Renew Failure - Invalid response from http://reportbase.com/.well-known/acme-challenge/

I’m getting a renew failure of my certificate.
My server is configured correctly because I can verify access to the acme-challenge folder with this curl command:
curl http://reportbase.com/.well-known/acme-challenge/a.jpg

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for reportbase.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/reportbase.com.conf produced an unexpected error: Failed authorization procedure. reportbase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reportbase.com/.well-known/acme-challenge/64HvQ55fQUoChlIFPMyeJ2DemhuM2mjntB2_Xy4ccJ8: "

404 Not Found

404 Not Found


". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/reportbase.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

wget http://reportbase.com/.well-known/acme-challenge/a.jpg
--2017-07-15 17:46:01-- http://reportbase.com/.well-known/acme-challenge/a.jpg
Resolving reportbase.com (reportbase.com)… 206.196.115.56
Connecting to reportbase.com (reportbase.com)|206.196.115.56|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://reportbase.com/.well-known/acme-challenge/a.jpg [following]
--2017-07-15 17:46:01-- https://reportbase.com/.well-known/acme-challenge/a.jpg
Connecting to reportbase.com (reportbase.com)|206.196.115.56|:443… connected.
ERROR: cannot verify reportbase.com's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
Issued certificate has expired.
To connect to reportbase.com insecurely, use `--no-check-certificate'.

For simple/straight http challenges, you should probably exclude /.well-known/ from the HTTPS redirection.

Not sure what you mean by excluding /.well-known.

I can get the acme-challenge folder from the browser like this.
http://reportbase.com/.well-known/acme-challenge/a.jpg

Here is my nginx config:

server
{
listen 80;
listen [::]:80;
server_name reportbase.com;
return 301 https://$host$request_uri;
}

server
{
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/reportbase.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/reportbase.com/privkey.pem;
server_name reportbase.com;

root /srv/http/reportbase.com;

location /icons/
{
root /srv/http;
}

location /js/
{
root /srv/http;
}

location /.well-known/acme-challenge
{
allow all;
root /srv/http;
default_type "text/plain";
try_files $uri =404;
}

location /
{
proxy_pass http://reportbase.com:3999;
}
}

Here is my error message:

Attempting to renew cert from /etc/letsencrypt/renewal/reportbase.com.conf produced an unexpected error: Failed authorization procedure. reportbase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reportbase.com/.well-known/acme-challenge/oyr9QAeppy5mPWIRkuQK0odcmU3SzRAjw_8wI_y3S44:

Thanks so much.

Can you tell us what plugin you are using (Apache, nginx, manual, standalone, etc)?

nginx Standalone. Vanilla nginx setup.

hi @reportbase

I can see you are doing a redirection from HTTP to HTTPS

The only issue I can see with that is that your certificate expired. I can view your image with a browser if I ignore SSL errors.

I am not sure how boulder deals with expired certs (if it ignores them or if the connection fails), but it should follow the 301 redirects.

I would suggest turning off the HTTP to HTTPS redirection temporarily to see if the challenge passes, and then turning it back on.

Andrei

Does that mean you are using the standalone plugin (--save) with nginx? Can you send us the exact command line you ran originally?

What command?

I run it with systemd like this:
systemctl restart nginx

That's all I do to start nginx. I don't know what standalone is.

Turning off the HTTP to HTTPS redirect did not fix it either.

No, I mean what is your Certbot command? Since this is a renewal, it’s possible you don’t remember; if so, share /etc/letsencrypt/HOSTNAME/renewal.conf

# renew_before_expiry = 30 days
version = 0.13.0
archive_dir = /etc/letsencrypt/archive/reportbase.com
cert = /etc/letsencrypt/live/reportbase.com/cert.pem
privkey = /etc/letsencrypt/live/reportbase.com/privkey.pem
chain = /etc/letsencrypt/live/reportbase.com/chain.pem
fullchain = /etc/letsencrypt/live/reportbase.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 74f43f88696303e4e85aa1777aa18114
webroot_path = /srv/http/reportbase.com,
[[webroot_map]]
reportbase.com = /srv/http/reportbase.com

Try this:

server
{
listen 80;
listen [::]:80;
server_name reportbase.com;
location /.well-known/acme-challenge
{
allow all;
root /srv/http;
default_type "text/plain";
try_files $uri =404;
}
return 301 https://$host$request_uri;
}

OK, fixed now, thanks.

So what was the fix?

I changed the root path.
I made my nginx paths match up with the paths in this file:

/etc/letsencrypt/HOSTNAME/renewal.conf
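The root cause the thread ends on (the nginx `root` in the acme-challenge location not matching certbot's `webroot_path`) and the earlier advice to serve /.well-known/ before the HTTPS redirect can both be checked without touching a live server. The script below is an added diagnostic, not something posted in this thread or shipped by certbot or nginx. It assumes the documented behaviour that nginx's `root` directive has the full request URI appended to it (so `root /srv/http` serves `/.well-known/acme-challenge/TOKEN` from `/srv/http/.well-known/acme-challenge/TOKEN`), and that the webroot authenticator writes its token under `<webroot_path>/.well-known/acme-challenge/`. All paths and the token value are constructed examples taken from this thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: compare where certbot's webroot
# authenticator writes an http-01 token with where nginx's `root` directive
# makes it look for the same URI. Paths and token are constructed examples.

ACME_URI_PREFIX="/.well-known/acme-challenge"

# Path certbot writes the token to: <webroot_path>/.well-known/acme-challenge/<token>
certbot_token_path() {
    webroot="$1"; token="$2"
    printf '%s%s/%s\n' "${webroot%/}" "$ACME_URI_PREFIX" "$token"
}

# File nginx opens for `location /.well-known/acme-challenge { root X; }`:
# `root` gets the whole request URI appended (unlike `alias`, which strips
# the location prefix), so the location prefix is part of the on-disk path.
nginx_resolved_path() {
    root="$1"; token="$2"
    printf '%s%s/%s\n' "${root%/}" "$ACME_URI_PREFIX" "$token"
}

# Exit status 0 when nginx would serve exactly the file certbot wrote, 1 otherwise.
acme_paths_match() {
    root="$1"; webroot="$2"; token="${3:-EXAMPLE_TOKEN}"
    [ "$(nginx_resolved_path "$root" "$token")" = "$(certbot_token_path "$webroot" "$token")" ]
}

# On-disk simulation inside a temp dir: write the token where certbot would,
# then check whether the file nginx would try to open actually exists.
simulate_challenge() {
    base="$(mktemp -d)"
    root="$base$1"; webroot="$base$2"; token="${3:-EXAMPLE_TOKEN}"
    target="$(certbot_token_path "$webroot" "$token")"
    mkdir -p "$(dirname "$target")"
    printf 'token.thumbprint\n' > "$target"   # constructed key-authorization body
    served="$(nginx_resolved_path "$root" "$token")"
    if [ -f "$served" ]; then rc=0; else rc=1; fi
    rm -rf "$base"
    return $rc
}

# Demonstration with the two root values from this thread against the
# webroot_path recorded in the renewal config (/srv/http/reportbase.com).
for root in /srv/http /srv/http/reportbase.com; do
    if acme_paths_match "$root" /srv/http/reportbase.com; then
        echo "root $root: OK, nginx serves $(nginx_resolved_path "$root" TOKEN)"
    else
        echo "root $root: MISMATCH, nginx would look in $(nginx_resolved_path "$root" TOKEN)"
    fi
done
```

With `root /srv/http` the script reports a mismatch (nginx looks for `/srv/http/.well-known/acme-challenge/TOKEN` while certbot wrote under `/srv/http/reportbase.com/`), which is exactly the 404 in the renewal log; with `root /srv/http/reportbase.com` the two paths coincide. Once the paths agree, the remaining check is that the location block sits in the port-80 server ahead of the `return 301`, since the validation request arrives over plain HTTP and a redirect to a site whose certificate has already expired only adds another way to fail.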
