Having changed the master server used for regenerating certificates, when I run “certbot renew” I get a message telling me that I am not sufficiently authorized.
Here is the error message:
Attempting to renew cert from /etc/letsencrypt/renewal/MY_DOMAIN.fr.conf produced an unexpected error: Failed authorization procedure. www.MY_DOMAIN.fr (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.MY_DOMAIN.fr/.well-known/acme-challenge/QvJv7OngAr_e411sV_39Sa9_BzVhIMonyno5eC3TI_I: "
404 Not Found
<p", MY_DOMAIN.fr (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://MY_DOMAIN.fr/.well-known/acme-challenge/rLdY0Q3Wu8y5fHX0K3ClTyHZKi1kype6dD4wJWcB-ms: "
404 Not Found
All renewal attempts failed. The following certs could not be renewed:
/MOUNT_POINT/letsencrypt/live/MY_DOMAIN.fr/fullchain.pem (failure)
Note: the SSL certificate is in a directory on my NAS, shared between all my servers and mounted over NFS on them.
Thanks for your help.
This response indicates that Let’s Encrypt was presented with an HTTP 404 response when it requested the challenge file. You haven’t really provided us with enough information to actually help you (the question prompts are there for a reason!) but the next troubleshooting step is to usually place a test.txt file in your .well-known/acme-challenge directory and attempt to load that in a web browser - preferably from somewhere outside your network in order to also eliminate possible routing discrepancies between local machines vs. the public internet.
I see that the .well-known directory is empty…
That's normal, most of the time. Certbot only puts stuff in it momentarily, and cleans up afterwards.
You can create an "acme-challenge" subdirectory yourself.
OK. But which permissions must the .well-known (and acme-challenge) directory have?
777? Other?
root:root? Other?
Whatever permissions allow it to serve test files, like the rest of your web contents. 777 is usually not recommendable - 755 is about as unrestricted as I’d go, but this question is outside the scope of what this support forum is designed for. Depending on ownership, 600 or 644 should be fine.
It’s OK for me…
The error came from a bad configuration in the file 000-default.conf: bad “DocumentRoot”…
Error corrected, it works…
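The root cause found at the end of this thread, an Apache DocumentRoot that does not match the directory the challenge files are written to, can be checked mechanically. The script below is an added example, not part of the original thread: it assumes certbot's webroot authenticator (a `[[webroot_map]]` section in the renewal file), and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the webroot authenticator and paths without spaces.

# First DocumentRoot value in an Apache config (comment lines skipped, quotes stripped).
vhost_docroot() {
    awk 'tolower($1) == "documentroot" { v = $2; gsub(/"/, "", v); sub(/\/$/, "", v); print v; exit }' "$1"
}

# Webroot paths listed under [[webroot_map]] in a certbot renewal file.
certbot_webroots() {
    awk -F' *= *' '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && NF == 2      { sub(/\/$/, "", $2); print $2 }' "$1" | sort -u
}

# 0: every webroot equals DocumentRoot; 1: mismatch (challenge gets a 404); 2: nothing to compare.
check_challenge_path() {
    docroot=$(vhost_docroot "$1"); webroots=$(certbot_webroots "$2"); status=0
    [ -n "$docroot" ] && [ -n "$webroots" ] || return 2
    for w in $webroots; do
        [ "$w" = "$docroot" ] && continue
        echo "MISMATCH: certbot writes to $w, Apache serves $docroot"; status=1
    done
    return $status
}

# Create a probe file (755 directories, 644 file) to fetch from outside the network:
#   curl -i http://MY_DOMAIN.fr/.well-known/acme-challenge/test.txt
place_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" && chmod 755 "$1/.well-known" "$dir" &&
        echo ok > "$dir/test.txt" && chmod 644 "$dir/test.txt" && echo "$dir/test.txt"
}

# Constructed sample files (not the poster's real configuration).
make_samples() {
    printf '<VirtualHost *:80>\n  # DocumentRoot /old\n  DocumentRoot "%s"\n</VirtualHost>\n' "$2" > "$1/000-default.conf"
    printf '[renewalparams]\nauthenticator = webroot\n[[webroot_map]]\nMY_DOMAIN.fr = %s\nwww.MY_DOMAIN.fr = %s\n' "$3" "$3" > "$1/MY_DOMAIN.fr.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp" /var/www/wrong "$tmp/www"
check_challenge_path "$tmp/000-default.conf" "$tmp/MY_DOMAIN.fr.conf" || echo "exit status: $?"
place_probe "$tmp/www"
rm -rf "$tmp"
```

On a real host, point `check_challenge_path` at the vhost file and the file under /etc/letsencrypt/renewal/, then fetch the probe URL from a machine outside the network.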