letsencrypt fails - invalid response to acme challenge

#1 Thu, 03/31/2016 - 03:39
simber

Trying to set up for multiple subdomains, but I get this output; What to do ?

Failed authorization procedure. mail.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.domain.com/.well-known/acme-challenge/xxx [ip]: 404, www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/xxx [ip]: 401, domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/xxx [ip]: 401, host.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://host.domain.com/.well-known/acme-challenge/xxx [ip]: 404
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: mail.domain.com
   Type:   unauthorized
   Detail: Invalid response from http://mail.domain.com/.well-known
   /acme-challenge/xxx
   [ip]: 404

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from http://www.domain.com/.well-known
   /acme-challenge/xxx
   [ip]: 401

   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from http://domain.com/.well-known/acme-
   challenge/xxx
   [ip]: 401

   Domain: host.domain.com
   Type:   unauthorized
   Detail: Invalid response from http://host.domain.com/.well-known
   /acme-challenge/xxx
   [ip]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
Thu, 03/31/2016 - 03:42
simber

Note: When I go to sub.domain.com I get a forbidden error. Not sure why? Where can I disable that (temporarily)

Thu, 03/31/2016 - 03:49
simber

Well I removed the htaccess and that seems to have helped but now the result is 404 for the two subdomains (www subdomain works correctly). What might be the reason?

So subdomains other than www still do not work.

Thu, 03/31/2016 - 03:53
simber

I even created a subserver but that doesn't seem to remove the 404 errors.. Still stuck.

Thu, 03/31/2016 - 13:53
DonX

You may have to go into your domain management and set A records for your subdomains/subservers (if you haven't yet) so that when users type in the subdomain address in a web browser, it takes them to your server where the subdomain/server is hosted.

Your domain management should most likely be with the company you registered your domain with. There you should find options for managing your domain, etc.

Fri, 04/01/2016 - 02:19
simber

Those A records (or CNAME) exist. The 404 not found is on my server and in my server logs, so the request reaches my server.

Sat, 05/21/2016 - 01:32
coderinthebox

Your server is not allowing letsencrypt to write on your public_html. Error 404 is generated when letsencrypt can't locate the challenge folder or the challenge file.

Visit me at coderinthebox.com

Tue, 05/24/2016 - 00:04
lisandi

We are having the same problem here:

We are running a python site on that account in

/home/customer/python-site

and we proxy bypass in Apache2 to

/home/customer/domains/domain.com/public_html

The folder .well-known gets created correctly after pressing "request certificate" in Virtualmin / Server Configuration / Manage SSL Certificate / Let's Encrypt (tab).

--- The output is:

Requesting a certificate for domain.com, www.domain.com from Let's Encrypt ..
.. request failed :
Checking for new version...
Requesting root privileges to run certbot...
   //.local/share/letsencrypt/bin/letsencrypt certonly -a webroot -d domain.com -d www.domain.com --webroot-path /home/customer/domains/domain.com/public_html --duplicate --config /tmp/.webmin/733029_809_1_letsencrypt.cgi
Failed authorization procedure. www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/_6ivUIGXxKM-A2m5H2xYLvT73DN0F3egULFf-3IhEtQ: "
    <!DOCTYPE html>
    <html lang="en-US" data-oe-company-name="Company Name">
        <head>
            <me", domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/8UQHT5gaMR9baApOBtAZeTtb5BiElfVN8MewrVal96g: "
    <!DOCTYPE html>
    <html lang="en-US" data-oe-company-name="Company Name">
        <head>
            <me"
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from http://www.domain.com/.well-
   known/acme-challenge/_6ivUIGXxKM-A2m5H2xYLvT73DN0F3egULFf-3IhEtQ: "
       <!DOCTYPE html>
       <html lang="en-US" data-oe-company-name="Company Name">
           <head>
               <me"

   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from http://domain.com/.well-known
   /acme-challenge/8UQHT5gaMR9baApOBtAZeTtb5BiElfVN8MewrVal96g: "
       <!DOCTYPE html>
       <html lang="en-US" data-oe-company-name="Company Name">
           <head>
               <me"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

The site has DNS A records with the correct IP address as IPv4 and IPv6.

Our Apache2 configuration looks like this:

SuexecUserGroup "#1064" "#1061"

ServerAdmin webmaster@domain.com
ServerName domain.com
ServerAlias www.domain.com

DocumentRoot /home/customer/domains/domain.com/public_html

ErrorLog /var/log/virtualmin/domain.com_error_log
LogLevel warn
CustomLog /var/log/virtualmin/domain.com_access_log combined

ScriptAlias /cgi-bin/ /home/customer/domains/domain.com/cgi-bin/

DirectoryIndex index.html index.htm index.php index.php4 index.php5

ProxyPass /.well-known !
Alias /.well-known "/home/customer/domains/domain.com/public_html/.well-known"

<Directory /home/customer/domains/domain.com/public_html>

    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI

    order allow,deny
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

    Require all granted

    AddDefaultCharset Off
    Header set Content-Type "text/plain"

    AddType application/x-httpd-php .php

    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/afb/domains/autofahrbrik.de/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/afb/domains/autofahrbrik.de/fcgi-bin/php5.fcgi .php5

</Directory>

<Directory /home/customer/domains/domain.com/cgi-bin>

    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

    Require all granted

</Directory>

<IfModule mod_rewrite.c>

    RewriteEngine On

    # Permanent redirect (301 HTTP) if no canonical domain name
    RewriteCond %{HTTP_HOST} !^domain.com
    RewriteRule ^/(.*)$ http://domain.com/$1 [R=301,NE,L]

    # Redirect 301 to HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,NE,L]

</IfModule>

RemoveHandler .php
RemoveHandler .php5

FcgidMaxRequestLen 1073741824

<Location "/" >
    Order deny,allow
    Deny from all
    Allow from all
</Location>

<Location /git>

    DAV on

    AuthType Basic
    AuthName domain.com
    AuthUserFile /home/customer/domains/domain.com/etc/git.basic.passwd

    Require valid-user
    Satisfy All

    RedirectMatch ^/git$ http://domain.com/git/gitweb.cgi
    RedirectMatch ^/git/$ http://domain.com/git/gitweb.cgi

    RewriteEngine off

    AddHandler cgi-script .cgi

</Location>

SuexecUserGroup "#1064" "#1061"

ServerAdmin webmaster@domain.com
ServerName domain.com
ServerAlias www.domain.com

DocumentRoot /home/customer/domains/domain.com/public_html

ErrorLog /var/log/virtualmin/domain.com_error_log
LogLevel warn
CustomLog /var/log/virtualmin/domain.com_access_log combined

ScriptAlias /cgi-bin/ /home/customer/domains/domain.com/cgi-bin/

DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /home/customer/domains/domain.com/public_html>

    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI

    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

    Require all granted

    AddType application/x-httpd-php .php

    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/customer/domains/domain.com/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/customer/domains/domain.com/fcgi-bin/php5.fcgi .php5

</Directory>
<Directory /home/customer/domains/domain.com/cgi-bin>

    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted

</Directory>

SSLEngine               on
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/customer/ssl_certificates/domain.com/cert.pem
SSLCertificateKeyFile /home/customer/ssl_certificates/domain.com/privkey.pem

RequestHeader set X-Forwarded-Proto "https"

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Permanent redirect (301 HTTP) if no canonical domain name
    RewriteCond %{HTTP_HOST} !^domain.com
    RewriteRule ^/(.*)$ https://domain.com/$1 [R=301,NE,L]
</IfModule>

RemoveHandler .php
RemoveHandler .php5

FcgidMaxRequestLen 1073741824

<Location "/" >
    Order deny,allow
    Deny from all
    Allow from all
</Location>

<Location "/web/database" >
    Order deny,allow
    Deny from all
    Allow from 61.0.241.245 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location "/website/info" >
    Order deny,allow
    Deny from all
    Allow from 61.0.241.245 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location /git>

    DAV on
    AuthType Basic
    AuthName domain.com
    AuthUserFile /home/customer/domains/domain.com/etc/git.basic.passwd
    Require valid-user
    Satisfy All

    RedirectMatch ^/git$ http://domain.com/git/gitweb.cgi
    RedirectMatch ^/git/$ http://domain.com/git/gitweb.cgi
    RewriteEngine off

    AddHandler cgi-script .cgi

</Location>

# Comment to disable proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /longpolling/        http://localhost:9701/longpolling/ retry=0
ProxyPassReverse /longpolling/ http://localhost:9701/longpolling/ retry=0
ProxyPass /                    http://localhost:9700/ retry=0
ProxyPassReverse /             http://localhost:9700/ retry=0

Any help with this issue would be appreciated!

Thanks Andi
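The two failure shapes in this thread (simber's 401/404 for the challenge URL, and lisandi's 200 whose body is an HTML page from the proxied application instead of the token) can both be reproduced before running certbot: write a throwaway token under the webroot, fetch it over plain HTTP the way the CA's validator would, and look at what comes back. The script below is an added example written for this thread, not code from Virtualmin, certbot or either poster. It assumes a `DOMAIN` and `WEBROOT` are passed on the command line; the response and configuration samples in it are constructed for illustration. The `proxy_exclusion_problems` helper is a simple line-based check that a catch-all `ProxyPass /` is preceded in the same `<VirtualHost>` block by a `ProxyPass /.well-known !` exclusion (mod_proxy applies ProxyPass rules in order, first match wins); it resets at each `<VirtualHost` line, so it is meant to be run on the real configuration file, where those tags are present. In the configuration pasted above, the exclusion appears only in the first block while the catch-all `ProxyPass /` appears only in the second, SSL-enabled block, which is the pattern this check flags.

```python
"""Pre-flight check for ACME http-01 challenges (added example for the thread).

Writes a throwaway token under <webroot>/.well-known/acme-challenge/, fetches it
over HTTP as the CA would, and classifies the result so that a 401/404 or an
HTML body (a proxied application answering instead of the webroot) is diagnosed
before certbot is run. DOMAIN and WEBROOT are assumed command-line arguments.
"""
import os
import secrets
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

CHALLENGE_DIR = ".well-known/acme-challenge"


@dataclass
class Observed:
    """What an HTTP client (the CA's validator) got back."""
    status: int
    body: str
    final_url: str = ""


def classify(expected_token: str, obs: Observed) -> str:
    """Map the observed response to the likely misconfiguration.

    The labels mirror the cases in the thread: 404 (file not served from the
    webroot), 401/403 (an .htaccess or auth rule in the way) and a 200 whose
    body is an HTML page (a catch-all proxy or application answered instead).
    """
    if obs.status == 200 and obs.body.strip() == expected_token:
        return "ok"
    if obs.status == 200 and "<html" in obs.body.lower():
        return "proxied: an application page answered, not the challenge file"
    if obs.status == 200:
        return "mismatch: HTTP 200 but the body is not the token"
    if obs.status in (401, 403):
        return "denied: access rule (.htaccess/auth) blocks /.well-known"
    if obs.status == 404:
        return "not-found: challenge file not served from the expected webroot"
    return f"unexpected: HTTP {obs.status}"


def proxy_exclusion_problems(config_text: str) -> list:
    """Flag a catch-all 'ProxyPass /' with no earlier 'ProxyPass /.well-known !'.

    mod_proxy evaluates ProxyPass rules in order, first match wins, so the
    exclusion has to sit above the catch-all in the same server block. The
    seen-flag is reset at every <VirtualHost line.
    """
    problems = []
    exclusion_seen = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith("<virtualhost"):
            exclusion_seen = False
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ProxyPass":
            continue
        path, target = parts[1], parts[2]
        if path.startswith("/.well-known") and target == "!":
            exclusion_seen = True
        elif path == "/" and not exclusion_seen:
            problems.append(
                f"line {lineno}: catch-all ProxyPass without a preceding "
                "'ProxyPass /.well-known !' in this block")
    return problems


def probe(domain: str, webroot: str, timeout: float = 10.0):
    """Write a throwaway token to the webroot and fetch it as the CA would.

    Redirects are followed (certbot's validator follows them too), so the
    final URL tells you whether an HTTP->HTTPS rewrite moved the request to a
    different server block. The token file is removed afterwards.
    """
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read(4096).decode("utf-8", "replace")
                obs = Observed(resp.getcode(), body, resp.geturl())
        except urllib.error.HTTPError as err:
            body = err.read(4096).decode("utf-8", "replace")
            obs = Observed(err.code, body, err.geturl())
    finally:
        os.remove(path)
    return token, obs


# Constructed sample modelled on the SSL block above: catch-all proxy, no exclusion.
SAMPLE_CONFIG = """<VirtualHost *:443>
SSLEngine on
ProxyPass /                    http://localhost:9700/ retry=0
ProxyPassReverse /             http://localhost:9700/ retry=0
</VirtualHost>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        tok, seen = probe(sys.argv[1], sys.argv[2])
        print(seen.final_url, seen.status, classify(tok, seen))
    else:
        print("\n".join(proxy_exclusion_problems(SAMPLE_CONFIG)) or "no ProxyPass problems")
```

Run it as `python3 acme_precheck.py domain.com /home/customer/domains/domain.com/public_html` on the web server itself (it needs write access to the webroot); with no arguments it only checks the constructed sample block. A result of "proxied" with a final URL starting `https://` points at the redirect-then-proxy chain, while "denied" with an unchanged URL points at an `.htaccess` or `<Location>` rule on the HTTP side.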
