Renew Cert Failed - The client lacks sufficient authorization :: Invalid response

Removed as instructed. Restarted Apache2 then certbot --apache. Same error.

Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/onkdDEyw5zlA-qIQeEdwQOiixSzw7XKwZW1Phs9id0Q [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/onkdDEyw5zlA-qIQeEdwQOiixSzw7XKwZW1Phs9id0Q
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Is nextcloud resetting it?

You might need to use webroot with another directory.
Create a /var/www/certbot directory, then

Add this to your relevant virtualhosts:

<Location "/.well-known/acme-challenge">
  DocumentRoot /var/www/certbot
</Location>

and use this command:

certbot -a webroot -w /var/www/certbot -i apache

Sorry, did not get an email notification on your latest reply.

Error after the above.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 16 of /etc/apache2/sites-enabled/nextcloud-le-ssl.conf:
DocumentRoot not allowed in <Location> context

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 16 of /etc/apache2/sites-enabled/nextcloud-le-ssl.conf:\nDocumentRoot not allowed in <Location> context\n")

Below is where I inserted the location tags:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port t$
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName nextcloud.oxigen.sg

        ServerAdmin chris.chan@runbox.com
        DocumentRoot /var/www/nextcloud

        <Location "/.well-known/acme-challenge">
          DocumentRoot /var/www/certbot
        </Location>

        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; $
        </IfModule>

        <Directory /var/www/nextcloud/>
                AllowOverride All
        </Directory>


        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


SSLCertificateFile /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.oxigen.sg/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

The location block I suggested you to add… You should have put it in the port 80 virtualhost.

I was wrong, you should have used the Alias directive instead of DocumentRoot: https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias

<Location "/.well-known/acme-challenge">
    Alias "/var/www/certbot"
</Location>

Changed to Alias for virtualhost 80. Still 404 error.

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/vOlqA4qZqF4gT34liwk1HIsTHJNJqXGIRULqN2lXWMA [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/vOlqA4qZqF4gT34liwk1HIsTHJNJqXGIRULqN2lXWMA
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

404 is kinda fine, it’s those goddamn assholes that decided it was a proper error code to send for unauthorized access that make me mad.

try putting a file in /var/www/certbot/ and check if you can see it on

http://nextcloud.oxigen.sg/.well-known/acme-challenge/
or
http://nextcloud.oxigen.sg/.well-known/acme-challenge/.well-known/acme-challenge/

Added test.html to /var/www/certbot
The 2 links go to nextcloud.
Should the test file be in /var/www/certbot/.well-known/acme-challenge/?

Maybe this will help. I installed nextcloud using this. https://nerdonthestreet.com/wiki?find=Install+Nextcloud+17+on+Debian+10

Then I installed collabora using these.


collabora.oxigen.sg auto renews LE perfectly

did you add the location block? (and reload apache?)

because it’s using another virtualhost and nothing is interfering

revert step 16 and retry, maybe.

root@nextcloud:~# ls -al /var/www/certbot/
total 12
drwxr-xr-x 2 www-data www-data 4096 Apr  7 17:27 .
drwxr-xr-x 5 root     root     4096 Apr  7 16:39 ..
-rw-r--r-- 1 www-data www-data   11 Apr  7 17:13 test.html

Yes, reloaded apache
The links still go to nextcloud.

Reverted step 16. Restarted apache. Still the same error.

you should add --dry-run to your certbot command.

that .htaccess is half absurd.

Which one, from certbot or apache?

Tried both. Both got the same error.

Dry run.

Processing /etc/letsencrypt/renewal/collabora.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.oxigen.sg) from /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf produced an unexpected error: Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/MU10_T3rzaRAcB8DciiszML8wk7zf1Ns4adNM1kGlis [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/MU10_T3rzaRAcB8DciiszML8wk7zf1Ns4adNM1kGlis
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

try running a2dissite nextcloud && a2dissite nextcloud-le-ssl

then run again steps 6, 7. and restart apache; show me any errors.

All ran successfully. No error. Should I run step 8?

no. run the command with -a webroot and --dry-run

(if you want to use -w /var/www/certbot you should add the location block to the port 80 virtualhost in nextcloud.conf)

certbot renew -a webroot -w /var/www/nextcloud -i apache --dry-run

Authorisation error.

this is extremely strange. go on with the steps (don’t overwrite stuff) but don’t add the AllowOverride All, instead, try AllowOverride None

Can I skip steps 9 - 15 and do only 16 onwards? Because 9 - 15 will mess with the existing nextcloud setup?

you can skip them all, and use this text for step 16:

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

<Directory /var/www/nextcloud/>
 AllowOverride None
</Directory>

you can also skip 17, 18, 19
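The advice scattered through this thread (Alias rather than DocumentRoot inside the Location block, the block placed in the port 80 virtualhost, AllowOverride None on the Nextcloud directory so its .htaccess cannot rewrite the challenge URL) can be checked mechanically before running certbot. The checker below is an added example, not code from the thread or from certbot; the two sample configs and the webroot path are constructed for it.

```python
import re

CHALLENGE = "/.well-known/acme-challenge"
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
LOCATION_RE = re.compile(r'<Location\s+"?' + re.escape(CHALLENGE) + r'/?"?\s*>(.*?)</Location>', re.S | re.I)

# Constructed sample configs (not from the thread): the port 443 layout that
# failed configtest, and a corrected port 80 layout.
BAD_CONF = """<VirtualHost *:443>
    <Location "/.well-known/acme-challenge">
      DocumentRoot /var/www/certbot
    </Location>
</VirtualHost>
"""
GOOD_CONF = """<VirtualHost *:80>
    <Location "/.well-known/acme-challenge">
      Alias "/var/www/certbot"
    </Location>
    <Directory /var/www/nextcloud/>
      AllowOverride None
    </Directory>
</VirtualHost>
"""

def check_acme_vhost(conf, webroot="/var/www/certbot"):
    """Return a list of findings; empty means the port 80 vhost aliases the
    challenge path to `webroot`, which is what certbot's webroot plugin needs."""
    findings, saw_port80, port80_ok = [], False, False
    for port, body in VHOST_RE.findall(conf):
        saw_port80 = saw_port80 or port == "80"
        for inner in LOCATION_RE.findall(body):
            if port != "80":
                findings.append(f"port {port}: challenge Location belongs in the port 80 vhost")
            if re.search(r"^\s*DocumentRoot\b", inner, re.M):
                findings.append(f"port {port}: DocumentRoot is not allowed inside <Location>; use Alias")
            alias = re.search(r'^\s*Alias\s+"?([^"\s]+)"?', inner, re.M)
            if alias is None:
                findings.append(f"port {port}: no Alias in challenge Location")
            elif alias.group(1).rstrip("/") != webroot.rstrip("/"):
                findings.append(f"port {port}: Alias points at {alias.group(1)}, not {webroot}")
            elif port == "80":
                port80_ok = True
        if port == "80" and re.search(r"^\s*AllowOverride\s+All\b", body, re.M):
            findings.append("port 80: AllowOverride All lets the app's .htaccess rewrite the challenge URL")
    if not saw_port80:
        findings.append("no port 80 vhost: http-01 validation is fetched over plain HTTP")
    elif not port80_ok:
        findings.append("port 80: no Alias for the challenge path")
    return findings
```

Run it over the contents of the sites-enabled file for the domain; an empty list plus a successful `certbot renew --dry-run` is the confirmation to look for.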

Still the same error.