Unable to obtain certificate on Ubuntu 14.04 for Apache2 server


#1

Please fill out the fields below so we can help you better.

My domain is: nathanroz.com

I ran this command: ./certbot-auto --apache

It produced this output:

Failed authorization procedure. nathanroz.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 34b78ae7be7f3c1a9fa23122fecb18d6.05f8c8062ec2e48cacdcfbab5408388f.acme.invalid from 45.27.206.127:443. Received certificate containing ''

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nathanroz.com
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    34b78ae7be7f3c1a9fa23122fecb18d6.05f8c8062ec2e48cacdcfbab5408388f.acme.invalid
    from 45.27.206.127:443. Received certificate containing ''

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My operating system is (include version): Ubuntu 14.04

My web server is (include version): Apache2

apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 15 2016 15:34:04

My hosting provider, if applicable, is: noip.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Full log output:

2016-08-06 22:57:27,587:DEBUG:certbot.main:Root logging level set at 30
2016-08-06 22:57:27,587:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-08-06 22:57:27,587:DEBUG:certbot.main:certbot version: 0.8.1
2016-08-06 22:57:27,587:DEBUG:certbot.main:Arguments: []
2016-08-06 22:57:27,587:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-08-06 22:57:27,589:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2016-08-06 22:57:27,873:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f7549534250>
Prep: True
2016-08-06 22:57:27,873:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x7f7549534250> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x7f7549534250>
2016-08-06 22:57:36,680:DEBUG:certbot.main:Picked account: <Account(709cd481da1a4a1954ddafe6c7d062c4)>
2016-08-06 22:57:36,964:INFO:certbot.auth_handler:Performing the following challenges:
2016-08-06 22:57:36,964:INFO:certbot.auth_handler:tls-sni-01 challenge for nathanroz.com
2016-08-06 22:57:37,211:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2016-08-06 22:57:37,212:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:

<VirtualHost *:443>
ServerName 4c63015bcc516d0b225b4eb4cc71bcf5.7f8b9c8d7e0a7dc828978c4d2a7e4098.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/YmoB98VGdUJ-dA1x-wmX4UeVcEoW4-sPH6SpYZOizqE.crt
SSLCertificateKeyFile /var/lib/letsencrypt/YmoB98VGdUJ-dA1x-wmX4UeVcEoW4-sPH6SpYZOizqE.pem

DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/

2016-08-06 22:57:37,223:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf


#3

If you create a plain text file in your webroot/.well-known/acme-challenge/test, can you then reach it in a browser at nathanroz.com/.well-known/acme-challenge/test?


#4

Thanks for the reply.

It would appear not. I made the path and put a test file in there with some text in it. The path was not there to start. I’m unable to hit this in a browser.

root@UbuntuOwnCloud:/var/www/html/.well-known/acme-challenge# ls -al
total 12
drwxr-xr-x 2 root root 4096 Aug 7 09:22 .
drwxr-xr-x 3 root root 4096 Aug 7 09:21 ..
-rw-r--r-- 1 root root 9 Aug 7 09:22 test


#5

Going from the name on your prompt: is this an instance of owncloud? If so, then the default location isn’t in /var/www/html.

What is the directory location as defined in your Apache config?


#6

Ubuntu VM on VirtualBox running on a Windows 10 host. Yes, the primary purpose of the install is to host an OwnCloud instance.

You’re 100% correct, /var/www/owncloud is the default path. My apologies, I’m far from an expert.

I created the path and put a test file there:

root@UbuntuOwnCloud:/var/www/owncloud/.well-known/acme-challenge# ls -al
total 12
drwxr-xr-x 2 root root 4096 Aug 7 11:03 .
drwxr-xr-x 3 root root 4096 Aug 7 11:03 ..
-rw-r--r-- 1 root root 10 Aug 7 11:03 test

I’m still unable to open this location from a web browser.
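
Added example, not part of the original thread: one way to answer the question in #5, by reading the DocumentRoot out of the vhost block that names the domain instead of assuming /var/www/html. The function names and the sample vhost file are constructed for illustration; on a live server, `apache2ctl -S` shows which config file defines each vhost.

```shell
#!/bin/sh
# Added example. The vhost layout below is constructed, not the poster's config.

# Print the DocumentRoot of the first <VirtualHost> block in file $1 whose
# ServerName or ServerAlias equals domain $2. Returns 1 if no block names it
# (Apache would then fall back to the first vhost on that address).
docroot_for() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        tolower($1) ~ /^<virtualhost/ { in_vh = 1; root = ""; hit = 0; next }
        tolower($1) == "</virtualhost>" {
            if (hit && root != "") { print root; found = 1; exit }
            in_vh = 0; next
        }
        in_vh && tolower($1) == "documentroot" { root = $2; gsub(/"/, "", root) }
        in_vh && (tolower($1) == "servername" || tolower($1) == "serveralias") {
            for (i = 2; i <= NF; i++) if (tolower($i) == want) hit = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Directory where the .well-known test file must live for domain $2.
challenge_dir() {
    root=$(docroot_for "$1" "$2") || return 1
    printf '%s/.well-known/acme-challenge\n' "${root%/}"
}

# Constructed sample: a default site plus a named ownCloud site.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName nathanroz.com
    # DocumentRoot /var/www/old
    DocumentRoot "/var/www/owncloud/"
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

conf=$(make_sample_conf)
echo "test file belongs in: $(challenge_dir "$conf" nathanroz.com)"
rm -f "$conf"
```

If the file is in the right directory and still cannot be fetched, the remaining things to check are outside Apache's vhost config, such as whether the public IP actually reaches this machine.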

