Unable to get certificate due to "Invalid response" error

I’m trying to start using LetsEncrypt. In the past three years I have been using Comodo-provided SSL certs but I want to migrate to LetsEncrypt now. So my website has been using SSL for a while, but it’s the first time using LetsEncrypt. I’m trying to figure out what exactly the problem is. I know the IPs are correct because I can access my site just fine. I couldn’t find any potential errors in my DNS config either.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

andyibanez.com

I ran this command:

sudo certbot --apache -d andyibanez.com -d www.andyibanez.com

It produced this output:

Performing the following challenges:
http-01 challenge for andyibanez.com
http-01 challenge for www.andyibanez.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. andyibanez.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.andyibanez.com [45.79.163.159]: "<!DOCTYPE html>\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=u"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: andyibanez.com
   Type:   unauthorized
   Detail: Invalid response from https://www.andyibanez.com
   [45.79.163.159]: "<!DOCTYPE html>\n<html
   xmlns=\"http://www.w3.org/1999/xhtml\">\n<head>\n<meta
   http-equiv=\"Content-Type\" content=\"text/html; charset=u"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

My web server is (include version):

Server version: Apache/2.4.7 (Ubuntu)
Server built:   Apr  3 2019 18:04:25

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 14.04.6 LTS
Release: 14.04
Codename: trusty

My hosting provider, if applicable, is:

I run a VPS provided by Linode.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes and no. I use Webmin but I have been doing this from the command line.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @AndyIbanez

your non-www version has a wrong redirect to your start page ( https://check-your-website.server-daten.de/?q=andyibanez.com ):

Domainname                                                                                     | Http-Status | redirect                     | Sec.   | G
http://andyibanez.com/  192.64.119.250                                                          | 302         | https://www.andyibanez.com   | 0.367  | E
http://www.andyibanez.com/  45.79.163.159                                                       | 301         | https://www.andyibanez.com/  | 1.213  | A
https://andyibanez.com/  192.64.119.250                                                         | -14         | Timeout - The operation has timed out | 10.023 | T
https://www.andyibanez.com                                                                      | 200         |                              | 1.397  | B
https://www.andyibanez.com/  45.79.163.159                                                      | 200         |                              | 3.306  | B
http://andyibanez.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  192.64.119.250 | 302 | https://www.andyibanez.com | 0.374 | E (Visible Content: Found .)
http://www.andyibanez.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  45.79.163.159 | 404 | Not Found               | 1.080 | A

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

Your www version answers with the expected result 404 - Not Found. But your non-www version redirects to your root; that can't work.

So check if you can remove the redirect of the non-www version from /.well-known/acme-challenge to /.


Hello @JuergenAuer.

Thank you for your response. I ended up removing the redirect from andyibanez.com to www.andyibanez.com after reading your post. I’m not sure if this will have any implications in the long run, but it works for now.

Thank you again!

A redirect isn’t a problem.

But you have to use the correct version.

http://domain/folder/file -> https://domain/folder/file

not

http://domain/folder/file -> https://domain/

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

The request uri (folder and file name) shouldn’t be removed.

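The redirect rule discussed above only works for http-01 if every hop keeps the /.well-known/acme-challenge/<token> path. The following preflight check is an added example (not code from the thread, certbot or Let's Encrypt): it follows the redirect chain hop by hop the way a validator would and reports whether the path survived. The fetcher is injectable; the constructed responses mirror the two hosts in the thread, and the token is a placeholder. live_fetch is an assumed helper for running it against your own server.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def check_challenge_path(host, token, fetch, max_hops=10):
    """Follow redirects the way an http-01 validator does and report
    whether the /.well-known/acme-challenge/<token> path survives."""
    path = f"/.well-known/acme-challenge/{token}"
    url = f"http://{host}{path}"
    chain, status = [url], None
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)   # Location may be relative or absolute
        chain.append(url)
    return {"chain": chain, "status": status,
            "path_preserved": urlsplit(url).path == path}

def live_fetch(url):
    """One hop against a real server: returns (status, Location) without
    following the redirect itself, so the caller sees every hop."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            return r.status, None
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

# Constructed responses mirroring the thread (not live data): the non-www
# host redirects everything to the www start page, the www host keeps the URI.
TOKEN = "example-token"  # placeholder, not a real ACME token
PATH = f"/.well-known/acme-challenge/{TOKEN}"
CONSTRUCTED = {
    f"http://andyibanez.com{PATH}": (302, "https://www.andyibanez.com"),
    f"http://www.andyibanez.com{PATH}": (301, f"https://www.andyibanez.com{PATH}"),
    f"https://www.andyibanez.com{PATH}": (404, None),
    "https://www.andyibanez.com": (200, None),
}

def constructed_fetch(url):
    return CONSTRUCTED.get(url, (404, None))

if __name__ == "__main__":
    for host in ("andyibanez.com", "www.andyibanez.com"):
        print(host, check_challenge_path(host, TOKEN, constructed_fetch))
```

A 200 with path_preserved False is exactly the "Invalid response" case above: the validator gets the start page instead of the token file. A 404 with the path preserved means the redirect is fine and only the token file is missing, which certbot creates during the real challenge.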

Hi @JuergenAuer. I re-added the redirections shortly after removing them, and what I did instead was to change the command:

sudo certbot --apache -d andyibanez.com -d www.andyibanez.com

To just sudo certbot --apache -d www.andyibanez.com

I think this makes more sense in my scenario because my naked domain was always redirecting to the www one, and I never use the naked domain directly. My site has been running for a while so I don’t want links on other sites to break and the like. I think this is the right solution in my case, but I’m pretty amateurish when it comes to server administration so if you think it’s wrong, let me know.

Thank you very much for your help again. Your initial post is what helped me find a good solution.


In principle, someone might explicitly type (or link to) https://andyibanez.com/ instead of http://andyibanez.com/; most browsers (although not Google Chrome) will then show a certificate mismatch error rather than following the redirect.

