Renew Cert Failed - The client lacks sufficient authorization :: Invalid response

you should add --dry-run to your certbot command.

that .htaccess is half absurd.

Which one, from certbot or apache?

Tried both. Both got the same error.

Dry run.

Processing /etc/letsencrypt/renewal/collabora.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.oxigen.sg) from /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf produced an unexpected error: Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/MU10_T3rzaRAcB8DciiszML8wk7zf1Ns4adNM1kGlis [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/MU10_T3rzaRAcB8DciiszML8wk7zf1Ns4adNM1kGlis
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

try running a2dissite nextcloud && a2dissite nextcloud-le-ssl

then run steps 6 and 7 again and restart apache; show me any errors.

All ran successfully. No error. Should I run step 8?

no. run the command with -a webroot and --dry-run

(if you want to use -w /var/www/certbot you should add the location block to the port 80 virtualhost in nextcloud.conf)

certbot renew -a webroot -w /var/www/nextcloud -i apache --dry-run

authorisation error

this is extremely strange. go on with the steps (don’t overwrite stuff) but don’t add the AllowOverride All, instead, try AllowOverride None

Can I skip steps 9 - 15 and do only 16 onwards? Because 9 - 15 will mess with the existing nextcloud setup?

you can skip them all, and use this text for step 16:

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

<Directory /var/www/nextcloud/>
 AllowOverride None
</Directory>

you can also skip 17, 18, 19

Still the same error.

show me the details. command you ran, error you saw.

root@nextcloud:~# certbot renew -a webroot -w /var/www/nextcloud -i apache --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/collabora.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.oxigen.sg
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.oxigen.sg) from /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf produced an unexpected error: Failed authorization procedure. nextcloud.oxigen.sg (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.oxigen.sg/.well-known/acme-challenge/jCQ-M6Kc7Ia9RqsnXjCpUXiXbYOglPMMDg804IxH3hg [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.oxigen.sg
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.oxigen.sg/.well-known/acme-challenge/jCQ-M6Kc7Ia9RqsnXjCpUXiXbYOglPMMDg804IxH3hg
   [116.202.30.75]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I don’t know anymore, try with certbot renew --apache --dry-run

Renewed on dry run successfully!! I did an actual renewal with certbot --apache, but I have this error while on browser.

run certbot enhance --redirect and it will go away.

you need to install the cert for nextcloud, with certbot --apache or certbot install --apache (no renew)

Dry run is successful, but certbot renew --apache gets the same error. certbot install --apache installs the old cert.

root@nextcloud:~# certbot renew --apache --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/collabora.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.oxigen.sg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/collabora.oxigen.sg/fullchain.pem (success)
  /etc/letsencrypt/live/nextcloud.oxigen.sg/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@nextcloud:~# certbot install --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to install?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: collabora.oxigen.sg
2: nextcloud.oxigen.sg
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/nextcloud-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

This means there is no problem, I think. It validates, so it works.

Thank you for helping out, @9peppe :grinning:
I still could not get the cert renewed. I changed a domain name, installed a new cert and bought some time, or maybe the problem will not happen again…
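
Added example, not part of the original thread: a shell filter that condenses certbot's "Failed authorization procedure" lines, like the ones posted above, into one record per failed domain. Each record carries the webroot path the authenticator reported, so it can be compared with the DocumentRoot of the port 80 virtual host. The function names and the sample domain, IP and token are constructed.

```shell
#!/bin/sh
# Summarise http-01 failures from certbot output read on stdin.
# One record per failure: domain|challenge|acme_error|ip|http_status|webroot
acme_failures() {
  awk '
    BEGIN { webroot = "-" }
    # Each renewal config starts a new lineage: forget the previous webroot.
    /^Processing / { webroot = "-" }
    # The webroot authenticator logs the directory it wrote the token into.
    /^Using the webroot path / { webroot = $5 }
    /Failed authorization procedure\./ {
      line = $0
      sub(/.*Failed authorization procedure\. /, "", line)
      domain = line; sub(/ .*/, "", domain)
      chal = line; sub(/^[^(]*\(/, "", chal); sub(/\).*/, "", chal)
      err = line; sub(/.*urn:ietf:params:acme:error:/, "", err); sub(/ .*/, "", err)
      ip = "-"       # address the CA connected to, printed as [addr]:
      if (match(line, /\[[0-9a-fA-F:.]+\]:/)) ip = substr(line, RSTART + 1, RLENGTH - 3)
      status = "-"   # status taken from the error page title, e.g. 404
      if (match(line, /<title>[0-9][0-9][0-9] /)) status = substr(line, RSTART + 7, 3)
      print domain "|" chal "|" err "|" ip "|" status "|" webroot
    }
  '
}

# Constructed sample in the same format as the output in the thread.
sample_log() {
  cat <<'EOF'
Processing /etc/letsencrypt/renewal/example.test.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
http-01 challenge for example.test
Using the webroot path /var/www/example for all unmatched domains.
Waiting for verification...
Attempting to renew cert (example.test) from /etc/letsencrypt/renewal/example.test.conf produced an unexpected error: Failed authorization procedure. example.test (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.test/.well-known/acme-challenge/PLACEHOLDER_TOKEN [203.0.113.10]: "<html><head>\n<title>404 Not Found</title>". Skipping.
EOF
}

sample_log | acme_failures
```

A 404 in the status field together with a webroot value means the server that answered on that IP did not serve files from that directory under /.well-known/acme-challenge/.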
