Produced an unexpected error: Failed authorization procedure

https://pastebin.com/zZUWDsP3

That file looks OK.
Only port 80 stuff.

I need the file:
/etc/apache2/sites-available/default-ssl.conf

https://pastebin.com/xdVFLTfT

I would change:
<VirtualHost _default_:443>
to
<VirtualHost *:443>

And I'm not sure you need this line anymore:
SSLCertificateChainFile /etc/letsencrypt/live/exxoshost.co.uk/chain.pem

Also show (not sure if we've seen that one yet):

000-default.conf

https://pastebin.com/dVsvx2aS

I’ve updated to *:443 as well.

It is enabled:
IncludeOptional sites-enabled/*.conf
But it contains no servername nor serveralias.
That needs fixing...
Not sure what Apache will do without it (and that may change over time too).
Better to put anything in there.

It’s all bodged into the Apache conf file instead.

I honestly don’t think anything is much wrong, like I say, it has been working for 18 months and I just renew it when needed… though it moans about acme something, I’ve never seen that anywhere. I created a test folder, as some other guide mentions, that seemed fine, but I assume something in certbot has updated causing my setup to break.

You've said that now 4 times - I do understand that

Please place a test text file at:
/var/www/html/.well-known/acme-challenge/1234

You can do so with these simple steps:
mkdir /var/www/html/.well-known
mkdir /var/www/html/.well-known/acme-challenge
echo "just a test file" > /var/www/html/.well-known/acme-challenge/1234

If that file can be reached from the Internet, then the renewals should work.
If not, then we may need to use the --webroot option.

I did that already, that works fine.

wget http://exxoshost.co.uk/.well-known/acme-challenge/1234
Fails - not working fine.
It redirects to https://exxoshost.co.uk/new404.htm <<< not same URL path
And then returns 560 bytes of “nicely formatted 404 error message”.
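
The reachability check from the posts above, as an added example that is not part of the original thread: it reads response headers (for instance from `curl -sI`) and reports whether the test URL is served directly, redirected to the same path (the Let's Encrypt validator follows HTTP redirects), or redirected off-path as in the wget result just quoted. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): classify the response to an
# http-01 test URL from its headers, read on stdin.
classify_challenge_response() (
  want_path=$1 status="" location=""
  cr=$(printf '\r')
  while IFS= read -r line; do
    line=${line%"$cr"}                        # header lines end in CRLF
    case $line in
      HTTP/*) status=${line#* }; status=${status%% *} ;;
      [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
    esac
  done
  case $status in
    200) echo ok ;;
    301|302|303|307|308)
      path=$location
      case $location in
        *://*)                                # absolute URL: drop scheme and host
          path=${location#*://}
          case $path in */*) path=/${path#*/} ;; *) path=/ ;; esac ;;
      esac
      # A redirect only helps validation if it keeps the challenge path.
      if [ "$path" = "$want_path" ]; then echo redirect-same-path
      else echo redirect-off-path; fi ;;
    *) echo "fail-$status" ;;
  esac
)

# Live use (needs network): check_live exxoshost.co.uk /.well-known/acme-challenge/1234
check_live() {
  curl -sI --max-time 10 "http://$1$2" | classify_challenge_response "$2"
}

# Constructed sample modelled on the redirect reported in the post above.
sample_headers() {
  printf 'HTTP/1.1 302 Found\r\nLocation: https://exxoshost.co.uk/new404.htm\r\n\r\n'
}
sample_headers | classify_challenge_response /.well-known/acme-challenge/1234
```

Anything other than `ok` or `redirect-same-path` means the validation request will not reach the challenge file.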

I was following another guide before I posted here, it’s called test, not 1234.

http://exxoshost.co.uk/.well-known/acme-challenge/test

I still don’t see where it does the 302 redirection.
Nonetheless, try a renewal now:
sudo certbot-auto renew

Assuming you’ve restarted Apache.


Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/exxoshost.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.exxoshost.co.uk
http-01 challenge for exxoshost.co.uk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (exxoshost.co.uk) from /etc/letsencrypt/renewal/exxoshost.co.uk.conf produced an unexpected error: Failed authorization procedure. exxoshost.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://exxoshost.co.uk/.well-known/acme-challenge/OC2RR8DLv2YztjmaUx5YPMDv86iQfuXhAk6O1jVvNks: "\r\n\r\n404\r\n\r\n\r\n\r\n<body b". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/exxoshost.co.uk/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/exxoshost.co.uk/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: exxoshost.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://exxoshost.co.uk/.well-known/acme-challenge/OC2RR8DLv2YztjmaUx5YPMDv86iQfuXhAk6O1jVvNks:
   "\r\n\r\n404\r\n\r\n\r\n\r\n<body b"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


If you have not restarted Apache, do so and retry renewing.

If you already have, then we need to try the --webroot option:
sudo certbot-auto renew --webroot -w /var/www/html

If that works, then I think certbot-auto is no longer able to properly determine where to place the authentication handling block and it fails to match.

I have restarted it…

Oh WTF, it’s worked with that webroot option…


certbot-auto renew --webroot -w /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/exxoshost.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.exxoshost.co.uk
http-01 challenge for exxoshost.co.uk
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/exxoshost.co.uk/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/exxoshost.co.uk/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


You're welcome!

I don’t get what the actual problem is though?

I still don’t see where the redirection happens…
Please show:
grep -Eri 'temporary|permanent|redirect|rewrite' /etc/apache2

I think certbot-auto is being confused with the <virtualhost> inside an <if module>
But I haven’t been able to prove that yet.

grep -Eri 'temporary|permanent|redirect|rewrite' /etc/apache2
/etc/apache2/mods-available/rewrite.load:LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
/etc/apache2/mods-available/setenvif.conf:      # The following directive disables redirects on non-GET requests for
/etc/apache2/mods-available/setenvif.conf:      # redirects for folders with DAV methods.
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "MS FrontPage" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "^WebDrive" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "^gnome-vfs/1.0" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "^gvfs/1" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "^XML Spy" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
/etc/apache2/mods-available/setenvif.conf:      BrowserMatch " Konqueror/4" redirect-carefully
/etc/apache2/apache2.conf:            redirect / http://107.191.111.64:80
/etc/apache2/apache2.conf:Redirect / http://www.exxoshost.co.uk/atari/last/store.htm
/etc/apache2/apache2.conf:#            Redirect / "http://www.exxoshost.co.uk/atari/last/store.htm#mouse"
/etc/apache2/apache2.conf:#            Redirect / "http://www.exxoshost.co.uk/atari/last/store.htm#psu"
/etc/apache2/apache2.conf:#            Redirect / "http://www.exxoshost.co.uk/atari/last/store.htm#TOS"
/etc/apache2/apache2.conf:#  Redirect permanent /forum https://www.exxoshost.co.uk/forum
/etc/apache2/envvars:# temporary state file location. This might be changed to /run in Wheezy+1
/etc/apache2/sites-available/000-default.conf:  # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/default-ssl.conf:#Redirect permanent /forum https://www.exxoshost.co.uk/forum
/etc/apache2/conf-available/localized-error-pages.conf:# 2) local redirects
/etc/apache2/conf-available/localized-error-pages.conf:# 3) external redirects
/etc/apache2/conf-available/localized-error-pages.conf:# We use Alias to redirect any /error/HTTP_.html.var response to


That’s no help…
Do you use .htaccess files?