A site for solving at least some of your technical problems...
Today I had a problem with letsencrypt. It did not want to give me the certificate because it could not verify the domain name I was trying to get a certificate for.
Looking into why I would get the error:
The client lacks sufficient authorization
I only found references to mainly stupid answers, especially answers that tell you to create a directory under the .well-known folder, as in:
http://example.org/.well-known/acme-challenge/test
Then make sure you could access "test" by going to that URL.
Sure enough, that worked just fine. But it has nothing to do with the letsencrypt problem, because that is not how letsencrypt makes that folder work!
What letsencrypt does is add two includes in your corresponding virtual host definition:
<VirtualHost *:80>
    Include /etc/apache2/le_http_01_challenge_pre.conf
    ...your code...
    Include /etc/apache2/le_http_01_challenge_post.conf
</VirtualHost>
In order to see the challenge file and the changes to your virtual host, add the "--debug-challenges" command line option. At some point the certbot script stops and asks you to hit enter. Once you do hit the enter key, it finishes the verification process. While the script is paused that way, your settings have already been modified by letsencrypt and you can look at them (you shouldn't edit anything at that point, though).
As we can see in the "pre" script:
RewriteEngine on
RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
The .well-known/acme-challenge/... file is handled by internally rewriting accesses to /var/lib/letsencrypt/http_challenges/... and NOT to your installation folder. In other words, doing the test shown above is totally useless.
For documentation, the "post" script looks like this:
<Directory /var/lib/letsencrypt/http_challenges>
    Require all granted
</Directory>
<Location /.well-known/acme-challenge>
    Require all granted
</Location>
As we can see, these two instruct Apache to grant access to the challenge directory and to the acme-challenge location. So again, the check we are asked to perform above has nothing to do with anything (well, unless you have some form of proxying, or something else that prevents the letsencrypt setup from taking hold, etc.)
In my case, the script would go on and say that it would make a backup of many configuration files, but not of the one with the very domain I had a problem with.
Creating backup of /etc/apache2/sites-enabled/000-m2osw.com.conf
In other words, it would copy about 7 configuration files and add the Include instructions to them, but the very one where it was required did not get modified at all. So the Includes were missing from the file where they were needed.
My old installation was the culprit. The fact is that I had many old configuration files which I had named something like:
linux.m2osw.com
When the newer Apache2 convention (at least under Ubuntu) is to have:
linux.m2osw.com.conf
Without the .conf, somehow, letsencrypt ignores my file.
So... I went ahead and renamed all my files to include the .conf and updated the IncludeOptional in apache2.conf as follows:
IncludeOptional sites-enabled/*.conf
The old include looked like an ugly pattern:
IncludeOptional sites-enabled/[^#!.]*
and it worked in the old days, but files matched only by that pattern were being ignored by letsencrypt.
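Two checks that follow from the "pre" RewriteRule above and from the .conf naming issue, as an added example (not code from the original post or from certbot): the first function applies the same rewrite the letsencrypt pre include installs, so you can see which file Apache would actually serve for a challenge URL (a file under /var/lib/letsencrypt, never under your DocumentRoot); the second lists the files in a sites-enabled directory that the old IncludeOptional pattern "[^#!.]*" loaded but "*.conf" does not, which are exactly the vhosts Apache served while certbot's apache plugin skipped them. The sample directory and its file names are constructed for the demo; the hyphen in the token bracket expression is moved last so the sed expression is portable.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot.
#  1. challenge_target: the same mapping the letsencrypt "pre" include
#     performs with its RewriteRule, so you can see where Apache will look
#     for a given challenge URL (the letsencrypt folder, not DocumentRoot).
#  2. list_unsuffixed_vhosts: names in a sites-enabled directory that the old
#     IncludeOptional pattern "[^#!.]*" loaded but "*.conf" does not, i.e.
#     vhosts Apache served while certbot's apache plugin skipped them.

# Apply the pre.conf rule to one request path.  Same token alphabet as the
# rule, hyphen moved last so the sed BRE is portable.  Prints the file Apache
# would serve, or returns 1 when the path does not match (Apache then falls
# through to the normal DocumentRoot handling).
challenge_target() {
    token=$(printf '%s\n' "$1" |
        sed -n 's#^/\.well-known/acme-challenge/\([A-Za-z0-9_=-]\{1,\}\)$#\1#p')
    [ -n "$token" ] || return 1
    printf '%s\n' "/var/lib/letsencrypt/http_challenges/$token"
}

# Print the names in "$1" that the old pattern would include (anything not
# starting with '#', '!' or '.') but that lack the .conf suffix.
list_unsuffixed_vhosts() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        name=${f##*/}
        case "$name" in
            [#!.]*) ;;                   # excluded by the old pattern too
            *.conf) ;;                   # loaded by the new pattern: fine
            *) printf '%s\n' "$name" ;;  # loaded before, ignored by certbot
        esac
    done
}

# Constructed sample directory mirroring the post: one vhost without .conf.
demo_sites_enabled() {
    d=$(mktemp -d)
    : > "$d/000-default.conf"
    : > "$d/linux.m2osw.com"
    : > "$d/www.m2osw.com.conf"
    printf '%s\n' "$d"
}

# Stand-alone usage.
challenge_target /.well-known/acme-challenge/SemSXp5MwbH1gq0FJ9TW88X0bhsYWC9suRkz_vsFxOs
challenge_target /.well-known/acme-challenge/test/index.html || echo "not rewritten"
sample=$(demo_sites_enabled)
echo "vhosts certbot would skip in $sample:"
list_unsuffixed_vhosts "$sample"
rm -r "$sample"
```

Run it against your real directory with `list_unsuffixed_vhosts /etc/apache2/sites-enabled` after sourcing the file; any name it prints is a vhost that Apache (with the old pattern) is serving but that certbot will not touch.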
It's not a bad thing to have renamed all my configuration files anyway. I think it's much better to have them with .conf than with my old convention.
If you still have problems, make sure to check your Apache2 logs and the letsencrypt logs. That last one is found here on Ubuntu:
sudo less /var/log/letsencrypt/letsencrypt.log
The letsencrypt logs are protected, so you will need sudo to look at them. You may also have older, rotated copies (.1, .2, etc.)
And for more information, use the "-v" (verbose) flag of certbot as in:
certbot -v ...
Expect a lot of output when you use the -v option.
To install certbot on your Ubuntu computer do:
sudo apt-get install certbot
sudo apt-get install python3-certbot-apache
sudo apt-get install python3-certbot-nginx
If you have just apache or just nginx, you only need to install the matching plugin; you don't need both.
Here is the full message that I'd get when an error would occur:
$ sudo certbot --apache certonly -d example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. example.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.org/.well-known/acme-challenge/SemSXp5MwbH1gq0FJ9TW88X0bhsYWC9suRkz_vsFxOs: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: apartments.snapwebsites.org
   Type:   unauthorized
   Detail: Invalid response from http://example.org/.well-known/acme-challenge/SemSXp5MwbH1gq0FJ9TW88X0bhsYWC9suRkz_vsFxOs: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Obviously, my domain name was not example.org. I use that name here because the exact name is not relevant.