The client lacks sufficient authorization during Certbot renewal


#1

Hi!

My domain is: https://biokinet.belozersky.msu.ru/

I ran this command:
/root/certbot-auto renew --pre-hook "systemctl stop apache2" --post-hook "apache2ctl stop && systemctl start apache2"

Eventually the problem is:
Failed authorization procedure. biokinet.belozersky.msu.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://biokinet.belozersky.msu.ru/.well-known/acme-challenge/Uuw_5KuQjBlyc52RwfnRTt6kqYoCpJCi-iTQjNov9KM: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:

  Domain: biokinet.belozersky.msu.ru
  Type:   unauthorized
  Detail: Invalid response from
  http://biokinet.belozersky.msu.ru/.well-known/acme-challenge/Uuw_5KuQjBlyc52RwfnRTt6kqYoCpJCi-iTQjNov9KM:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
  2.0//EN">\n<html><head>\n<title>403
  Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

Indeed:
cat /var/log/apache2/access_log | grep Uuw_5KuQjBlyc52RwfnRTt6kqYoCpJCi-iTQjNov9KM
66.133.109.36 - - [05/Dec/2018:18:36:53 +0300] "GET /.well-known/acme-challenge/Uuw_5KuQjBlyc52RwfnRTt6kqYoCpJCi-iTQjNov9KM HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

At the same time, I did renew the certificate manually from a different computer.

This is probably an Apache misconfiguration. Please suggest a workaround.

Thank you.
Dmitry

My web server is (include version):
Server version: Apache/2.4.10 (Linux/SUSE)
Server built:   2016-07-18 16:42:09.000000000 +0000
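The grep above only finds one token. As an added example (not part of the original post), this script scans an Apache combined-format access log for every ACME http-01 validation request that did not get a 200, so a 403 like the one above is caught before the next renewal; the log lines, tokens and client addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: report ACME http-01 validation fetches in an
# Apache access log that were not answered with 200. Assumes the combined log
# format shown above (request path in field 7, status code in field 9).

# Constructed sample log lines (tokens and client addresses are made up).
sample_log() {
cat <<'EOF'
66.133.109.36 - - [05/Dec/2018:18:36:53 +0300] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
10.0.0.5 - - [05/Dec/2018:18:37:10 +0300] "GET /index.php HTTP/1.1" 200 4231 "-" "curl/7.60.0"
66.133.109.36 - - [05/Dec/2018:18:40:02 +0300] "GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [05/Dec/2018:18:41:00 +0300] "GET /.well-known/acme-challenge/TOKEN-C HTTP/1.1" 404 - "-" "Mozilla/5.0"
EOF
}

# Read log lines on stdin; print "<status> <token>" for each challenge fetch
# that did not succeed (403 from a deny rule, 404 from a rewrite to index.php, ...).
acme_failures() {
    awk '$7 ~ /^\/\.well-known\/acme-challenge\// && $9 != 200 {
            n = split($7, part, "/"); print $9, part[n]
         }'
}

# Count failed challenge fetches in the log file given as $1. Exits non-zero
# when any exist, so it can serve as a guard in a certbot --pre-hook.
acme_failure_count() {
    count=$(acme_failures < "$1" | wc -l | tr -d ' ')
    echo "$count"
    [ "$count" -eq 0 ]
}

# Demo against the constructed sample; a real run would read
# /var/log/apache2/access_log instead.
sample_log | acme_failures
```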


#2

The issue is that when Let’s Encrypt tries to validate the challenge file located at http://biokinet.belozersky.msu.ru/.well-known/acme-challenge/Uuw_5KuQjBlyc52RwfnRTt6kqYoCpJCi-iTQjNov9KM, your web server is returning a 403 Forbidden page instead of the file contents. There could be any number of reasons, but it is 100% related to your apache configurations. Could you post these? I’m more familiar with nginx myself, but there are a lot of people here who are very familiar with apache and would be able to help you fix the config issues.


#3

Jared, thank you for the response.

My httpd.conf has standard contents:
Include /etc/apache2/uid.conf
Include /etc/apache2/server-tuning.conf
ErrorLog /var/log/apache2/error_log
Include /etc/apache2/sysconfig.d/loadmodule.conf
Include /etc/apache2/listen.conf
Include /etc/apache2/mod_log_config.conf
Include /etc/apache2/sysconfig.d/global.conf
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
Include /etc/apache2/mod_usertrack.conf
Include /etc/apache2/mod_autoindex-defaults.conf
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf
Include /etc/apache2/errors.conf
Include /etc/apache2/ssl-global.conf
# Default for the whole filesystem: nothing is served unless a more specific
# <Directory> or vhost block allows it.
<Directory />
   Options None
   AllowOverride None
   Order deny,allow
   Deny from all
</Directory>
AccessFileName .htaccess
# Never serve .htaccess / .htpasswd files themselves.
<Files ~ "^\.ht">
   Order allow,deny
   Deny from all
</Files>
DirectoryIndex index.html index.html.var
Include /etc/apache2/default-server.conf
Include /etc/apache2/sysconfig.d/include.conf
IncludeOptional /etc/apache2/vhosts.d/*.conf

The additional .htaccess file looks like this:
# Block direct requests for source, config and VCS files (Drupal default).
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)">
 Order allow,deny
</FilesMatch>
Options -Indexes
Options +FollowSymLinks
ErrorDocument 404 /index.php
<Files favicon.ico>
 ErrorDocument 404 "The requested file favicon.ico was not found."
</Files>
DirectoryIndex index.php
<IfModule mod_php4.c>
 php_value magic_quotes_gpc                0
 php_value register_globals                0
 php_value session.auto_start              0
 php_value mbstring.http_input             pass
 php_value mbstring.http_output            pass
 php_value mbstring.encoding_translation   0
</IfModule>
<IfModule sapi_apache2.c>
 php_value magic_quotes_gpc                0
 php_value register_globals                0
 php_value session.auto_start              0
 php_value mbstring.http_input             pass
 php_value mbstring.http_output            pass
 php_value mbstring.encoding_translation   0
</IfModule>
<IfModule mod_php5.c>
 php_value magic_quotes_gpc                0
 php_value register_globals                0
 php_value session.auto_start              0
 php_value mbstring.http_input             pass
 php_value mbstring.http_output            pass
 php_value mbstring.encoding_translation   0
</IfModule>
<IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A1209600
 <FilesMatch .php$>
   ExpiresActive Off
 </FilesMatch>
</IfModule>
<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteBase /
 # Any request that is not an existing file or directory is handed to index.php.
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_URI} !=/favicon.ico
 RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>
AddType application/octet-stream .pze
AddType application/octet-stream .ze
AddType application/octet-stream .fasta

Thank you for your help


#4

Hi @genesup

Now it looks good. Your /.well-known/acme-challenge sends a 404 if the file is unknown.

And there is a new certificate, created today:

CN=biokinet.belozersky.msu.ru - 05.12.2018 - 05.03.2019 biokinet.belozersky.msu.ru - 1 entry