Invalid response


#1

Hi everybody,

For about a year now I have been running LE and certbot automatically. But all of a sudden it stopped automatically renewing my certificate.

certbot version: 0.28.0
OS: Ubuntu Server 14.04
Webserver: Apache 2.4.7
Domain: flugsim.org

I ran “sudo certbot certonly --apache --dry-run” which produced the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): flugsim.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for flugsim.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. flugsim.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://flugsim.org/.well-known/acme-challenge/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: flugsim.org
   Type:   unauthorized
   Detail: Invalid response from
   http://flugsim.org/.well-known/acme-challenge/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Apache’s error.log gave me a hint:

[Sun Feb 10 18:23:37.718059 2019] [access_compat:error] [pid 12209] [client 52.29.173.72:39860] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ

Indeed /var/lib/letsencrypt belonged to root and I changed it to root:www-data recursively without success.

Interestingly, certbot never created a .well-known directory inside /var/www. So I would expect a 404, not a 403.

Does anybody have any ideas what to try next?

BTW, how can I upload log files?

Florian


#2

Hi @FlorianM

If you use --apache, Certbot uses a location to manage /.well-known/acme-challenge.

But there are not enough rights. So add something like

# Directory Certbot's apache plugin writes the challenge tokens to
<Directory /var/lib/letsencrypt/http_challenges>
        Require all granted
</Directory>
# URL path the ACME server requests during http-01 validation
<Location /.well-known/acme-challenge>
        Require all granted
</Location>

to allow that.

If that doesn’t work, perhaps switch to --webroot.
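As an added illustration of the triage the two posts above walk through (this script is added here and is not part of the thread), the following Python code pulls the challenge token and HTTP status out of a certbot failure message, looks for the matching entry in Apache's error.log, and tells a 403 caused by access control (AH01797, "client denied by server configuration", what post #1 saw) apart from a missing challenge file (AH00128 / 404). The sample lines are constructed from the output quoted in post #1; the second log line is an invented "file does not exist" case for contrast.

```python
import re

# Constructed sample input, assembled from the thread: the certbot
# failure line (post #1) and the Apache error.log entry it corresponds to.
# The second log line is a constructed "file not found" case for contrast.
CERTBOT_OUTPUT = (
    "Failed authorization procedure. flugsim.org (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from "
    "http://flugsim.org/.well-known/acme-challenge/"
    "tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ: "
    '"<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n'
    '<title>403 Forbidden</title>\\n</head><body>\\n<h1>Forbidden</h1>\\n<p"'
)

APACHE_ERROR_LOG = [
    "[Sun Feb 10 18:23:37.718059 2019] [access_compat:error] [pid 12209] "
    "[client 52.29.173.72:39860] AH01797: client denied by server "
    "configuration: /var/lib/letsencrypt/http_challenges/"
    "tuZpzbDLbsxmMeqqiWV8ilKKYfv8hFbWBkb3KHryeMQ",
    # constructed: what a missing challenge file looks like instead
    "[Sun Feb 10 18:25:01.000000 2019] [core:error] [pid 12210] "
    "[client 198.51.100.7:51234] AH00128: File does not exist: "
    "/var/www/html/.well-known/acme-challenge/CONSTRUCTEDTOKEN0001",
]

# The challenge URL certbot reports, the token at its end, and (if the
# body was an HTML error page) the status code from its <title>.
CHALLENGE_RE = re.compile(
    r"Invalid response from (?P<url>https?://\S+?/\.well-known/acme-challenge/"
    r"(?P<token>[A-Za-z0-9_-]+))"
    r"(?:.*?<title>(?P<status>\d{3}))?"
)

# Apache 2.4 error.log layout: [module:error] ... [client ip:port] AHnnnnn: message: path
APACHE_ERROR_RE = re.compile(
    r"\[(?P<module>\w+):error\] .*?\[client (?P<client>[^\]]+)\] "
    r"(?P<code>AH\d{5}): (?P<message>[^:]+): (?P<path>\S+)"
)


def extract_challenge(certbot_output):
    """Return url/token/status of the failed http-01 challenge, or None."""
    m = CHALLENGE_RE.search(certbot_output)
    if not m:
        return None
    return {"url": m.group("url"), "token": m.group("token"),
            "status": m.group("status")}


def parse_apache_error(line):
    """Return the fields of one Apache error.log line, or None if not an error entry."""
    m = APACHE_ERROR_RE.search(line)
    return m.groupdict() if m else None


def diagnose(certbot_output, error_log_lines):
    """Correlate the certbot failure with error.log and name the likely cause."""
    challenge = extract_challenge(certbot_output)
    if challenge is None:
        return {"verdict": "unknown",
                "reason": "no http-01 failure found in certbot output"}
    token = challenge["token"]
    # Only error.log lines whose path ends in this challenge's token matter.
    related = [e for e in map(parse_apache_error, error_log_lines)
               if e and e["path"].rstrip("/").endswith(token)]
    codes = {e["code"] for e in related}
    if "AH01797" in codes:
        verdict = "access_control"
        reason = ("Apache found the token file but denied the request by "
                  "configuration; file ownership is not the problem, the "
                  "challenge directory/location needs 'Require all granted'")
    elif "AH00128" in codes or challenge["status"] == "404":
        verdict = "file_missing"
        reason = ("the vhost that answered does not serve the directory the "
                  "token was written to; check the webroot path")
    elif challenge["status"] == "403":
        verdict = "access_control"
        reason = ("403 returned but no matching error.log line; check access "
                  "rules and which vhost answered the request")
    else:
        verdict, reason = "unknown", "no matching evidence in error.log"
    return {"token": token, "status": challenge["status"],
            "apache_codes": sorted(codes), "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    result = diagnose(CERTBOT_OUTPUT, APACHE_ERROR_LOG)
    print(f"{result['verdict']}: {result['reason']}")
```

The point the script encodes is the one post #1 stumbled on: a 403 paired with AH01797 means Apache located the file and refused to serve it, so chowning /var/lib/letsencrypt will not help, whereas a 404 (or AH00128) means the request landed in a document root that does not contain the token at all.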


#3

Can you post “sudo apachectl -t -D DUMP_VHOSTS” and the relevant virtual host?

What mod_access_compat settings would likely be affecting this?

Certbot should be able to work around most things, but it’s not perfect. Maybe you can modify the Apache configuration so Certbot will understand it, or Certbot has a bug that should be fixed.

There should be a button now.


#4

Thanks a lot for your help. --apache is still not working but --webroot does. I thought I checked it yesterday with no success but anyway, I’m up and running! Thanks!