Urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: icecream.ixeo-conseil.com

I ran this command: certbot --apache

It produced this output:
Failed authorization procedure. icecream.ixeo-conseil.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://icecream.ixeo-conseil.com/.well-known/acme-challenge/3dm2MtJSflAQerN9WvpM9pIvU_xY7l-Ncrkzup41WRU [92.243.9.115]: “\n\n403 Forbidden\n\n

Forbidden

\n<p”

IMPORTANT NOTES:

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48
The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

I have created a directory and subdirectory .well-known/acme-challenge and put a file called 1234 with only “ok” inside. I have no problem in obtaining “ok” from icecream.ixeo-conseil.com/.well-known/acme-challenge/1234.
I tested the challenge after stopping the firewall ufw and fail2ban, without more success.
I have on the same server an OnlyOffice instance installed under docker. I did stop the container, but it didn’t change anything. I have also an instance of Odoo12, and if I disable its virtualhost, it does not change anything.
One weird thing is that while the web server is Apache 2.4, I have been obliged to add directives
Order allow,deny
Allow from all
to make the site reachable. It didn’t work with only the directive “Require all granted”.
I have read a lot of topics in the forum without finding the solution.
Any help?
Thanks,

1 Like

The only thing that I can think of (that you haven’t already covered), is that the test file “1234” and the actual challenge file differ… Most notably, the challenge file contains both a hyphen and an underscore.

Perhaps there is some sort of special handling involved that interferes with the access.
But that would be simple to test: Create a test file with an underscore and a hyphen in the name and see if you can access it from the Internet.

If not, you will have to check your configuration.

If so, then… maybe open two SSH windows and run the certbot validation in manual mode in one window and check in the other window how the file is created (permissions) and ensure that the file certbot creates can actually be accessed from the Internet (before it gets deleted).

edit: you might also want to look through the web server error.logs for any clues.

1 Like

Thank you for your answer.
Following your advice, I did change the name of the file 1234 using the very name used by certbot. I can see it on the url without problem.
I looked at the apache error.log, but there is nothing in it!
I tried also to grant access rights to the folder /.well-known/acme-challenge in a directive in my virtualhost. I didn’t change anything.
Here is my virtualhost file

<VirtualHost ipV4:80 [ipV6]:80>        
ServerName icecream.ixeo-conseil.com
        ServerAdmin address@mydomain.com
    DocumentRoot /srv/datainterne/creme_crm-2.1/
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /srv/datainterne/creme_crm-2.1/>
            AllowOverride None
            Require all granted
            Order allow,deny
            Allow from all
    </Directory>
     <Directory /srv/datainterne/creme_crm-2.1/.well-known/acme-challenge/>
            Require all granted
     </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

In my DNS records, I have deleted the AAAA entry, as I have read in forum, it is sometimes source of troubles.
I try to upload a copy of the last entry of the letsencrypt log (it is rather long, I don’t know whether I can copy/paste in the post)
letsencrypt log 2020 02 26.txt (18.8 KB)

1 Like

There are some things in that log that do explain what is going on:

2020-02-26 09:39:29,808:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
2020-02-26 09:39:29,808:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

I think you might need to use replace the --apache installer with:
--webroot -w /what/ever/your/document/root/is

Thanks a lot.
I did what you wrote.
The only point is that certbot ask for certonly parameter.
So I got the certificate.
I just need to modify manually my virtualhost to integrate the certificate. I am going to do so.
But, how did you find? Reading the log file is like Chinese for me!
Btw, I suppose that for renewing the certificate I will have to do the same thing…

1 Like

Oups, things are more complicated. The new site is ok with https and its new certificate.
On the server I have another virtualhost, with a reverse proxy. This second site is in error, as the certificate it presents is the certificate for the new site!
I tried to renew the certificate of this site, and I obtain the same error as previously.
My problem is that I don’t know how to apply your method with --webroot -w as I don’t really understand how to apply it in the case of a reverse proxy.
Here is my virtualhost for this site

<VirtualHost *:443>
ServerAdmin xxx@mydoamin.com
ServerName dodo.ixeo-conseil.com

<IfModule mod_rewrite.c>
   RewriteEngine On

   # Permanent redirect (301 HTTP) if no canonical domain name
   RewriteCond %{HTTP_HOST} !^dodo.ixeo-conseil.com
   RewriteRule ^/(.*)$ http://dodo.ixeo-conseil.com/$1 [R=301,NE,L]

   # Redirect 301 to HTTPS
Some rewrite rules in this file were disabled on your HTTPS site,
because they have the potential to create redirection loops.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,NE,L]
</IfModule>
RewriteEngine On
   # Permanent redirect (301 HTTP) if no canonical domain name
   RewriteCond %{HTTP_HOST} !^dodo.ixeo-conseil.com
   RewriteRule ^/(.*)$ https://dodo.ixeo-conseil.com/$1 [R=301,NE,L]
   Order deny,allow
   Deny from all
   Allow from all
   Order deny,allow
   Deny from all
   Allow from 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
   Order deny,allow
   Deny from all
   Allow from 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
# Comment to disable proxy ajout deux lignes SSL
ProxyRequests Off
SSLProxyEngine on
SSLengine on
ProxyPreserveHost On
ProxyPass /longpolling/        http://localhost:8072/longpolling/ retry=0
ProxyPassReverse /longpolling/ http://localhost:8072/longpolling/ retry=0
ProxyPass /                    http://localhost:8069/ retry=0
ProxyPassReverse /             http://localhost:8069/ retry=0

ErrorLog /var/log/apache2/odoo.com.error.log
LogLevel warn
CustomLog /var/log/apache2/odoo.access.log combined

SSLCertificateFile /etc/letsencrypt/live/dodo.ixeo-conseil.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dodo.ixeo-conseil.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

What should I take as a “document root” ?

Since it currently does only proxy, there is none.
You can fix that with a location /.well-known/acme-challenge/ section.
In there you can direct those particular requests to any local folder.
But… That can/should be done in the HTTP config [what is shown above is the HTTPS config].
Also: the redirect to HTTPS needs only to be in the HTTP config.

Thank you for your answer.
I have cleaned my virtualhosts.
I tried to generate the certificate after putting a location in the virtualhost of the HTTP config, but without success.
My main problem is that there seems to be interference between my two virtualhosts. If I activate the VH SSL for “icecream”, the other VH “dodo” use the certificate “icecream”, and I got an error message as the domain in the certificate doesn’t match the domain name.
I have tried to install a certificate with the two domains, but I got the same error message (unreachable).
I think I am going to ask for help from a professionnal. I am already far beyond my competencies…
Thanks again,

1 Like

This is somewhat “common” with Apache; as it tries to “run at any cost” - which usually means even if the configuration is “messy”.
So even though:

You might need to do some more (deep) cleaning.

Best of luck to you.
As always, this community is here to help with anything specifically related to LE.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.