Invalid response from acme-challenge during renewal dry run

Hi! I am not sure what the problem is with this renewal attempt.

“client lacks sufficient authorization”
“Invalid response from…ACME-challenge related to the” domain name

The Mac mini is in use as a mail server using a dynamic DNS service provided by noip.com. It also uses a mail service from noip; I am able to get mail remotely from the mini using my mobile devices (including iPhones and iPads). Note that my registrar is not noip.com.

My domain is: secretislandlaboratories.com
I ran this command: sudo certbot renew --dry-run
It produced this output:

Attempting to renew cert (secretislandlaboratories.com) from /etc/letsencrypt/renewal/secretislandlaboratories.com.conf produced an unexpected error: Failed authorization procedure. secretislandlaboratories.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://secretislandlaboratories.com/.well-known/acme-challenge/[long name]: "

404 Not Found

Not Found

<p". Skipping.

My web server is (include version): a 2014 Mac mini running macOS Sierra and Server

The operating system my web server runs on is (include version): macOS 10.12.6, macOS Server 5.3.1

My hosting provider, if applicable, is: —

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thanks!
Mike

Hi,

It seems that your website is not serving correct contents. (Although there are no contents.)

I’m not sure what you should do at this time, but maybe try standalone mode (if you are not going to run websites) or create a vHost for Mac server.

Thank you

What is standalone mode, and what is a vHost?

Tnx,

Mike

Hi,

Standalone mode sets up a temporary web server and does not depend on your current server config.

vHost is a short name for Virtual Host…

I’ve found a guide for you… (However, since I’m not using macOS, I don’t know if that one works…)
https://www.macstrategy.com/article.php?211

Thank you

I created the script according to the macstrategy article at the indicated link above, and ran it. It failed.

After staring daggers at the gazouta for a while, decided it was objecting to being asked to renew www.secretislandlaboratories.com, and removed that bit from the certbot command. Running the script then produced the following, which doesn’t actually tell me if it has been installed properly, so I’ll have to explore to see what’s what.

Will I have to cron two scripts, one for each, to keep 'em from tripping up?

Tnx!

-m

cedar:letsencrypt boss$ ./renewcert.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for secretislandlaboratories.com
Using the webroot path /Library/Server/Web/Data/Sites/secretislandlaboratories.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/secretislandlaboratories.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/secretislandlaboratories.com-0001/privkey.pem
    Your cert will expire on 2018-10-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

1 identity imported.
2 certificates imported.

I ran into a complication that required some thought. Apparently some automated part of the process had detected that there already was a folder /etc/letsencrypt/live/secretislandlaboratories.com and created /etc/letsencrypt/live/secretislandlaboratories.com-0001. The script from macstrategy was aimed at secretislandlaboratories.com, and performed the latter steps on the older files in that folder. Once I figured this out (I was seeing only the expiring cert showing up in macOS Server Certificates) I hacked a shorter script from the original that just did the last three steps but with the newer -0001 folder content and let 'er rip. The new cert showed up once I quit and restarted the Server app.
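
The mix-up described in the last post (the import steps reading the old /etc/letsencrypt/live/secretislandlaboratories.com folder while the new certificate sat in the -0001 folder) can be avoided by letting the script choose the most recently written lineage itself. This is an added example, not part of the thread or of the macstrategy script; the function name and the demo directory are constructed, and it compares file modification times rather than parsing certificate expiry dates.

```shell
#!/bin/sh
# Print the certbot lineage directory for DOMAIN whose fullchain.pem was
# written most recently: DOMAIN itself or DOMAIN-0001, DOMAIN-0002, ...
# Usage: newest_lineage LIVE_DIR DOMAIN   (hypothetical helper name)
newest_lineage() {
    live=$1
    domain=$2
    newest=""
    # Match only the exact name and certbot's four-digit suffixes, so an
    # unrelated folder such as DOMAIN.bak is never picked up.
    for dir in "$live/$domain" "$live/$domain"-[0-9][0-9][0-9][0-9]; do
        cert="$dir/fullchain.pem"
        [ -f "$cert" ] || continue      # also skips an unmatched glob
        # -nt follows the live/ symlinks and compares modification times.
        if [ -z "$newest" ] || [ "$cert" -nt "$newest/fullchain.pem" ]; then
            newest=$dir
        fi
    done
    [ -n "$newest" ] || return 1        # no lineage found for this domain
    printf '%s\n' "$newest"
}

# Constructed demo: two lineages for example.test, the -0001 one newer.
demo=$(mktemp -d)
mkdir -p "$demo/example.test" "$demo/example.test-0001"
touch -t 201804180000 "$demo/example.test/fullchain.pem"
touch -t 201807180000 "$demo/example.test-0001/fullchain.pem"
newest_lineage "$demo" example.test
rm -rf "$demo"
```

Running `certbot certificates` lists every lineage with its expiry date, which confirms the choice before anything is imported.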
