Obtaining a certificate

I cannot get a certificate. The error is below:
Failed authorization procedure. asterisk.kaycom.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://asterisk.kaycom.ru/.well-known/acme-challenge/Hf1gDsJyRngjciBtsrVPxkrpwWWWOf4qqUGlL1L0kMI [2a03:6f00:1::5c35:6276]: 500

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: asterisk.kaycom.ru
   Type:   unauthorized
   Detail: Invalid response from
   http://asterisk.kaycom.ru/.well-known/acme-challenge/Hf1gDsJyRngjciBtsrVPxkrpwWWWOf4qqUGlL1L0kMI
   [2a03:6f00:1::5c35:6276]: 500

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

What should I do next?

Error 500 usually means ~~“Forbidden”~~ “Internal server error”.

You should check your webserver log files for anything related to the challenge and why your webserver would return a ~~“Forbidden”~~ “Internal server error” error. Perhaps your webserver refuses to serve all files beginning with a dot, so it refuses to serve anything from /.well-known/. But that would be something you can find in your webserver configuration.


500 would be "Internal Server Error", not Forbidden (which would be 403)--but still the answer should be in the log files.


D'oh, sorry about that, you're obviously absolutely right! Coffee didn't have time to work in yet I guess, it was kinda early for me in my time zone :wink:


Nothing appears in the logs of the web server. I have the letsencrypt.org logs:
2017-07-05 10:26:57,959:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/asterisk/.well-known/acme-challenge
2017-07-05 10:26:57,965:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/asterisk/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM
2017-07-05 10:26:57,966:INFO:certbot.auth_handler:Waiting for verification...
2017-07-05 10:26:57,967:DEBUG:acme.client:JWS payload:
{
"keyAuthorization": "ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM.PelKaax95tVdFUWIrOpuFemV-3Mjuym35MFXdmQMM3o",
"type": "http-01",
"resource": "challenge"
}
2017-07-05 10:26:57,973:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569359:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
“n”: "r00AdV4O-AO2KR8tNT1xFXouAMLl_G18ZPypbTktbRE260Fkg0LGk9X-fNXgXV4Ruygr3b7M6jDN0T_NpJrEK4TQ2MeOIa5f96g0G_KIXzBp1kNxA85SULu1_zYOBsqDkLHf8aeLGQ7AW–evJ1hXjw_iJ7XTv-JW8lEFrasgM-w7UFc7yRz4Jvfm-IgUXnlpHq8BSMFhDT_DHBJETqEZ-nYbRf98tAXs
}
},
"protected": "eyJub25jZSI6ICItb0l5UUNEdzRNblVOVE1iaUdrbVBVQUp3ODM4czVYVGd3VWhuWnJlSzhrIn0",
"payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImlqRWtkQlFJQ3RPWE4tSjRsdzg4TTFYVmFtakdjWF9UUC05U21DSl9ZcE0uUGVsS2FheDk1dFZkRlVXSXJPcHVGZW1WLTNNanV5bTM1TUZYZG1RTU0zbyIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9",
“signature”: "EwwvYRnjxkyZlDXOPJdKNOVRhzLSYWyV31ZBeEQgE-f2MjLJHUUZk2MGPJJypXixivKLJ9swTAGGMhWUpY50QQkKREq1nCmU6gHIenLQkAaarwCbio3rrxwdzc_yvyWNQ2ByxeLKl0GWN-1FlqvjRH-VAeyE_zECupIvjEBuDtapBcxWMPbzNT_D-4EgKV35fstjcWE56_9DJcJvgFgpv8SZs0edS
}
2017-07-05 10:26:58,239:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569359 HTTP/1.1" 202 336
2017-07-05 10:26:58,240:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Request-Id: P6b9idcYDHUABlKHe6Wq_NAomkjiyDxKwRMjTn12LHA
Boulder-Requester: 18388602
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569359
Replay-Nonce: rUaWtHL2My1bqEL_CfZhdrHyyNE_H6dS0FybWjvcI_A
Expires: Wed, 05 Jul 2017 10:27:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 05 Jul 2017 10:27:12 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569359",
  "token": "ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM",
  "keyAuthorization": "ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM.PelKaax95tVdFUWIrOpuFemV-3Mjuym35MFXdmQMM3o"
}
2017-07-05 10:26:58,240:DEBUG:acme.client:Storing nonce: rUaWtHL2My1bqEL_CfZhdrHyyNE_H6dS0FybWjvcI_A
2017-07-05 10:27:01,244:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo.
2017-07-05 10:27:01,531:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo HTTP/1.1" 200 1814
2017-07-05 10:27:01,532:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1814
Boulder-Request-Id: -GWCs9ocel-bjWXgMDQBgbuWas-Y2TcOBz1GfytXunQ
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: HDOyfsd0Y888nQFxMmlIaqASimsMx5xVEz28OviCv6A
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 05 Jul 2017 10:27:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 05 Jul 2017 10:27:16 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "asterisk.kaycom.ru"
  },
  "status": "invalid",
  "expires": "2017-07-12T10:26:48Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569358",
      "token": "1h-7vROGtA0ThszVlGEDdM5UAVW3p3BM3TwHFx6aOg4"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://asterisk.kaycom.ru/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM [2a03:6f00:1::5c35:6276]: 500",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569359",
      "token": "ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM",
      "keyAuthorization": "ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM.PelKaax95tVdFUWIrOpuFemV-3Mjuym35MFXdmQMM3o",
      "validationRecord": [
        {
          "url": "http://asterisk.kaycom.ru/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM",
          "hostname": "asterisk.kaycom.ru",
          "port": "80",
          "addressesResolved": [
            "84.53.239.114",
            "2a03:6f00:1::5c35:6276"
          ],
          "addressUsed": "2a03:6f00:1::5c35:6276",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/FtCBQp2v0-Q2ftB5qOaA2YgnysJlvu2DwKJQzSJYIMo/1483569360",
      "token": "4s8p1OrPMRL9yzqoyzzDAK0Xh98rT1rFr-tu96tT77Q"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      2
    ],
    [
      1
    ]
  ]
}
2017-07-05 10:27:01,534:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: asterisk.kaycom.ru
Type:   unauthorized
Detail: Invalid response from http://asterisk.kaycom.ru/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM [2a03:6f00:1::5c35:6276]: 500

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-07-05 10:27:01,534:INFO:certbot.auth_handler:Cleaning up challenges
2017-07-05 10:27:01,534:DEBUG:certbot.plugins.webroot:Removing /var/www/asterisk/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM
2017-07-05 10:27:01,535:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/asterisk/.well-known/acme-challenge
2017-07-05 10:27:01,536:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. asterisk.kaycom.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://asterisk.kaycom.ru/.well-known/acme-challenge/ijEkdB

Well, your complete site is down, even http://asterisk.kaycom.ru/ returns a 500 error on my desktop.

Let’s Encrypt and myself have IPv6. Do you? Do you realise your site has an AAAA record pointing to an IPv6 IP address? Is it the same server as the IPv4 IP address? Is the IPv6 webserver properly configured?

The IPv4 site works properly, it’s just the IPv6 site is broken.

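The IPv6 diagnosis above can be read straight out of the failed authorization: its `validationRecord` lists every address the CA resolved and the one it actually connected to. The following Python is an added example, not part of the original thread or of certbot; the sample JSON is a trimmed copy of the authorization object in the log above, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample: trimmed copy of the authorization object from the log above.
SAMPLE_AUTHZ = json.loads("""
{"identifier": {"type": "dns", "value": "asterisk.kaycom.ru"},
 "status": "invalid",
 "challenges": [
  {"type": "dns-01", "status": "pending"},
  {"type": "http-01", "status": "invalid",
   "error": {"type": "urn:acme:error:unauthorized",
             "detail": "Invalid response from http://asterisk.kaycom.ru/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM [2a03:6f00:1::5c35:6276]: 500"},
   "validationRecord": [
    {"url": "http://asterisk.kaycom.ru/.well-known/acme-challenge/ijEkdBQICtOXN-J4lw88M1XVamjGcX_TP-9SmCJ_YpM",
     "hostname": "asterisk.kaycom.ru", "port": "80",
     "addressesResolved": ["84.53.239.114", "2a03:6f00:1::5c35:6276"],
     "addressUsed": "2a03:6f00:1::5c35:6276"}]}]}
""")


def failed_validations(authz):
    """Yield (challenge type, validation record, error detail) per failed challenge."""
    for chall in authz.get("challenges", []):
        if chall.get("status") == "invalid":
            detail = chall.get("error", {}).get("detail", "")
            for rec in chall.get("validationRecord", []):
                yield chall["type"], rec, detail


def diagnose(authz):
    """Report which address the CA connected to and which resolved addresses it did not."""
    findings = []
    for ctype, rec, detail in failed_validations(authz):
        if not rec.get("addressUsed"):
            continue  # the CA never got as far as connecting
        used = ipaddress.ip_address(rec["addressUsed"])
        # Resolved addresses of the other family were not the ones that failed;
        # the A and AAAA records may point at differently configured servers.
        others = [a for a in rec.get("addressesResolved", [])
                  if ipaddress.ip_address(a).version != used.version]
        findings.append({"challenge": ctype, "hostname": rec["hostname"],
                         "address_used": str(used), "family": "IPv%d" % used.version,
                         "untested_other_family": others, "detail": detail})
    return findings


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_AUTHZ), indent=2))
```

When `family` is IPv6 and `untested_other_family` is non-empty, request the challenge URL over each address family separately (for example with `curl -4` and `curl -6`) and compare the responses.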

I disabled IPv6. A new error appeared:

Failed authorization procedure. asterisk.kaycom.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://asterisk.kaycom.ru/.well-known/acme-challenge/1KEYwUTERZVX4ikuPYs-IV7qk8CT-fLYrR_yud8TSGE: "<html>
404 Not Found

404 Not Found


"

IMPORTANT NOTES:

This is a completely different problem, and probably means you've specified the wrong web root.
