Trouble renewing certbot certificate (error 401)


#1

Hi,
I'm trying to renew my certificates but I got a failure (check below).
I did it once (25/05) without a problem with the same command, but today it doesn’t work. :slightly_frowning_face:

I haven’t made any changes to Apache or BIND since the last renewal.

The folder .well-known/acme-challenge doesn’t exist.
If I create it and add a file text.txt, I can reach it with my browser.
If I launch the renew command after creating the folder, it doesn’t work either.

My domains are: notgoodbutcrazy.eu and notgoodbutcrazy.info

I ran this command: ./certbot-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/notgoodbutcrazy.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for notgoodbutcrazy.eu
http-01 challenge for www.notgoodbutcrazy.eu
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (notgoodbutcrazy.eu) from /etc/letsencrypt/renewal/notgoodbutcrazy.eu.conf produced an unexpected error: Failed authorization procedure. www.notgoodbutcrazy.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.notgoodbutcrazy.eu/.well-known/acme-challenge/lF748k7mM3GByciYQ8GDKfkWSMZLHNHtTsxRBMlqkXQ [178.33.248.105]: 401, notgoodbutcrazy.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://notgoodbutcrazy.eu/.well-known/acme-challenge/m4vuycBfHq8MqE8DnI9HJZnqAPO6DJBniTKcEuBm6Wg [178.33.248.105]: 401. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/notgoodbutcrazy.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arma3.notgoodbutcrazy.info
http-01 challenge for b3ech.notgoodbutcrazy.info
http-01 challenge for cod4.notgoodbutcrazy.info
http-01 challenge for notgoodbutcrazy.info
http-01 challenge for panel.notgoodbutcrazy.info
http-01 challenge for www.notgoodbutcrazy.info
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (notgoodbutcrazy.info) from /etc/letsencrypt/renewal/notgoodbutcrazy.info.conf produced an unexpected error: Failed authorization procedure. b3ech.notgoodbutcrazy.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://b3ech.notgoodbutcrazy.info/.well-known/acme-challenge/jcGlHbh19PDlgUx8wRd_2UcgQoVD12p4v5r8ro2ZMdM [178.33.248.105]: 401, arma3.notgoodbutcrazy.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://arma3.notgoodbutcrazy.info/.well-known/acme-challenge/mfyH9V6kswX_PGm-TcfZnzHq1BF6GDbMhhbkwrYUpSw [178.33.248.105]: 401, panel.notgoodbutcrazy.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://panel.notgoodbutcrazy.info/.well-known/acme-challenge/oWrpZtJdfXNUsIJyBj4er9ivExecNLoyUkP0d0b_2Y8 [178.33.248.105]: 401, www.notgoodbutcrazy.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.notgoodbutcrazy.info/.well-known/acme-challenge/Em6oskyVqUiWgQnkEc4uNURiuZHfEjgrqYClnj4pc4I [178.33.248.105]: 401, cod4.notgoodbutcrazy.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cod4.notgoodbutcrazy.info/.well-known/acme-challenge/0hkX6hUPWq79sBCeJamBKRlWLrxua40Tq6nb2ZjdVaw [178.33.248.105]: 401, notgoodbutcrazy.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://notgoodbutcrazy.info/.well-known/acme-challenge/EACu-V37jYMh7qtF9WqTYWyNBf6xt_VqWK1RdXOKgEY [178.33.248.105]: 401. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/notgoodbutcrazy.eu/fullchain.pem (failure)
  /etc/letsencrypt/live/notgoodbutcrazy.info/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/notgoodbutcrazy.eu/fullchain.pem (failure)
  /etc/letsencrypt/live/notgoodbutcrazy.info/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: b3ech.notgoodbutcrazy.info
   Type:   unauthorized
   Detail: Invalid response from
   http://b3ech.notgoodbutcrazy.info/.well-known/acme-challenge/jcGlHbh19PDlgUx8wRd_2UcgQoVD12p4v5r8ro2ZMdM
   [178.33.248.105]: 401

   Domain: arma3.notgoodbutcrazy.info
   Type:   unauthorized
   Detail: Invalid response from
   http://arma3.notgoodbutcrazy.info/.well-known/acme-challenge/mfyH9V6kswX_PGm-TcfZnzHq1BF6GDbMhhbkwrYUpSw
   [178.33.248.105]: 401

   Domain: panel.notgoodbutcrazy.info
   Type:   unauthorized
   Detail: Invalid response from
   http://panel.notgoodbutcrazy.info/.well-known/acme-challenge/oWrpZtJdfXNUsIJyBj4er9ivExecNLoyUkP0d0b_2Y8
   [178.33.248.105]: 401

   Domain: www.notgoodbutcrazy.info
   Type:   unauthorized
   Detail: Invalid response from
   http://www.notgoodbutcrazy.info/.well-known/acme-challenge/Em6oskyVqUiWgQnkEc4uNURiuZHfEjgrqYClnj4pc4I
   [178.33.248.105]: 401

   Domain: cod4.notgoodbutcrazy.info
   Type:   unauthorized
   Detail: Invalid response from
   http://cod4.notgoodbutcrazy.info/.well-known/acme-challenge/0hkX6hUPWq79sBCeJamBKRlWLrxua40Tq6nb2ZjdVaw
   [178.33.248.105]: 401

   Domain: notgoodbutcrazy.info
   Type:   unauthorized
   Detail: Invalid response from
   http://notgoodbutcrazy.info/.well-known/acme-challenge/EACu-V37jYMh7qtF9WqTYWyNBf6xt_VqWK1RdXOKgEY
   [178.33.248.105]: 401

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.notgoodbutcrazy.eu
   Type:   unauthorized
   Detail: Invalid response from
   http://www.notgoodbutcrazy.eu/.well-known/acme-challenge/lF748k7mM3GByciYQ8GDKfkWSMZLHNHtTsxRBMlqkXQ
   [178.33.248.105]: 401

   Domain: notgoodbutcrazy.eu
   Type:   unauthorized
   Detail: Invalid response from
   http://notgoodbutcrazy.eu/.well-known/acme-challenge/m4vuycBfHq8MqE8DnI9HJZnqAPO6DJBniTKcEuBm6Wg
   [178.33.248.105]: 401

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache 2.2.222

The operating system my web server runs on is (include version): Debian 7.11

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thanks in advance for your help.


#2

It looks like your server is responding with a 401 Unauthorized response to requests for files in .well-known/acme-challenge. Can you try creating a file without an extension in this directory, and also make sure you are able to access it externally?


#3

I have created files with and without an extension and I’m able to reach them:
https://www.notgoodbutcrazy.eu/.well-known/acme-challenge/text
https://www.notgoodbutcrazy.eu/.well-known/acme-challenge/test.txt


#4

Hm, I’m able to reach those as well. Are you able to see any of the 401 responses in your server logs from when Let’s Encrypt tried?


#5

Thank you @jared.m for your help. :hugs:
I didn’t think to check website logs. :roll_eyes:
The problem is solved. :sunglasses:

The problem came from the Spamhaus module for Apache, which locked the certbot IP
(it seems their IP is blacklisted :smirk: )
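
The log check suggested in post #4, as an added example that is not part of the original thread: it tallies responses to `/.well-known/acme-challenge/` requests per client and lists clients that were only ever refused (401/403) while another client was served the same directory, which points at a per-client block rather than a missing file. The function names, the Apache combined log format and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find clients refused ACME http-01 challenge files.
# The log lines below are constructed (Apache combined format,
# documentation-range IPs); they are not taken from the thread.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [01/Jan/2000:10:01:02 +0000] "GET /.well-known/acme-challenge/test.txt HTTP/1.1" 200 5 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2000:10:05:10 +0000] "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1" 401 381 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.20 - - [01/Jan/2000:10:05:11 +0000] "GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1" 401 381 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [01/Jan/2000:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2000:10:07:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "curl/7.26.0"
EOF
}

# Print "client_ip status count" for every challenge-path request.
# Reads the files given as arguments, or stdin when there are none.
acme_status_by_client() {
    awk -F'"' '
        {
            # $1 = "ip - - [date] ", $2 = request line, $3 = " status bytes "
            split($1, pre, " "); split($2, req, " "); split($3, post, " ")
            if (index(req[2], "/.well-known/acme-challenge/") == 1)
                count[pre[1] " " post[1]]++
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

# Print "client_ip refusals" for clients that only got 401/403 on the
# challenge path, provided some other client got a 200 there. With no 200
# at all the refusal is not client-specific, so nothing is printed.
blocked_clients() {
    acme_status_by_client "$@" | awk '
        $2 == 200 { ok_seen = 1; served[$1] = 1 }
        $2 == 401 || $2 == 403 { denied[$1] += $3 }
        END {
            if (!ok_seen) exit
            for (ip in denied) if (!(ip in served)) print ip, denied[ip]
        }
    ' | sort
}

sample_log | blocked_clients
```

On a live server, pass the virtual host's access log as an argument (`blocked_clients /path/to/access.log`) instead of piping the sample.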

