The client lacks sufficient authorization


#1

I have been trying to figure out how to add https to my site using certbot. I am very green to Linux commands and procedures.

I can place a test file in my well-known directory.
http://www.nonewbs.com/.well-known/acme-challenge/test

My domain is: nonewbs.com

I ran this command: sudo certbot --nginx -d nonewbs.com -d www.nonewbs.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nonewbs.com
http-01 challenge for www.nonewbs.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nonewbs.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nonewbs.com/.well-known/acme-challenge/d8gUt5B7aMasMuVEy_kiJo3KJQjuI8y_5-LGgc1vyh8: "\n\n404 Not Found\n\nNot Found\n\n<p", www.nonewbs.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.nonewbs.com/.well-known/acme-challenge/7dL25Ve_tJV2uK86VYyVeRtNmYc9fTsYAv-IJ_hYqbs: "\n\n404 Not Found\n\nNot Found\n\n<p"

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.4.6 (Ubuntu)

Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 18 2018 15:36:26

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: AWS / google domains

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @nonewbsdotcom

Checking your output:

Non-www is redirected to www.


D:\temp>download http://nonewbs.com/.well-known/acme-challenge/test -h
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Length: 262
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 15 Oct 2018 21:42:56 GMT
Location: http://www.nonewbs.com/.well-known/acme-challenge/test
Server: Apache

Status: 301 MovedPermanently

311,18 milliseconds
0,31 seconds


But your output has no redirect.

Checking www:


D:\temp>download http://www.nonewbs.com/.well-known/acme-challenge/test -h
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
Content-Length: 4
Date: Mon, 15 Oct 2018 21:43:04 GMT
ETag: "4-5783d61480000"
Last-Modified: Mon, 15 Oct 2018 05:05:04 GMT
Server: Apache

Status: 200 OK

317,31 milliseconds
0,32 seconds

But: there is an Apache, not nginx. So certbot may try to create a new nginx instance or something else.

Please try

sudo certbot --apache -d nonewbs.com -d www.nonewbs.com

#3

sudo certbot --apache -d nonewbs.com -d www.nonewbs.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nonewbs.com
http-01 challenge for www.nonewbs.com
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2023, in _reload
util.run_script(self.constant("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 126, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2125, in perform
self.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2013, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2041, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2023, in _reload
util.run_script(self.constant("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs-1
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2150, in cleanup
self.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2013, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2041, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


#4

There is already an Apache running. Or something else.

Or your certbot is too old. Check it with the --version option.

Test it with the webroot option, so that you use the running instance.


#5

Now you have two correct certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:nonewbs.com&lu=cert_search

So this part works. Please use these - and don’t delete them and recreate them.

There is a rate limit:


#6

It looks like I was able to get the certificates but my site is still showing as unsecured.


#7

You have a self signed certificate.

Which command did you use?


#8

I tried using the webroot command

certbot --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

certbot certonly --webroot

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
and "--help plugins" for more information.)
root@ip-172-31-4-216:~# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): nonewbs.com www.nonewbs.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nonewbs.com
http-01 challenge for www.nonewbs.com
Input the webroot for nonewbs.com: (Enter 'c' to cancel): /opt/bitnami/apps/mybb/htdocs

Select the webroot for www.nonewbs.com:


1: Enter a new webroot
2: /opt/bitnami/apps/mybb/htdocs


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/nonewbs.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/nonewbs.com/privkey.pem
    Your cert will expire on 2019-01-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#9

If you use the certonly command, there is no installation. So you have to install the certificate manually. But then a lot of errors are possible.

Perhaps try certbot again (only one time!). Or first use the test system. It has its own limits, and the certificate isn't valid (the issuer isn't valid). But if the test certificate works (and is installed), you can use the configuration.

certbot --webroot -w [yourWebroot] -d nonewbs.com -d www.nonewbs.com --test-cert -i apache

If that works, you can remove the --test-cert option to get one correct certificate. But it's possible that certbot doesn't understand your configuration.


#10

It didn't like me trying to replace a live cert with a test cert.
I tried it a few different ways.

certbot --webroot -d nonewbs.com -d www.nonewbs.com --test-cert -i apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/nonewbs.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.nonewbs.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)


1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | nonewbs.com | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Rolling back to previous server configuration...
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2023, in _reload
util.run_script(self.constant("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/client.py", line 507, in deploy_certificate
self.installer.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2013, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2041, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2023, in _reload
util.run_script(self.constant("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs-1
File "/usr/lib/python3/dist-packages/certbot/client.py", line 607, in _rollback_and_restart
self.installer.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2013, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2041, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/server-config with details
    about your configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/nonewbs.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/nonewbs.com/privkey.pem
    Your cert will expire on 2019-01-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

root@ip-172-31-4-216:~# certbot --webroot -d nonewbs.com -d www.nonewbs.com --test-cert -i apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/nonewbs.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.nonewbs.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)


1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | nonewbs.com | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
The selected vhost would conflict with other HTTPS VirtualHosts within Apache. Please select another vhost or add ServerNames to your configuration.
VirtualHost not able to be selected.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/nonewbs.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/nonewbs.com/privkey.pem
    Your cert will expire on 2019-01-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

root@ip-172-31-4-216:~#

#11

The option you selected is good, because you can test only the install part and you can use your existing certificate.

There are a lot of Google results: a hanging process. Restart your complete server, or try to find the process, kill it and start your Apache.

Sample:
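The checks from post #2 (what the validation server sees at the challenge URL, including the non-www redirect) and from post #4 and this reply (which process is bound to port 80 or 443 when apache2ctl fails with "Address already in use"), as an added example script that is not part of the thread. It assumes curl and ss (iproute2) are installed; the host and webroot arguments are placeholders you supply.

```shell
#!/bin/sh
# Pre-flight checks for a Let's Encrypt http-01 challenge (added example, not
# from the thread). Assumes curl and ss are installed.

# Given one HTTP response header block (as `curl -sI` prints it, CR stripped),
# report what the CA would see: "ok", "redirect <url>", "notfound" or "other".
classify_response() {
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
    case "$status" in
        200) echo ok ;;
        301|302|307|308)
            loc=$(printf '%s\n' "$1" | grep -i '^Location:' | head -n 1 | awk '{print $2}')
            echo "redirect ${loc:-?}" ;;
        404) echo notfound ;;
        *) echo "other ${status:-?}" ;;
    esac
}

# Given `ss -ltnp` output and a TCP port, print "<process> pid=<n>" for the
# first listener on that port (matches the full ":<port>" suffix, so 8080 does
# not match 80). Empty output means nothing is bound there.
port_owner() {
    printf '%s\n' "$1" | awk -v p=":$2" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s); sub(/",pid=/, " pid=", s)
                print s
            } else print "unknown"
        }'
}

# Place a probe file in <webroot>/.well-known/acme-challenge and confirm that
# fetching it over plain HTTP (following redirects) returns its content.
check_webroot() {   # $1 = webroot, $2 = host
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$(date +%s)"    # constructed probe name, not an ACME token
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -sL --max-redirs 3 "http://$2/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Usage: sh acme-preflight.sh <webroot> <host>
# e.g.   sh acme-preflight.sh /opt/bitnami/apps/mybb/htdocs www.example.test
if [ "$#" -eq 2 ]; then
    ss_out=$(ss -ltnp 2>/dev/null)
    for port in 80 443; do
        echo "port $port: $(port_owner "$ss_out" "$port")"
    done
    hdrs=$(curl -sI "http://$2/.well-known/acme-challenge/probe" | tr -d '\r')
    echo "challenge URL on $2: $(classify_response "$hdrs")"
    if check_webroot "$1" "$2"; then echo "webroot is served: OK"
    else echo "webroot is NOT served from $1"; fi
fi
```

If port 80 is owned by a different server than the one certbot was told to configure (nginx vs. apache2 here), or by a leftover process, that is the mismatch the replies above describe.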


#12

I got rid of the first error complaining about port 80 already being in use. Now I am getting one regarding 443. I haven't had as much luck fixing this one. Once I get this fixed I will try to re-run certbot and report back.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443


#13

I was able to get the cert set up and I now get a green icon in the address bar, but now my site doesn't load.
"You don't have permission to access / on this server.

Apache/2.4.7 (Ubuntu) Server at www.nonewbs.com Port 443"


#14

Your port 443 works now. The certificate is correct, valid from 2018-10-15. So this part is done.

But now I see the raw PHP code, not the content.


#15

Thank you for the assistance in getting the certificate set up! I am still working on trying to figure out why it is not displaying the content.

