Failing create certificate (403 Unauthorized) with standalone on ubuntu

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bestellsystem.pfadfinder-wien22.at

I ran this command: certbot certonly -v --standalone -d bestellsystem.pfadfinder-wien22.at ; date

It produced this output:

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2024-09-07 16:21:43,094:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-09-07 16:21:43,094:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-09-07 16:21:43,094:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-09-07 16:21:43,094:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2024-09-07 16:22:12,269:DEBUG:acme.standalone:::ffff:23.178.112.109 - - Request timed out: TimeoutError('timed out')
2024-09-07 16:22:12,272:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==2.9.0', 'console_scripts', 'certbot')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-09-07 16:22:12,275:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): used standalone from certbot

The operating system my web server runs on is (include version): Ubuntu 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Welcome @ubuUser0023, but you removed the more important part of the output. There should have been an explanation of the error before the "Hint".

That same missing message would also be in the full log but the bottom part of that log is not helpful.

In any case, my guess is your port 80 is not properly routed to the server you ran Certbot on. Or, port 80 is being blocked by some sort of firewall.

The --standalone method is difficult to debug because you need to keep Certbot running to test the connection from the public internet.

An easier way to test this is to use these command options:

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this, it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused like that and use a different device to test the connection. You can use a mobile phone with wifi disabled to use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works, this shorter URL should return a response like the one below. I think you will get a timeout error. If so, modify your comms setup and repeat this test until it works.

ACME client standalone challenge solver
3 Likes

Thanks for the answer,

here is the output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: bestellsystem.pfadfinder-wien22.at
Type: unauthorized
Detail: 91.113.250.236: Invalid response from http://bestellsystem.pfadfinder-wien22.at/.well-known/acme-challenge/aYv1AzBKs9IGE6ifq9LjkJHr4hakSDp5JLFm9S-rNB8: 403

I mean... I have tested the port: when I set the iptables rule to forward from 80 to the service port (disabled when using certbot), the service is accessible on the domain.

I have done the dry-run (as suggested) with the following results:

certbot certonly --standalone --dry-run --debug-challenges -v -d bestellsystem.pfadfinder-wien22.at
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Account registered.
Simulating a certificate request for bestellsystem.pfadfinder-wien22.at
Performing the following challenges:
http-01 challenge for bestellsystem.pfadfinder-wien22.at


Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://bestellsystem.pfadfinder-wien22.at/.well-known/acme-challenge/-t62-l73XHe-sOn80gbMymd-lRw9ut_tdGEuePY0POc
Expected value:
-t62-l73XHe-sOn80gbMymd-lRw9ut_tdGEuePY0POc.6pzcMUyH8zaZj8MIMAsTHkpMlZqOrm6apzV4hI7IXMw


Press Enter to Continue

--> I have checked the website; the URL above returns the following string:
-t62-l73XHe-sOn80gbMymd-lRw9ut_tdGEuePY0POc.6pzcMUyH8zaZj8MIMAsTHkpMlZqOrm6apzV4hI7IXMw
(which is quite the same..)

Afterward I hit Enter, so the test ran...
Waiting for verification...
Challenge failed for domain bestellsystem.pfadfinder-wien22.at
http-01 challenge for bestellsystem.pfadfinder-wien22.at

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: bestellsystem.pfadfinder-wien22.at
Type: unauthorized
Detail: 91.113.250.236: Invalid response from http://bestellsystem.pfadfinder-wien22.at/.well-known/acme-challenge/-t62-l73XHe-sOn80gbMymd-lRw9ut_tdGEuePY0POc: 403

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It is rather confusing what this certbot service expects anyway... as the website (when trying manually) works as expected... I don't really know what can be unauthorized... maybe a trailing or leading space / newline?

Thanks in advance

2 Likes
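The manual check the helper describes above (run the --debug-challenges dry run, then fetch the challenge URL from outside) and the trailing-space/newline question raised in the reply can be scripted. This is an added example for the thread, not Certbot's code: it parses the URL / Expected value block quoted above, fetches the URL, and classifies the outcome the way the thread does (403, timeout, connection refused, or a body that differs only by trailing whitespace). The fetch function is injectable so the classifier can be exercised offline; the sample output below is copied from the thread.

```python
import re
import socket
import urllib.error
import urllib.request

# Sample of the --debug-challenges output quoted in the thread (constructed from it).
DEBUG_OUTPUT = """URL:
http://bestellsystem.pfadfinder-wien22.at/.well-known/acme-challenge/-t62-l73XHe-sOn80gbMymd-lRw9ut_tdGEuePY0POc
Expected value:
-t62-l73XHe-sOn80gbMymd-lRw9ut_tdGEuePY0POc.6pzcMUyH8zaZj8MIMAsTHkpMlZqOrm6apzV4hI7IXMw
"""

def parse_debug_output(text):
    """Return (url, expected key authorization) from Certbot's debug output."""
    url = re.search(r"^URL:\s*\n(\S+)", text, re.M).group(1)
    expected = re.search(r"^Expected value:\s*\n(\S+)", text, re.M).group(1)
    return url, expected

def http_fetch(url, timeout=10):
    """Fetch url over plain HTTP; return (status, body). 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def fail_with(exc):
    """Build a fetch function that raises exc (used to simulate network failures)."""
    def fetch(url):
        raise exc
    return fetch

def classify(url, expected, fetch=http_fetch):
    """Probe one http-01 URL and name the failure mode, as the thread discusses them."""
    try:
        status, body = fetch(url)
    except OSError as err:                     # URLError, refused and timeout are all OSError
        reason = getattr(err, "reason", err)   # URLError wraps the socket error in .reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"                   # port 80 filtered or not forwarded
        if isinstance(reason, ConnectionRefusedError):
            return "connection_refused"        # reachable host, nothing listening on :80
        return "error"
    if status != 200:
        return f"http_{status}"                # e.g. http_403 from a geo-block or other front end
    text = body.decode("ascii", "replace")
    if text == expected:
        return "ok"
    if text.strip() == expected:
        # RFC 8555 section 8.3 says the CA SHOULD ignore trailing whitespace, so this still passes.
        return "whitespace_only_difference"
    return "mismatch"

if __name__ == "__main__":
    u, e = parse_debug_output(DEBUG_OUTPUT)
    print(u, "->", classify(u, e))
```

Run it from a host outside your own network while Certbot is paused at "Press Enter to Continue"; a result of `http_403` or `timeout` from an external vantage point while the same URL works from the LAN points at a filter in front of the server rather than at Certbot.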

Did you check that from the public internet or from your local network? Because the request is coming from Let's Encrypt authentication servers from various parts of the world.

You could use a mobile phone with wifi disabled to use your carrier's public network.

Can you start a fresh Certbot --standalone test, leave it running and let us know? I'll monitor this thread and I can also check from other locations.

I am not sure. I only ever see "Connection refused" when trying your domain but maybe because nothing is listening on port 80 (Certbot --standalone)? Not sure.

3 Likes

Never mind, sorry, the problem seems to be a geo-setting of the server...

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.