thetranslationgate.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://falaq.thetranslationgate.com/.well-known/acme-challenge/qa1nOvaZb2NFpYsm7kGi1RCYKmCsjPZpRRUXME3nABg: "<!DOCTYPE html>\r\n<html lang=“en”>\r\n<head>\r\n <meta charset=“utf-8”>\r\n <meta name=“viewport” content=“width=device-width, in”. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/falaq.thetranslationgate.com/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)
My web server is (include version):
Apache version 2.4.18
The operating system my web server runs on is (include version):
Ubuntu Linux 16.04.5
My hosting provider, if applicable, is:
Amazon VPS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin version version 1.900 using cron job for renew.

JuergenAuer · 2019-01-17 12:40:00 UTC

Hi @ahmedvolks

if you use http-01 - validation, certbot creates a file under /.well-known/acme-challenge and Letsencrypt checks this file.

But your website has a wrong redirect ( https://check-your-website.server-daten.de/?q=falaq.thetranslationgate.com ).

Domainname	Http-Status	redirect	Sec.	G
• http://falaq.thetranslationgate.com/
52.27.42.27	302	https://falaq.thetranslationgate.com/	0.360	A

• https://falaq.thetranslationgate.com/
52.27.42.27	200		3.127	B

• http://falaq.thetranslationgate.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
52.27.42.27	302	https://falaq.thetranslationgate.com/	0.360	A

/.well-known/acme-challenge doesn’t send the file (or - if the file doesn’t exist - a http status 404), instead there is a wrong redirect.

So it’s impossible to find the correct file.

Remove this redirect if it is /.well-known/acme-challenge.

ahmedvolks · 2019-01-17 12:59:31 UTC

Thank you JuergenAuer for your fast reply, But I’m not like you. Please let me know how to remove this redirect as I do not have a .welknown folder

root@falaq:/home/ubuntu# cd /var/www/html/
root@falaq:/var/www/html# ll

-rwxrwxrwx 1 root root 395 Dec 26 11:01 .htaccess*
-rw-r–r-- 1 root root 1647 Aug 30 09:03 letsencrypt-ca.pem
-rw-r–r-- 1 root root 2533 Aug 30 09:03 letsencrypt-cert.pem
-rw-r–r-- 1 root root 3243 Aug 30 09:03 letsencrypt-key.pem
-rw-r–r-- 1 user users 655 Dec 19 14:37 .profile

Can I use webmin to remove this redirect if it is easy in my case?
I also writing the .htaccess content:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://falaq.thetranslationgate.com/

I hope this help.

JuergenAuer · 2019-01-17 13:30:58 UTC

Your redirect goes always to /, this is the problem.

Use something like

RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

instead, so http + /.well-known/… is redirected to https + /.well-known/…

JuergenAuer · 2019-01-17 14:03:36 UTC

There

was the correct solution, now you have again the wrong redirect.

Your

http://falaq.thetranslationgate.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

must redirect to

https://falaq.thetranslationgate.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

this produces a http status 404, but this is correct (because the file doesn’t exist).

But if Certbot creates a file in this subdirectory, then Letsencrypt can find this file (Letsencrypt follows https redirects).

ahmedvolks · 2019-01-17 14:09:24 UTC

Thank you very much and I appreciate this fast response, I made as below, I think is is finally correct, is it?

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://falaq.thetranslationgate.com/$1 [R=301,L]

JuergenAuer · 2019-01-17 14:20:34 UTC

Now check if you can create a new certificate.

If not, you must find your webroot. Then you can use this.

Something like

certbot run -a webroot -i apache -w yourWebRoot -d falaq.thetranslationgate.com

ahmedvolks · 2019-01-17 14:39:13 UTC

I ran this command as below:
certbot run -a webroot -i apache -w /var/www/html/ -d falaq.thetranslationgate.com

Then:
1- choose 2: Renew & replace the cert (limit ~5 per 7 days)
2- chose 2: Redirect - Make all requests redirect to secure …etc.

Now I tested it at the below link and it gave me A degree
https://www.ssllabs.com/ssltest/analyze.html?d=falaq.thetranslationgate.com

I’m realy happy that you helped me and waiting you if you come to Egypt to welcome you. but just give me a sign

JuergenAuer · 2019-01-17 15:00:23 UTC

Yep, now your certificate is new:

CN=falaq.thetranslationgate.com
	17.01.2019
	17.04.2019
	falaq.thetranslationgate.com - 1 entry

So the 404 of the unknown file in /.well-known/acme-challenge is good, not a problem.

system · 2019-02-16 15:00:30 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.