Unauthorized response on Azure VM

Hello,

I tried to install Mailtrain, a newsletter service, on an Azure Virtual Machine. Mailtrain uses Let's Encrypt to generate the certificates, but it returns a 503 error when it tries to retrieve that challenge data. When I log into the VM via SSH, the folder ".well-known" doesn't seem to exist.

My domain is:
lists.correlaid.org (20.52.237.161) / mailtrain.correlaid.org / sbox.mailtrain.correlaid.org

I ran this command:
I followed this installation guide for Mailtrain (Installation on fresh CentOS 7 or Ubuntu 18.04 LTS (public website secured by SSL)) until step 4.

It produced this output:

[...]
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lists.correlaid.org
http-01 challenge for mailtrain.correlaid.org
http-01 challenge for sbox.mailtrain.correlaid.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. 
lists.correlaid.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://lists.correlaid.org/.well-known/acme-challenge/_fe7XvHLyN5M-6OYNNIawJdJFd9d86hxpU1e6UqsHjU [20.52.237.161]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>503 Service Unavailable</title>\n</head><body>\n<h1>Service", sbox.mailtrain.correlaid.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://sbox.mailtrain.correlaid.org/.well-known/acme-challenge/YYqrDp5NepVHIFX-svdroKAxOKFwp5aa1eny9jHqL8M [20.52.237.161]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>503 Service Unavailable</title>\n</head><body>\n<h1>Service", mailtrain.correlaid.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mailtrain.correlaid.org/.well-known/acme-challenge/n3erbBWaF5BZCt9ePOJWgZg9kEZrik4yQIKoSBDTLJI [20.52.237.161]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>503 Service Unavailable</title>\n</head><body>\n<h1>Service"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lists.correlaid.org
   Type:   unauthorized
   Detail: Invalid response from
   https://lists.correlaid.org/.well-known/acme-challenge/_fe7XvHLyN5M-6OYNNIawJdJFd9d86hxpU1e6UqsHjU
   [20.52.237.161]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>503 Service
   Unavailable</title>\n</head><body>\n<h1>Service"

   Domain: sbox.mailtrain.correlaid.org
   Type:   unauthorized
   Detail: Invalid response from
   https://sbox.mailtrain.correlaid.org/.well-known/acme-challenge/YYqrDp5NepVHIFX-svdroKAxOKFwp5aa1eny9jHqL8M
   [20.52.237.161]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>503 Service
   Unavailable</title>\n</head><body>\n<h1>Service"

   Domain: mailtrain.correlaid.org
   Type:   unauthorized
   Detail: Invalid response from
   https://mailtrain.correlaid.org/.well-known/acme-challenge/n3erbBWaF5BZCt9ePOJWgZg9kEZrik4yQIKoSBDTLJI
   [20.52.237.161]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>503 Service
   Unavailable</title>\n</head><body>\n<h1>Service"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache/2.4.29

The operating system my web server runs on is (include version):
Linux (ubuntu 18.04)

My hosting provider, if applicable, is:
Microsoft Azure

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Azure Portal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0

2 Likes

Hi and welcome to the LE community forum.

I can't be certain, as I'm unfamiliar with:

Azure
Mailtrain
install-ubuntu1804-https.sh

But since no one has responded...
I will give it a try.

Based on:

I can see that the HTTP challenge requests have been redirected to HTTPS.
But HTTPS is currently returning only 503 errors (I don't know why and I'm not trying to fix that now).
So, I would find and temporarily comment out the redirection and try it again (via HTTP).
Are you familiar with Apache enough to do that?

3 Likes

Thanks for the quick response!
I edited the file /etc/apache2/sites-enabled/000-default.conf and inserted SSLEngine off inside the existing VirtualHost entry and restarted the Apache server with sudo service apache2 restart. But this didn't make any difference; the error is the same. Or do I have to disable the redirection somewhere else?

2 Likes

Yes, it should be in the file:

Let's have a look at it.

Actually, let's start with the output of:
sudo apachectl -S

3 Likes

Oh, thanks for the tip!
sudo apachectl -S did point me to another, longer config file with multiple VirtualHosts for ports 80 and 443 which also needed to be edited. I changed SSLEngine to off everywhere and now the verification process and the rest of the installation work fine. The installation takes a bit of time. Maybe the redirection will work again after the installation has been completed?

2 Likes

Will turn off the ability for Apache to encrypt within that block (port).
That isn't part of the problem.

2 Likes

I can see that this assumption is present in the script in question—

certbot certonly --agree-tos --email "${email}" --webroot --webroot-path /var/www/html -n -d "${hostPublic}" -d "${hostTrusted}" -d "${hostSandbox}"

Is it right for your server? If you place files of any sort under /var/www/html, are those files then visible on http://lists.correlaid.org/ and the other two names?

2 Likes
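The two checks suggested in this thread (is the HTTP challenge request being redirected to HTTPS, and does a file dropped under /var/www/html actually come back from http://your-host/.well-known/acme-challenge/...) can be done by hand before running Certbot again. The script below is an added example written for this thread; it is not code from Certbot, Mailtrain or the install script. It places a random token in the webroot, fetches it the way the Let's Encrypt validator would (following redirects hop by hop), and reports whether the token came back or whether a redirect to HTTPS or a 5xx got in the way. The built-in local test server and the redirecting handler are constructed stand-ins so the script can be exercised offline; the hostnames and webroot on the command line are whatever you pass in.

```python
"""ACME http-01 webroot self-check (added example, not from the thread or Certbot)."""
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request
from functools import partial

REDIRECT_CODES = (301, 302, 303, 307, 308)


def place_token(webroot):
    """Write a throwaway challenge file; returns (token, expected_body)."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(body)
    return token, body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx so each hop can be recorded instead of hidden."""
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url, follow_https=True, max_hops=5):
    """Fetch url; returns {'hops': [(from, code, to)], 'status', 'url', 'body'}.
    status is None when no HTTP answer was obtained at all."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    for _ in range(max_hops):
        try:
            with opener.open(url, timeout=10) as resp:
                return {"hops": hops, "status": resp.status, "url": url,
                        "body": resp.read().decode("utf-8", "replace")}
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in REDIRECT_CODES and location:
                target = urllib.parse.urljoin(url, location)
                hops.append((url, err.code, target))
                if target.startswith("https://") and not follow_https:
                    return {"hops": hops, "status": None, "url": target, "body": ""}
                url = target
                continue
            return {"hops": hops, "status": err.code, "url": url,
                    "body": err.read().decode("utf-8", "replace")}
        except urllib.error.URLError as err:
            return {"hops": hops, "status": None, "url": url, "body": str(err.reason)}
    return {"hops": hops, "status": None, "url": url, "body": "too many redirects"}


def diagnose(result, expected_body):
    """Turn a probe result into (ok, list of human-readable notes)."""
    notes = [f"{src} -> {code} -> {dst}" for src, code, dst in result["hops"]]
    if any(dst.startswith("https://") for _, _, dst in result["hops"]):
        notes.append("challenge request is redirected to HTTPS; the validator follows "
                     "it, so the HTTPS vhost must serve the token too")
    if result["status"] == 200 and result["body"].strip() == expected_body:
        return True, notes + ["token served correctly"]
    if result["status"] is None:
        return False, notes + [f"no HTTP response from {result['url']}: {result['body']}"]
    if result["status"] >= 500:
        return False, notes + [f"{result['status']} from {result['url']}: the server "
                               "answered but cannot serve the file (a 503 usually means "
                               "the backend behind that vhost is down or misconfigured)"]
    return False, notes + [f"{result['status']} from {result['url']}: {result['body'][:60]!r}"]


def check_webroot(webroot, base_url, follow_https=True):
    """Place a token, fetch it via base_url, clean up. Returns (ok, notes)."""
    token, body = place_token(webroot)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        return diagnose(probe(url, follow_https=follow_https), body)
    finally:
        os.remove(os.path.join(webroot, ".well-known", "acme-challenge", token))


# --- constructed local stand-ins so the check can be exercised offline ---
class _QuietFiles(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass


class _RedirectToHttps(http.server.BaseHTTPRequestHandler):
    """Mimics a vhost that bounces every request to HTTPS (the thread's failure mode)."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://127.0.0.1:1" + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(webroot=None, handler=None):
    """Start a throwaway server on 127.0.0.1; returns (base_url, httpd)."""
    handler = handler or partial(_QuietFiles, directory=webroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{httpd.server_address[1]}", httpd


def demo():
    """Run both scenarios locally; returns (ok_good, notes_good, ok_redirect, notes_redirect)."""
    with tempfile.TemporaryDirectory() as webroot:
        base, httpd = serve(webroot=webroot)
        ok_good, notes_good = check_webroot(webroot, base)
        httpd.shutdown(); httpd.server_close()
        base, httpd = serve(handler=_RedirectToHttps)
        ok_redir, notes_redir = check_webroot(webroot, base, follow_https=False)
        httpd.shutdown(); httpd.server_close()
    return ok_good, notes_good, ok_redir, notes_redir


if __name__ == "__main__":
    # Usage: python3 webroot_check.py /var/www/html http://lists.example.test
    ok, notes = check_webroot(sys.argv[1], sys.argv[2])
    print("\n".join(notes))
    sys.exit(0 if ok else 1)
```

Run it once per hostname listed in the -d arguments; a healthy setup prints the hop list (if any) followed by "token served correctly". In the situation from this thread the output would show an http -> 301 -> https hop followed by a 503 note, which points at the HTTPS vhost rather than at DNS, even though Certbot's generic advice mentions A/AAAA records.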

The problem has now resolved itself. I created a new virtual machine and reinstalled Mailtrain there. It worked right away and there was no 503 error. However, I cannot explain why this is because nothing has changed in the standard settings. Many thanks for your help!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.