Unauthorized response from acme.example.com

I don’t understand why certbot is attempting challenges at acme.qualitybox.us when I’m attempting to issue a certificate for na-mic.org. I control the domain qualitybox.us, so is that a configuration value somewhere in my letsencrypt account or client? The DNS for na-mic.org is correct and checks out fine at letsdebug.net.

My domain is: na-mic.org

I ran this command:
certbot certonly --cert-name labs.qualitybox.us --expand -d wiki.slicer.org,www.slicer.org,slicer.org,issues.slicer.org,wiki.na-mic.org,na-mic.org --dry-run

It produced this output:

 - The following errors were reported by the server:

   Domain: na-mic.org
   Type:   unauthorized
   Detail: Invalid response from
   https://acme.qualitybox.us/.well-known/acme-challenge/rTVqJ755XIQSr28OtsbVt9AAfFpAWcFAVWVwT-gKjfQ?redirect=yes
   [67.205.136.103]: 503

   Domain: wiki.na-mic.org
   Type:   unauthorized
   Detail: Invalid response from
   https://acme.qualitybox.us/.well-known/acme-challenge/bIQiahuBBGNeMuzCsDVTtNzvPWIeRz3I9KB2hlsCt5k?redirect=yes
   [67.205.136.103]: 503

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.14.2

The operating system my web server runs on is (include version):

Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site: No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


Hi @freephile

Checking your domain, there is such a redirect - https://check-your-website.server-daten.de/?q=na-mic.org

| Domainname | Http-Status | redirect | Sec. | G | Details |
|---|---|---|---|---|---|
| http://na-mic.org/ 138.197.225.173 | 301 | https://na-mic.org/ | 0.220 | A | Html is minified: 108,54 % |
| http://www.na-mic.org/ 198.199.121.96 | 301 | https://na-mic.org/ | 0.220 | E | Html is minified: 100,00 % |
| https://na-mic.org/ 138.197.225.173 | 301 | https://na-mic.org/wiki/Main_Page | 3.903 | N | Html is minified: 108,54 %; Certificate error: RemoteCertificateNameMismatch |
| https://www.na-mic.org/ 198.199.121.96 | 301 | https://www.na-mic.org/wiki/Main_Page | 3.940 | B | |
| https://na-mic.org/wiki/Main_Page | 200 | | 3.670 | N | GZip used - 5304 / 17024 - 68,84 %; Inline-JavaScript (∑/total): 3/4659; Inline-CSS (∑/total): 0/0; Html is minified: 163,39 %; Certificate error: RemoteCertificateNameMismatch |
| https://www.na-mic.org/wiki/Main_Page | 200 | | 4.000 | B | GZip used - 4409 / 12336 - 64,26 %; Inline-JavaScript (∑/total): 4/1865; Inline-CSS (∑/total): 0/0; Html is minified: 139,30 % |
| http://na-mic.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 138.197.225.173 | 307 | http://acme.qualitybox.us/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de?redirect=yes | 0.220 | D | Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Html is minified: 108,43 %; Visible Content: 307 Temporary Redirect nginx |
| http://www.na-mic.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 198.199.121.96 | 301 | https://na-mic.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.220 | E | Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Html is minified: 100,00 %; Visible Content: Moved Permanently The document has moved here . Apache/2.4.7 (Ubuntu) Server at na-mic.org Port 80 |

http + “/” works. But http + /.well-known/acme-challenge is redirected.

Looks like your hoster blocks (or redirects) /.well-known/acme-challenge, so your hoster blocks ACME-clients using http validation.

–> Ask your hoster or use dns-validation.

But it may be impossible to install the certificate.

PS: Sorry, one thing is missing: If you control the other domain, it’s your problem, not your hoster. Then you have a wrong redirect.

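
To see which host ends up answering an HTTP-01 validation request, the redirect chain can be traced one hop at a time. The following is an added example, not part of the original thread: `trace_challenge`, `sample_fetch` and the token are hypothetical names, and the sample responses are constructed from the results quoted above (the http to https hop on acme.qualitybox.us is an assumption).

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def fetch(url):
    """Send one GET without following redirects; return (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("GET", u.path + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_challenge(domain, token="test-token", fetch=fetch, max_hops=10):
    """Walk the redirect chain of an HTTP-01 challenge URL hop by hop."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    # Hosts other than the requested domain that received the request
    foreign = sorted({urlsplit(u).hostname for u, _ in hops} - {domain})
    return {"hops": hops, "foreign_hosts": foreign, "final_status": hops[-1][1]}

# Constructed responses modelled on the thread (the http -> https hop on
# acme.qualitybox.us is an assumption, inferred from the error URL).
_P = "/.well-known/acme-challenge/test-token"
SAMPLE = {
    "http://na-mic.org" + _P: (307, "http://acme.qualitybox.us" + _P + "?redirect=yes"),
    "http://acme.qualitybox.us" + _P + "?redirect=yes":
        (301, "https://acme.qualitybox.us" + _P + "?redirect=yes"),
    "https://acme.qualitybox.us" + _P + "?redirect=yes": (503, None),
}

def sample_fetch(url):
    """Offline stand-in for fetch() that answers from SAMPLE."""
    return SAMPLE[url]

if __name__ == "__main__":
    result = trace_challenge("na-mic.org", fetch=sample_fetch)
    for url, status in result["hops"]:
        print(status, url)
    print("served by other hosts:", result["foreign_hosts"])
```

Calling `trace_challenge("na-mic.org")` without the `fetch` argument sends real requests to the live server instead of reading the constructed sample.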

Thanks, @JuergenAuer

By using the standalone method, and turning off nginx, I was able to avoid the redirect problems and obtain my expanded certificate:

certbot certonly --standalone --cert-name labs.qualitybox.us --expand -d wiki.slicer.org,www.slicer.org,slicer.org,issues.slicer.org,wiki.ncigt.org,wiki.na-mic.org,na-mic.org --pre-hook "service nginx stop" --post-hook "service nginx start"