The client lacks sufficient authorization :: Invalid response


#1

Hi

I installed Apache today and ran sudo certbot --apache -d… after I already had certbot working for -standalone. With that I ran into some problems like a new certificate folder “/etc/letsencrypt/live/epikur.duckdns.org-0001” (and then 0002 on the next try after deleting 0001). I “solved” the problem by purging apache and certbot and re-installing them. As far as I can tell the next attempt with sudo certbot --apache -d… was successul, but the renew dryrun immediately afterwards produced the following error:

My domain is: epikur.duckdns.org

I ran this command: sudo certbot renew --dry-run

It produced this output:
Processing /etc/letsencrypt/renewal/epikur.duckdns.org.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for epikur.duckdns.org
http-01 challenge for vipa.duckdns.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (epikur.duckdns.org) from /etc/letsencrypt/renewal/epikur.duckdns.org.conf produced an unexpected error: Failed authorization procedure. epikur.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://epikur.duckdns.org/.well-known/acme-challenge/ATYh6x0lgiZpZb9lVi_MwQbgjFagBB1FRZjI4DlQU58: “\n\n404 Not Found\n\n

Not Found

\n<p”, vipa.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://vipa.duckdns.org/.well-known/acme-challenge/TqD1Oqt63ymv3jHEMhn9_diP2uW8elC7XcD_y_VuDPw: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/epikur.duckdns.org/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/epikur.duckdns.org/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu Server 18.04 (with Mate Desktop)

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I went through the suggested similar topics but haven’t found a solution yet (e.g. placing an OK file in acme-challenge to see if that works; it does). I hope someone has an idea?


#2

Can you please check if all the above domain get a corresponding virtual host in your Apache configuration? (Instead of a default virtual host with unknow names?)

Thank you


#3

Thank you for the reply, but I’m not sure I understand, sorry. But if I do, I added the second domain as an alias:

epikur.duckdns.org.conf
<VirtualHost *:80>

    ServerAdmin admin@epikur

    ServerName epikur.duckdns.org

    ServerAlias vipa.duckdns.org

    DocumentRoot /var/www/epikur.duckdns.org/html

    ErrorLog ${APACHE_LOG_DIR}/error.log

    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =epikur.duckdns.org [OR]
RewriteCond %{SERVER_NAME} =vipa.duckdns.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#4

Well I did a complete purge again and now it works, I will never know what happened, but at least it works.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.