[resolved] I have recently changed Registrars and the renew failed on the authorization process

Hello, I recently changed Registrars from (Name.com) to (Google Domains), and now I am having problems renewing the domain through the command line. Login into the site, bonsi.org or www.bonsi.org is fine from the web.

I was able to renew 2 others domains throughout the same command line with no issues. The domains still under the Registrar Name.com, the Sites are hosted on my server .


  1. Domain:

    bonsi.org
    www.bonsi.org


  1. renew command: (Letsencrypt/certboot)

    [server:~] root# cd /Users/AdminUser/letsencrypt
    [server:~/letsencrypt] root# ./certbot-auto certonly --webroot --webroot-path /Users/SiteUser/Sites/ --email
    webmaster@bonsi.org -d bonsi.org -d www.bonsi.org


  1. It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bonsi.org
http-01 challenge for www.bonsi.org
Using the webroot path /Users/SiteUser/Sites for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bonsi.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bonsi.org/.well-known/acme-challenge/_WaRM1EIRh3bkVjMRJxkWL9dYmb3qYc9BvqSKHN3St0: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", www.bonsi.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.bonsi.org/.well-known/acme-challenge/9TRfiTo1iYARSnJ_hJUlO84BKHG3hs5MgIlgZ22zoC0: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bonsi.org
   Type:   unauthorized
   Detail: Invalid response from
   http://bonsi.org/.well-known/acme-challenge/_WaRM1EIRh3bkVjMRJxkWL9dYmb3qYc9BvqSKHN3St0:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   Domain: www.bonsi.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.bonsi.org/.well-known/acme-challenge/9TRfiTo1iYARSnJ_hJUlO84BKHG3hs5MgIlgZ22zoC0:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

  1. Webserver:

    Apache 2.4


  1. Operating system:

    Mac Client OS X 10.9.5


  1. Previous Domain Registrar:

    Name.com


  1. Actual Domain Registrar:

    Google Domains


  1. Root shell Superuser login:

    Ok


I don’t think the registrar used has anything to do with the problem.

Try placing a test.txt file at:
http://bonsi.org/.well-known/acme-challenge/test.txt

And also look into the IPv6 address access, as LE prefers IPv6 when used:

nslookup www.bonsi.org
Addresses: 2602:306:ce87:4da0::2
2602:306:ce87:4da0::3
2602:306:ce87:4da0::4
108.232.116.218

nslookup bonsi.org
Addresses: 2602:306:ce87:4da0::2
2602:306:ce87:4da0::3
2602:306:ce87:4da0::4
108.232.116.218

Hi, Rudy, @rg305, thanks for dropping in,

During the renew process, (After had input the terminal LE command), I can see the challenge communication with the directory temporarily creating the “acme-challenge” folder. However, it fails immediately after that, producing the output logs! Therefore, there is a communication with the server but LE denies doing after that.

I have gone to this issue before about IPv6 and IPv4 and is not that LE prefers IPv6 over IPv4! It is when your network has both, it tries to communicate with IPv6 and fails if there is not a proper response from IPv6. Aware of that, I had turned off IPv6 on the router and the same output come out. So, I think is something else…

Note that I do have two other domains being hosted on this server with the same setup and they renewed without any problems.

E\

If IPv6 is in DNS, LE will prefer it.
Try removing the IPv6 (AAAA) records from DNS.

2 Likes

Ok, Problem resolved! Here was the issue;

I had turn-off IPv6 on the router but forgot to delete the IPv6 entries on the Registrar Parent, Google Domains. After deleting those IPv6 entries, the renew process went through fine.

> [server:~] root# cd /Users/AdminUser/letsencrypt 
> [server:~/letsencrypt] root# ./certbot-auto certonly --webroot --webroot-path /Users/SiteUser/Sites/ --email webmaster@bonsi.org -d bonsi.org -d www.bonsi.org
> Saving debug log to /var/log/letsencrypt/letsencrypt.log
> Plugins selected: Authenticator webroot, Installer None
> Cert is due for renewal, auto-renewing...
> Renewing an existing certificate
> Performing the following challenges:
> http-01 challenge for bonsi.org
> http-01 challenge for www.bonsi.org
> Using the webroot path /Users/SiteUser/Sites for all unmatched domains.
> Waiting for verification...
> Cleaning up challenges
> 
> IMPORTANT NOTES:
>  - Congratulations! Your certificate and chain have been saved at:
>    /etc/letsencrypt/live/bonsi.org/fullchain.pem
>    Your key file has been saved at:
>    /etc/letsencrypt/live/bonsi.org/privkey.pem
>    Your cert will expire on 2017-12-23. To obtain a new or tweaked
>    version of this certificate in the future, simply run certbot-auto
>    again. To non-interactively renew *all* of your certificates, run
>    "certbot-auto renew"
>  - If you like Certbot, please consider supporting our work by:
> 
>    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
>    Donating to EFF:                    https://eff.org/donate-le

Thanks Rudy @rg305 for your participation!

E\

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.