Produced an unexpected error: Failed authorization procedure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: guiadotransporte.com.br

I ran this command: ./certbot-auto renew --preferred-challenges http --debug-challenges --dry-run

It produced this output: Attempting to renew cert (guiadotransporte.com.br) from /etc/letsencrypt/renewal/guiadotransporte.com.br.conf produced an unexpected error: Failed authorization procedure. www.guiadotransporte.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.guiadotransporte.com.br/.well-known/acme-challenge/dYjZGvy6IJs-fFSOullz6G5HkhH0nKich7hA7EcATxg: "<html xmlns=“https”, guiadotransporte.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://guiadotransporte.com.br/.well-known/acme-challenge/qtLEJFvQSFub7xz8vcxxp3eM3rqTNXsD9IpgyHSkaW8: "<html xmlns=“https”. Skipping.

My web server is (include version): ubuntu 14:04

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, I use PuTTY

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.30.2

I tried to give a renewal, and this error appeared.

I tried to install again, but it still made an error.

Anybody help me, please!


#2

Hi @ArthurCalazans

Your certificate is already expired ( https://check-your-website.server-daten.de/?q=guiadotransporte.com.br ):

CN=guiadotransporte.com.br | 03.11.2018 | 01.02.2019 | expired | guiadotransporte.com.br, www.guiadotransporte.com.br - 2 entries

Your main configuration is a little bit inconsistent:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://guiadotransporte.com.br/<br>54.207.106.156 | 301 | https://guiadotransporte.com.br/ | 0.466 | A |
| http://www.guiadotransporte.com.br/<br>54.207.106.156 | 200 | | 0.730 | H |
| https://guiadotransporte.com.br/<br>54.207.106.156 | 200 | | 7.743 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.guiadotransporte.com.br/<br>54.207.106.156 | 200 | | 7.913 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| http://guiadotransporte.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>54.207.106.156 | 301 | https://guiadotransporte.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.477 | A |
| http://www.guiadotransporte.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>54.207.106.156 | 404 | | 0.494 | A |
| Not Found | | | | |
| https://guiadotransporte.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 6.933 | N |
| Not Found | | | | |
| Certificate error: RemoteCertificateChainErrors | | | | |

When you use http-01 validation, Certbot creates a file under /.well-known/acme-challenge; Let's Encrypt checks this file and follows redirects.

Your non-www version is redirected to https; your www version is not. But the content is the same.

So try to find your DocumentRoot (in your Apache config file):

<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

That is what comes after “DocumentRoot”.

Then use it:

certbot run -a webroot -w yourDocumentRoot -d guiadotransporte.com.br -d www.guiadotransporte.com.br --dry-run

If that works with the test system, create a new certificate with

certbot run -a webroot -w yourDocumentRoot -i apache -d guiadotransporte.com.br -d www.guiadotransporte.com.br

#3

This was the output:

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')


#4

Then change “run” to “certonly”.


#5

Now, this was the output!

Failed authorization procedure. guiadotransporte.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://guiadotransporte.com.br/.well-known/acme-challenge/NGUpC_6JImMOhKb9aQV_75T5OiNtxTdFjWzRyVSIBs0: "<html xmlns=“https”, www.guiadotransporte.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.guiadotransporte.com.br/.well-known/acme-challenge/ISVW2kq2GBf0PrRftS9wkpJ0JYeX6icd6xyr_upHf5s: "<html xmlns=“https”


#6

Please share your complete command. If this doesn’t work, either

  • you have additional definitions / redirects, or
  • the webroot you have found is wrong
So create the two subfolders in your webroot

yourwebroot/.well-known/acme-challenge

then add a file (file name 1234) and try to load this file via

http://guiadotransporte.com.br/.well-known/acme-challenge/1234

to see if your webroot is correct.
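
Added example, not part of the posts above and not Certbot's own code: the DocumentRoot lookup and the test-file check described in this thread, written as POSIX shell functions. The function names, the probe file name `probe-test` and the use of curl are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): confirm that a candidate webroot is the
# directory the web server really serves before handing it to certbot -w.

# Print each DocumentRoot value in an Apache config file (quotes stripped,
# commented-out lines skipped). Paths containing spaces are not handled.
docroots_from_conf() {
    awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Create <webroot>/.well-known/acme-challenge/<name> holding a random token
# and print that token.
place_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    tok="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\n' "$tok" > "$dir/$2" || return 1
    chmod 644 "$dir/$2"
    printf '%s\n' "$tok"
}

# True only if the fetched body is exactly the token. A framework error page
# or a 404 body fails here, as it does with the CA ("Invalid response ...").
body_matches() {
    [ "$(printf '%s' "$1" | tr -d '\r\n')" = "$2" ]
}

# Request the probe over plain HTTP. -L follows redirects as the CA does;
# -k is used because the CA does not validate certificates on HTTPS redirects.
probe_host() {
    body=$(curl -sLk --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 2
    body_matches "$body" "$3"
}

# Place a probe, request it from every host name, report, clean up.
check_webroot() {
    webroot=$1; shift
    token=$(place_probe "$webroot" probe-test) || return 1
    rc=0
    for h in "$@"; do
        if probe_host "$h" probe-test "$token"; then
            echo "OK   $h is served from $webroot"
        else
            echo "FAIL $h is not served from $webroot"; rc=1
        fi
    done
    rm -f "$webroot/.well-known/acme-challenge/probe-test"
    return $rc
}
```

After sourcing the file, call `check_webroot <webroot> <domain> <www.domain>` with each path printed by `docroots_from_conf`; only a path that reports OK for every name is worth passing to `-w`.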


#7

./certbot-auto certonly -a webroot -w /var/www/guia-do-transporte -d guiadotransporte.com.br -d www.guiadotransporte.com.br --dry-run
That was the command!


#8

I created the folders in my webroot /var/www/guia-do-transporte/.well-known/acme-challenge/1234
and as I use Laravel, it will not let me in.


#9

You need only two folders - /.well-known/acme-challenge, 1234 is the name of the file you should create, not a third folder.

I don’t know how Laravel manages that or why Laravel blocks this folder.


#10

I just created 2 folders and 1 file named 1234; the file contains some text.
Laravel does not let you access it, only what you have inside public.


#11

It works with routes; whatever is not in the path of routes cannot be accessed.


#12

IMPORTANT NOTES:


#13

My sincere prescriptions.

I realized that my webroot is in /var/www/transport-guide/public, and I was putting /var/www/transport-guide.

Many thanks for the support! You are awesome!


#14

Happy to read that it works.

With the correct webroot, the webroot authenticator should always work.

