urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: walden.cloud

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/walden.cloud.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.walden.cloud
http-01 challenge for nextcloud.walden.cloud
http-01 challenge for walden.cloud
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert (walden.cloud) from /etc/letsencrypt/renewal/walden.cloud.conf produced an unexpected error: Failed authorization procedure. www.walden.cloud (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.walden.cloud/.well-known/acme-challenge/xdv6MeuRuJnGi_1QRbEgQgjzzSlEyyeEZ0HpfnxrsBI: "

404 Not Found

Not Found

<p", walden.cloud (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://walden.cloud/.well-known/acme-challenge/yuwRHtfqy8cLF3sPmbEhtUCJ4TeCjSnK-E_1hFwB2SA: " 404 Not Found

Not Found

<p". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/walden.cloud/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/walden.cloud/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 17.10

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I also tested that I can reach https://walden.cloud/.well-known/acme-challenge/ok in my browser. As you can see it works, but the error is still popping up on renew.
Does anyone have an idea?

Hi @rwefan,

Keep in mind that Let’s Encrypt is trying to validate your domain using the http-01 challenge, so it tries to reach the http version of your site instead of https:

With https it works ok:

$ curl -ikL https://walden.cloud/.well-known/acme-challenge/ok
HTTP/1.1 200 OK
Date: Tue, 16 Jan 2018 10:32:25 GMT
Server: Apache/2.4.27 (Ubuntu)
Last-Modified: Tue, 16 Jan 2018 09:08:11 GMT
ETag: "3-562e111ea002d"
Accept-Ranges: bytes
Content-Length: 3

ok

But using http it doesn’t work:

$ curl -ikL http://walden.cloud/.well-known/acme-challenge/ok
HTTP/1.1 404 Not Found
Date: Tue, 16 Jan 2018 10:33:00 GMT
Server: Apache/2.4.27 (Ubuntu)
Content-Length: 305
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /.well-known/acme-challenge/ok was not found on this server.</p>
<hr>
<address>Apache/2.4.27 (Ubuntu) Server at walden.cloud Port 80</address>
</body></html>

You can modify your Apache conf so your http version has the same DocumentRoot as the https version, or you could redirect http to https; Let’s Encrypt will follow this redirection, so your domains will get validated.

Cheers,
sahsanu

I already redirect to https in my default.conf:

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.walden.cloud [OR]
RewriteCond %{SERVER_NAME} =walden.cloud
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

I don't get why this isn't working.

Do you have a <VirtualHost *:80> block in any of your conf files with a ServerName directive assigned to your domains walden.cloud or www.walden.cloud?

Yes, I have my walden.cloud.conf, which looks like this:

<VirtualHost *:80>
ServerAdmin myemail@email.mail
DocumentRoot /var/www/html
ServerName walden.cloud
ServerAlias www.walden.cloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.walden.cloud [OR]
RewriteCond %{SERVER_NAME} =walden.cloud
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

It is also enabled in Apache:

:/etc/apache2/sites-available$ ll ../sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 Jan 16 12:46 ./
drwxr-xr-x 8 root root 4096 Jan 16 08:57 ../
lrwxrwxrwx 1 root root 42 Jan 16 10:45 000-default-le-ssl.conf -> ../sites-available/000-default-le-ssl.conf
lrwxrwxrwx 1 root root 35 Jan 14 01:25 couchpotato.conf -> ../sites-available/couchpotato.conf
lrwxrwxrwx 1 root root 33 Jan 14 01:25 nextcloud.conf -> ../sites-available/nextcloud.conf
lrwxrwxrwx 1 root root 36 Jan 16 12:46 walden.cloud.conf -> ../sites-available/walden.cloud.conf

The conf seems OK. I see you have modified walden.cloud.conf today; did you restart your Apache?

No changes, I just typed :wq instead of :q, but yes, Apache and the server restarted multiple times today because this error drives me crazy :slight_smile:

It is strange, but without all your conf it is hard to guess what is going on.

Double check that mod rewrite is enabled:

apache2ctl -M | grep rewrite

or

ls -l /etc/apache2/mods-enabled/ | grep rewrite

Also, check all your conf to see where your domains are appearing:

grep -ri 'walden.cloud' /etc/apache2/*

And you can also check that your conf is OK:

apache2ctl configtest

You can also try to make the walden.cloud conf file the first in the list:

a2dissite walden.cloud
mv /etc/apache2/sites-available/walden.cloud.conf /etc/apache2/sites-available/0000-walden.cloud.conf
a2ensite 0000-walden.cloud
apache2ctl graceful

Edit: Sorry, instead of 0- use 0000-, I’ve modified the commands.

And try again…

Yeah, there must be something in my configs… But I really don't get it because everything seems so fine…

Here is what I needed to check:

sudo apache2ctl -M | grep rewrite
rewrite_module (shared)

ls -l /etc/apache2/mods-enabled/ | grep rewrite
lrwxrwxrwx 1 root root 30 Jan 13 12:55 rewrite.load -> ../mods-available/rewrite.load

grep -ri 'walden.cloud' /etc/apache2/*
/etc/apache2/apache2.conf:ServerName walden.cloud
/etc/apache2/sites-available/000-default-le-ssl.conf:ServerName walden.cloud
/etc/apache2/sites-available/000-default-le-ssl.conf:ServerAlias www.walden.cloud
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/walden.cloud/fullchain.pem
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/walden.cloud/privkey.pem
/etc/apache2/sites-available/nextcloud.conf:<VirtualHost nextcloud.walden.cloud:80>
/etc/apache2/sites-available/nextcloud.conf:ServerName nextcloud.walden.cloud
/etc/apache2/sites-available/couchpotato.conf:<VirtualHost couchpotato.walden.cloud:80>
/etc/apache2/sites-available/couchpotato.conf:ServerName couchpotato.walden.cloud
/etc/apache2/sites-available/walden.cloud.conf: ServerName walden.cloud
/etc/apache2/sites-available/walden.cloud.conf: ServerAlias www.walden.cloud
/etc/apache2/sites-available/walden.cloud.conf:RewriteCond %{SERVER_NAME} =www.walden.cloud [OR]
/etc/apache2/sites-available/walden.cloud.conf:RewriteCond %{SERVER_NAME} =walden.cloud
/etc/apache2/sites-available/000-default.conf:RewriteCond %{SERVER_NAME} =www.walden.cloud [OR]
/etc/apache2/sites-available/000-default.conf:RewriteCond %{SERVER_NAME} =walden.cloud

sudo apache2ctl configtest
Syntax OK

I also tried the rename to 0000- but it didn't work either.

Thank you very much for your time so far; I am very, very thankful for every idea! So if you or anyone has one, let me know.

I will need to see all your conf; if you pass me your /etc/apache2/ dir, I could reproduce it in a virtual machine to know what is going on.

tar pzcvf /tmp/apache2-walden.tar.gz /etc/apache2/

And upload it somewhere or put it somewhere on your server where I can download it… or contact me via private message.

Mhh, I can't find the Private Message to send a link.
Can you send me one, because I think new users are not allowed to do so.

Hi @rwefan,

The problem is in your couchpotato.conf file:

Change this:

<VirtualHost couchpotato.walden.cloud:80>

to this:

<VirtualHost *:80>

Reload apache:

systemctl reload apache2

And the redirection should work again.
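As an added check (not code from the thread or from sahsanu), a small Python lint that flags <VirtualHost> directives whose address is a hostname rather than *:port, _default_ or an IP literal, which is the misconfiguration found above in couchpotato.conf and nextcloud.conf; the sample configuration is constructed from the grep output earlier in the thread.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's grep output: two vhosts use a
# hostname as the <VirtualHost> address instead of the wildcard.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName walden.cloud
    ServerAlias www.walden.cloud
</VirtualHost>
<VirtualHost nextcloud.walden.cloud:80>
    ServerName nextcloud.walden.cloud
</VirtualHost>
<VirtualHost couchpotato.walden.cloud:80>
    ServerName couchpotato.walden.cloud
</VirtualHost>
<VirtualHost [::1]:80 _default_:443>
    ServerName localhost
</VirtualHost>
"""

VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def _is_hostname(addr: str) -> bool:
    """True if a VirtualHost address token is a DNS name, not *, _default_ or an IP."""
    if addr.startswith("["):
        # Bracketed IPv6 literal, e.g. [::1]:80
        host = addr[1:addr.index("]")]
    else:
        # Strip an optional :port suffix (no-op when there is no colon)
        host = addr.rsplit(":", 1)[0]
    if host in ("*", "_default_"):
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def find_hostname_vhosts(conf_text: str) -> list:
    """Return (line number, address) for every <VirtualHost> whose address is a hostname."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = VHOST_RE.match(line)
        if not m:
            continue
        for addr in m.group(1).split():
            if _is_hostname(addr):
                hits.append((lineno, addr))
    return hits
```

Run it over the concatenated output of `cat /etc/apache2/sites-enabled/*.conf` to list every directive that should be changed to `<VirtualHost *:80>`.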

You won't believe it.
It still doesn't work.
I really don't understand that…

Okay, edit: I had to do it for nextcloud.conf too. Now my subdomains stopped working, but renew is fine now!

Hi @rwefan,

Yes sorry, I disabled nextcloud.conf when I tested it and I forgot to comment that it was in the same situation as couchpotato.conf.

It's great that you got your cert renewed, but I don't understand how these changes made your subdomains stop working. I don't know if you have an internal DNS server or you are using the hosts file to resolve the couchpotato and nextcloud subdomains, but none of them are resolvable from the internet.
