Hello,
First, thanks a lot to Let’s Encrypt!
As stated in the title, this is another client-lacks-sufficient-authorization problem.
I have read the posts with similar topic, and fixed accordingly when it seemed fit.
My domain is: www.alchimie-web.com (plus a couple other domain.alchimie-web.com)
I first issued the certificate with Docker certbot, in manual mode. It worked like a charm.
The webserver is an nginx Docker container dedicated to the cert renewal (I’m leaving it on so you guys can test for yourselves).
It serves nothing except the default nginx page and the .well-known/acme-challenge dir with a test file to make sure it is accessible: http://www.alchimie-web.com/.well-known/acme-challenge/test.html
I also checked with a plain text file, and it is served correctly as well.
Here’s the nginx log when I hit the test URL:
123.123.123.123 - - [28/Aug/2018:10:54:10 +0000] "GET /.well-known/acme-challenge/test.html HTTP/1.1" 200 46 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "-"
Now the cert has expired, and I’m trying to renew it, with this command:
docker run --rm --name certbot \
-v '/home/etc/letsencrypt:/etc/letsencrypt' \
-v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
-v "/tmp/acme-challenge:/tmp/acme-challenge:rw" \
certbot/certbot renew --webroot \
--webroot-path "tmp/acme-challenge" \
--dry-run
The directory /tmp/acme-challenge is correctly mapped to the nginx container’s /usr/share/nginx/html/.well-known/acme-challenge, and to make things easy to test it’s all chmod 777.
It produced this output:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/atanor.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
/usr/local/lib/python2.7/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for alchimie-web.com
http-01 challenge for cloud.alchimie-web.com
http-01 challenge for gitea.alchimie-web.com
http-01 challenge for jenkins.alchimie-web.com
http-01 challenge for pga.alchimie-web.com
http-01 challenge for pma.alchimie-web.com
http-01 challenge for sonar.alchimie-web.com
http-01 challenge for www.alchimie-web.com
Using the webroot path /tmp/.well-known/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (atanor) from /etc/letsencrypt/renewal/atanor.conf produced an unexpected error: Failed authorization procedure. www.alchimie-web.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.alchimie-web.com/.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
(skip same error for all domains)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/atanor/fullchain.pem (failure)
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/atanor/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.alchimie-web.com
Type: unauthorized
Detail: Invalid response from
http://www.alchimie-web.com/.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
(skip same output for all domains)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I have no AAAA record for the domain(s) and the A record seems correct.
I checked /etc/letsencrypt/renewal/atanor.conf (for webroot mode instead of the manual mode I used to install the cert):
# renew_before_expiry = 30 days
version = 0.23.0
archive_dir = /etc/letsencrypt/archive/atanor
cert = /etc/letsencrypt/live/atanor/cert.pem
privkey = /etc/letsencrypt/live/atanor/privkey.pem
chain = /etc/letsencrypt/live/atanor/chain.pem
fullchain = /etc/letsencrypt/live/atanor/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = abcdef123456
manual_public_ip_logging_ok = True
The certbot container is able to reach through to nginx, as it appears in the nginx log:
66.133.109.36 - - [28/Aug/2018:11:24:05 +0000] "GET /.well-known/acme-challenge/jocAHKSQzdvxHQ1fDG47i8H-rSbm2v8HdPudjQT5K_o HTTP/1.1" 404 170 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
2018/08/28 11:24:05 [error] 7#7: *67 open() "/usr/share/nginx/html/.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro" failed (2: No such file or directory), client: 52.29.173.72, server: *.alchimie-web.com, request: "GET /.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro HTTP/1.1", host: "www.alchimie-web.com"
34.213.106.112 - - [28/Aug/2018:11:24:05 +0000] "GET /.well-known/acme-challenge/jocAHKSQzdvxHQ1fDG47i8H-rSbm2v8HdPudjQT5K_o HTTP/1.1" 404 170 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
2018/08/28 11:24:05 [error] 7#7: *69 open() "/usr/share/nginx/html/.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro" failed (2: No such file or directory), client: 13.58.30.69, server: *.alchimie-web.com, request: "GET /.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro HTTP/1.1", host: "www.alchimie-web.com"
It seems to me the challenge files are simply not created. They’re not in /tmp/acme-challenge, but certbot seems to do some cleanup ("Cleaning up challenges"), so I can’t tell…
Is there a debug mode that would prevent certbot / letcert from cleaning the challenge files, so I can check that they are actually created (though I suppose it would throw an error if it wasn’t able to create them in the first place)?
Also, I found the IPs in the nginx log a bit puzzling:
66.133.109.36 - - [28/Aug/2018:11:24:05 +0000] "GET /.well-known/acme-challenge/jocAHKSQzdvxHQ1fDG47i8H-rSbm2v8HdPudjQT5K_o HTTP/1.1" 404 170 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
2018/08/28 11:24:05 [error] 7#7: *67 open() "/usr/share/nginx/html/.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro" failed (2: No such file or directory), client: 52.29.173.72, server: *.alchimie-web.com, request: "GET /.well-known/acme-challenge/HOyN2fOK-00WWJkf_xrv1zS28M1ufYUInsJ4wLNrbro HTTP/1.1", host: "www.alchimie-web.com"
Anybody got a clue?
Thanks in advance for your help.
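A check for the situation described in the post, added here as an example and not code from the original post or from certbot: certbot's webroot authenticator writes the token file to <webroot-path>/.well-known/acme-challenge/<token> and deletes it once validation is over, which is why nothing is left in the directory afterwards. The script below writes a file the same way and verifies that it is visible in the directory nginx serves for /.well-known/acme-challenge/ (the one named in the open() errors of the nginx log above); a second function does the same over HTTP with curl, which is what the validation server sees. The function names, the constructed token content and the directory arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. It mimics certbot's webroot
# authenticator: the plugin writes <webroot-path>/.well-known/acme-challenge/<token>
# and removes it after validation. The check writes such a file and looks for it
# in the directory that nginx serves for /.well-known/acme-challenge/.
# Function names and the constructed token content are assumptions for this example.

# Print the path certbot writes for a given --webroot-path and token.
certbot_challenge_file() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# check_webroot_mapping WEBROOT NGINX_CHALLENGE_DIR
# Returns 0 when a file written the certbot way shows up in the nginx-served
# directory, 1 otherwise. The file is removed again, as certbot's cleanup does.
check_webroot_mapping() {
    wr_webroot=$1
    wr_nginx_dir=$2
    wr_token="mapping-test-$$"
    wr_file=$(certbot_challenge_file "$wr_webroot" "$wr_token")
    mkdir -p "$(dirname "$wr_file")" || return 1
    printf 'constructed-key-authorization' > "$wr_file" || return 1
    if [ "$(cat "$wr_nginx_dir/$wr_token" 2>/dev/null)" = 'constructed-key-authorization' ]; then
        rm -f "$wr_file"
        return 0
    fi
    rm -f "$wr_file"
    return 1
}

# check_http WEBROOT HOST
# Same idea over HTTP, which is what the CA's validation server sees. Needs curl
# and a resolvable host, so it is not exercised offline.
check_http() {
    ch_token="http-test-$$"
    ch_file=$(certbot_challenge_file "$1" "$ch_token")
    mkdir -p "$(dirname "$ch_file")" || return 1
    printf 'ok' > "$ch_file" || return 1
    ch_body=$(curl -fsS "http://$2/.well-known/acme-challenge/$ch_token" 2>/dev/null) || ch_body=''
    rm -f "$ch_file"
    [ "$ch_body" = 'ok' ]
}

# Example invocation on the Docker host for the layout in the post: certbot is
# given /tmp/acme-challenge as its webroot, and nginx serves
# /.well-known/acme-challenge/ from the directory bound to that same host path.
# check_webroot_mapping /tmp/acme-challenge /tmp/acme-challenge && echo 'mapping ok' || echo 'mapping wrong'
# check_http /tmp/acme-challenge www.alchimie-web.com && echo 'http ok' || echo 'http wrong'
```

The first argument is exactly the value handed to --webroot-path; the second is the host-side directory that nginx exposes under /.well-known/acme-challenge/. If the two checks disagree with each other, the bind mount is at the wrong level relative to what certbot appends. For inspecting the files certbot itself creates, certbot also has a --debug-challenges option that pauses before the cleanup step so the token files can be looked at while they exist.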