Standalone certonly http-01 insufficient authorization

I’m running a standalone certonly challenge over HTTP and am receiving a 503 / urn:acme:error:unauthorized :: The client lacks sufficient authorization

The command I’m running (domain redacted):

certbot certonly -n -d subdomain.domain.com -m me@domain.com --standalone --agree-tos --staging --preferred-challenges http

I’ve verified that port 80 is available via the subdomain by running a separate webserver on the same box. If I stop that webserver and run the certbot command it fails with:

 - The following errors were reported by the server:

   Domain: subdomain.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://subdomain.domain.com/.well-known/acme-challenge/iyvJ4D6KLHDXbywMLocTvBwhJvPbIvOSybjVbPlxmtc
   [54.xx.xxx.xxx]: 503

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I’m unclear where the standalone command attempts to place the .well-known files for challenging. It seems like this could be causing the issue.

Any help on this would be much appreciated.

Could you please provide the real domain name?


Thanks, I would rather not. If there’s information that can be gleaned from having the actual domain name, could you let me know what it is?

You have to make sure that the domain is accessible. How did you do the test with the temporary webserver?

Does your domain have an AAAA record in addition to an A? What version of Certbot are you using?

The subdomain has an A record, the domain itself has an NS record and an SOA record. I have used this setup with Let’s Encrypt successfully many times in the past.

Running certbot --version shows certbot 0.19.0

I verified port 80 by setting up an nginx server (before running certbot) and browsing to the subdomain over http - I successfully received the nginx holding page. I then stopped nginx before running the certbot command.

I would suggest adding --debug to your command line and pasting the full output here.

503 Service Unavailable
The server is currently unavailable (because it is overloaded or down for maintenance). Generally, this is a temporary state.

Thanks, output from /var/log/letsencrypt/letsencrypt.log

2017-11-27 14:52:20,780:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-27 14:52:20,780:DEBUG:certbot.main:Arguments: ['-n', '-d', 'subdomain.domain.com', '-m', 'me@domain.com', '--standalone', '--agree-tos', '--staging', '--preferred-challenges', 'http', '--debug']
2017-11-27 14:52:20,780:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-27 14:52:20,791:DEBUG:certbot.log:Root logging level set at 20
2017-11-27 14:52:20,791:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-27 14:52:20,792:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-11-27 14:52:20,867:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f1bb1d79b50>
Prep: True
2017-11-27 14:52:20,868:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f1bb1d79b50> and installer None
2017-11-27 14:52:20,868:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2017-11-27 14:52:20,871:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:me@domain.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f1bb1d79b90>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/5140195', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), f37586153e54421fde25624d2f9ce98e, Meta(creation_host=u'ip-22-0-4-61', creation_dt=datetime.datetime(2017, 11, 27, 13, 47, 14, tzinfo=<UTC>)))>
2017-11-27 14:52:20,872:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2017-11-27 14:52:20,873:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-11-27 14:52:21,158:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 582
2017-11-27 14:52:21,159:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 582
Replay-Nonce: nzqp878RhDmxGX1rxh7OBHv2h7X-AiHOSv3Wv-6VTlM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 14:52:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 14:52:21 GMT
Connection: keep-alive

{
  "3m6cYpYQ318": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}
2017-11-27 14:52:21,159:INFO:certbot.main:Obtaining a new certificate
2017-11-27 14:52:21,160:DEBUG:acme.client:Requesting fresh nonce
2017-11-27 14:52:21,160:DEBUG:acme.client:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
2017-11-27 14:52:21,348:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-11-27 14:52:21,349:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: EWhAxEmNZ5MJwaRNudHs3NDsyXYxtB6YXZz8U1jIwNQ
Expires: Mon, 27 Nov 2017 14:52:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 14:52:21 GMT
Connection: keep-alive


2017-11-27 14:52:21,349:DEBUG:acme.client:Storing nonce: EWhAxEmNZ5MJwaRNudHs3NDsyXYxtB6YXZz8U1jIwNQ
2017-11-27 14:52:21,349:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "subdomain.domain.com"
  }, 
  "resource": "new-authz"
}
2017-11-27 14:52:21,352:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
{
  "protected": "...", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZGV2LnBhcmFkaW5vLmlvIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "J-knPnuBY3Dl1G6o-nYBmFM_uFUhidPfcGB4yBgsYRpL8mU4V0UW9qeAvOGRjd7ZEm4uKW4-82BSr5w-odsNa4ArgzKwOpLKKg8TY6ASWQRK2pDSKyRdsYMg5k-ZSrmGAACZmC88-12Gizu7CZ6lbz0wcqvNspsY3TGZMp9xULlG-02vyfOMAl8TVPtbRJQNXaOxUd6OieUo72Y-neIZRUna_vMk8JagAvTdvOzqQVnMhzlG_4Tp7lMspPbqTMqs4LhkYRDAurKxV5_PqPFgsQPFMVRHEeZMnt1mqm3-gEabRHesSnHySPOU-p5zU4nwakvtFuLt1Lk9shVgT8-m1Q"
}
2017-11-27 14:52:21,561:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1009
2017-11-27 14:52:21,561:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1009
Boulder-Requester: 5140195
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8
Replay-Nonce: eiRYJI114Zhg_trlJxTkaRKOpFyQu0f_vOCzpbUuM9U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 14:52:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 14:52:21 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "subdomain.domain.com"
  },
  "status": "pending",
  "expires": "2017-12-04T14:52:21.444542706Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564232",
      "token": "NNJ-OEzbyWDgw1pRZFewDw3yif4nsXjeow8yYYBP_7U"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564233",
      "token": "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564234",
      "token": "LyTVptVytJB-CeoXyoGj-3rF1J3wuUVly-wsNdwKYIo"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      2
    ],
    [
      1
    ]
  ]
}
2017-11-27 14:52:21,561:DEBUG:acme.client:Storing nonce: eiRYJI114Zhg_trlJxTkaRKOpFyQu0f_vOCzpbUuM9U
2017-11-27 14:52:21,562:INFO:certbot.auth_handler:Performing the following challenges:
2017-11-27 14:52:21,562:INFO:certbot.auth_handler:http-01 challenge for subdomain.domain.com
2017-11-27 14:52:21,563:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2017-11-27 14:52:21,566:INFO:certbot.auth_handler:Waiting for verification...
2017-11-27 14:52:21,566:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-11-27 14:52:21,569:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564233:
{
  "protected": "...", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIk1VWGVTQlF6OHZQRXhPMDJiZW5aYUgxYnd6VGxCLWduSGh3Nk1CbDRoRm8uWlA5cFpJV09KRllmQlNHN1A4WUpIZFNoZjhmd0dMSi1ZMFMzM0NWN2lpRSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "FrvoODVwoc6biOXscDdFrO8s4aezxuRY_rAwYjBdpFDL45ccAOSQdiKTMyxbQjN1pLIhbvrmdumMN1nsECoulM2BasOCumlq4ncXMi-gBAshWlpVByTmS5sU5cTJu9nXF50iErO-NCtCEb6siO8wB8v4j-Wp3rRCO5ie_fJc1mTvbx8u3n7p6jIjQrwFGOGuikEskMz8SFSvo8Om2G3A6FPTvpFzK60Wck6NKAee7XVy5FIHKKpPiHOBgVLjV6to9U24y_oB5zTmJR5Nxu8Yj-ueCkt5dyuUI3YWZen1nfBAznIULgOuCas6iaw8hZ1REt6EzYy_3Pcamr4L-aqCtw"
}
2017-11-27 14:52:21,782:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564233 HTTP/1.1" 202 338
2017-11-27 14:52:21,782:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 5140195
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564233
Replay-Nonce: x32ylXrFfqIGpcEfyFDJ5biDMbrdHvJot5iCmSYCY5Y
Expires: Mon, 27 Nov 2017 14:52:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 14:52:21 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564233",
  "token": "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo",
  "keyAuthorization": "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE"
}
2017-11-27 14:52:21,782:DEBUG:acme.client:Storing nonce: x32ylXrFfqIGpcEfyFDJ5biDMbrdHvJot5iCmSYCY5Y
2017-11-27 14:52:24,786:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8.
2017-11-27 14:52:24,985:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8 HTTP/1.1" 200 1778
2017-11-27 14:52:24,986:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1778
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: UKaF8vUBT3o2LtTT7PoFId50vG8K6oRntVkMqYKEDX8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 14:52:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 14:52:24 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "subdomain.domain.com"
  },
  "status": "invalid",
  "expires": "2017-12-04T14:52:21Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564232",
      "token": "NNJ-OEzbyWDgw1pRZFewDw3yif4nsXjeow8yYYBP_7U"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo [34.240.74.18]: 503",
        "status": 403
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564233",
      "token": "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo",
      "keyAuthorization": "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE",
      "validationRecord": [
        {
          "url": "http://subdomain.domain.com/.well-known/acme-challenge/MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo",
          "hostname": "subdomain.domain.com",
          "port": "80",
          "addressesResolved": [
            "34.240.74.18",
            "54.77.192.196"
          ],
          "addressUsed": "34.240.74.18",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hJFSPeoGPiG5pvSgsYD4KxmIKdSSON9azCF2onAIwP8/79564234",
      "token": "LyTVptVytJB-CeoXyoGj-3rF1J3wuUVly-wsNdwKYIo"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      2
    ],
    [
      1
    ]
  ]
}
2017-11-27 14:52:24,987:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: subdomain.domain.com
Type:   unauthorized
Detail: Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo [34.240.74.18]: 503

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2017-11-27 14:52:24,987:INFO:certbot.auth_handler:Cleaning up challenges
2017-11-27 14:52:24,987:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2017-11-27 14:52:25,071:ERROR:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. subdomain.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo [34.240.74.18]: 503

Console output was:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.subdomain.com
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. domain.subdomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.subdomain.com/.well-known/acme-challenge/MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo [34.240.74.18]: 503
Please see the logfiles in /var/log/letsencrypt for more details.

Thanks - I believe the 503 is because the certbot process has been unable to actually create / read the challenge files - which is what I’m asking help for.

Have a look at the output of netstat -nlp.
There seems to be another webserver running.

Thanks, I wondered this too but couldn’t see anything that was already on port 80 (at this point I’m stretching my network understanding):

root@ip-22-0-4-61:~# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1268/sshd       
tcp6       0      0 :::22                   :::*                    LISTEN      1268/sshd       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           929/dhclient    
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     8782     1/init              /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     8787     1/init              /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     34036    7163/systemd        /run/user/1000/systemd/private
unix  2      [ ACC ]     SEQPACKET  LISTENING     8790     1/init              /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     8789     1/init              /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     8791     1/init              /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     12830    1/init              /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     12831    1/init              /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     12834    1/init              /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     12835    1/init              /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     12836    1/init              /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     12837    1/init              /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12991    1061/iscsid         @ISCSIADM_ABSTRACT_NAMESPACE

Standalone spins up a temporary web server on port 80.
But it seems that you are already running something on port 80 or it requires root privileges.
Try adding “sudo” before “certbot…”

Thanks, I actually am already running with sudo (and logged in as root).

I’m wondering if there are any certbot specific logs to look at (rather than letsencrypt output) that might shed light on why it’s unable to bind to port 80?

It seems to be using (listening on) IPv6, although your domain name is not connected via IPv6.

Ah ok - so you mean that the server that is spun up by --standalone is listening via IPv6? Is there a way to ask it not to?

There is nothing in the official documentation about that; I think it should be implemented, though.
The question is: why couldn’t certbot bind to port 80 IPv4?
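Two things in the log above are worth seeing side by side: the standalone plugin writes no .well-known files at all (it answers the challenge URL from memory on its own listener), and the pair "Failed to bind to :80 using IPv4" / "Stopping server at :::80" is what a dual-stack socket produces when "::" already holds the port. The following is an added example, not certbot's own code, of such an in-memory http-01 responder; its demo() shows that once the IPv6 socket holds the port a second IPv4 bind fails with EADDRINUSE while IPv4 clients are still answered, and that an unknown token yields 404, never 503. It assumes a host with IPv6 loopback (it falls back to IPv4 otherwise), uses an ephemeral port instead of 80, and reuses the token and key authorization from the log as constants.

```python
import errno
import http.client
import http.server
import socket
import threading

# Token and key authorization copied from the thread's log. A key authorization is
# "<token>.<base64url SHA-256 thumbprint of the ACME account key>".
TOKEN = "MUXeSBQz8vPExO02benZaH1bwzTlB-gnHhw6MBl4hFo"
KEY_AUTHZ = TOKEN + ".ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE"
CHALLENGE_PATH = "/.well-known/acme-challenge/"

class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serve http-01 responses from an in-memory table; no files are written."""
    responses = {}  # token -> key authorization

    def do_GET(self):
        token = self.path[len(CHALLENGE_PATH):] if self.path.startswith(CHALLENGE_PATH) else ""
        body = self.responses.get(token, "").encode()
        if not body:
            return self.send_error(404)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class ChallengeServer(http.server.HTTPServer):
    """Listener on '::' with IPV6_V6ONLY cleared, so one socket also accepts IPv4."""
    def __init__(self, port, family):
        self.address_family = family
        super().__init__(("::" if family == socket.AF_INET6 else "0.0.0.0", port), ChallengeHandler)

    def server_bind(self):
        if self.address_family == socket.AF_INET6:
            self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        super(http.server.HTTPServer, self).server_bind()  # skip HTTPServer's getfqdn() lookup
        self.server_name, self.server_port = "localhost", self.server_address[1]

def start_responder(token, key_authz, port=0):
    ChallengeHandler.responses[token] = key_authz
    try:
        server = ChallengeServer(port, socket.AF_INET6)
    except OSError:  # no IPv6 on this host: listen on IPv4 only
        server = ChallengeServer(port, socket.AF_INET)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe_ipv4_bind(port):
    # A second, IPv4-only bind of the port that "::" already holds: 'ok' or errno name.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e))

def fetch_challenge(port, token):
    # Fetch over IPv4 loopback, as a validator reaching the host over IPv4 would.
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", CHALLENGE_PATH + token)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()

def demo():
    server = start_responder(TOKEN, KEY_AUTHZ)
    port = server.server_address[1]
    try:
        return {
            "dual_stack": server.address_family == socket.AF_INET6,
            "ipv4_rebind": probe_ipv4_bind(port),               # EADDRINUSE: port already held
            "fetched": fetch_challenge(port, TOKEN),            # (200, KEY_AUTHZ) over IPv4
            "unknown_token": fetch_challenge(port, "bogus")[0],  # 404, never 503
        }
    finally:
        server.shutdown()
        server.server_close()
```

A 503 on the challenge URL therefore cannot come from this kind of responder; it points at whatever answers port 80 for the resolved address in front of the host.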

I tried adding an AAAA record, which gave exactly the same result.

It definitely seems to be an issue with creating the actual standalone webserver - and perhaps also, relatedly, the creation / placement of the actual challenge files.

Hmm, what I wonder about the output of netstat: you are logged in to your machine, but there is no line for a connected ssh client. How did you log in, and could you really access your temporary webserver (to test port 80) from an upstream internet connection?

@bmw, @schoen Do you folks have any insight for this case? I think there’s some confusion about how Certbot tries to bind IPv4 & IPv6 interfaces that is likely unrelated to the root problem.