Unauthorized on renew

sigithidayat · May 29, 2020, 1:29am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: optikvct.com

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/optikvct.com.conf

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/optikvct.com/fullchain.pem (failure)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: optikvct.com
Type: unauthorized
Detail: Invalid response from
https://optikvct.com/.well-known/acme-challenge/LRhjLkStl2-vmp1sLDGfThcPc_S3Ki7JFKoPp_jwSQw
[103.27.206.90]: “\n \n \n <html
lang=“en-US” data-website-id=“1” data-oe-company-name=“Optik
VCT”>\n <head”

Domain: www.optikvct.com
Type: unauthorized
Detail: Invalid response from
https://optikvct.com/.well-known/acme-challenge/yO6L15rUR8JzkHGSeAXoObcuMqYTMQSDLNSTLA5Lt-k
[103.27.206.90]: “\n \n \n <html
lang=“en-US” data-website-id=“1” data-oe-company-name=“Optik
VCT”>\n <head”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: Jagoanhosting.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

mnordhoff · May 29, 2020, 2:18am

What was the output between those lines?

Can you post the contents of /etc/letsencrypt/renewal/optikvct.com.conf?

sigithidayat · May 29, 2020, 2:56am

Is this right?
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for optikvct.com
http-01 challenge for www.optikvct.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (optikvct.com) from /etc/letsencrypt/renewal/optikvct.com.conf produced an unexpected error: Failed authorization procedure. optikvct.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://optikvct.com/.well-known/acme-challenge/LRhjLkStl2-vmp1sLDGfThcPc_S3Ki7JFKoPp_jwSQw [103.27.206.90]: "\n \n \n <html lang="en-US" data-website-id="1" data-oe-company-name="Optik VCT">\n <head", www.optikvct.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://optikvct.com/.well-known/acme-challenge/yO6L15rUR8JzkHGSeAXoObcuMqYTMQSDLNSTLA5Lt-k [103.27.206.90]: "\n \n \n <html lang="en-US" data-website-id="1" data-oe-company-name="Optik VCT">\n <head". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/optikvct.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/optikvct.com
cert = /etc/letsencrypt/live/optikvct.com/cert.pem
privkey = /etc/letsencrypt/live/optikvct.com/privkey.pem
chain = /etc/letsencrypt/live/optikvct.com/chain.pem
fullchain = /etc/letsencrypt/live/optikvct.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 492ac7f69d31fb76401b6bff0e961ca8
authenticator = webroot
webroot_path = /var/lib/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
optikvct.com = /var/lib/letsencrypt
www.optikvct.com = /var/lib/letsencrypt

mnordhoff · May 29, 2020, 3:10am

So, Certbot is configured to write the challenge files to /var/lib/letsencrypt/.well-known/acme-challenge/. Let’s Encrypt makes requests to http://optikvct.com/.well-known/acme-challenge/ and http://www.optikvct.com/.well-known/acme-challenge/, gets redirected to https://optikvct.com/.well-known/acme-challenge/ (via another intermediate redirection, for one of them), and the website responds with a 404 Not Found that seems to have been generated by Odoo.

What’s changed about the web server configuration? Where is that going wrong? Is it using a different document root? Is some configuration for /.well-known/acme-challenge/ gone?

Do the web server’s logs provide more information?

sigithidayat · June 10, 2020, 7:41pm

Hi, I have solved it by reinstalling and reconfigure from scratch because I can’t find the error. Thanks for the support.

system · July 10, 2020, 7:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.