Renew failed: Failed authorization procedure urn:acme:error:unauthorized


#2

Hi @tneo,

There seems to be a discrepancy between the configuration of https://mail.kegge.ca/ in IPv4 and IPv6. This discrepancy could be causing the error that you’ve seen. Can you take a look at your configuration and make sure that all of the virtual hosts are configured equivalently for IPv4 and IPv6?


#3

Hi @schoen ,

What kind of discrepancy are you referring to? DNS entries are identical for the www and the mail domain. My Vhosts are very simple, just a redirect from :80 to :443 and the correct root folder.


#4

If I curl -4 https://mail.kegge.ca/ and curl -6 https://mail.kegge.ca/, I get two different kinds of certificate error, indicating that different certificates were provided in this case.


#5

Hmm. Google was being difficult with my mail. So I configured the IPv6 in the DNS later (after the initial issue of the certificate). I did renew the main domain certificate. All went well. How can I fix the issue, so I get a correct certificate again?


#6

@schoen
Do you have a suggestion how I can fix this issue? Can I simply remove the existing certificates and install them anew for the domain?


#7

Well, I’m not positive about the underlying reason for the problem.

The error about “Incorrect validation certificate for tls-sni-01 challenge” refers to a challenge method that is being phased out.

This is not the reason that your validation has failed (if it were, you would see a different error message; the continued use of TLS-SNI-01 is permitted for renewals of names which previously had Let’s Encrypt certificates), but it might be a good incentive to switch over to the HTTP-01 validation method, either by upgrading Certbot to 0.21 or later, or by using -a webroot -i apache instead of --apache (or -a standalone -i apache if you don’t have Apache listening on port 80 now). This validation method is very different and should not run into the same problems that you’re experiencing now.


#8

Certbot still does not think I’m friendly when I use -a webroot -i apache:

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.kegge.ca (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.kegge.ca/.well-known/acme-challenge/UBUxAnrn7s_CsaJNLdVYqcrbX_0tWvDjB2itX4kXbT4: "

<html lang="en" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/term"

IMPORTANT NOTES:

When I check my webroot the .well-known directory is created, but the additional acme-challenge directory is not.


#9

Can you create a file manually at this location and access it via the web server?


#10

Yes, that is not an issue. I can become root to add that file, I just need to know the correct owner to assign, I suppose.


#11

So, could you try making a file at http://mail.kegge.ca/.well-known/acme-challenge/test.txt for verification?

Which webroot directory did you specify to Certbot, and how did you specify it?


#12

Plain HTTP will not get you the file; HTTPS works.


#13

It looks like you have a rewrite problem where you’re missing a trailing slash (you rewrite “http://mail.kegge.ca/” to “https://mail.kegge.ca” without the trailing slash). This results in forming the invalid URL https://mail.kegge.ca.well-known/acme-challenge/test.txt.

A lot of people have had this problem before; it should be OK (or at least better in this regard) if you can add the trailing slash to the definition of the rewrite.


#14

Also, it has to work over HTTP in order to use this authentication method with the CA. :slight_smile: (A redirect is OK, including a redirect to HTTPS, but the initial connection is always made over HTTP.)


#15

The trailing slash is added, so HTTP goes through now, though the renewal does not :frowning:


#16

Well, that looks like progress! Do you still see the same error message as before? How are you specifying the webroot directory to Certbot?


#17

Same error still indeed:

Domain: mail.kegge.ca
Type: unauthorized
Detail: Invalid response from
http://mail.kegge.ca/.well-known/acme-challenge/egO38tewTKOMpI6Ul72bIm7f0Oj0WaYhVpb5PZD2XvU:
"

<html lang="en" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/term"

I tried with and without a trailing slash in the webroot, but the result is the same. I do use SELinux if that matters, but the directory is owned by Apache and has the rw permission there. I have run the restorecon command to re-affirm that permission scheme: drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 acme-challenge


#18

Can you see a particular error in your web server error logs associated with the CA’s attempt to connect?

Are you sure that the webroot directory is right? (It should be pointed at the directory that contains .well-known/acme-challenge, not at .well-known/acme-challenge itself.)
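The two failure modes raised in this thread (an HTTP-to-HTTPS redirect whose target lacks the trailing slash, and a webroot that points at the wrong directory) can be checked offline before spending rate-limited validation attempts. This is an added example, not Certbot's or the poster's code; it assumes the redirect behaves like Apache mod_alias `Redirect <prefix> <target>` (the symptom the thread describes), uses the thread's hostname, and constructs the webroot layout in a temporary directory.

```python
"""Offline pre-flight checks for the HTTP-01 problems in this thread."""
import os
import tempfile

ACME_PATH = "/.well-known/acme-challenge/"


def mod_alias_redirect(prefix, target, request_path):
    """Emulate Apache mod_alias 'Redirect <prefix> <target>': the remainder of
    the request path after <prefix> is appended to <target> verbatim, so a
    target without a trailing slash glues host and path together."""
    if not request_path.startswith(prefix):
        return None  # rule does not match this request
    return target + request_path[len(prefix):]


def redirect_keeps_challenge_path(prefix, target, token="test.txt"):
    """True if the HTTP->HTTPS redirect still points at the challenge file."""
    new_url = mod_alias_redirect(prefix, target, ACME_PATH + token)
    return new_url is not None and new_url.endswith(ACME_PATH + token)


def webroot_problem(webroot):
    """Describe a common webroot mistake, or return None if the layout is
    usable: Certbot wants the directory that *contains* .well-known and must
    be able to create files below it."""
    norm = os.path.normpath(webroot)
    if os.path.basename(norm) in (".well-known", "acme-challenge"):
        return "webroot points inside .well-known; use its parent directory"
    if not os.path.isdir(norm):
        return "webroot directory does not exist"
    chal = os.path.join(norm, ".well-known", "acme-challenge")
    probe = os.path.join(chal, "test.txt")
    try:
        os.makedirs(chal, exist_ok=True)
        with open(probe, "w") as fh:
            fh.write("probe")
        os.remove(probe)
    except OSError:
        return "cannot write under .well-known/acme-challenge (owner/mode/SELinux)"
    return None


def demo_webroot_check():
    """Constructed layout: a temp directory standing in for /var/www/sites/roundcube."""
    with tempfile.TemporaryDirectory() as root:
        good = webroot_problem(root)
        bad = webroot_problem(os.path.join(root, ".well-known", "acme-challenge"))
    return good, bad
```

Running `webroot_problem` as the same user Certbot runs as also surfaces the permission or SELinux problem behind the "Unable to clean up challenge directory" message.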


#19

I do not see any errors that may be of help. I use the webroot as I have configured in my configuration file for Roundcube. And now I’ve reached my limit of incorrect authorization attempts.

Is it possible to delete the current certificates and install the certificates again with the webroot command?


#20

Sorry about that. The failed authorization rate limit will reset after one hour (so perhaps imminently).

If you can post the exact directories in question (what you provided as the webroot and where you put the test.txt), maybe I can see if I can see anything wrong.

Yes, although that doesn’t affect rate limits in any way. You can use certbot delete for this.


#21

webroot: /var/www/sites/roundcube
test: /var/www/sites/roundcube/.well-known/acme-challenge/test.txt

I deleted the certificates, but that does not help. And now I can’t send e-mail anymore…

What is the issue here? Is the acme-challenge dir not correct? Why is the comment referring to DNS settings, while initially the check is OK and retrieves a certificate?

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.kegge.ca
Input the webroot for mail.kegge.ca: (Enter ‘c’ to cancel): /var/www/sites/roundcube
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/sites/roundcube/.well-known/acme-challenge
Failed authorization procedure. mail.kegge.ca (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.kegge.ca/.well-known/acme-challenge/opfkpTx-rIn4OD-zbJ2Yu21PEcSRj9ZfGizjqhqLSdc: "

<html lang="en" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/term"

IMPORTANT NOTES:

Clean-up fails; that may be a permission issue. What need to be the owner and the correct permissions then?