Letsencrypt ssl urn:acme:error:unauthorized :error


#1

Google Compute Engine Instance - Debian (8),Apache (2.4.23)
WP Multisite - Bitnami WP Multisite Stack

Set up SSL using Lets Encrypt for the main domain no issues and tested with SSL Labs
Subdomains are mapped to additional domains and working with http

When trying to set up SSL for the mapped subdomains I continue to get the following message no matter what I have tried:

Failed authorization procedure. yycre.ca (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://yycre.ca/.well-known/acme-challenge/nf0sFSLvNttPGBmOkxgcnvY0-t_PrLjdZQkR-rSPBrM1

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: domain.com
Type: unauthorized
Detail: Invalid response from
http://yycre.ca/.well-known/acme-challenge/nf0sFSLvNttPGBmOkxgcnvY0-t_PrLjdZQkR-rSPBrM1:

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

Have tried using both as per Bitnami install instructions (https://docs.bitnami.com/google/components/apache/#how-to-generate-and-install-a-certificate-for-your-domain-using-the-lets-encrypt-client)
./letsencrypt-auto certonly --webroot -w /opt/bitnami/apps/APPNAME/htdocs -d DOMAIN
and
./letsencrypt-auto certonly --webroot -w /opt/bitnami/apache2/htdocs -d DOMAIN


Can't renew certificate (client lacks sufficient authorization)
#2

Try creating a test file with random content in your webroot under .well-known/acme-challenge (/opt/bitnami/apps/APPNAME/htdocs, I assume - you’ll probably need to create the acme-challenge subdirectory, as the client deletes it after execution) and see if your web server serves that content if you browse to http://yycre.ca/.well-known/acme-challenge/testfile.

If that doesn’t work, you’re either using the wrong path, or you have some kind of redirect interfering with things (perhaps in a .htaccess file) - in that case, you’d want to add an exception for the .well-known/acme-challenge path.


#3

Created the subdirectories and uloaded a test file into it. Can’t browse http://yycre.ca/.well-known/acme-challenge/testfile
Tried every combination of permissions, checked the .htaccess file and not able to browse the test file…

Started over and installed cerbot into the /opt folder and ran it from there based on this article.

Was able to create the certificates for the sub domain this way. Set up a virtual host for the mapped subdomains and with a virtual host setup it is partially working with a B grade on SSL Labs - ‘This server’s certificate chain is incomplete. Grade capped to B’

Following the instructions from Bitnami
https://docs.bitnami.com/google/components/apache/#how-to-generate-and-install-a-certificate-for-your-domain-using-the-lets-encrypt-client

Certificates created then copied:

sudo cp /etc/letsencrypt/live/DOMAIN/cert.pem /opt/bitnami/apache2/conf/server.crt$
sudo cp /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key

I am sure that there is another portion I am missing…

Virtual Host is as follows:

<VirtualHost *:80>
ServerName yycre.ca
ServerAlias www.yycre.ca
DocumentRoot “/opt/bitnami/apps/wordpress/htdocs”

Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"

<VirtualHost *:443>
ServerName yycre.ca
ServerAlias www.yycre.ca
DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/server2.crt"
SSLCertificateKeyFile “/opt/bitnami/apache2/conf/server2.key”

Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"

#4

You’ll need fullchaim.pem instead of cert.pem as the file for SSLCertificateFile. The former includes the intermediate (chain) certificate.

If you’re using an older version of apache, you’ll need SSLCertificateFile pointing to cert.pem and SSLCertificateChainFile pointing to chain.pem (not fullchain.pem) instead. You can use Mozilla’s SSL Configuration Generator and enter your exact apache version to get the correct directives.

I’d also recommend pointing the directives straight to the files in /etc/letsencrypt/live rather than copying them. That way, you won’t need to copy them each time you renew your certificate (though you’ll still need a graceful reload of apache so that the new certificate and key is read from disk).


#5

That fixed it. Thanks for the assistance!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.