The client lacks sufficient authorization :: Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/

My domain is:
cloud.versus-alternative.ch
erp.versus-alternative.ch
planning.versus-alternative.ch
planning.versus-alternative.com
planning2016.versus-alternative.ch
planning2017.versus-alternative.ch
planning2018.versus-alternative.ch
planning2018.versus-alternative.com
pointage.versus-alternative.ch
pointage2017.versus-alternative.ch

I ran this command:
sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf


Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for cloud.versus-alternative.ch

http-01 challenge for erp.versus-alternative.ch

http-01 challenge for planning.versus-alternative.ch

http-01 challenge for planning.versus-alternative.com

http-01 challenge for planning2016.versus-alternative.ch

http-01 challenge for planning2017.versus-alternative.ch

http-01 challenge for planning2018.versus-alternative.ch

http-01 challenge for planning2018.versus-alternative.com

http-01 challenge for pointage.versus-alternative.ch

http-01 challenge for pointage2017.versus-alternative.ch

http-01 challenge for www.planning2016.versus-alternative.ch

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (cloud.versus-alternative.ch) from /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf produced an unexpected error: Failed authorization procedure. erp.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/R7UqrzEBtff7y6yRdPzsNIy0GVvTxUsCWJrYexgvvhE [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning.versus-alternative.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning.versus-alternative.com/.well-known/acme-challenge/HrRTwJJhhDSMnzzqn00QLQWbIRKyMwb5nKIYUo32iCA [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", cloud.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.versus-alternative.ch/.well-known/acme-challenge/H4qMyHlYu762yKA_m2PFTgjJEn2gxIBdB_2PXHTJnng [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2018.versus-alternative.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2018.versus-alternative.com/.well-known/acme-challenge/xp9hDQ74rfK8rMrGwkOpBv83URykZcGpbPQM-T_V1kw [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization ::
Invalid response from http://planning.versus-alternative.ch/.well-known/acme-challenge/RAbcv_WDNd_91D4EH4viUgYG6SWfxYBMJAo0HdOLU1U [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2017.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2017.versus-alternative.ch/.well-known/acme-challenge/hP1fXi_lRHu4Iny-z0B4NLIvXgfvlcBVdybIw-Cw5y8 [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2018.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2018.versus-alternative.ch/.well-known/acme-challenge/YluzvbD6F6rLPEFi7uoIiSJ20Egh8tAdiaaRXgLFmZE [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", pointage.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/k2qGTz8KJRfefDQfLfuWTt263QpFb_U_CshwICxDs2U [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cloud.versus-alternative.ch/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cloud.versus-alternative.ch/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: erp.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://erp.versus-alternative.ch/.well-known/acme-challenge/R7UqrzEBtff7y6yRdPzsNIy0GVvTxUsCWJrYexgvvhE

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning.versus-alternative.com

Type: unauthorized

Detail: Invalid response from

http://planning.versus-alternative.com/.well-known/acme-challenge/HrRTwJJhhDSMnzzqn00QLQWbIRKyMwb5nKIYUo32iCA

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: cloud.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://cloud.versus-alternative.ch/.well-known/acme-challenge/H4qMyHlYu762yKA_m2PFTgjJEn2gxIBdB_2PXHTJnng

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2018.versus-alternative.com

Type: unauthorized

Detail: Invalid response from

http://planning2018.versus-alternative.com/.well-known/acme-challenge/xp9hDQ74rfK8rMrGwkOpBv83URykZcGpbPQM-T_V1kw

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning.versus-alternative.ch/.well-known/acme-challenge/RAbcv_WDNd_91D4EH4viUgYG6SWfxYBMJAo0HdOLU1U

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2017.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning2017.versus-alternative.ch/.well-known/acme-challenge/hP1fXi_lRHu4Iny-z0B4NLIvXgfvlcBVdybIw-Cw5y8

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2018.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning2018.versus-alternative.ch/.well-known/acme-challenge/YluzvbD6F6rLPEFi7uoIiSJ20Egh8tAdiaaRXgLFmZE

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: pointage.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://erp.versus-alternative.ch/.well-known/acme-challenge/k2qGTz8KJRfefDQfLfuWTt263QpFb_U_CshwICxDs2U

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

My web server is (include version):
apache 2.4.7

The operating system my web server runs on is (include version):
ubuntu 14.04

My hosting provider, if applicable, is:
self hosted on a dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

More information:
I have been using Certbot for a couple of months. It was all good until I received the email stating that TLS-SNI-01 won’t be supported anymore. So I followed this tutorial: How to stop using TLS-SNI-01 with Certbot and the dry run was successful. So I thought I was all good. But then my certificates all expired today, so I uninstalled certbot (sudo certbot delete), and re-installed it (sudo certbot --apache). The install was successful (all certificates are generated, all my websites are accessible through https://). But then I try to run sudo certbot renew --dry-run to make sure this time they will renew properly, and I get the console log that you find up there.

So I have been looking around to fix the issue. I made sure http://cloud.versus-alternative.ch/.well-known/acme-challenge/ is accessible through the web by creating a test file: http://cloud.versus-alternative.ch/.well-known/acme-challenge/test and indeed it works. I’ve made sure my DNS entries for these domain names are pointing to the right IP v4 address, and they are. So I’m a bit lost. Where can this problem come from?

Thanks a lot for any help

Hi @marcvander,

This can happen because --apache doesn't use your existing .well-known/acme-challenge directory, but creates its own temporary one (basically to deal with cases where the web server does something other than serve static files from directories on disk, like when it passes all requests through to some kind of web app). In some cases, Certbot can fail to reconfigure Apache correctly, so Certbot's temporary .well-known/acme-challenge is not used.

Certbot 0.31.0 includes a fix that's improved this situation for many users, so one option might be to upgrade to a newer Certbot (you could also do this using our certbot-auto autoinstaller script); another option is to switch the authenticator to webroot with -a webroot for these certificates, and then specify the corresponding location of your document root for each domain. (In that case, Certbot will do something more like what you expected—it will write the challenge files as text files under your existing document root directories.)


Hey @schoen,

thanks so much for the answer.

So here is what I have done:

I uninstalled certbot by running:
sudo certbot delete

Then I made a clean of all folders:
rm -rf ~/.local/share/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/log/letsencrypt
rm -rf /var/lib/letsencrypt

Then I downloaded certbot-auto and launched it:
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --apache

All certificates are installed properly, and my websites are accessible via https://

I checked my version of certbot:
sudo ./certbot-auto --version
OUTPUT -> certbot 0.32.0

Now I tried to run:
sudo certbot renew --dry-run
To test if the renewal would work this time, but still I get the same errors:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf


Attempting to parse the version 0.32.0 renewal configuration file found at /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf with version 0.28.0 of Certbot. This might not work.

Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for cloud.versus-alternative.ch

http-01 challenge for erp.versus-alternative.ch

http-01 challenge for planning.versus-alternative.ch

http-01 challenge for planning.versus-alternative.com

http-01 challenge for planning2016.versus-alternative.ch

http-01 challenge for planning2017.versus-alternative.ch

http-01 challenge for planning2018.versus-alternative.ch

http-01 challenge for planning2018.versus-alternative.com

http-01 challenge for pointage.versus-alternative.ch

http-01 challenge for pointage2017.versus-alternative.ch

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (cloud.versus-alternative.ch) from /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf produced an unexpected error: Failed authorization procedure. planning.versus-alternative.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning.versus-alternative.com/.well-known/acme-challenge/z4_8xX6MBW_nB2-35-xlSjLMenmm3w6MdmiVXr9ENyU [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning.versus-alternative.ch/.well-known/acme-challenge/9KfOI_fkvvOjg9J-1GuZ29I-3LVgiOsElhSHU8pkpsw [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", erp.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/8ssdwyWJt_sC_Ve-kCI_brrbWJjI8OjH3jY7ely9eis [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2018.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2018.versus-alternative.ch/.well-known/acme-challenge/wf133fKZY4BKeZBrjDJQE4m8BpVbWtIzgQaV1ACSRyY [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", pointage.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization ::
Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/5K3_QGDDDSf06AybhnjpSsPiz_gzRzZ4aT8yKs9L6-c [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2018.versus-alternative.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2018.versus-alternative.com/.well-known/acme-challenge/6K2Wj45kqo7P___rvIZT-yVFXj0O0jie7IieG24oL_w [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", cloud.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.versus-alternative.ch/.well-known/acme-challenge/49_dkFWvfuIi_85tESxODtuFc23lAjZDEU_LmPI_am0 [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2017.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2017.versus-alternative.ch/.well-known/acme-challenge/tx7rU0HiSSWvmw-biO3v93SWKcHtKQupDrmSt3N5CnM [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cloud.versus-alternative.ch/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cloud.versus-alternative.ch/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: planning.versus-alternative.com

Type: unauthorized

Detail: Invalid response from

http://planning.versus-alternative.com/.well-known/acme-challenge/z4_8xX6MBW_nB2-35-xlSjLMenmm3w6MdmiVXr9ENyU

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning.versus-alternative.ch/.well-known/acme-challenge/9KfOI_fkvvOjg9J-1GuZ29I-3LVgiOsElhSHU8pkpsw

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: erp.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://erp.versus-alternative.ch/.well-known/acme-challenge/8ssdwyWJt_sC_Ve-kCI_brrbWJjI8OjH3jY7ely9eis

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2018.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning2018.versus-alternative.ch/.well-known/acme-challenge/wf133fKZY4BKeZBrjDJQE4m8BpVbWtIzgQaV1ACSRyY

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: pointage.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://erp.versus-alternative.ch/.well-known/acme-challenge/5K3_QGDDDSf06AybhnjpSsPiz_gzRzZ4aT8yKs9L6-c

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2018.versus-alternative.com

Type: unauthorized

Detail: Invalid response from

http://planning2018.versus-alternative.com/.well-known/acme-challenge/6K2Wj45kqo7P___rvIZT-yVFXj0O0jie7IieG24oL_w

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: cloud.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://cloud.versus-alternative.ch/.well-known/acme-challenge/49_dkFWvfuIi_85tESxODtuFc23lAjZDEU_LmPI_am0

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2017.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning2017.versus-alternative.ch/.well-known/acme-challenge/tx7rU0HiSSWvmw-biO3v93SWKcHtKQupDrmSt3N5CnM

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

Any other ideas?

I will try that tomorrow:

@schoen, I have tried your last option with webroot right now actually.

I ran ./certbot-auto --authenticator webroot --installer apache

And then I specified for each domain where the root folder is (/var/www/FolderOfTheWebsite)

And then I get this log in the console:

Waiting for verification…
Challenge failed for domain cloud.versus-alternative.ch
Challenge failed for domain erp.versus-alternative.ch
Challenge failed for domain planning.versus-alternative.ch
Challenge failed for domain planning.versus-alternative.com
Challenge failed for domain planning2016.versus-alternative.ch
Challenge failed for domain planning2017.versus-alternative.ch
Challenge failed for domain planning2018.versus-alternative.ch
Challenge failed for domain planning2018.versus-alternative.com
Challenge failed for domain pointage.versus-alternative.ch
Challenge failed for domain pointage2017.versus-alternative.ch
http-01 challenge for cloud.versus-alternative.ch
http-01 challenge for erp.versus-alternative.ch
http-01 challenge for planning.versus-alternative.ch
http-01 challenge for planning.versus-alternative.com
http-01 challenge for planning2016.versus-alternative.ch
http-01 challenge for planning2017.versus-alternative.ch
http-01 challenge for planning2018.versus-alternative.ch
http-01 challenge for planning2018.versus-alternative.com
http-01 challenge for pointage.versus-alternative.ch
http-01 challenge for pointage2017.versus-alternative.ch
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Hi @marcvander

your main configuration is ok, port 80 is open - oh, what's that?

Checked your domain, but there is a new certificate, created today ( https://check-your-website.server-daten.de/?q=cloud.versus-alternative.ch ):

CN=cloud.versus-alternative.ch
	12.03.2019
	10.06.2019
expires in 90 days	cloud.versus-alternative.ch, 
erp.versus-alternative.ch, planning.versus-alternative.ch, 
planning.versus-alternative.com, planning2016.versus-alternative.ch, 
planning2017.versus-alternative.ch, planning2018.versus-alternative.ch, 
planning2018.versus-alternative.com, pointage.versus-alternative.ch, 
pointage2017.versus-alternative.ch - 10 entries

Hey @JuergenAuer,

thanks for your reply :)

But I don’t understand what you are trying to tell me. Are you showing me that I have successfully created new certificates today? If so, that is true, generation of certificates worked, and my websites are accessible through https. But the issue is when I run sudo certbot renew --dry-run -> I want to check if the renewal will be good in 90 days, but it gives me the error I displayed above, so I’d like to find where it comes from to avoid interruption of my websites through https in 90 days

The Certbot PPA has version 0.31.0 now. Can you upgrade your packages and see if it works?

Why do you have two Certbot installations, both certbot-auto and the packages?
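
The failure lines posted in this thread, and the version warning that prompted the question about two installations, can be read mechanically. The following is an added example, not code from the thread or from Certbot: a small Python parser that splits a "Failed authorization procedure" line per name, flags names whose reported URL is on a different host, and extracts the renewal-file version warning. The sample input is constructed (example.org names, placeholder tokens, a documentation IP address), and the note labels are names chosen for this example.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Failure = namedtuple("Failure", "domain challenge error url ip body")

# One entry of the "Failed authorization procedure." line:
#   <name> (<challenge>): urn:ietf:params:acme:error:<type> :: <text> ::
#   Invalid response from <url> [<ip>]: "<start of the response body>"
# The body contains double quotes itself, so the closing quote is the one
# followed by the next entry or by the end of the sentence.
ENTRY = re.compile(
    r'(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): '
    r'urn:ietf:params:acme:error:(?P<error>\w+) :: .*? ::\s+'
    r'Invalid response from\s+(?P<url>\S+) \[(?P<ip>[^\]]+)\]: '
    r'"(?P<body>.*?)"(?=, [\w.-]+ \([\w-]+\): urn:|\.\s|\.?$)',
    re.DOTALL,
)

# Warning printed when the client that is running differs from the one
# that wrote the renewal file (two Certbot installations on one machine).
VERSION_WARNING = re.compile(
    r"parse the version (?P<conf>[\d.]+) renewal configuration file found at "
    r"\S+ with version (?P<running>[\d.]+) of Certbot"
)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_failures(text):
    """Return one Failure per name listed in the certbot output."""
    return [Failure(**m.groupdict()) for m in ENTRY.finditer(text)]


def diagnose(failure):
    """Return short labels (chosen for this example) describing one failure."""
    notes = []
    parts = urlsplit(failure.url)
    host = parts.hostname or ""
    if host != failure.domain.lower():
        # The reported URL is on another name: the request for this name
        # did not stay on its own virtual host (for example a redirect).
        notes.append("validated-at-other-host:" + host)
    if not parts.path.startswith(CHALLENGE_PREFIX):
        notes.append("unexpected-path")
    if "404 Not Found" in failure.body:
        # The web server answered, but not with the challenge file.
        notes.append("challenge-file-not-served")
    return notes


def version_mismatch(text):
    """Return (renewal_file_version, running_version) if they differ."""
    m = VERSION_WARNING.search(text)
    if m and m.group("conf") != m.group("running"):
        return m.group("conf"), m.group("running")
    return None


def report(text):
    """Map each failed name to its list of labels."""
    return {f.domain: diagnose(f) for f in parse_failures(text)}


# --- constructed sample input in the format shown in this thread ---
BODY = (r'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
        r'<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p')


def sample_entry(name, host, token):
    return (f"{name} (http-01): urn:ietf:params:acme:error:unauthorized :: "
            "The client lacks sufficient authorization :: Invalid response from "
            f'http://{host}/.well-known/acme-challenge/{token} [203.0.113.10]: "{BODY}"')


SAMPLE = (
    "Attempting to parse the version 0.32.0 renewal configuration file found at "
    "/etc/letsencrypt/renewal/a.example.org.conf with version 0.28.0 of Certbot. "
    "This might not work.\n"
    "Attempting to renew cert (a.example.org) from "
    "/etc/letsencrypt/renewal/a.example.org.conf produced an unexpected error: "
    "Failed authorization procedure. "
    + ", ".join([
        sample_entry("a.example.org", "a.example.org", "TOKEN-1"),
        sample_entry("b.example.org", "a.example.org", "TOKEN-2"),
        sample_entry("c.example.net", "c.example.net", "TOKEN-3"),
    ])
    + ". Skipping."
)

if __name__ == "__main__":
    print("version mismatch:", version_mismatch(SAMPLE))
    for name, notes in report(SAMPLE).items():
        print(name, notes)
```
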

@mnordhoff, thanks for your reply.

So I again deleted everything:
sudo certbot delete
rm -rf ~/.local/share/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/log/letsencrypt
rm -rf /var/lib/letsencrypt

And I ran sudo apt-get install certbot python-certbot-apache to update certbot packages. Afterwards I checked my certbot version, it is 0.31.0

So I launched sudo certbot --apache. It is successful, my certificates are deployed, and my websites are accessible through https.

But then again, I tried the dry run to test renewal, and I get the same error again:

root@ns3267680:~# sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf


Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for cloud.versus-alternative.ch

http-01 challenge for erp.versus-alternative.ch

http-01 challenge for planning.versus-alternative.ch

http-01 challenge for planning.versus-alternative.com

http-01 challenge for planning2016.versus-alternative.ch

http-01 challenge for planning2017.versus-alternative.ch

http-01 challenge for planning2018.versus-alternative.ch

http-01 challenge for planning2018.versus-alternative.com

http-01 challenge for pointage.versus-alternative.ch

http-01 challenge for pointage2017.versus-alternative.ch

Waiting for verification...

Cleaning up challenges

Attempting to renew cert (cloud.versus-alternative.ch) from /etc/letsencrypt/renewal/cloud.versus-alternative.ch.conf produced an unexpected error: Failed authorization procedure. planning2017.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2017.versus-alternative.ch/.well-known/acme-challenge/Dr7kkkWJmX8Mgvvs38qEw6hVmxb9ZC3h6mJBnG7Se_8 [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning.versus-alternative.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning.versus-alternative.com/.well-known/acme-challenge/UGBixn14NwNAxzEP4tCQqeE4YCxywfkkBrWa_r1gYJg [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning.versus-alternative.ch/.well-known/acme-challenge/0IlYfJqQcBxi7VLPFg2bpYsINJ_sQl-toH7WXUJ1mTQ [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", erp.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/8MWXrl0-s3lKSKtRYnJLk8FRlEXOEzPTprRUiWzsIQU [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", cloud.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 
http://cloud.versus-alternative.ch/.well-known/acme-challenge/Vmr45pvpCCkV8EWHlY51C_MOpF9DF3iTs-bMeUlvHxI [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2018.versus-alternative.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2018.versus-alternative.com/.well-known/acme-challenge/XMNKpqIrnrouEYkGI3KuFAf647T3MhX-9zPHx9UD16o [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", pointage.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://erp.versus-alternative.ch/.well-known/acme-challenge/mEUsNzggzq_wcFYZQccomfiIIcULF528LWofKeTfNyk [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", planning2018.versus-alternative.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://planning2018.versus-alternative.ch/.well-known/acme-challenge/wWbGlfQm15zuUOtFOsYDLpLlRRp8b3-hYdhMOVURRXk [37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cloud.versus-alternative.ch/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cloud.versus-alternative.ch/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: planning2017.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning2017.versus-alternative.ch/.well-known/acme-challenge/Dr7kkkWJmX8Mgvvs38qEw6hVmxb9ZC3h6mJBnG7Se_8

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning.versus-alternative.com

Type: unauthorized

Detail: Invalid response from

http://planning.versus-alternative.com/.well-known/acme-challenge/UGBixn14NwNAxzEP4tCQqeE4YCxywfkkBrWa_r1gYJg

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning.versus-alternative.ch/.well-known/acme-challenge/0IlYfJqQcBxi7VLPFg2bpYsINJ_sQl-toH7WXUJ1mTQ

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: erp.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://erp.versus-alternative.ch/.well-known/acme-challenge/8MWXrl0-s3lKSKtRYnJLk8FRlEXOEzPTprRUiWzsIQU

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: cloud.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://cloud.versus-alternative.ch/.well-known/acme-challenge/Vmr45pvpCCkV8EWHlY51C_MOpF9DF3iTs-bMeUlvHxI

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2018.versus-alternative.com

Type: unauthorized

Detail: Invalid response from

http://planning2018.versus-alternative.com/.well-known/acme-challenge/XMNKpqIrnrouEYkGI3KuFAf647T3MhX-9zPHx9UD16o

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: pointage.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://erp.versus-alternative.ch/.well-known/acme-challenge/mEUsNzggzq_wcFYZQccomfiIIcULF528LWofKeTfNyk

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: planning2018.versus-alternative.ch

Type: unauthorized

Detail: Invalid response from

http://planning2018.versus-alternative.ch/.well-known/acme-challenge/wWbGlfQm15zuUOtFOsYDLpLlRRp8b3-hYdhMOVURRXk

[37.59.54.183]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

But maybe this will help: I got an email from noreply@letsencrypt.org:

Hello,

Action may be required to prevent your Let's Encrypt certificate renewals from
breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 3 days. Below is a list of names and IP addresses
validated (max of one per account):

cloud.versus-alternative.ch (37.59.54.183) on 2019-03-11

TLS-SNI-01 validation has reached end-of-life. It stopped working permanently
on March 13th, 2019. Any certificates issued before then will continue to work
for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) or your certificate renewals will break and
existing certificates will start to expire.

If you'd like to test whether your system is still working, you can run
against staging: Staging Environment - Let's Encrypt

If you're a Certbot user, you can find more information here:

Our forum has many threads on this topic. Please search to see if your question
has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life, please see our API
announcement:

Thank you,
Let's Encrypt Staff

So this is maybe what is causing my error (since ACME TLS-SNI-01 has reached end of life, that's why I cannot renew properly).

So I followed what's here: How to stop using TLS-SNI-01 with Certbot

And afterwards I ran a dry run, and still I'm getting the same issue ...
@schoen

Did you run "sudo apt-get upgrade" or maybe "sudo apt-get dist-upgrade"?

If you run "dpkg -l '*certbot*'", are all of Certbot’s packages up-to-date?

What does "sudo apachectl -t -D DUMP_VHOSTS" show?


@joohoi, do you think this could be a genuine case of 0.31.0 not completing a challenge successfully with --apache?

@mnordhoff, to update certbot to 0.31.0 I ran: sudo apt-get install certbot python-certbot-apache

So I followed your advice and I ran: sudo apt-get upgrade to upgrade all my packages.

And then sudo certbot renew --dry-run

And this time it worked, the dry run was successful!!! So maybe the issue came from another package that certbot was dependent on? Anyway it worked. Thanks for all the help guys!

@schoen No need to push that case further :)
