Invalid response, failed authorization procedure

Hi Support,

The last certificate renewal failed for server.3x1t.org, but I don't remember changing the virtualhost in the last two months.

This is the output:

Attempting to renew cert (server.3x1t.org) from /etc/letsencrypt/renewal/server.3x1t.org.conf produced an unexpected error: Failed authorization procedure. server.3x1t.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://server.3x1t.org [2a02:c207:2023:4846::1]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n  <head>\n\n    <meta http-equiv=\"content-type\" content=\"te". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/server.3x1t.org/fullchain.pem (failure)


   Domain: server.3x1t.org
   Type:   unauthorized
   Detail: Invalid response from https://server.3x1t.org
   [2a02:c207:2023:4846::1]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
   4.01 Transitional//EN\">\n<html>\n  <head>\n\n    <meta
   http-equiv=\"content-type\" content=\"te"

Looking into https://check-your-website.server-daten.de/?q=server.3x1t.org, I can see on "3. Content- and Performance-critical Checks" this error:

Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename. Creating a Letsencrypt certificate via http-01 challenge may not work. Trouble creating a certificate? [..]

but I've made no changes to the virtualhost.

Here is "apachectl -S":

[Wed Jan 27 20:42:40.343861 2021] [alias:warn] [pid 27911] AH00671: The ScriptAlias directive in /etc/apache2/sites-enabled/mailman.conf at line 2 will probably never match because it overlaps an earlier ScriptAlias.
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:1)
         port 80 namevhost 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:1)
                 alias www.3x1t.org
         port 80 namevhost www (/etc/apache2/sites-enabled/autoconfig.3x1t.org.conf:2)
         port 80 namevhost autoconfig.3x1t.org (/etc/apache2/sites-enabled/autoconfig.3x1t.org.conf:31)
         port 80 namevhost autodiscover.3x1t.org (/etc/apache2/sites-enabled/autodiscover.3x1t.org.conf:2)
         port 80 namevhost server.3x1t.org (/etc/apache2/sites-enabled/cloud.3x1t.org.conf:2)
         port 80 namevhost converse.3x1t.org (/etc/apache2/sites-enabled/converse.3x1t.org.conf:1)
                 alias www.converse.3x1t.org
         port 80 namevhost lists.3x1t.org (/etc/apache2/sites-enabled/mailman.conf:42)
                 alias lists.3x1t.org
         port 80 namevhost server.3x1t.org (/etc/apache2/sites-enabled/server.3x1t.org.conf:1)
                 alias server.3x1t.org
*:443                  is a NameVirtualHost
         default server 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:33)
         port 443 namevhost 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:33)
                 alias www.3x1t.org
         port 443 namevhost www (/etc/apache2/sites-enabled/autoconfig.3x1t.org.conf:54)
         port 443 namevhost autoconfig.3x1t.org (/etc/apache2/sites-enabled/autoconfig.3x1t.org.conf:68)
         port 443 namevhost autodiscover.3x1t.org (/etc/apache2/sites-enabled/autodiscover.3x1t.org.conf:26)
                 alias autodiscover.3x1t.org
         port 443 namevhost cloud.3x1t.org (/etc/apache2/sites-enabled/cloud.3x1t.org.conf:7)
         port 443 namevhost collabora.3x1t.org (/etc/apache2/sites-enabled/collabora.3x1t.org.conf:1)
         port 443 namevhost converse.3x1t.org (/etc/apache2/sites-enabled/converse.3x1t.org.conf:26)
                 alias www.converse.3x1t.org
         port 443 namevhost lists.3x1t.org (/etc/apache2/sites-enabled/mailman.conf:71)
                 alias lists.3x1t.org
         port 443 namevhost server.3x1t.org (/etc/apache2/sites-enabled/server.3x1t.org.conf:29)
                 alias server.3x1t.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

I can't understand it; could you give me your opinion?

Thanks!


Hi @danjde

this

is a basic error. Two different port 80 vHosts with the same domain name, that's always wrong. Merge both in one vHost, disable the other.

And that

port 80 namevhost server.3x1t.org (/etc/apache2/sites-enabled/server.3x1t.org.conf:1)
alias server.3x1t.org

??? Why have ServerName and ServerAlias the same value?


I don't understand; inspecting both vHosts, all seems fine, and no "server.3x1t.org" is present in "/etc/apache2/sites-enabled/cloud.3x1t.org.conf"... :thinking:

Yes, this must be fixed!

Thanks again!


Please show this entire file:


Certainly @rg305, sorry I didn't do it before!

Alias /cloud "/var/www/nextcloud/public_html/"
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]

# Letsencrypt
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
       # RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

</VirtualHost>

<VirtualHost *:443>

    Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
    SSLEngine on
    SSLCompression off
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLSessionTickets off
   
### YOUR SERVER ADDRESS ###

    ServerAdmin 3x1t@3x1t.org
    ServerName cloud.3x1t.org

### SETTINGS ###

    DocumentRoot /var/www/nextcloud/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/nextcloud/public_html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    Satisfy Any
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud/public_html
    SetEnv HTTP_HOME /var/www/nextcloud/public_html

    # The following lines prevent .htaccess and .htpasswd files from being
    # viewed by Web clients.
    <Files ".ht*">
    Require all denied
    </Files>

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
    RequestReadTimeout body=0
    </IfModule>

    <Directory "/var/www/nextcloud/public_html/data/">
    # just in case if .htaccess gets disabled
    Require all denied
    </Directory>

    Redirect 301 /.well-known/carddav https://cloud.3x1t.org/remote.php/dav
    Redirect 301 /.well-known/caldav https://cloud.3x1t.org/remote.php/dav


### LOCATION OF CERT FILES ###

    SSLCertificateFile /etc/letsencrypt/live/server.3x1t.org/fullchain.pem
#   SSLCertificateChainFile /etc/letsencrypt/live/server.3x1t.org/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server.3x1t.org/privkey.pem

</VirtualHost>

### EXTRAS ###
#    SSLUseStapling On
#    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Thanks again!


If apachectl -S shows two definitions, you have two.

Looks like you shared the wrong file, or shared the file incompletely.


Hello @danjde,

You have not defined a ServerName on the first VirtualHost so it is using the default ServerName.

Checking the apachectl -S output you posted above, the default server name for virtual hosts is 3x1t.org but Apache is actually using another ServerName to be the default (server.3x1t.org). You should have configured it on apache2.conf, httpd.conf or whatever is the main conf for your installation. It could also be inside conf-enabled dir.

This command should show the files where you have defined it:

grep -ri "ServerName server.3x1t.org" /etc/apache2/*

But to solve your issue you should add ServerName cloud.3x1t.org to your /etc/apache2/sites-enabled/cloud.3x1t.org.conf file.

Cheers,
sahsanu

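An added check (not from the thread or from any of its participants) that finds the two problems flagged above in apachectl -S output: the same ServerName declared by two vHosts on the same port, and a vHost whose ServerAlias repeats its own ServerName. The SAMPLE text is a constructed, shortened copy of the output format shown earlier in the thread.

```shell
#!/bin/sh
# Constructed sample in the format of "apachectl -S"; shortened and not the
# poster's complete output.
SAMPLE='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:1)
         port 80 namevhost 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:1)
                 alias www.3x1t.org
         port 80 namevhost server.3x1t.org (/etc/apache2/sites-enabled/cloud.3x1t.org.conf:2)
         port 80 namevhost server.3x1t.org (/etc/apache2/sites-enabled/server.3x1t.org.conf:1)
                 alias server.3x1t.org
*:443                  is a NameVirtualHost
         default server 3x1t.org (/etc/apache2/sites-enabled/3x1t.org.conf:33)
         port 443 namevhost cloud.3x1t.org (/etc/apache2/sites-enabled/cloud.3x1t.org.conf:7)
         port 443 namevhost server.3x1t.org (/etc/apache2/sites-enabled/server.3x1t.org.conf:29)'

# dup_vhosts: read apachectl -S output on stdin and print one line per
# (port, ServerName) pair that more than one <VirtualHost> claims.
# Output: "<port> <name> <file:line> <file:line> ..."
dup_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            file = $5; gsub(/[()]/, "", file)
            count[key]++
            files[key] = (count[key] == 1) ? file : files[key] " " file
        }
        END {
            for (k in count)
                if (count[k] > 1) print k, files[k]
        }' | sort
}

# self_alias: print "<port> <name>" for every vHost whose alias line
# repeats its own ServerName (harmless, but a sign of a copy/paste mistake).
self_alias() {
    awk '
        $1 == "port" && $3 == "namevhost" { port = $2; name = $4 }
        $1 == "alias" && $2 == name       { print port, name }' | sort -u
}

# Usage on a live host:  apachectl -S 2>&1 | dup_vhosts
printf '%s\n' "$SAMPLE" | dup_vhosts
printf '%s\n' "$SAMPLE" | self_alias
```

Any line printed by dup_vhosts on port 80 means the http-01 request may be served by a vHost other than the one carrying the acme-challenge Alias, which is exactly the failure in this thread.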

Also, I'm not sure this path would ever be reached:

As all traffic would be redirected to HTTPS:


...but how stupid I was!

Added the parameter into the vHost, and certbot has successfully completed the renewal!

Running it does not return any incorrect information. No "server.3x1t.org" in any wrong place.
Apache could take it from the FQDN, which is exactly "server.3x1t.org"... :thinking:

Bingo!!

I really want to thank you all very much, you've been really valuable for me!

