The client lacks sufficient authorization :: Invalid response from

As the output says, I am unable to renew certificates on my server. I am having difficulty understanding what may be the problem and how to resolve it.

My domain is: sudhirkhanger.com

I ran this command: sudo certbot renew

It produced this output:

    Attempting to renew cert (sudhirkhanger.com) from /etc/letsencrypt/renewal/sudhirkhanger.com.conf produced an unexpected error: Failed authorization procedure. sudhirkhanger.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sudhirkhanger.com/.well-known/acme-challenge/X9mXBPjIvtGRlDAy_oSBdUhZwQGch4qZjS__eo6WOXE: "<!DOCTYPE html>\n<html lang=\"en-US\" class=\"no-js no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=devi", www.sudhirkhanger.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sudhirkhanger.com/.well-known/acme-challenge/v9bg2x1iwuid3r-rJ-CE0pyZE20E6wTboxZ3XegFf5c: "<!DOCTYPE html>\n<html lang=\"en-US\" class=\"no-js no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=devi". Skipping.

My web server is (include version): httpd-2.4.6-88.el7.centos.x86_64

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.30.2

VirtualHost file

    $ cat 000-default-vhost.conf
    <VirtualHost *:80>
        ServerAdmin MY-EMAIL
        ServerName sudhirkhanger.com
        ServerAlias www.sudhirkhanger.com
        DocumentRoot /var/www/sudhirkhanger.com/public_html
        ErrorLog logs/sudhirkhanger.com-wp-error.log
        CustomLog logs/sudhirkhanger-wp-access.log combined

        <Directory /var/www/sudhirkhanger.com/public_html>
            Options FollowSymLinks Indexes
            AllowOverride All
        </Directory>
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin MY-EMAIL
        ServerName sudhirkhanger.com
        ServerAlias www.sudhirkhanger.com
        DocumentRoot /var/www/sudhirkhanger.com/public_html
        ErrorLog logs/sudhirkhanger.com-wp-error.log
        CustomLog logs/sudhirkhanger.com-wp-access.log combined

        <Directory /var/www/sudhirkhanger.com/public_html>
            Options FollowSymLinks Indexes
            AllowOverride All
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sudhirkhanger.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sudhirkhanger.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sudhirkhanger.com/chain.pem
    </VirtualHost>

httpaccess file

    $ cat .htaccess
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

Hi @sudhirkhanger

I checked your configuration via https://check-your-website.server-daten.de/?q=sudhirkhanger.com and there is a problem:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://sudhirkhanger.com/ 144.217.88.166 | 301 | https://sudhirkhanger.com/ | 0.656 | A |
| http://www.sudhirkhanger.com/ 144.217.88.166 | 301 | https://sudhirkhanger.com/ | 0.640 | E |
| https://sudhirkhanger.com/ 144.217.88.166 | -9 | | 0.390 | N |
| TrustFailure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure. | | | | |
| https://www.sudhirkhanger.com/ 144.217.88.166 | -9 | | 0.394 | N |
| TrustFailure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure. | | | | |
| http://www.sudhirkhanger.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 144.217.88.166 | 301 | http://sudhirkhanger.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.656 | D |
| http://sudhirkhanger.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 144.217.88.166 | -8 | | 0.810 | W |
| ConnectionClosed - The request was aborted: The connection was closed unexpectedly. | | | | |

Perhaps you have used tls-sni-01 validation; this is deprecated. Then Certbot switches to another validation, which doesn't work.

But checking /.well-known/acme-challenge, there is a ConnectionClosed. Is there a blocking firewall or something else?

Ah - thanks for sharing your config files. There is your webroot. Then use that.

    certbot run -a webroot -i apache -w /var/www/sudhirkhanger.com/public_html -d sudhirkhanger.com -d www.sudhirkhanger.com

But before that: the URL

http://sudhirkhanger.com/.well-known/acme-challenge/1234

should answer with an HTTP status 404 - Not Found.

What was the rest of Certbot’s output?

1 Like

Looks like it had worked ( https://check-your-website.server-daten.de/?q=sudhirkhanger.com )

    CN=sudhirkhanger.com | 16.02.2019 | 17.05.2019 | expires in 90 days | sudhirkhanger.com, www.sudhirkhanger.com - 2 entries

A new LE-certificate.

1 Like

Yes, thanks for your help. It indeed worked.

I suppose I can continue using sudo certbot renew in future, or will I have to use the command you mentioned above?

Also I see two more new files inside the /etc/httpd/vhost.d folder. I had only created 000-default-vhost.conf.

000-default-vhost.conf
000-default-vhost-le-ssl.conf
zxy-000-default-vhost.conf

Are 000-default-vhost-le-ssl.conf and zxy-000-default-vhost.conf created and maintained by certbot?

1 Like

Check the config file of that domain.

/etc/letsencrypt/renewal

There should be webroot used. So certbot renew uses your last running command.

2 Likes
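
The check suggested in the last reply, as an added example that is not part of the original thread: it reads a renewal config and confirms that `certbot renew` will use the webroot authenticator with webroot directories that exist. It assumes certbot's renewal file layout (an `authenticator` key under `[renewalparams]` and a nested `[[webroot_map]]` section); the function names, `example.com` and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example: does this renewal config make "certbot renew" use webroot?

# Value of "authenticator" under [renewalparams].
renewal_authenticator() {
    awk -F' *= *' '
        /^\[/ { section = $0; next }
        section == "[renewalparams]" && $1 == "authenticator" { print $2; exit }
    ' "$1"
}

# "domain webroot" pairs from the nested [[webroot_map]] section.
renewal_webroots() {
    awk -F' *= *' '
        /^\[/ { section = $0; next }
        section == "[[webroot_map]]" && NF == 2 { print $1, $2 }
    ' "$1"
}

# Succeeds only if renewals use webroot and every mapped directory exists.
renew_uses_webroot() {
    [ "$(renewal_authenticator "$1")" = "webroot" ] || {
        echo "authenticator is not webroot" >&2; return 1; }
    maps=$(renewal_webroots "$1")
    [ -n "$maps" ] || { echo "no [[webroot_map]] entries" >&2; return 1; }
    echo "$maps" | while read -r domain dir; do
        [ -d "$dir" ] || { echo "$domain: no such webroot $dir" >&2; exit 1; }
    done
}

# Constructed sample config (example.com and the temp paths are placeholders).
make_sample_conf() {   # $1 = output file, $2 = authenticator, $3 = webroot dir
    cat > "$1" <<EOF
version = 0.30.2
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = $2
installer = apache
[[webroot_map]]
example.com = $3
www.example.com = $3
EOF
}

tmp=$(mktemp -d) && mkdir "$tmp/public_html"
make_sample_conf "$tmp/example.com.conf" webroot "$tmp/public_html"
renewal_webroots "$tmp/example.com.conf"
renew_uses_webroot "$tmp/example.com.conf" && echo "certbot renew will use webroot"
rm -rf "$tmp"
```

On the server from this thread the file to pass would be /etc/letsencrypt/renewal/sudhirkhanger.com.conf, read as root.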
