The client lacks sufficient authorization after following the instructions in email


#1

My domain is: brick9.com

I ran this command: I got an email stating I had to upgrade to keep letsencrypt working. So this is what I did:

  • was running certbot 0.22, so upgraded to .28
  • ran the command: sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

Then when doing the dry run for renew I suddenly get these errors:

Attempting to renew cert (www.brick9.com) from /etc/letsencrypt/renewal/www.brick9.com.conf produced an unexpected error: Failed authorization procedure. www.brick9.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.brick9.com/.well-known/acme-challenge/Y6o03UuCUCSmiUQtPNd9XjMat3X1F4Q6435GUexklF0: "\n<html class="avada-html-layout-wide" lang="en-US" prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#">\n<head". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/brick9.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.brick9.com/fullchain.pem (failure)

My web server is Apache


#2

Hi @B055

your main configuration looks ok ( https://check-your-website.server-daten.de/?q=brick9.com ):

Port 80 is open, non-www is redirected to www, there is the expected http status 404 - not found.

So find your DocumentRoot in your VirtualHost and use it.

certbot run -a webroot -i apache -w yourDocumentRoot -d www.brick9.com -d brick9.com

#3

Thank you, that command activated successfully (I chose to attempt to reinstall)

After that tried a new renew dry-run. But getting the same output.


#4

Please show output of:
certbot certificates

and also the matching cert named .conf file in folder (if any):
/etc/letsencrypt/renewal/

And for good measure the most recent letsencrypt log file entries.


#5

I’m afraid @JuergenAuer’s command may have created a new separately-managed certificate if you didn’t have www.brick9.com and brick9.com on the same certificate before. You can check with certbot certificates.


#6

I can’t find a new certificate.

Last certificate is 2019-01-18.

https://crt.sh/?q=brick9.com


#7

Hi output


Found the following certs:
Certificate Name: brick9.com
Domains: brick9.com www.brick9.com
Expiry Date: 2019-04-18 11:25:15+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/brick9.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/brick9.com/privkey.pem
Certificate Name: www.brick9.com
Domains: www.brick9.com
Expiry Date: 2019-04-16 11:14:34+00:00 (VALID: 67 days)
Certificate Path: /etc/letsencrypt/live/www.brick9.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.brick9.com/privkey.pem


brick9.com.conf:

# renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/brick9.com
cert = /etc/letsencrypt/live/brick9.com/cert.pem
privkey = /etc/letsencrypt/live/brick9.com/privkey.pem
chain = /etc/letsencrypt/live/brick9.com/chain.pem
fullchain = /etc/letsencrypt/live/brick9.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = b44c9ecafb08f9d66026cbb7779c0b2b
authenticator = apache
installer = apache

www.brick9.com.conf:

# renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /etc/letsencrypt/archive/www.brick9.com
cert = /etc/letsencrypt/live/www.brick9.com/cert.pem
privkey = /etc/letsencrypt/live/www.brick9.com/privkey.pem
chain = /etc/letsencrypt/live/www.brick9.com/chain.pem
fullchain = /etc/letsencrypt/live/www.brick9.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = b44c9ecafb08f9d66026cbb7779c0b2b
installer = apache
authenticator = apache

So this looks good no?


#8

It looks like you have two certs good for at least 67 days.
But one has two names and one has one name.
Both have the same single name; so, I wonder if you are even using the single name cert…
[you can do without it]

Please show:
grep -Eri 'brick9.com/fullchain' /etc/apache2
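
An added example, not part of any post in this thread and not Certbot's own code: a Python check of what each renewal file asks for after the sed edit (authenticator, and whether a tls-sni-01 preference remains) and of which hostnames sit on more than one certificate. The sample texts are constructed from the output in post #7; the `old.example` entry and its `pref_challs` line are hypothetical.

```python
import configparser
from collections import defaultdict

# Constructed sample input: trimmed copies of the two renewal files from post #7,
# plus a hypothetical third file that still carries a tls-sni-01 preference.
SAMPLES = {
    "brick9.com.conf": "version = 0.22.2\n[renewalparams]\nauthenticator = apache\ninstaller = apache\n",
    "www.brick9.com.conf": "version = 0.22.2\n[renewalparams]\ninstaller = apache\nauthenticator = apache\n",
    "old.example.conf": "version = 0.22.2\n[renewalparams]\nauthenticator = apache\npref_challs = tls-sni-01,\n",
}
# Names per certificate as printed by `certbot certificates` in post #7
# (the third entry is constructed).
NAMES = {
    "brick9.com.conf": ["brick9.com", "www.brick9.com"],
    "www.brick9.com.conf": ["www.brick9.com"],
    "old.example.conf": ["old.example"],
}

def renewal_params(text):
    """Return the [renewalparams] section of a renewal file as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    # Renewal files begin with keys outside any section; give them a dummy header.
    cp.read_string("[top]\n" + text)
    return dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}

def audit(confs):
    """Map file name -> (authenticator, still_prefers_tls_sni_01)."""
    report = {}
    for name, text in confs.items():
        params = renewal_params(text)
        challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
        report[name] = (params.get("authenticator"), "tls-sni-01" in challs)
    return report

def overlapping_names(names):
    """Return hostnames that appear on more than one certificate."""
    seen = defaultdict(list)
    for conf, hosts in names.items():
        for host in hosts:
            seen[host].append(conf)
    return {h: sorted(c) for h, c in seen.items() if len(c) > 1}

if __name__ == "__main__":
    for conf, (auth, sni) in audit(SAMPLES).items():
        print(f"{conf}: authenticator={auth} tls-sni-01 preferred={sni}")
    print("names on several certificates:", overlapping_names(NAMES))
```

To run it against a live host, replace `SAMPLES` with the contents of the files under /etc/letsencrypt/renewal/ and `NAMES` with the domains listed by certbot certificates.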