Error when installing SSL cert during installation of new vhost

January 30, 2019
Apache DigitalOcean LAMP Stack Let's Encrypt Ubuntu 18.04

Hello, this is my first post so kindly let me know if I've left out any important/required information. I'm hoping the community is able to assist with an issue that has me stuck and stumped. I'm encountering the below "unauthorized" error when attempting to install a new lets encrypt SSL cert on a new vhost (let's call it mysite5.com) running on Ubuntu 18.04. This Droplet is currently and successfully hosting 6 other SSL letsencrypt vhosts.

I'm receiving the error when running :~$ sudo certbot --apache -d mysite5.com -d www.mysite5.com

There are 6 other existing vhosts on this Droplet (mysites1-4.com) that seem to be running without issues. Since this SSL error occurred during the mysite5.com installation, I have installed 2 new sites (mysites6-7.com) without issues/errors. For an unknown reason, only mysite5.com is encountering problems at the step of using certbot to install the letsencrypt SSL certs.

As far as I can tell, after retracing my steps many dozens of times, the mysite5.com vhost is set up correctly and identically to the other vhosts on this same Droplet; i.e. set up and configured the vhost files; created and configured the mysql db and user; downloaded, installed and configured wordpress in this new vhost directory; created and configured DNS (added two A records; @ and www).

One note that makes mysite5.com different from the other 6 vhosts: mysite5.com has been running successfully on an old 16.04 Droplet (no vhosts or httpS) for a couple of years. I removed the DNS and shut down the 16.04 Droplet before adding the DNS to this new 18.04 vhost SSL Droplet.

All that said, here's the response/error I'm encountering for mysite5.com when running

:~$ sudo certbot --apache -d mysite5.com -d www.mysite5.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite5.com
http-01 challenge for www.mysite5.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mysite5.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite5.com/.well-known/acme-challenge/3EqtTg2dzsX3FAX77TRwTg-DXgelGoqHNqD-vvFXHCo: "<!DOCTYPE html>\n<html lang=\"en-US\">\n<head>\n \n <meta charset=\"UTF-8\"/>\n <link rel=\"profile\" href=\"http://gmpg.or", www.mysite5.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysite5.com/.well-known/acme-challenge/c8qgJtNnCLk721_kwQRNrp4xOwe1yvDxh0z20-YM-FE: "<!DOCTYPE html>\n<html lang=\"en-US\">\n<head>\n \n <meta charset=\"UTF-8\"/>\n <link rel=\"profile\" href=\"http://gmpg.or"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: mysite5.com
Type: unauthorized
Detail: Invalid response from
http://mysite5.com/.well-known/acme-challenge/3EqtTg2dzsX3FAX77TRwTg-DXgelGoqHNqD-vvFXHCo:
"<!DOCTYPE html>\n<html lang=\"en-US\">\n<head>\n \n
<meta charset=\"UTF-8\"/>\n <link rel=\"profile\"
href=\"http://gmpg.or"

Domain: www.mysite5.com
Type: unauthorized
Detail: Invalid response from
http://www.mysite5.com/.well-known/acme-challenge/c8qgJtNnCLk721_kwQRNrp4xOwe1yvDxh0z20-YM-FE:
"<!DOCTYPE html>\n<html lang=\"en-US\">\n<head>\n \n
<meta charset=\"UTF-8\"/>\n <link rel=\"profile\"
href=\"http://gmpg.or"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

What’s stumping me is that it’s saying “The client lacks sufficient authorization” yet this same client has no issues with the other vhosts/domains.

I’ve also checked firewall. UFW is allowing Apache Full and ports 80, 443.

What am I missing? Many thank you’s in advance!

PS. Maybe I need to remove this vhost and start over? I don't mind, but my somewhat beginner skills have never attempted something like this. Any advice or direction on how to go about this would be helpful too.

1 Answer

I have the same error.
Did you find anything?

I have this error on only one of the 8 domains registered with certbot in one certificate.

I'm intrigued that the request is done on a link in http://

Indeed, I have the impression, but I can be wrong, that I have had this error since I switched to HSTS and immediately force the passage to https.
As a result, can the request in http:// be erased?

I read something similar, a person had a redirection in the apache conf, and, by removing the redirect, the certbot renewal worked. That's why I wonder if my HSTS configuration and my redirection that forces https can be in question.

If you could find it, please share your solution, or a search track.
Thank you.
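A pre-flight check for the situation in this thread, added here as an example and not code from certbot or from either poster: it drops a probe file into the vhost's DocumentRoot, fetches it over plain HTTP the way the ACME server does (following any redirect to https, which Let's Encrypt also follows), and reports whether the token came back or, as in the error above, an HTML page (here a WordPress document) was served instead. The domain and webroot arguments are assumptions you supply for your own vhost.

```python
"""Pre-flight check for an HTTP-01 challenge path (example for this thread, not certbot's code).
Assumptions: run on the web server, WEBROOT is the vhost's DocumentRoot, and the
domain already resolves to this host."""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify(status, final_url, body, expected):
    """Describe what the ACME server would see when fetching the token URL."""
    if status != 200:
        return f"http-status-{status}"
    if body.strip() == expected:
        # A redirect to https is acceptable for http-01 as long as the token is returned.
        return "ok" if final_url.startswith("http://") else "ok-after-https-redirect"
    if "<html" in body.lower() or body.lstrip().lower().startswith("<!doctype html"):
        # The thread's failure mode: the site's front page comes back instead of the token,
        # i.e. the request was handled by the web app, not served from the challenge directory.
        return "html-page-served-instead-of-token"
    return "unexpected-body"


def fetch(url):
    """GET the URL, following redirects; return (status, final URL, first 200 bytes of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl(), resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.geturl(), ""
    except urllib.error.URLError:
        return 0, url, ""  # connection failure (DNS, firewall, nothing listening)


def preflight(domain, webroot):
    """Write a random probe file into the webroot and fetch it as Let's Encrypt would."""
    name, expected = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(expected)
    try:
        status, final_url, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{name}")
    finally:
        os.remove(path)  # never leave probe files behind
    return classify(status, final_url, body, expected)


if __name__ == "__main__":
    print(preflight(sys.argv[1], sys.argv[2]))  # e.g. mysite5.com /var/www/mysite5.com
```

If the result is "html-page-served-instead-of-token", the webroot you passed is not the one Apache serves for that name on port 80, or a rewrite rule is handing the request to the application before the file is looked up.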
