The client lacks sufficient authorization - renew not working

Hello,

My certbot has worked fine for several months and suddenly it stopped renewing the certificate.
No idea what's wrong.
Please, your advice.

J C

My domain is: track1.conexait.com

I ran this command: certbot renew --dry-run
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/track1.conexait.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for track1.conexait.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (track1.conexait.com) from /etc/letsencrypt/renewal/track1.conexait.com.conf produced an unexpected error: Failed authorization procedure. track1.conexait.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://track1.conexait.com/.well-known/acme-challenge/HSCYfncNJ01zCmlXez-o7jleFHkXfeqI-GYOWNA2t-Y [209.240.97.170]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/track1.conexait.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/track1.conexait.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): ubuntu 18.04.5 LTS (Bionic Beaver)

The operating system my web server runs on is (include version): PHP

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0


My current certificate is valid until 19 Dec.

Please help

JC

I forgot to mention that I did not use any sudo user. I used root.
Don't know if it is important.

That's your operating system.

PHP is a scripting language, not an operating system (nor a webserver).

Most users use Apache or nginx as their webserver. Which webserver are you using?


Sorry, my webserver is Apache.

OK, great, thanks.

Furthermore, this came across my eye:

You're using the manual authenticator. Did certbot ask you to put certain files at certain places? I'm not seeing that from your output. Perhaps you're using a manual-auth-hook?

If you're not entering the details of the challenges manually, could you please share the contents of /etc/letsencrypt/renewal/track1.conexait.com.conf? It doesn't contain sensitive info. Please put the output between two separate lines with three backticks (```).

Really not sure what I did. I ran a script and all worked fine for several months until now.

Here is the track1.conexait.com.conf output:

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/track1.conexait.com
cert = /etc/letsencrypt/live/track1.conexait.com/cert.pem
privkey = /etc/letsencrypt/live/track1.conexait.com/privkey.pem
chain = /etc/letsencrypt/live/track1.conexait.com/chain.pem
fullchain = /etc/letsencrypt/live/track1.conexait.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 7d99b1a35422a64bc29c24a7d2380af4
must_staple = True
pref_challs = http-01,
authenticator = manual
manual_auth_hook = /opt/webinoly/lib/ex-ssl-authentication
manual_cleanup_hook = /opt/webinoly/lib/ex-ssl-cleanup
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
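Added example (not from the thread, certbot or Webinoly): a small shell helper that reads a renewal .conf like the one above and reports how `certbot renew` will try to prove control of the domain. It only looks at the keys that appear in the posted conf; the file path, the constructed test conf and the hook paths used in the usage comment are assumptions, not taken from JC's server.

```bash
#!/usr/bin/env bash
# Added example, not part of certbot or Webinoly: read a certbot renewal
# .conf and report how the next "certbot renew" will try to prove control
# of the domain. Only the keys that appear in the thread's conf are used.

# Print the value of one key from the [renewalparams] section
# (empty output if the key is absent or lives outside that section).
renewal_param() {
    local conf="$1" key="$2"
    awk -v key="$key" -F' *= *' '
        /^\[renewalparams\]/ { in_section = 1; next }
        /^\[/                { in_section = 0 }
        in_section && $1 == key { print $2; exit }
    ' "$conf"
}

# Classify the renewal path. The nginx/webroot plugins place the token
# themselves; "manual" renews unattended only if an auth hook is present
# and executable, otherwise certbot expects a human at the keyboard.
renewal_mode() {
    local conf="$1" auth hook
    auth=$(renewal_param "$conf" authenticator)
    hook=$(renewal_param "$conf" manual_auth_hook)
    case "$auth" in
        manual)
            if [ -z "$hook" ]; then
                echo "manual-interactive"
            elif [ -x "$hook" ]; then
                echo "manual-hook:$hook"
            else
                echo "manual-hook-missing:$hook"
            fi ;;
        "") echo "unknown" ;;
        *)  echo "plugin:$auth" ;;
    esac
}

# Usage (path assumed): renewal_mode /etc/letsencrypt/renewal/track1.conexait.com.conf
```

On the conf posted above this would report `manual-hook:/opt/webinoly/lib/ex-ssl-authentication` if that script is still present and executable, which is the first thing worth confirming when a manual-hook renewal starts failing: certbot will not fall back to the nginx plugin on its own, it just runs whatever hook the conf names.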

OK, just as I thought, you're using a manual auth hook. What's that "webinoly"? I've never heard of it. Any idea where those scripts come from? How did you get the certificate in the first place? No offence, but it doesn't sound like you manually configured certbot, otherwise you probably would know how to debug this issue a little bit better.

Ok, interesting:

Linux Ubuntu + Nginx + MariaDB (MySQL) + PHP is one of the most reliable and powerful configurations to host your websites. With Webinoly you can set up your web server in just one step.
(https://github.com/QROkes/webinoly)

It says Webinoly uses Nginx. A simple curl command indeed shows your webserver identifying itself as "nginx". That's not Apache as you said earlier? I'm confused right now.

Sorry. As you realized, I am not a tech guy.
So it is nginx.

Could you also please try to answer the questions from earlier?:

I think it's quite important to know how your setup came to be..

Sure.
I followed these steps (from the command line):

add-apt-repository ppa:certbot/certbot
apt install python-certbot-nginx

Use webinoly script with this command:
wget -qO weby qrok.es/wy && sudo bash weby 3
site track1.conexait.com -proxy=[localhost:8082]

Install SSL with
site track1.conexait.com -ssl=on -root-path=/opt/traccar/web

Verifying nginx installation with
sudo nginx -t

No errors, so next step reload nginx with
systemctl reload nginx

That's all.

Is:

still correct?

It looks like the Webinoly scripts use that stored path to write the challenge token to. If that root path has changed, you probably would like to update it. The script doesn't seem to have an update option, but perhaps you can turn SSL off and on again with the site command and -ssl=off and then repeat your previous command used to enable it, but now with the updated root.
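Added example (not Webinoly's ex-ssl-authentication/ex-ssl-cleanup scripts, and not from the thread): the shape of an http-01 manual-auth-hook pair for certbot, together with the check Let's Encrypt performs, so the "Invalid response ... 404" above can be reproduced locally. certbot really does export CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION to the hooks; the WEBROOT default, the hook.sh file name and the constructed token/validation values in the comments are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Webinoly's ex-ssl-authentication/ex-ssl-cleanup scripts:
# the shape of an http-01 manual-auth-hook pair for certbot, plus the check
# Let's Encrypt performs, so a 404 like the one in the thread can be
# reproduced locally. certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and
# CERTBOT_VALIDATION to the hooks; WEBROOT is this example's assumption.

# Auth hook: write the key authorization where the validation server looks.
# Prints the path written so the operator (and the cleanup hook, which sees
# the auth hook's stdout as CERTBOT_AUTH_OUTPUT) can tell where it landed.
acme_publish() {
    local webroot="$1" token="$2" validation="$3"
    local dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$validation" > "$dir/$token"
    echo "$dir/$token"
}

# Cleanup hook: remove the token again once validation is done.
acme_cleanup() {
    local webroot="$1" token="$2"
    rm -f "$webroot/.well-known/acme-challenge/$token"
}

# Read back what the webserver would serve from the given document root.
# The challenge fails with "Invalid response ... 404" when the hook writes
# into a directory that is not the root the running vhost actually serves.
acme_token_matches() {
    local webroot="$1" token="$2" validation="$3"
    local f="$webroot/.well-known/acme-challenge/$token"
    [ -f "$f" ] && [ "$(cat "$f")" = "$validation" ]
}

# Over-the-wire version of the same check, as the CA does it (needs network).
acme_selfcheck() {
    local domain="$1" token="$2" validation="$3"
    [ "$(curl -fsS "http://$domain/.well-known/acme-challenge/$token")" = "$validation" ]
}

# Entry points when certbot runs this file as the hooks, e.g.
#   certbot renew --manual-auth-hook "/path/to/hook.sh auth" \
#                 --manual-cleanup-hook "/path/to/hook.sh cleanup"
WEBROOT="${WEBROOT:-/opt/traccar/web}"   # assumption: the site's -root-path
case "${1:-}" in
    auth)
        acme_publish "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
        acme_selfcheck "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" \
            || echo "warning: token not reachable at http://$CERTBOT_DOMAIN" >&2
        ;;
    cleanup)
        acme_cleanup "$WEBROOT" "$CERTBOT_TOKEN"
        ;;
esac
```

The self-check inside the auth hook is the part a stock hook usually lacks: if the token is not fetchable over plain HTTP on port 80 for that host (wrong root, a redirect that drops the path, a vhost that only answers on 443), the renewal will fail at the CA anyway, so failing loudly at hook time is cheaper than discovering it in the renew log. Note that the hook runs as whatever user runs certbot (root, in this thread), so the document root it writes into must be readable by the nginx worker user.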

No, root path has not changed.

So what would be the next step?

I'm not sure, but as you've used the site command to enable SSL on your site (which uses certbot internally), perhaps using that script for renewal works better. The script should recognise the renew command if I read the code correctly:

site track1.conexait.com -ssl=renew -root-path=/opt/traccar/web

No, it just activated SSL but does not renew the certificate.

root@track1:~# site track1.conexait.com -ssl=renew -root-path=/opt/traccar/web
[ERROR] Invalid value for SSL command!
root@track1:~# site track1.conexait.com -ssl=on -root-path=/opt/traccar/web
SSL is already enabled for your site - track1.conexait.com

Please show the version of certbot in use:
certbot --version

[to be 100% sure]

Perhaps you can turn it off and on again with:

site track1.conexait.com -ssl=off
site track1.conexait.com -ssl=on -root-path=/opt/traccar/web

However, I would only use that as a last resort, i.e., when you don't get it working before the 19th.


Here is the version

certbot 0.31.0


Thanks, Osiris, you gave me the clue.
I specified the path, searched, and found this command: -ssl=force-renewal

Complete command:
site track1.conexait.com -ssl=force-renewal -root-path=/opt/traccar/web

and now my cert is renewed.

Thanks a lot for your help
