Renew Cert Failed - The client lacks sufficient authorization :: Invalid response

The location block I suggested you add… You should have put it in the port 80 virtualhost.

I was wrong, you should have used the Alias directive instead of DocumentRoot: https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias

<Location "/.well-known/acme-challenge">
    Alias "/var/www/certbot"
</Location>

Changed to alias for virtualhost 80. Still 404 error.

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/vOlqA4qZqF4gT34liwk1HIsTHJNJqXGIRULqN2lXWMA [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/vOlqA4qZqF4gT34liwk1HIsTHJNJqXGIRULqN2lXWMA
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

404 is kinda fine, it’s those goddamn assholes that decided it was a proper error code to send for unauthorized access that make me mad.

try putting a file in /var/www/certbot/ and check if you can see it on

http://nextcloud.oxigen.sg/.well-known/acme-challenge/
or
http://nextcloud.oxigen.sg/.well-known/acme-challenge/.well-known/acme-challenge/
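A pre-flight check for what the reply above asks, as an added example that is not part of this thread and not certbot's own code: certbot's webroot authenticator writes each token to <webroot>/.well-known/acme-challenge/<token>, so the script places a random token there and then fetches both URL shapes named above over plain HTTP, the way the CA's validator would. If only the doubled URL serves the token, the Alias target is one directory too shallow (it needs to end in /.well-known/acme-challenge); a 404 on both means the request is being answered by something other than that directory (another virtualhost, a rewrite rule, a .htaccess). The local demo starts Python's http.server as a stand-in for Apache; the hostname, webroot and script name in the usage line are assumptions.

```python
"""Pre-flight check for an HTTP-01 challenge path.

Added example (not code from the thread or from certbot): it mimics what
certbot's webroot authenticator does, writing a token under
<webroot>/.well-known/acme-challenge/, then fetches the token over plain
HTTP the way the ACME server would, so a broken Alias/Location or a vhost
that swallows the request shows up before `certbot renew` is attempted.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot):
    """Write a random token file where the webroot plugin would put it."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def fetch(url, timeout=10):
    """Return (status, body); status is None when no HTTP answer came back."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def preflight(webroot, base_url):
    """Probe both URL shapes discussed in the thread.

    'direct'  -> http://host/.well-known/acme-challenge/<token>  (what the CA fetches)
    'doubled' -> http://host/.well-known/acme-challenge/.well-known/acme-challenge/<token>
    If only 'doubled' works, the Alias target is one directory too shallow
    (it should end in /.well-known/acme-challenge). A 404 on both means the
    request never reached the webroot (wrong vhost, rewrite rule, .htaccess).
    """
    token, path = place_token(webroot)
    base = base_url.rstrip("/")
    candidates = {
        "direct": f"{base}/{CHALLENGE_DIR}/{token}",
        "doubled": f"{base}/{CHALLENGE_DIR}/{CHALLENGE_DIR}/{token}",
    }
    report = {"served_by": None, "status": {}}
    try:
        for name, url in candidates.items():
            status, body = fetch(url)
            report["status"][name] = status
            if status == 200 and body.strip() == token:
                report["served_by"] = name
                break
    finally:
        os.remove(path)  # leave nothing behind, as certbot's own cleanup does
    return report


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *_):  # silence per-request logging in the demo
        pass


def local_demo(misaligned=False):
    """Run preflight against a throwaway local server (stand-in for Apache).

    misaligned=True serves the parent of the real challenge directory, which
    is what an Alias that points at /var/www/certbot instead of
    /var/www/certbot/.well-known/acme-challenge produces.
    """
    with tempfile.TemporaryDirectory() as docroot:
        webroot = docroot
        if misaligned:
            webroot = os.path.join(docroot, *CHALLENGE_DIR.split("/"))
        handler = functools.partial(_QuietHandler, directory=docroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return preflight(webroot, f"http://127.0.0.1:{server.server_address[1]}")
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    import sys
    # Assumed usage on the real host (names are placeholders):
    #   python3 acme_preflight.py /var/www/certbot http://nextcloud.example
    # With no arguments it runs the local demo instead.
    print(preflight(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else local_demo())
```

Run it on the web server itself with the same webroot you pass to certbot's -w; "served_by": "direct" is the only result under which an http-01 renewal can succeed.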

Added test.html to /var/www/certbot
The 2 links go to nextcloud.
Should the test file be in /var/www/certbot/.well-known/acme-challenge/?

Maybe this will help. I installed nextcloud using this. https://nerdonthestreet.com/wiki?find=Install+Nextcloud+17+on+Debian+10

Then I installed collabora using these.


collabora.oxigen.sg auto renews LE perfectly

did you add the location block? (and reload apache?)

because it’s using another virtualhost and nothing is interfering

revert step 16 and retry, maybe.

root@nextcloud:~# ls -al /var/www/certbot/
total 12
drwxr-xr-x 2 www-data www-data 4096 Apr  7 17:27 .
drwxr-xr-x 5 root     root     4096 Apr  7 16:39 ..
-rw-r--r-- 1 www-data www-data   11 Apr  7 17:13 test.html

Yes, reloaded apache
The links still go to nextcloud.

Reverted step 16. Restarted apache. Still same error

you should add --dry-run to your certbot command.

that .htaccess is half absurd.

Which one, from certbot or apache?

Tried both. Both got the same error.

Dry run.

Processing /etc/letsencrypt/renewal/collabora.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.oxigen.sg) from /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf produced an unexpected error: Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/MU10_T3rzaRAcB8DciiszML8wk7zf1Ns4adNM1kGlis [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/MU10_T3rzaRAcB8DciiszML8wk7zf1Ns4adNM1kGlis
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

try running a2dissite nextcloud && a2dissite nextcloud-le-ssl

then run again steps 6, 7. and restart apache; show me any errors.

all ran successfully. no error. should i run step 8?

no. run the command with -a webroot and --dry-run

(if you want to use -w /var/www/certbot you should add the location block to the port 80 virtualhost in nextcloud.conf)

certbot renew -a webroot -w /var/www/nextcloud -i apache --dry-run

authorisation error

this is extremely strange. go on with the steps (don’t overwrite stuff) but don’t add the AllowOverride All, instead, try AllowOverride None

Can I skip steps 9 - 15 and do only 16 onwards? Because 9 - 15 will mess with the existing nextcloud setup?

you can skip them all, and use this text for step 16:

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

<Directory /var/www/nextcloud/>
 AllowOverride None
</Directory>

you can also skip 17, 18, 19

Still the same error.

show me the details. command you ran, error you saw.

root@nextcloud:~# certbot renew -a webroot -w /var/www/nextcloud -i apache --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/collabora.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.oxigen.sg) from /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf produced an unexpected error: Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/jCQ-M6Kc7Ia9RqsnXjCpUXiXbYOglPMMDg804IxH3hg [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/jCQ-M6Kc7Ia9RqsnXjCpUXiXbYOglPMMDg804IxH3hg
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I don’t know anymore, try with certbot renew --apache --dry-run