Letsencrypt renewal failed due to authentication error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: renouveauspirituel.com

I ran this command: sudo certbot --apache
and this one too : sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: renouveauspirituel.com
2: www.renouveauspirituel.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): E
** Error - Invalid selection **

Which names would you like to activate HTTPS for?


1: renouveauspirituel.com
2: www.renouveauspirituel.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for renouveauspirituel.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. renouveauspirituel.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 167.86.124.8: Invalid response from http://renouveauspirituel.com/.well-known/acme-challenge/LI1mNHXfPgIQOlV00fELcblCh0dqEOVToFOW92h9seU: 403

IMPORTANT NOTES:

My web server is (include version): WordPress 6.0

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

Hi @viter7960, and welcome to the LE community forum 🙂

Please show the outputs of:
apachectl -t -D DUMP_VHOSTS
certbot certificates

6 Likes

Hi,

Thanks for your help.
I was able to renew the certificates manually, but it is a kind of workaround, and it works.

I went to /etc/apache2/sites-enabled and there were two files there:
renouveauspirituel.com.conf renouveauspirituel.com-le-ssl.conf

Then I renamed "renouveauspirituel.com-le-ssl.conf" to "renouveauspirituel.com-le-ssl.conf.bak"

And then when I ran the command "sudo certbot renew" it worked.
And then I renamed the file "renouveauspirituel.com-le-ssl.conf.bak" back to "renouveauspirituel.com-le-ssl.conf" and then everything worked fine.

But then I supposed that, as long as I don't solve the problem correctly, I will have to proceed that way every time, so even though it is working now, I would still like to solve the problem.

So here are the outputs.
For apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com-le-ssl.conf:19)
port 80 namevhost renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com-le-ssl.conf:19)
alias www.renouveauspirituel.com
port 80 namevhost renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com.conf:1)
alias www.renouveauspirituel.com

For certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: renouveauspirituel.com
Domains: renouveauspirituel.com
Expiry Date: 2022-10-07 03:15:44+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/renouveauspirituel.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/renouveauspirituel.com/privkey.pem


Thanks !

It's kinda weird to have a port 80 (HTTP) virtualhost in the ~-le-ssl.conf file. Certbot generates the ~-le-ssl.conf file from the regular configuration file and puts the HTTPS (port 443) virtualhost in it, leaving the original HTTP virtualhost in the regular configuration file. It only changes that vhost to add a redirect. But Certbot does not add HTTP vhosts to the -le-ssl.conf file.

4 Likes

Some versions of certbot copy the port 80 vhost into the -le-ssl configuration file. It's a longstanding bug with which I've dealt many times. The best solution is usually to clean up the correct port 80 vhost configuration file to remove duplicate definitions, remove the port 443 vhost configuration file, and reinstall the existing certificate.

6 Likes

Hm, did not know/remember that. Probably related to:

Running Certbot from the time of the ancient Egyptians.

5 Likes

So, there is a name:port overlap between those two files.
I would compare both HTTP server blocks and then remove one of them.

6 Likes
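The name:port overlap pointed out above can be checked mechanically. The script below is an added example (not from any poster in this thread): it parses the format `apachectl -t -D DUMP_VHOSTS` prints, reports every server name and alias that is served for the same port from more than one file, and flags port 80 vhosts living in a Certbot-generated `*-le-ssl.conf` file. The sample dump is constructed to mirror the output shown in the thread.

```python
"""Find overlapping VirtualHost definitions in `apachectl -t -D DUMP_VHOSTS` output.
Added example, not code from the thread. Apache serves a name:port from the first
matching vhost, so a duplicate in a second file is silently ignored; that is what
sent the http-01 challenge to the wrong DocumentRoot and produced the 403."""
import re
from collections import defaultdict

# Constructed sample, shaped like the DUMP_VHOSTS output posted in the thread.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443 renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com-le-ssl.conf:19)
port 80 namevhost renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com-le-ssl.conf:19)
alias www.renouveauspirituel.com
port 80 namevhost renouveauspirituel.com (/etc/apache2/sites-enabled/renouveauspirituel.com.conf:1)
alias www.renouveauspirituel.com
"""

# "*:443 host (file:line)" for single-vhost ports, "port 80 namevhost host (file:line)"
# for name-based ports, and "alias name" lines that belong to the preceding vhost.
SINGLE_RE = re.compile(r"^\*:(\d+)\s+(\S+)\s+\((\S+):\d+\)$")
NAMEVHOST_RE = re.compile(r"^port\s+(\d+)\s+namevhost\s+(\S+)\s+\((\S+):\d+\)$")
ALIAS_RE = re.compile(r"^alias\s+(\S+)$")

def parse_vhosts(dump):
    """Return {(name, port): [config file, ...]} for every ServerName and ServerAlias."""
    served = defaultdict(list)
    current = None  # (port, file) of the vhost that following alias lines extend
    for raw in dump.splitlines():
        line = raw.strip()
        m = SINGLE_RE.match(line) or NAMEVHOST_RE.match(line)
        if m:
            port, name, path = int(m.group(1)), m.group(2), m.group(3)
            current = (port, path)
            served[(name, port)].append(path)
            continue
        m = ALIAS_RE.match(line)
        if m and current:
            served[(m.group(1), current[0])].append(current[1])
    return dict(served)

def find_overlaps(served):
    """name:port pairs defined in more than one file; only the first one is ever used."""
    return {k: v for k, v in served.items() if len(set(v)) > 1}

def http_vhosts_in_ssl_files(served):
    """Port 80 entries that live in a *-le-ssl.conf file, which Certbot should not create."""
    return sorted({(n, p) for (n, port), paths in served.items() for p in paths
                   if port == 80 and p.endswith("-le-ssl.conf")})
```

Run it against your own `apachectl -t -D DUMP_VHOSTS` output; every entry `find_overlaps` returns is a block to compare between the two files and remove from one of them.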

Ok. Thanks for your reply. So if I manually remove the overlapping port 80 section from the -le-ssl.conf file, this would solve the problem and allow the further automatic certificate renewals?

This version is the one that came with the Ubuntu v18 server version. So do I have to upgrade it? And if so, can you show me how to achieve that? Thanks.

Don't have to upgrade, but as noted that version is very old. EFF offers certbot in a snap package to avoid problems with all the various distros having their own certbot packages.

See below for the install of the snap version, which will stay up to date.

3 Likes

There might be other problems, so I can't say that this one alone will resolve ALL the problems.

2 Likes