Urn:acme:error:unauthorized HTTP method


#1

My domain is: help.mydomain.com

I ran this command: ./certbot-auto --nginx

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for help.mydomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. help.mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks suffic
ient authorization :: Invalid response from http://help.mydomain.com/.well-known/acme-challenge/oP34Chb4MTpNYQw3NXz
B4YcpOOLur2p1BY8HhCt5NDk: "<!doctype html>
<html lang="en" data-direction="ltr">
  <head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: help.mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://help.mydomain.com/.well-known/acme-challenge/oP34Chb4MTpNYQw3NXzB4YcpOOLur2p1BY8HhCt5NDk:
   "<!doctype html>
   <html lang="en" data-direction="ltr">
     <head>

       <meta charset="utf-8">
       <meta http-equiv="X-UA-Compatible"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version): CentOS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


It’s looking for .well-known/acme-challenge/oP34Chb4MTpNYQw3NXz B4YcpOOLur2p1BY8HhCt5NDk which I don’t know if Certbot is supposed to add that itself, or I need to add it manually? if the latter, how do I know what to put in the content? It tells me part of the HTML but then cuts off.

I’m doing the HTTP verification and would ideally like to use just that.

Any help is appreciated.


#2

The nginx plugin to Certbot attempts to parse the nginx configuration, identify the virtual host, temporarily modify the configuration as necessary and, create the validation file and serve the request from the web root.

You can try to hold Certbot’s hand a bit if that is failing by using the webroot authenticator and passing the webroot manually:

./certbot-auto -a webroot -i nginx -w /var/www/html -d help.voodoosms.com

Your domain (help.voodoosms.com) appears to point to custom.intercom.help via CNAME. Based on my short research, this is a hosted platform/SaaS, which means it would not resolve to your nginx server.

Do you actually control the server where this domain currently points?


#3

Hi,

Yes, the Help section is using a CNAME to point to our Intercom Knowledge Base.

On the Intercom website it states this is how an NGINX config should be set-up

and I did some Googling which brought me to this Gist

Which explains how to use LetsEncrypt with these Intercom KB’s.

This is the NGINX config I have for the site

server {
    server_name help.voodoosms.com;

    root /var/www/vhosts/help.voodoosms.com;

    location / {
        proxy_set_header Host $host;
        proxy_pass https://help.voodoosms.com;
    }
}

#4

(Off-topic: Wow. That is a massive hack. -1 to Intercom for even suggesting it. I’d suggest following the Cloudfront or Cloudflare route instead).

There’s a few things that need to change in order to achieve what you want

Point the domain at your TLS proxy

First thing, the domain (help.voodoosms.com) needs to point at your nginx server before you do anything. Otherwise you will not be able to issue a certificate. Don’t continue until you’ve done that.

Fix your TLS proxy configuration

Next, your nginx configuration needs to match exactly what appears in the Intercom docs. The following line isn’t going to work because it’s going to be self-referential. So change it:

proxy_pass https://help.voodoosms.com;

needs to be reverted back to:

proxy_pass https://custom.intercom.help;

I think you also need to add

listen 80;

Exclude the Let’s Encrypt validation path and issue the certificate

Add this to the nginx configuration on the TLS proxy:

location /.well-known/acme-challenge/ {
    root /var/www/vhosts/help.voodoosms.com;
}

and then run Certbot:

certbot-auto -d help.voodoosms.com -a webroot -i nginx -w /var/www/vhosts/help.voodoosms.com

#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.