Type: unauthorised Detail: Invalid response from

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:onlyoffice.casajaguar.com.ar

I ran this command:certbot renew --force-renewal --tls-sni-01-port=54321 --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/onlyoffice.casajaguar.com.ar.conf


Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nube.casajaguar.com.ar
http-01 challenge for casajaguar.com.ar
http-01 challenge for cloud.casajaguar.com.ar
http-01 challenge for docs.casajaguar.com.ar
http-01 challenge for oh.casajaguar.com.ar
http-01 challenge for onlyoffice.casajaguar.com.ar
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (onlyoffice.casajaguar.com.ar) from /etc/letsencrypt/renewal/onlyoffice.casajaguar.com.ar.conf produced an unexpected error: Failed authorization procedure. oh.casajaguar.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://oh.casajaguar.com.ar/.well-known/acme-challenge/spMlVW7MtN4BJoXl9T_GnVOe6NBeuA6Dx3xp5pDNLYE [181.239.74.38]: "\n\n<html xmlns=“http”, docs.casajaguar.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://docs.casajaguar.com.ar/.well-known/acme-challenge/zasRqBqgSuH-LuQFW3849z5G1zk7qhpTanuouUXd-nM [181.239.74.38]: “\n<html lang=“en”>\n\n<meta charset=“utf-8”>\nError\n\n\n

Cannot GET /.well-known/”, casajaguar.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://casajaguar.com.ar/.well-known/acme-challenge/6PtapTS6b72XHDa67LcX9Gw2Hf9wlPJYNhJP3DVCjwQ [181.239.74.38]: "\n\n<html xmlns=“http”, cloud.casajaguar.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://cloud.casajaguar.com.ar/.well-known/acme-challenge/Oc0_MaMN0y1BTTD38K8_Ffe6Skz3iTNx2U-U3z56aVQ [181.239.74.38]: "\n<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” data-locale=“en” >\n\t<head\n data-requesttoken=“FGXY”, onlyoffice.casajaguar.com.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://onlyoffice.casajaguar.com.ar/.well-known/acme-challenge/WxDQOKma8Ozphxm3v10qxrvczSgqR2rsnZIHMkIPQnQ [181.239.74.38]: 503. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/onlyoffice.casajaguar.com.ar/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/onlyoffice.casajaguar.com.ar/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): HaProxy

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

1 Like

There should be a newer version out there.
[not critical but an upgrade is recommended]

What is the expected action by HAproxy when processing the challenge requests?
http://onlyoffice.casajaguar.com.ar/.well-known/acme-challenge/<any>

I see that in the error it shows as having been redirected to HTTPS also along the way and then fails with 503 error.

1 Like

Will update thanks.

Haproxy detects “.well-know…) tonredirect traffic to letsencrypt server.

acl letsencrypt-acl path_beg /.well-known/acme-challenge/

And has other acl for each url-server behind
In this case server was shutdown that why 503.

I had use this configuration for haproxy and letsencrypt

https://serversforhackers.com/c/letsencrypt-with-haproxy

Thanks

2 Likes

So… is everything working as you would like it?

1 Like

No…I’ve tried to explain to you my configuration.
When I try to renew certificates with certbot renew --force-renewal --tls-sni-01-port=54321
I received those Failed authorization errors.

Regards

I see two problems with that request.

  1. TLS-SNI-01 is no longer supported.
  2. Port 54321 is not within the allowed authentication ports (80, 443)

It will most likely just be ignored and use HTTP on port 80.
[which is being redirected to HTTPS on port 443]

Also those two choices are more mutually exclusive than complementing each other.
--force-renewal will force an actual renewal (even if the cert doesn’t need to be renewed) while
--dry-run tries to simulate/validate the renewal process (but doesn’t actually “do/change” anything)

I know.
I’ve tried now turning off haproxy and making the lets encrypt server listening in 80/443. I had do certbot renew —dry-run.

With this result.

  • The following errors were reported by the server:

Domain: cloud.casajaguar.com.ar
Type: unauthorized
Detail: Invalid response from
https://cloud.casajaguar.com.ar/.well-known/acme-challenge/iyF4P8Eufr5JIWldyPyGJxitIPDVbkloexpOb2-RUW0
[181.239.74.38]: “\n\n404 Not
Found\n\n

Not Found

\n<p”

Domain: oh.casajaguar.com.ar
Type: unauthorized
Detail: Invalid response from
https://oh.casajaguar.com.ar/.well-known/acme-challenge/NBostRLRWAasB9nr1J2V0cM9kEtTqMUyhuoE6CuBSEI
[181.239.74.38]: "\n\n<html
xmlns=“http”

Domain: casajaguar.com.ar
Type: unauthorized
Detail: Invalid response from
https://casajaguar.com.ar/.well-known/acme-challenge/db0XrgBOvOjFlfca_fqUENHSmAilTTTQ7VkxY2M7v88
[181.239.74.38]: "\n\n<html
xmlns=“http”

Domain: onlyoffice.casajaguar.com.ar
Type: unauthorized
Detail: Invalid response from
https://onlyoffice.casajaguar.com.ar/.well-known/acme-challenge/wytodJQX60lRZfqU2xhyTikasu5yjeKIJcveCFrlJkE
[181.239.74.38]: “\n<html
lang=“en”>\n\n<meta
charset=“utf-8”>\nError\n\n\n

Cannot
GET /.well-known/”

Domain: docs.casajaguar.com.ar
Type: unauthorized
Detail: Invalid response from
https://docs.casajaguar.com.ar/.well-known/acme-challenge/v92biGvbd8q2h-jB0i2WoZtTNxBwPUdyOxNCXz3O89c
[181.239.74.38]: “\n<html
lang=“en”>\n\n<meta
charset=“utf-8”>\nError\n\n\n

Cannot
GET /.well-known/”

Send the request to the LE standalone server.

Your system connects to LE.
When LE tries to connect back (to verify) it fails with err message:

Those inbound connections need to be handled correctly.

Do you know the argument to change the —tls-sni-01? Might be this?

I don’t know anything about your network/setup.
[your command shows a very non-standard port 54321]

I do know that TLS-SNI is NOT supported, so it will need to use HTTP.

So, do inbound HTTP(port 80) connections reach your system?

Which web service handles those conenctions?

I’m getting the impression that English is NOT your native language.
If so, or if it is in anyway easier for you to convey your thoughts otherwise, feel free to reply in your language of choice.

I’m sorry, I may have missed something there.
Does that mean that you want certbot to handle the web service(listener) on port 80?
If so, that would require using certbot with:
--standalone
[and ensuring that there is no other service already listening on port 80]

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.