The client lacks sufficient authorization :: Invalid response from

As the output says, I am unable to renew certificates on my server. I am having difficulty understanding what may be the problem and how to resolve it.

My domain is: sudhirkhanger.com

I ran this command: sudo certbot renew

It produced this output:

Attempting to renew cert (sudhirkhanger.com) from /etc/letsencrypt/renewal/sudhirkhanger.com.conf produced an unexpected error: Failed authorization procedure. sudhirkhanger.com (http-01): urn:ietf:params:acme:
error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sudhirkhanger.com/.well-known/acme-challenge/X9mXBPjIvtGRlDAy_oSBdUhZwQGch4qZjS__eo6WOXE: "<!DOCTYPE html>\n<html
lang=\"en-US\" class=\"no-js no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=devi", www.sudhirkhanger.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client la
cks sufficient authorization :: Invalid response from http://www.sudhirkhanger.com/.well-known/acme-challenge/v9bg2x1iwuid3r-rJ-CE0pyZE20E6wTboxZ3XegFf5c: "<!DOCTYPE html>\n<html lang=\"en-US\" class=\"no-js no
-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=devi". Skipping.

My web server is (include version): httpd-2.4.6-88.el7.centos.x86_64

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.30.2

VirtualHost file

    $ cat 000-default-vhost.conf
        <VirtualHost *:80>
                ServerAdmin MY-EMAIL
                ServerName sudhirkhanger.com
                ServerAlias www.sudhirkhanger.com
                DocumentRoot /var/www/sudhirkhanger.com/public_html
                ErrorLog logs/sudhirkhanger.com-wp-error.log
                CustomLog logs/sudhirkhanger-wp-access.log combined
                
                <Directory /var/www/sudhirkhanger.com/public_html>
                Options FollowSymLinks Indexes
                AllowOverride All 
        </Directory>
        </VirtualHost>

<VirtualHost *:443>
    ServerAdmin MY-EMAIL
    ServerName sudhirkhanger.com
    ServerAlias www.sudhirkhanger.com
    DocumentRoot /var/www/sudhirkhanger.com/public_html
    ErrorLog logs/sudhirkhanger.com-wp-error.log
    CustomLog logs/sudhirkhanger.com-wp-access.log combined
    
    <Directory /var/www/sudhirkhanger.com/public_html>
                Options FollowSymLinks Indexes
                AllowOverride All 
        </Directory>
    
    SSLEngine on 
    SSLCertificateFile /etc/letsencrypt/live/sudhirkhanger.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sudhirkhanger.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sudhirkhanger.com/chain.pem
 </VirtualHost>

httpaccess file

$ cat .htaccess
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Hi @sudhirkhanger

checked your configuration via https://check-your-website.server-daten.de/?q=sudhirkhanger.com there is a problem:

Perhaps you have used tls-sni-01 - validation, this is deprecated. Then Certbot switches to another validation, that doesn't work.

But checking /.well-known/acme-challenge, there is a ConnectionClosed. Is there a blocking firewall or something else?

Ah - thanks sharing your config files. There is your webroot. Then use that.

certbot run -a webroot -i apache -w /var/www/sudhirkhanger.com/public_html -d sudhirkhanger.com -d www.sudhirkhanger.com

But before: The url

http://sudhirkhanger.com/.well-known/acme-challenge/1234

should answer with a http status 404 - Not Found.

What was the rest of Certbot’s output?

Looks like it had worked ( https://check-your-website.server-daten.de/?q=sudhirkhanger.com )

CN=sudhirkhanger.com
	16.02.2019
	17.05.2019
expires in 90 days	sudhirkhanger.com, www.sudhirkhanger.com - 2 entries

A new LE-certificate.

Yes, thanks for your help. It indeed worked.

I suppose I can continue using sudo certbot renew in future or will I have to use the command you mentioned above.

Also I see two more new files inside the /etc/httpd/vhost.d folder. I had only created 000-default-vhost.conf.

000-default-vhost.conf
000-default-vhost-le-ssl.conf
zxy-000-default-vhost.conf

Are 000-default-vhost-le-ssl.conf and zxy-000-default-vhost.conf created and maintained by certbot.

Check the config file of that domain.

/etc/letsencrypt/renewal

There should be webroot used. So certbot renew uses your last running command.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.