[SOLVED] Certbot certonly FailedChallenges: Failed authorization procedure. (404)

Hi,

Before starting, I want to say I searched through the whole forum and the ACME docs for hours. This error is already well documented, but I still struggle to get rid of it. If someone has a clue, it would be much appreciated. Thank you.

As you can see in the title, I run certonly with the webroot module.

  • All the site's assets are located in var/www/w3st.digital/public

  • I've manually added a text file, /var/www/w3st.digital/public/.well-known/acme-challenge/a, that I'm able to query over HTTP using curl and Chromium. You can try:
    http://w3st.digital/.well-known/acme-challenge/a

  • The ACME script is generating the challenge at the right path, meaning I've correctly set the webroot, as you can see in the debug logs:

    2019-07-23 08:29:41,135:DEBUG:certbot.error_handler:Calling registered functions
    2019-07-23 08:29:41,135:INFO:certbot.auth_handler:Cleaning up challenges
    2019-07-23 08:29:41,136:DEBUG:certbot.plugins.webroot:Removing /var/www/w3st.digital/public/.well-known/acme-challenge/D31FGPPWu2lr8INMSwQi5j0MNpOg6zyAXk1C1HxIb2k
    2019-07-23 08:29:41,136:DEBUG:certbot.plugins.webroot:Removing /var/www/w3st.digital/public/.well-known/acme-challenge/uoNrzeaprMll4Do7NWfXVjemAhPbMyvlPA81dmFA0C8
    2019-07-23 08:29:41,136:DEBUG:certbot.plugins.webroot:All challenges cleaned up
    2019-07-23 08:29:41,137:DEBUG:certbot.log:Exiting abnormally:

It produced this error output; nginx is not able to find the file:

    certbot.errors.FailedChallenges: Failed authorization procedure.
    www.w3st.digital (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.w3st.digital/.well-known/acme-challenge/uoNrzeaprMll4Do7NWfXVjemAhPbMyvlPA81dmFA0C8 [2a03:b0c0:3:d0::da2:3001]: "\r\n404 Not Found\r\n<body bgcolor=\"white\">\r\n404 Not Found\r\n"
    w3st.digital (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://w3st.digital/.well-known/acme-challenge/D31FGPPWu2lr8INMSwQi5j0MNpOg6zyAXk1C1HxIb2k [2a03:b0c0:3:d0::da2:3001]: "\r\n404 Not Found\r\n<body bgcolor=\"white\">\r\n404 Not Found\r\n"

My domain is:
w3st.digital

/etc/nginx/sites-available/w3st.digital:

server {
        root /var/www/w3st.digital/public;
        index index.html index.htm index.nginx-debian.html;

        server_name w3st.digital www.w3st.digital;

        location ~ /.well-known {
                allow all;
        }
}

I ran this command:
certbot certonly --webroot -w /var/www/w3st.digital/public -d w3st.digital -d www.w3st.digital

My web server is (include version):
nginx version: nginx/1.14.2

The operating system my web server runs on is (include version):
GNU/Linux Debian Buster 10

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Hope someone can help me figure this out.
I wish you all a nice day.
Regards
Thomas.

Hi @tomVlt

Looks like a curious problem. Checking your main domain, all looks good - https://check-your-website.server-daten.de/?q=w3st.digital

You have IPv4 and IPv6:

Host              T     IP-Address                Location / Provider                                                          is auth.  ∑ Queries  ∑ Timeout
w3st.digital      A     165.227.150.150           Frankfurt am Main/Hesse/Germany (DE) - DigitalOcean, LLC, No Hostname found  yes       1          0
                  AAAA  2a03:b0c0:3:d0::da2:3001  Frankfurt am Main/Hesse/Germany (DE) - DigitalOcean, LLC                     yes
www.w3st.digital  A     165.227.150.150           Frankfurt am Main/Hesse/Germany (DE) - DigitalOcean, LLC, No Hostname found  yes       1          0
                  AAAA  2a03:b0c0:3:d0::da2:3001  Frankfurt am Main/Hesse/Germany (DE) - DigitalOcean, LLC                     yes

Checking your standard URLs, it's the same: all work. Not the typical missing-IPv6-configuration error.

Domainname / IP-Address                                    Http-Status  redirect  Sec.   G
http://w3st.digital/
    165.227.150.150                                        200                    0.030  H
    2a03:b0c0:3:d0::da2:3001                               200                    0.046  H
http://www.w3st.digital/
    165.227.150.150                                        200                    0.047  H
    2a03:b0c0:3:d0::da2:3001                               200                    0.034  H
https://w3st.digital/
    165.227.150.150                                        -2                     1.076  V
        ConnectFailure - Unable to connect to the remote server: No connection could be made because the target machine actively refused it 165.227.150.150:443
    2a03:b0c0:3:d0::da2:3001                               -2                     1.063  V
        ConnectFailure - Unable to connect to the remote server: No connection could be made because the target machine actively refused it [2a03:b0c0:3:d0::da2:3001]:443
https://www.w3st.digital/
    165.227.150.150                                        -2                     1.047  V
        ConnectFailure - Unable to connect to the remote server: No connection could be made because the target machine actively refused it 165.227.150.150:443
    2a03:b0c0:3:d0::da2:3001                               -2                     1.080  V
        ConnectFailure - Unable to connect to the remote server: No connection could be made because the target machine actively refused it [2a03:b0c0:3:d0::da2:3001]:443
http://w3st.digital/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    165.227.150.150                                        404                    0.030  A
        Not Found. Visible Content: 404 Not Found nginx
    2a03:b0c0:3:d0::da2:3001                               404                    0.030  A
        Not Found. Visible Content: 404 Not Found nginx
http://www.w3st.digital/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    165.227.150.150                                        404                    0.046  A
        Not Found. Visible Content: 404 Not Found nginx
    2a03:b0c0:3:d0::da2:3001                               404                    0.047  A
        Not Found. Visible Content: 404 Not Found nginx

HTTPS doesn't work, but if you don't have a certificate yet, that's OK. All /.well-known/acme-challenge URLs give the same, expected answer: HTTP status 404 Not Found.

But checking your challenge file - https://check-your-website.server-daten.de/?q=w3st.digital%2F.well-known%2Facme-challenge%2Fa

there are different answers:

Domainname / IP-Address                                    Http-Status  redirect  Sec.   G
http://w3st.digital/.well-known/acme-challenge/a
    165.227.150.150                                        200                    0.030  H
    2a03:b0c0:3:d0::da2:3001                               404                    0.046  M
        Not Found
http://www.w3st.digital/.well-known/acme-challenge/a
    165.227.150.150                                        200                    0.034  H
    2a03:b0c0:3:d0::da2:3001                               404                    0.030  M
        Not Found

Your challenge file works with IPv4, but not with IPv6.

Let's Encrypt prefers IPv6, so it's critical.

So you must have a configuration with an incomplete IPv6 part.

1 Like
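The per-address-family check Juergen ran above is easy to script locally, so the same discrepancy can be found before Certbot is retried. The following is an added example (not code from the thread, from Certbot or from nginx): it resolves the A and AAAA records of the name, opens a TCP connection to each literal address, sends a GET for the challenge path with the original host name in the Host header (which is what the ACME validator does after resolving the name itself), and reports when the two families answer differently. Function names and the default host/path arguments are chosen for this example only.

```python
import socket
import sys

# Added diagnostic example; names are chosen here and are not from Certbot or nginx.


def resolve(host, port=80):
    """Return a list of (family_label, ip) for every A and AAAA answer for host."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        entry = (label, sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def http_get_via(ip, port, host, path, timeout=5.0):
    """GET `path` from the literal address `ip`, sending `host` as the Host header.

    Connecting to the address directly (instead of the name) lets us pick the
    address family; sending the real Host header keeps nginx's server_name
    matching identical to what the validator sees.
    Returns the HTTP status code, or None when the TCP connection fails or the
    response has no parseable status line.
    """
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:  # refused, unreachable, timed out: the family is not served at all
        return None
    status_line = b"".join(chunks).split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[1].isdigit():
        return None
    return int(status_line[1])


def check_challenge_path(host, path, port=80, addresses=None):
    """Probe `path` on every address of `host` and return {(family, ip): status}.

    `addresses` overrides DNS resolution, e.g. to point the probe at a local server.
    """
    targets = addresses if addresses is not None else resolve(host, port)
    return {(family, ip): http_get_via(ip, port, host, path) for family, ip in targets}


def mismatched(results):
    """True when the probed addresses do not all answer with the same status."""
    return len(set(results.values())) > 1


def main(argv):
    # Defaults are placeholders taken from the thread; pass your own name and token path.
    host = argv[1] if len(argv) > 1 else "w3st.digital"
    path = argv[2] if len(argv) > 2 else "/.well-known/acme-challenge/a"
    results = check_challenge_path(host, path)
    for (family, ip), status in results.items():
        shown = status if status is not None else "connection failed"
        print(f"{family:4} {ip:40} {path} -> {shown}")
    if mismatched(results):
        print("MISMATCH: the address families are served differently; check every listen directive")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py w3st.digital /.well-known/acme-challenge/a` after placing a test file at that path. A 200 on the IPv4 address next to a 404 on the IPv6 address for the same Host header means the IPv6 request is being answered by a different server block: in nginx a server block with no `listen` directive at all (or only `listen 80;`) is bound on IPv4 only, so traffic arriving on `[::]:80` is handled by whichever block does listen there (on Debian, the default site with its own document root), and the challenge file is not under that root. Adding `listen [::]:80;` next to `listen 80;` in the block that carries `server_name w3st.digital www.w3st.digital;` makes both families hit the same root. This matters because the Let's Encrypt validator uses the AAAA record first when one exists and only falls back to IPv4 on connection failures, not on an HTTP 404.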

Dear Juergen,

It worked as expected.
Many thanks for your time.

I must say support is solid and fast at LE. You are awesome.

Regards,
Thomas.

1 Like
