Problem with authorization procedure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: ec2-54-246-254-253.eu-west-1.compute.amazonaws.com
2: directobras.com
3: directobras.pt
4: easyoffice.directobras.pt
5: www.easyoffice.directobras.pt
6: www.directobras.pt
7: www.directobras.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 6
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.directobras.pt
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.directobras.pt (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.directobras.pt/.well-known/acme-challenge/c35hLc-Hl5s2g9OMHlfWfosnn0lsx1K7Zj_gVvtHkgM: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version):
Apache/2.4.18

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
EC2 Instance

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Thanks in advance

www.directobras.pt resolves to IP 54.246.254.253
Is that your IP now?

Hi,

Yes it is.
Also, I created a test file inside “.well-known/acme-challenge/” and I can reach it…

What is the test file name?

The filename is test.html

Please also add these files to that same folder:
test.txt
and just
test

Ok, I just created it.

Strange, they all work…
Try to renew again and show the last 30 lines from the log file:
/var/log/letsencrypt/letsencrypt.log

Connection: keep-alive
Replay-Nonce: 8cCP_GuYBRp1bMTd_g8nFMxHlwUoCiduIt0hVBFwJOE
X-Frame-Options: DENY
Cache-Control: max-age=0, no-cache, no-store
Strict-Transport-Security: max-age=604800
Expires: Tue, 08 May 2018 11:47:48 GMT
Server: nginx
Date: Tue, 08 May 2018 11:47:48 GMT
Content-Type: application/json
Pragma: no-cache

b’{\n “identifier”: {\n “type”: “dns”,\n “value”: “www.directobras.pt”\n },\n “status”: “invalid”,\n “expires”: “2018-05-15T11:47:41Z”,\n “challenges”: [\n {\n “type”: “http-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:unauthorized”,\n "deta$
2018-05-08 11:47:48,735:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.directobras.pt
Type: unauthorized
Detail: Invalid response from http://www.directobras.pt/.well-known/acme-challenge/-5SbafZl2pOZGy6rughNopcx0O4Mq5U3fnV0zUFzerk: "

<meta name="viewport" content="width = dev"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-05-08 11:47:48,735:INFO:certbot.auth_handler:Cleaning up challenges
2018-05-08 11:47:48,947:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.22.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1031, in run
certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 118, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 350, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 79, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 154, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 220, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.directobras.pt (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.directobras.pt/.well-known/acme-challenge/-5SbafZl2pOZGy6rughNopcx0O4Mq5U3fnV0zUFzerk: "

<meta name="viewport" content="width = dev"

Are you doing any kind of geolocation blocking?

Do you see acme-challenge requests in the web logs?

I am not doing any geo blocking.

66.133.109.36 - - [08/May/2018:10:58:24 +0000] “GET /.well-known/acme-challenge/c35hLc-Hl5s2g9OMHlfWfosnn0lsx1K7Zj_gVvtHkgM HTTP/1.1” 404 532 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

The strange thing about this issue is that I installed on the staging/test site, and it installed/worked without any problem.
rg305, all things considered, it should be an Apache site conf problem, wouldn’t you agree?

Best regards

It reaches your server, so, yes, the problem is within your server = Apache conf.
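The log check asked for above ("Do you see acme-challenge requests in the web logs?") can be done mechanically. The following is an added example, not code from the thread or from certbot: it parses Apache combined-format access log lines, keeps only requests under `/.well-known/acme-challenge/`, and separates the validation server's requests from manual test fetches, so a 404 on the real token stands out next to a 200 on `test.html`. The function names are hypothetical, and the second and third sample lines (client `203.0.113.7`, `curl` agent) are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
PREFIX = "/.well-known/acme-challenge/"
# User-Agent substring taken from the log line quoted in the thread.
VALIDATOR_UA = "Let's Encrypt validation server"
# Forum software turns straight quotes into typographic ones; undo that for pasted lines.
UNCURL = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    '66.133.109.36 - - [08/May/2018:10:58:24 +0000] "GET /.well-known/acme-challenge/c35hLc-Hl5s2g9OMHlfWfosnn0lsx1K7Zj_gVvtHkgM HTTP/1.1" 404 532 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '203.0.113.7 - - [08/May/2018:11:02:10 +0000] "GET /.well-known/acme-challenge/test.html HTTP/1.1" 200 12 "-" "curl/7.47.0"',
    '203.0.113.7 - - [08/May/2018:11:02:30 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.47.0"',
]

def acme_requests(lines):
    """Yield (token, status, from_validator, client) per challenge-path request."""
    for line in lines:
        m = COMBINED.match(line.translate(UNCURL))
        if not m or not m["path"].startswith(PREFIX):
            continue
        token = m["path"][len(PREFIX):].split("?", 1)[0]
        yield token, int(m["status"]), VALIDATOR_UA in m["agent"], m["host"]

def failed_validations(lines):
    """Return {token: [statuses]} for validation-server requests not answered with 200."""
    failed = defaultdict(set)
    for token, status, from_validator, _client in acme_requests(lines):
        if from_validator and status != 200:
            failed[token].add(status)
    return {token: sorted(codes) for token, codes in failed.items()}

if __name__ == "__main__":
    for token, status, from_validator, client in acme_requests(SAMPLE_LOG):
        who = "validation server" if from_validator else "other client"
        print(f"{status} {who:17} {client:15} {token}")
    print("failed:", failed_validations(SAMPLE_LOG))
```

Both functions accept any iterable of log lines, so an open access log file can be passed in place of `SAMPLE_LOG`.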

Thank you for your help. I’ll go deeper on the apache conf and try to figure it out.

nginx has a “-T” command which dumps the entire config.
Maybe there is something similar for Apache - not sure.
But that would be helpful to have.

Could be apachectl -D DUMP_VHOSTS.
