(http-01): urn:acme:error:unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
snapto.co.uk

I ran this command:
scl enable python27 "./certbot-auto certonly --force-renewal --rsa-key-size 4096 --email hostmaster@snapto.co.uk --agree-tos -w /home/snapto/public_html/ -d snapto.co.uk -d www.snapto.co.uk -d mail.snapto.co.uk -d server.snapto.co.uk --authenticator webroot"

It produced this output:
Failed authorization procedure. server.snapto.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://server.snapto.co.uk/.well-known/acme-challenge/TOEUbg0KAPf9UxFipyw8PbGIJHAuHA29ffBTNOgylQU:

My web server is (include version):
Apache 2.2.15

The operating system my web server runs on is (include version):
CentOS 6.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Virtualmin 6.02

This just started yesterday; it has been working fine for well over a year but just started getting the error. It is only server.snapto.co.uk which fails; the others are fine even though they all point to the same place. Renewing other domains works fine.

Do ALL four domain names use the same webroot path?

If the mail and server subdomain have their own, separate webroot paths, you should enter extra -w /path/to/other/webroot before those domain names.
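A loopback reproduction of the per-hostname check behind that advice, added here as an example and not code from the thread or from Certbot: it imitates the webroot plugin dropping a token file under the -w path, and a name-based vhost server picking its DocumentRoot from the Host header. The constructed mapping assumes server.snapto.co.uk is served from a different DocumentRoot than the other three names, which is the reply's hypothesis, not something the poster confirmed.

```python
import http.server, os, secrets, socketserver, tempfile, threading
from urllib.error import HTTPError
from urllib.request import Request, urlopen

CHALLENGE_DIR = ".well-known/acme-challenge"
# Constructed vhosts: three names share the -w webroot; server.snapto.co.uk is
# hypothetically served from a different DocumentRoot (the reply's theory).
SHARED_WEBROOT = tempfile.mkdtemp(prefix="shared_webroot_")
VHOSTS = {"snapto.co.uk": SHARED_WEBROOT, "www.snapto.co.uk": SHARED_WEBROOT,
          "mail.snapto.co.uk": SHARED_WEBROOT,
          "server.snapto.co.uk": tempfile.mkdtemp(prefix="other_docroot_")}

class VhostHandler(http.server.SimpleHTTPRequestHandler):
    # Pick the DocumentRoot from the Host header, like name-based Apache vhosts.
    def translate_path(self, path):
        host = self.headers.get("Host", "").split(":")[0]
        self.directory = VHOSTS.get(host, SHARED_WEBROOT)
        return super().translate_path(path)

    def log_message(self, *args): pass  # keep the demo quiet

def start_server():
    # Serve the constructed vhosts on a random loopback port; returns the port.
    srv = socketserver.TCPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def place_token(webroot):
    # Drop a challenge file into the -w path, as the webroot plugin does.
    token = secrets.token_urlsafe(32)
    body = token + ".constructed-key-authorization"
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(body)
    return token, body

def fetch(port, host, token):
    # Request the challenge URL for one hostname; returns (status, body).
    req = Request(f"http://127.0.0.1:{port}/{CHALLENGE_DIR}/{token}",
                  headers={"Host": host})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, ""

def check_hostnames(port):
    # True where the validator would see the token body, False where it gets a 404.
    token, body = place_token(SHARED_WEBROOT)
    return {host: fetch(port, host, token) == (200, body) for host in VHOSTS}
```

Running `check_hostnames(start_server())` reports the three shared names as passing and server.snapto.co.uk as failing, which is the pattern a separate -w path for that name would fix.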

Yes, all the same path, which is correct. It is the default virtual server for the entire server, and server.snapto.co.uk is the FQDN for the server.

As I said, this has been working fine and there is nothing I have changed to make it different.

All four hostnames give the same 404 response for the acme-challenge path, e.g.:

$ curl -X GET -I http://server.snapto.co.uk/.well-known/acme-challenge/
HTTP/1.1 404 Not Found
Date: Tue, 16 Jan 2018 01:03:26 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge
X-Content-Type-Options: nosniff
Content-Length: 1156
Content-Type: text/html; charset=utf-8

Can you confirm that you can create a test file at /home/snapto/public_html/.well-known/acme-challenge/test and reach it in a browser, on all of the hostnames?

A 404 response is correct; it is like that for all domains, and yes, I already tested reaching a test file, which works. I also ran a dry run of Certbot for the other 3 domains and it was fine, plus other domains on the server renewed fine when this error first appeared.

I just checked the details of the cert via the browser padlock and it says that for all snapto domains it is marked as trusted for a completely different domain which is on the server, yet the details of the cert appear to be correct.

  1. Any ideas as to how this can happen?
  2. How to resolve it, such as if I revoke any of the certs for snapto and / or the other domain, etc.

The cert for snapto is crucial as this is used for the mail server and by a lot of users.
