Issue with acme challenging

Help
1

I have an issue on a prod server and I would like to reproduce on a my server.
For that I'm tryng to install LE but without success sue to the trivial error:
Failed authorization procedure. mysite.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.tld/.well-known/acme-challenge/BecJYmXSlk8EsZqSnyXYQZyFDydeC8TRto9EZUQTPbg: "

My domain is:
mysite.tld
If you ever need the real name, please let me know your IP.
As this is a personnal server, the FW reject quite all (not LE servers of course :slight_smile: )

I ran this command:

./letsencrypt-auto --test-cert --apache certonly -d mysite.tld

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite.tld
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mysite.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.tld/.well-known/acme-challenge/BecJYmXSlk8EsZqSnyXYQZyFDydeC8TRto9EZUQTPbg: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version):
apache 2.4.10

The operating system my web server runs on is (include version):
Debian 8.11 (jessie)

My hosting provider, if applicable, is:
Personnal server

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Localy I can reach the acme-challenge directory. Apache is able to open a test page under [http|https]://mysite.tld/.well-known/acme-challenge/index.html

I also checked these points:

ls -ali /www/.well-known/

total 24
49859 drwxr-xr-x 3 www-data www-data 4096 août 15 13:41 .
2 drwxrwxr-x 40 www-data www-data 16384 mai 21 09:16 ..
49860 drwxr-xr-x 2 www-data www-data 4096 août 15 13:47 acme-challenge

ls -ali /www/.well-known/acme-challenge/

total 20
49860 drwxr-xr-x 2 www-data www-data 4096 août 15 13:47 .
49859 drwxr-xr-x 3 www-data www-data 4096 août 15 13:41 ..

ps -ef|grep apache2

root 25261 1 0 14:04 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 30271 25261 0 15:32 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30272 25261 0 15:32 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30273 25261 0 15:32 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30274 25261 0 15:32 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30275 25261 0 15:32 ? 00:00:00 /usr/sbin/apache2 -k start

netstat -plant|grep apache

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 25261/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 25261/apache2

dig TXT mysite.tld

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> TXT mysite.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4064
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mysite.tld. IN TXT

;; ANSWER SECTION:
mysite.tld. 3599 IN TXT "1|mysite.tld"
mysite.tld. 3599 IN TXT "1|www.mysite.tld"
mysite.tld. 3599 IN TXT "v=spf1 include:mx.ovh.com ~all"

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 15 16:38:40 CEST 2018
;; MSG SIZE rcvd: 139

Iptables are OK, my log shows:
Aug 15 15:32:41 mysys kernel: [23133.923717] LETSENC ACCEPT: IN=eth0 OUT= MAC=64:00:6a:4e:61:2b:00:24:d4:bf:0f:98:08:00 SRC=66.133.109.36 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=38 ID=6654 DF PROTO=TCP SPT=35198 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

My Apache config is mainly:

/etc/apache2/apache2.conf
Directory /
AllowOverride None
Require all granted
/Directory

Directory /var/www/
AllowOverride None
Require all granted
/Directory

Directory /www/
AllowOverride None
Require all granted
/Directory

/etc/apache2/sites-available/mysite.conf
Alias /challenge /www/.well-known
Location /www/.well-known
RequireAny
Require all denied
Require local
Require ip 66.133.96.0/19
/RequireAny
/Location

2

Hi,

Let’s Encrypt use quite different validation server, and if one of the validation server fails, LE would report as a error failure.

Thank you

3

This is not a supported configuration - Let's Encrypt has expressed several times that they can use multiple IP addresses for validation that are not published and can change at any time. If you insist on restricting access to this server by IP address, you should look into DNS validation instead of HTTP.

4

Thanks Stevenzu and Jared
Well I understand but I can see which LE server is coming with my FW logs and as you can see in my post I let the whole LE servers field open for 66.133.96.0/19.
So I suppose this would’nt be a problem?

5

Hi,

That won't be all of LE servers, as LE Validations are coming from Akamai (to make validations dynamic)..

It would be a problem if you missed any servers (which would make the challenge fail...)

Thank you

6

Possibly, but in the end, what’s happening is that your web server is responding to the validation request with a 404. Are you able to place a test file in that location and check it yourself?

Another possibility that we see fairly often is that you may have an AAAA record that points to a different server than your A record.

7

Ok,
I’m going to check the AAAA DNS record then give a try with less FW restrictions.
I’ll post the results.
Thanks again Stevenzhu and Jared for your kind help :slight_smile:

8

I think this is a slight misconception: the Let's Encrypt API is hosted by Akamai, but IP addresses used for validations could come from many other sources. I don't believe Akamai allows customers to use its own IP addresses to make outbound connections, even in the case of partners like Let's Encrypt.

But indeed, the IP addresses are meant to be variable and unpredictable.

9

Well,
for my server there is no AAAA record. As I don't use ipv6, I believe this is not needed in my case.
I removed all filters on ports 80 and 443 from my iptables rules and I can see many connections to my port 80 (and accepted) while the challenge verification is going.
But infortunately I'm still having the same issue.

Failed authorization procedure. mysite.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.tld/.well-known/acme-challenge/kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"

10

Are you able to place a file in the .well-known/acme-challenge directory and load it in your browser from outside your network?

11

Yes, I just did it it from my prod server (located outside) with:
wget mysite.tld/.well-known/acme-challenge/index.html
and got the file

requête HTTP transmise, en attente de la réponse… 200 OK
Taille : 4952 (4,8K) [text/html]
Sauvegarde en : « index.html »

12

Hi @PhLinuX

check a file like 123456789 without extension. Sometimes, the missing extension is the problem.

Or Certbot doesn't find your webroot. So the validation file is in the wrong directory.

13

I renamed the file like a challenge file: mG0c_xjYHN6X2vIGAXK7qTERpPJo4_xXdeDpfxR-5-U
and dir a wget. It also works.
wget phlinux.ovh/.well-known/acme-challenge/mG0c_xjYHN6X2vIGAXK7qTERpPJo4_xXdeDpfxR-5-U

requête HTTP transmise, en attente de la réponse… 200 OK
Taille : 4952 (4,8K)
Sauvegarde en : « mG0c_xjYHN6X2vIGAXK7qTERpPJo4_xXdeDpfxR-5-U »

14

JuergenAuer said:

... Or Certbot doesn’t find your webroot. So the validation file is in the wrong directory.

I don't use certbot but lestencrypt-auto so I suppose it uses certbot somewhere.
How can I check if certbot uses the right directory?

15

This is just another (old) name for Certbot. :grin:

Can you please post the contents of /var/log/letsencrypt/letsencrypt.log? (Surround it with three backticks/grave accents (```) before and after to post it as pre-formatted text. That makes it way easier to read.)

16

Hi @PhLinuX,

I didn't check all the posts in this thread but...

That Alias is not correct, won't match the http-01 challenge requested by LE. You should use something like this:

Alias /.well-known /www/.well-known

Also, if you want accurate help, you should post your real domain name and the entire apache conf for your domain.

Good luck,
sahsanu

17

Thanks Jared,
Here it is :wink:

2018-08-15 18:35:55,455:DEBUG:certbot.main:certbot version: 0.26.1
2018-08-15 18:35:55,455:DEBUG:certbot.main:Arguments: ['--test-cert', '--apache', '-d', 'phlinux.ovh']
2018-08-15 18:35:55,455:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-08-15 18:35:55,463:DEBUG:certbot.log:Root logging level set at 20
2018-08-15 18:35:55,464:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-15 18:35:55,464:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-08-15 18:35:55,540:DEBUG:certbot_apache.configurator:Apache version is 2.4.10
2018-08-15 18:35:55,880:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f45e1164e90>
Prep: True
2018-08-15 18:35:55,881:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f45e1164e90>
Prep: True
2018-08-15 18:35:55,881:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f45e1164e90> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f45e1164e90>
2018-08-15 18:35:55,881:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-08-15 18:35:55,883:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None), uri=u'https://acme-staging-v02.api.letsencrypt.org/acme/acct/6641890', new_authzr_uri=None, terms_of_service=None), ed482ad44e317bfd36bb64bfef5c1d3c, Meta(creation_host=u'phlsys.phlinux.ovh', creation_dt=datetime.datetime(2018, 8, 13, 11, 39, 10, tzinfo=<UTC>)))>
2018-08-15 18:35:55,884:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-08-15 18:35:55,901:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-08-15 18:35:56,392:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2018-08-15 18:35:56,392:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 15 Aug 2018 16:35:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Aug 2018 16:35:56 GMT
Connection: keep-alive

{
  "2jMEGBI1xb4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-08-15 18:35:56,393:INFO:certbot.main:Obtaining a new certificate
2018-08-15 18:35:56,502:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0022_key-certbot.pem
2018-08-15 18:35:56,503:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0022_csr-certbot.pem
2018-08-15 18:35:56,504:DEBUG:acme.client:Requesting fresh nonce
2018-08-15 18:35:56,504:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order.
2018-08-15 18:35:56,760:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
2018-08-15 18:35:56,761:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: AHgpPCa_yYLItxxTU1JYLDaFm-pj9ia8SgRTVSGSGok
Expires: Wed, 15 Aug 2018 16:35:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Aug 2018 16:35:56 GMT
Connection: keep-alive


2018-08-15 18:35:56,761:DEBUG:acme.client:Storing nonce: AHgpPCa_yYLItxxTU1JYLDaFm-pj9ia8SgRTVSGSGok
2018-08-15 18:35:56,761:DEBUG:acme.client:JWS payload:
{
  "status": "pending", 
  "identifiers": [
    {
      "type": "dns", 
      "value": "phlinux.ovh"
    }
  ], 
  "resource": "new-order"
}
2018-08-15 18:35:56,762:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICJBSGdwUENhX3lZTEl0eHhUVTFKWUxEYUZtLXBqOWlhOFNnUlRWU0dTR29rIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY2NDE4OTAiLCAiYWxnIjogIlJTMjU2In0", 
  "payload": "ewogICJzdGF0dXMiOiAicGVuZGluZyIsIAogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJwaGxpbnV4Lm92aCIKICAgIH0KICBdLCAKICAicmVzb3VyY2UiOiAibmV3LW9yZGVyIgp9", 
  "signature": "EWHzLiEjXZkZr_8cVNhjvRtXuIoB3iXGV1XA3W8XrFWH3KQTcnfHEtfHoUKTmYWFOiZujMb4Bjvc3PTsyZLFp21r-wW2Q-llwEznrOwlAPQnPVvvVFS7O9bpTKLD_mW7Qwb3pDEiLhJVAoG6hDMq1VpclO-7w8igeMW7lJpIQQTfm7VhSPuIXATUPcd_s2PweOdHQNKyEYhSySn5eXLdtFhbdiZ9d-D6Mzd0iw-bLRUrn1qi5YTmI8iklLFp3tjf9u3frLypzTpngcwOXeorMdBUWZQBmcJ6HAsAqpfjTdDCbTQY3uRJhtW8a8cmdMKTQtodxqSvQL4Jgour7l9BpA"
}
2018-08-15 18:35:57,031:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 383
2018-08-15 18:35:57,032:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 383
Boulder-Requester: 6641890
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/6641890/5930500
Replay-Nonce: YP7xl_k_0GOrJVoWEiSob1MmKxzrpHsPGBU47juw1-c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 15 Aug 2018 16:35:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Aug 2018 16:35:57 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-08-22T16:35:56.879980679Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "phlinux.ovh"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/6641890/5930500"
}
2018-08-15 18:35:57,032:DEBUG:acme.client:Storing nonce: YP7xl_k_0GOrJVoWEiSob1MmKxzrpHsPGBU47juw1-c
2018-08-15 18:35:57,032:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8.
2018-08-15 18:35:57,269:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8 HTTP/1.1" 200 924
2018-08-15 18:35:57,270:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 924
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 15 Aug 2018 16:35:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Aug 2018 16:35:57 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "phlinux.ovh"
  },
  "status": "pending",
  "expires": "2018-08-22T16:35:56Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992491",
      "token": "kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992492",
      "token": "rpI6wfDP0ArHzSWsNxr-arOxfRC_ESOIKswiz_1D2yU"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992493",
      "token": "a5DG9B6X1I7HzvQeINBw2v2UZLfKo77Apqrj50QB1WA"
    }
  ]
}
2018-08-15 18:35:57,270:INFO:certbot.auth_handler:Performing the following challenges:
2018-08-15 18:35:57,270:INFO:certbot.auth_handler:http-01 challenge for phlinux.ovh
2018-08-15 18:35:57,317:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: phlinux.ovh in: /etc/apache2/sites-enabled/phlinux-80.conf
2018-08-15 18:35:57,317:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2018-08-15 18:35:57,317:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2018-08-15 18:35:57,328:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/phlinux-80.conf
2018-08-15 18:36:00,464:INFO:certbot.auth_handler:Waiting for verification...
2018-08-15 18:36:00,465:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA.eP1oLvqVTUCVgzcffrXIU0mUEV3QVd8d0Brul7COg9c", 
  "type": "http-01", 
  "resource": "challenge"
}
2018-08-15 18:36:00,466:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992491:
{
  "protected": "eyJub25jZSI6ICJZUDd4bF9rXzBHT3JKVm9XRWlTb2IxTW1LeHpycEhzUEdCVTQ3anV3MS1jIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS9jREJQenRpbFRyUXV1SG9yX2duLW9oTWRNeUpUdERhNzBTS09JazVlNGw4LzE1OTk5MjQ5MSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY2NDE4OTAiLCAiYWxnIjogIlJTMjU2In0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImtXRlZtX0x4N3FaTW1qUlNVSEh1UE1IS3dla3pZVFZSWXVUcXpJMExoSUEuZVAxb0x2cVZUVUNWZ3pjZmZyWElVMG1VRVYzUVZkOGQwQnJ1bDdDT2c5YyIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "k123NuqSPEKfIVpL-v8VlGYtqmu9ZfrDoBXhrvH0r3in9aYejWdANEgXsPCcveF4GRXc4N41oXv95Jx0m8zWP0_7O83TDVaqiXQSSR4M9hvQ6-UJbMoIll9LrU2qhHrshG6NnItm-7B3cn3LoCGOWLQBXelPpXRxexI9gcfdUZPqv0alVbiQNCL1Qevbjj25vs2kgcs1XQpWGEBkEFlcLRpYcxlMzmDcBtqk4ar2TPm8Xlm05mLzSRY54SjeJHG9vVxABxj47zMKqX-QNISyHVBA4-DPFj8zHtS4OteXQe4BsK4SRasl2wEqh2duSHSVVanJKHpEywNm8-VKAtq7vg"
}
2018-08-15 18:36:00,723:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992491 HTTP/1.1" 200 230
2018-08-15 18:36:00,724:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 6641890
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992491
Replay-Nonce: -p6mxve7ov1jQXKrzIMPXOOF6gx_4_7Y6srxGQlAY74
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 15 Aug 2018 16:36:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Aug 2018 16:36:00 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992491",
  "token": "kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA"
}
2018-08-15 18:36:00,724:DEBUG:acme.client:Storing nonce: -p6mxve7ov1jQXKrzIMPXOOF6gx_4_7Y6srxGQlAY74
2018-08-15 18:36:03,727:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8.
2018-08-15 18:36:03,965:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8 HTTP/1.1" 200 1743
2018-08-15 18:36:03,966:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1743
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 15 Aug 2018 16:36:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Aug 2018 16:36:03 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "phlinux.ovh"
  },
  "status": "invalid",
  "expires": "2018-08-22T16:35:56Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://phlinux.ovh/.well-known/acme-challenge/kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA: \"\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992491",
      "token": "kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA",
      "validationRecord": [
        {
          "url": "http://phlinux.ovh/.well-known/acme-challenge/kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA",
          "hostname": "phlinux.ovh",
          "port": "80",
          "addressesResolved": [
            "88.178.211.92"
          ],
          "addressUsed": "88.178.211.92"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992492",
      "token": "rpI6wfDP0ArHzSWsNxr-arOxfRC_ESOIKswiz_1D2yU"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/cDBPztilTrQuuHor_gn-ohMdMyJTtDa70SKOIk5e4l8/159992493",
      "token": "a5DG9B6X1I7HzvQeINBw2v2UZLfKo77Apqrj50QB1WA"
    }
  ]
}
2018-08-15 18:36:03,966:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: phlinux.ovh
Type:   unauthorized
Detail: Invalid response from http://phlinux.ovh/.well-known/acme-challenge/kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-08-15 18:36:03,967:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. phlinux.ovh (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://phlinux.ovh/.well-known/acme-challenge/kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

2018-08-15 18:36:03,967:DEBUG:certbot.error_handler:Calling registered functions
2018-08-15 18:36:03,967:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-15 18:36:04,178:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. phlinux.ovh (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://phlinux.ovh/.well-known/acme-challenge/kWFVm_Lx7qZMmjRSUHHuPMHKwekzYTVRYuTqzI0LhIA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
18

Hi Sahsanu,
thanks four attention.
Yes, you’re right, this alias is not ok and never worked of course.
I just forgot to remove it. it’s done now.
Well I’m sorry for my paranoia. I can mail you my real domain if you want.
I just would like it to be kept “confidential”.

19

Looking more attentively I can see that /var/lib/letsencrypt/http_challenges is used but nothing in it.
Could certbot uses this to make the challenge?

20

There is a rewrite rule created, so /.well-known/acme-challenge/filename is redirected to /var/lib/letsencrypt/http_challenges/filename

Looks like Certbot saves the file there. Are there other rewrite rules which may block that?

Edit: Create there a file and test, if you can load it per http://phlinux.ovh/.well-known/acme-challenge/123456788