Problem with authorization procedure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: ec2-54-246-254-253.eu-west-1.compute.amazonaws.com
2: directobras.com
3: directobras.pt
4: easyoffice.directobras.pt
5: www.easyoffice.directobras.pt
6: www.directobras.pt
7: www.directobras.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 6
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.directobras.pt
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.directobras.pt (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.directobras.pt/.well-known/acme-challenge/c35hLc-Hl5s2g9OMHlfWfosnn0lsx1K7Zj_gVvtHkgM: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version):
Apache/2.4.18

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
EC2 Instance

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Thanks in advance


#2

www.directobras.pt resolves to IP 54.246.254.253
Is that your IP now?


#3

Hi,

Yes it is.
Also, I created a test file inside “.well-known/acme-challenge/” and I can reach it…


#4

what is the test file name?


#5

The filename is test.html


#6

please also add these files to that same folder
test.txt
and just
test


#7

Ok, I just created it.


#8

strange they all work…
try to renew again and show the last 30 lines from the log file:
/var/log/letsencrypt/letsencrypt.log


#9

Connection: keep-alive
Replay-Nonce: 8cCP_GuYBRp1bMTd_g8nFMxHlwUoCiduIt0hVBFwJOE
X-Frame-Options: DENY
Cache-Control: max-age=0, no-cache, no-store
Strict-Transport-Security: max-age=604800
Expires: Tue, 08 May 2018 11:47:48 GMT
Server: nginx
Date: Tue, 08 May 2018 11:47:48 GMT
Content-Type: application/json
Pragma: no-cache

b’{\n “identifier”: {\n “type”: “dns”,\n “value”: “www.directobras.pt”\n },\n “status”: “invalid”,\n “expires”: “2018-05-15T11:47:41Z”,\n “challenges”: [\n {\n “type”: “http-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:unauthorized”,\n "deta$
2018-05-08 11:47:48,735:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.directobras.pt
Type: unauthorized
Detail: Invalid response from http://www.directobras.pt/.well-known/acme-challenge/-5SbafZl2pOZGy6rughNopcx0O4Mq5U3fnV0zUFzerk: "

<meta name="viewport" content="width = dev"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-05-08 11:47:48,735:INFO:certbot.auth_handler:Cleaning up challenges
2018-05-08 11:47:48,947:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.22.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1031, in run
certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 118, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 350, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 79, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 154, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 220, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.directobras.pt (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.directobras.pt/.well-known/acme-challenge/-5SbafZl2pOZGy6rughNopcx0O4Mq5U3fnV0zUFzerk: "

<meta name="viewport" content="width = dev"

#10

Are you doing any kind of geolocation blocking?

Do you see acme-challenge requests in the web logs?


#11

I am not doing any geo blocking.

66.133.109.36 - - [08/May/2018:10:58:24 +0000] “GET /.well-known/acme-challenge/c35hLc-Hl5s2g9OMHlfWfosnn0lsx1K7Zj_gVvtHkgM HTTP/1.1” 404 532 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

The strange thing about this issue is that I installed on the staging/test site, and it installed/worked without any problem.
rg305, all things considered, it should be an apache site conf problem, wouldn’t you agree?

Best regards


#12

It reaches your server, so, yes, the problem is within your server = Apache conf.
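
The access-log check from posts #10 to #12, as an added example that is not part of the original thread: it reads Apache combined-format log lines and reports, for each challenge token from certbot's error output, whether the validation request never appeared in the log, was served, or reached the server and got a 404. The function names, verdict labels and sample lines 2 and 3 are assumptions made for illustration.

```python
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PREFIX = "/.well-known/acme-challenge/"

# Constructed sample. Line 1 is the entry quoted in post #11 with straight quotes
# restored; lines 2-3 are invented (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
66.133.109.36 - - [08/May/2018:10:58:24 +0000] "GET /.well-known/acme-challenge/c35hLc-Hl5s2g9OMHlfWfosnn0lsx1K7Zj_gVvtHkgM HTTP/1.1" 404 532 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.10 - - [08/May/2018:11:02:10 +0000] "GET /.well-known/acme-challenge/test.html HTTP/1.1" 200 12 "-" "curl/7.47.0"
192.0.2.10 - - [08/May/2018:11:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47.0"
""".splitlines()


def challenge_hits(lines):
    """Map token -> list of (client_ip, status, user_agent) for challenge requests."""
    hits = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(PREFIX):
            continue  # unparseable line or a request outside the challenge directory
        token = m["path"][len(PREFIX):].split("?", 1)[0]
        hits.setdefault(token, []).append((m["ip"], int(m["status"]), m["ua"]))
    return hits


def diagnose(lines, tokens):
    """Classify each token from certbot's error output by what the access log shows."""
    hits = challenge_hits(lines)
    result = {}
    for token in tokens:
        statuses = [status for _, status, _ in hits.get(token, [])]
        if not statuses:
            result[token] = "not_logged"        # never arrived here: DNS, filtering, or another vhost's log
        elif all(200 <= s < 300 for s in statuses):
            result[token] = "served"
        elif any(s == 404 for s in statuses):
            result[token] = "reached_404"       # arrived, but the path was not mapped to the challenge file
        elif any(300 <= s < 400 for s in statuses):
            result[token] = "redirected"
        else:
            result[token] = "refused_or_error"  # e.g. 401/403/5xx: access rules or handler problem
    return result
```

A `reached_404` verdict next to a `served` verdict for a hand-made file in the same directory is the situation in this thread: the request arrives, so the fault is in how the server maps that path, not in DNS or network filtering.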


#13

Thank you for your help. I’ll go deeper on the apache conf and try to figure it out.


#14

nginx has a “-T” command which dumps the entire config.
Maybe there is something similar for Apache - not sure.
But that would be helpful to have.


#15

Could be apachectl -D DUMP_VHOSTS.

