Renew Failure - Invalid response from http://reportbase.com/.well-known/acme-challenge/


#1

I’m getting a renew failure of my certificate.
My server is configured correctly because I can verify access to the acme-challenge folder with this curl command:
curl http://reportbase.com/.well-known/acme-challenge/a.jpg

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for reportbase.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/reportbase.com.conf produced an unexpected error: Failed authorization procedure. reportbase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reportbase.com/.well-known/acme-challenge/64HvQ55fQUoChlIFPMyeJ2DemhuM2mjntB2_Xy4ccJ8: "
404 Not Found
404 Not Found
". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/reportbase.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#2

wget http://reportbase.com/.well-known/acme-challenge/a.jpg
--2017-07-15 17:46:01-- http://reportbase.com/.well-known/acme-challenge/a.jpg
Resolving reportbase.com (reportbase.com)... 206.196.115.56
Connecting to reportbase.com (reportbase.com)|206.196.115.56|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://reportbase.com/.well-known/acme-challenge/a.jpg [following]
--2017-07-15 17:46:01-- https://reportbase.com/.well-known/acme-challenge/a.jpg
Connecting to reportbase.com (reportbase.com)|206.196.115.56|:443... connected.
ERROR: cannot verify reportbase.com's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
Issued certificate has expired.
To connect to reportbase.com insecurely, use `--no-check-certificate'.


#3

For simple/straight http challenges, you should probably exclude /.well-known/ from the HTTPS redirection.


#4

Not sure what you mean by excluding /.well-known.

I can get the acme-challenge folder from the browser like this:
http://reportbase.com/.well-known/acme-challenge/a.jpg

Here is my nginx config:

server
{
    listen 80;
    listen [::]:80;
    server_name reportbase.com;
    # A server-level "return" runs before any location is matched, so every
    # plain-HTTP request, including /.well-known/acme-challenge/<token>,
    # is redirected to HTTPS.
    return 301 https://$host$request_uri;
}

server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/reportbase.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/reportbase.com/privkey.pem;
    server_name reportbase.com;

    root /srv/http/reportbase.com;

    location /icons/
    {
        root /srv/http;
    }

    location /js/
    {
        root /srv/http;
    }

    # With root /srv/http, $uri is looked up as
    # /srv/http/.well-known/acme-challenge/<token>.
    location /.well-known/acme-challenge
    {
        allow all;
        root /srv/http;
        default_type "text/plain";
        try_files $uri =404;
    }

    location /
    {
        proxy_pass http://reportbase.com:3999;
    }
}

Here is my error message:

Attempting to renew cert from /etc/letsencrypt/renewal/reportbase.com.conf
produced an unexpected error: Failed authorization procedure. reportbase.com
(http-01): urn:acme:error:unauthorized :: The client lacks sufficient
authorization :: Invalid response from
http://reportbase.com/.well-known/acme-challenge/oyr9QAeppy5mPWIRkuQK0odcmU3SzRAjw_8wI_y3S44
:

Thanks so much.


#5

Can you tell us what plugin you are using (Apache, nginx, manual, standalone, etc)?


#6

nginx Standalone. Vanilla nginx setup.


#7

hi @reportbase

I can see you are doing a redirection from HTTP to HTTPS

The only issue I can see with that is that your certificate expired. I can view your image with a browser if I ignore SSL errors.

I am not sure how boulder deals with expired certs (if it ignores them or if the connection fails), but it should follow the 301 redirects.

I would suggest turning off the HTTP to HTTPS redirection temporarily and seeing if the challenge passes, then turning it back on.

Andrei


#8

Does that mean you are using the standalone plugin (–save) with nginx? Can you send us the exact command line you ran originally?


#9

What command?

I run it with systemd like this:
systemctl restart nginx

That's all I do to start nginx. I don't know what standalone is.

Turning off the http to https redirect did not fix it either.


#10

No, I mean what is your Certbot command? Since this is a renewal, it’s possible you don’t remember; if so, share /etc/letsencrypt/HOSTNAME/renewal.conf


#11

# renew_before_expiry = 30 days
version = 0.13.0
archive_dir = /etc/letsencrypt/archive/reportbase.com
cert = /etc/letsencrypt/live/reportbase.com/cert.pem
privkey = /etc/letsencrypt/live/reportbase.com/privkey.pem
chain = /etc/letsencrypt/live/reportbase.com/chain.pem
fullchain = /etc/letsencrypt/live/reportbase.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 74f43f88696303e4e85aa1777aa18114
webroot_path = /srv/http/reportbase.com,
[[webroot_map]]
reportbase.com = /srv/http/reportbase.com


#12

Try this:

server
{
    listen 80;
    listen [::]:80;
    server_name reportbase.com;

    # Serve the challenge from the directory certbot writes to: the
    # webroot_map path in renewal.conf plus /.well-known/acme-challenge/.
    location /.well-known/acme-challenge
    {
        allow all;
        root /srv/http/reportbase.com;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Keep the redirect inside a location block: a server-level "return"
    # runs before location matching and would redirect the challenge too.
    location /
    {
        return 301 https://$host$request_uri;
    }
}


#13

Ok fixed now thanks.


#14

So what was the fix?


#15

I changed the root path
I made my nginx paths match up with the paths in this file.

/etc/letsencrypt/HOSTNAME/renewal.conf
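The thread turned up two separate reasons the validator never saw the token: the port-80 server redirected everything (posts #1 to #12), and the challenge location's root did not match the webroot in renewal.conf (post #15). The script below is an added example, not certbot or nginx code and not from the thread, that checks both statically: it parses the port-80 server from an nginx config (prefix locations, root and return only; modifiers such as = and ~ are not handled), works out what nginx does with the challenge URL, and compares that with where certbot's webroot authenticator writes the token according to [[webroot_map]]. The three nginx snippets and the renewal.conf excerpt are constructed to mirror the configs in posts #4, #11 and #12; the token is the one from post #1.

```python
"""Static check: will the port-80 nginx server serve certbot's http-01 token
from the directory the webroot authenticator writes it to? Added example for
this thread; parses only the nginx subset needed (prefix locations, root, return)."""
import re

CHALLENGE = "/.well-known/acme-challenge/"
TOKEN = "64HvQ55fQUoChlIFPMyeJ2DemhuM2mjntB2_Xy4ccJ8"  # token from post #1

# Constructed excerpt of the renewal.conf shown in post #11.
RENEWAL_CONF = """
[renewalparams]
authenticator = webroot
webroot_path = /srv/http/reportbase.com,
[[webroot_map]]
reportbase.com = /srv/http/reportbase.com
"""

# Constructed port-80 servers: redirect-everything as in post #4, a challenge
# location whose root does not match renewal.conf, and a corrected one.
NGINX_AS_POSTED = """
server { listen 80; listen [::]:80; server_name reportbase.com;
         return 301 https://$host$request_uri; }
"""
NGINX_ROOT_MISMATCH = """
server { listen 80; server_name reportbase.com;
         location /.well-known/acme-challenge { root /srv/http; try_files $uri =404; }
         location / { return 301 https://$host$request_uri; } }
"""
NGINX_FIXED = """
server { listen 80; server_name reportbase.com;
         location /.well-known/acme-challenge { root /srv/http/reportbase.com; try_files $uri =404; }
         location / { return 301 https://$host$request_uri; } }
"""


def parse_nginx(text):
    """Parse nginx config into (directive, args, children) triples;
    children is None for simple directives. Comments are dropped."""
    tokens = re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''',
                        re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                items.append((words[0], words[1:], None))
                words = []
            elif tok == "{":
                items.append((words[0], words[1:], block()))
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok.strip("\"'"))
        return items

    return block()


def port_80_servers(tree):
    """Yield server blocks listening on :80, where the validator's request lands."""
    for name, _, children in tree:
        if name == "server" and any(n == "listen" and (a[0] == "80" or a[0].endswith(":80"))
                                    for n, a, _ in children):
            yield children


def served_path(server, uri):
    """('redirect', target), ('file', path) or ('none', None) for uri in this server."""
    # A server-level "return" runs in the server rewrite phase, before any
    # location is matched, so it wins even when a challenge location exists.
    for name, args, _ in server:
        if name == "return":
            return ("redirect", args[-1])
    root = next((a[0] for n, a, _ in server if n == "root"), None)
    best = None  # longest matching prefix location
    for name, args, children in server:
        if name == "location" and children is not None and uri.startswith(args[-1]):
            if best is None or len(args[-1]) > len(best[0]):
                best = (args[-1], children)
    if best:
        for name, args, _ in best[1]:
            if name == "return":
                return ("redirect", args[-1])
            if name == "root":
                root = args[0]
    return ("file", root.rstrip("/") + uri) if root else ("none", None)


def certbot_token_path(renewal_conf, domain, token):
    """Where the webroot authenticator writes the token: [[webroot_map]] entry + challenge path."""
    in_map = False
    for line in renewal_conf.splitlines():
        line = line.strip()
        if line.startswith("[[webroot_map]]"):
            in_map = True
            continue
        if line.startswith("["):
            in_map = False
            continue
        if in_map and "=" in line:
            name, _, path = line.partition("=")
            if name.strip() == domain:
                return path.strip().rstrip("/") + CHALLENGE + token
    return None


def diagnose(nginx_conf, renewal_conf, domain, token):
    """Compare certbot's write location with what nginx does for the challenge URL."""
    expected = certbot_token_path(renewal_conf, domain, token)
    server = next(port_80_servers(parse_nginx(nginx_conf)), None)
    outcome = served_path(server, CHALLENGE + token) if server else ("none", None)
    return {"expected": expected, "nginx": outcome, "ok": outcome == ("file", expected)}
```

Running diagnose() over the three snippets reproduces the thread: the as-posted server answers the challenge with a redirect, the mismatched one serves /srv/http/.well-known/acme-challenge/<token> while certbot wrote under /srv/http/reportbase.com, and only the corrected one lines up. Against a live server the same comparison can be made by dropping a test file into the [[webroot_map]] directory and fetching it with curl without following redirects.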

