Urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http

#1

Hello,
Ive got problem when i try to get Lets Encrypt cert.
./letsencrypt-auto --apache --agree-tos --redirect --hsts --email kontakt.@gmail.com -d mail..pl

Results:
Requesting to rerun ./letsencrypt-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.kosmetykifm.pl
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.kosmetykifm.pl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k: “\n<html class=“no-js” lang=“pl-PL” itemscope=“itemscope” itemtype=“http://schema.org/WebPage”>\n\n <meta char”

IMPORTANT NOTES:

What to do? Thanks for help!

#2

Hi @danielh

Letsencrypt wants a file saved under /.well-known/acme-challenge/.

But: There are two redirects:

D:\temp>download http://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k -h
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 282
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 30 Sep 2018 18:05:03 GMT
Location: https://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k
Server: Apache

Status: 302 Redirect

135,21 milliseconds
0,14 seconds

This (http -> https) isn’t a problem. The certificate is incorrect (SSL_ERROR_BAD_CERT_DOMAIN, only valid for fmmobile.kosmetykifm.pl). But incorrect certificates are ignored.

But then:

D:\temp>download https://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k -h
SSL error: RemoteCertificateNameMismatch
Referrer-Policy:
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Sun, 30 Sep 2018 18:08:13 GMT
Location: https://kosmetykifm.pl/wp-signup.php?new=mail
Server: Apache

Status: 302 Redirect

328,02 milliseconds
0,33 seconds

There is a second redirect to https://kosmetykifm.pl/wp-signup.php?new=mail - there is no validation file.

So you should find this redirect and deactivate it if the path starts with /.well-known/acme-challenge/

#3

Ok I fixed these redirection, but there is still problem :confused:

#4

Yes, the next redirect :wink:

D:\temp>download https://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k -h
SSL error: RemoteCertificateNameMismatch
Referrer-Policy:
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Sun, 30 Sep 2018 18:43:02 GMT
Location: https://kosmetykifm.pl
Server: Apache

Status: 302 Redirect

315,30 milliseconds
0,32 seconds

#5

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.kosmetykifm.pl
    Type: connection
    Detail: Fetching
    https://mail.kosmetykifm.pl/.well-known/acme-challenge/jiRKnSoIX1j0PSS2tMYG2gFYDaFKs9f03ICEhQKKPEE:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

any ideas how to fix that? thanks!

#6

There is again a redirect. Now empty:

D:\temp>download https://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k -h
SSL error: RemoteCertificateNameMismatch
Referrer-Policy:
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Sun, 30 Sep 2018 19:20:43 GMT
Location:
Server: Apache

Status: 302 Redirect

A redirect sends no real content.

#7

Ive got wordpress multisite i checked redirection and excluded “mail.kosmetykifm.pl” from multisite in htaccess, but there is still
IMPORTANT NOTES:

dont know what to do :confused:

Failing acme challenge when installing certificate for Tomcat
#8

You have again an empty redirect:

D:\temp>download https://mail.kosmetykifm.pl/.well-known/acme-challenge/A3uYAzaL3m9hoJdyinxLu-5L2evfAL3thPkyNQNHh_k -h
SSL error: RemoteCertificateNameMismatch
Referrer-Policy:
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Mon, 01 Oct 2018 08:32:27 GMT
Location:
Server: Apache

Status: 302 Redirect

There are different solutions to exclude a directory. Check Google - .htaccess exclude directory redirect

RewriteRule ^/.well-known/ - [L] as first rule.

Or

RewriteCond %{REQUEST_URI} !^/.well-known/

If you have a multisite wordpress, it’s unclear what’t the best solution.

#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.