Unauthorized Access


#1

My domain is:
dev.welaunch.io

I ran this command:
certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dev.welaunch.io.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for dev.welaunch.io

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (dev.welaunch.io) from /etc/letsencrypt/renewal/dev.welaunch.io.conf produced an unexpected error: Failed authorization procedure. dev.welaunch.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://dev.welaunch.io/.well-known/acme-challenge/u2Cw_J3MDk4sxZKRnUPbwPcfa1KRHRTlX4wDQRRTAw8: “<html>\r\n<head><title>401 Authorization Required</title></head>\r\n<body>\r\n<center><h1>401 Authorization Required</h1></center>\r\n<h”. Skipping.

My web server is (include version):
nginx/1.15.8

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:
Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


#2

Hi @welaunch

your server sends a http status 401, so Letsencrypt can’t check the validation file.

Same as your other domain ( https://check-your-website.server-daten.de/?q=dev.welaunch.io ):

I see redirects (that’s ok),

but in the end - a blocking 401. So check your folder permissions, the last url should send a http status 404 - Not Found.


#3

Instead of sending everything to HTTPS only to have to deal with allowing unauthenticated access there.
You could NOT forward the /.well-known/acme-challenge/ requests; and handle then in HTTP.

In any case you will have to make some sort of exception for the authentication path.
It makes the best sense to me to do that “outside” the authenticated/secure system.