Renew Letsencrypt SSL in Ubuntu Linux and fix failed authorization procedure


When I tried to renew my Letsencrypt SSL certificate using "sudo letsencrypt renew", I got an error. It said "produced an unexpected error: Failed authorization procedure."

It took me a minute to realize that letsencrypt was checking the acme-challenge authorization over HTTPS instead of HTTP.
This is because I force all traffic to HTTPS, and I had only set up the acme-challenge location on port 80, not on port 443. The http-01 validator starts its request on port 80 and follows the 301 like any other client, so it landed on the HTTPS vhost, where WordPress answered with its normal HTML page (the "<!DOCTYPE html>" fragment in the log) instead of the challenge token. The hint certbot prints about DNS A records is its generic advice for any "unauthorized" result; the validator clearly reached the server (it got a page back), so the real question is which vhost answered the request.
Yes, the easy solution is to copy the acme-challenge configuration into the port-443 server block in NGINX.

For full understanding, here are the logs:

sudo letsencrypt renew

——————————————————————————-
Processing /etc/letsencrypt/renewal/yodiaditya.com.conf
——————————————————————————-
2019-09-24 05:09:35,886:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/yodiaditya.com.conf produced an unexpected error: Failed authorization procedure. yodiaditya.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.yodiaditya.com/.well-known/acme-challenge/ek23rE1VgNeCCgmN25AsZvUUjUaEq4swxjX4sOyhb3k [13.228.15.1]: "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n  <meta charset="UTF-8" />\n  <meta name="viewpor". Skipping.

——————————————————————————-
Processing /etc/letsencrypt/renewal/www.yodiaditya.com.conf
——————————————————————————-
2019-09-24 05:09:40,613:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/www.yodiaditya.com.conf produced an unexpected error: Failed authorization procedure. www.yodiaditya.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.yodiaditya.com/.well-known/acme-challenge/DUFLVpW6oNRiDJmS2_ctHSziTfpPn8laYb_dJCp1eUA [13.228.15.1]: "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n  <meta charset="UTF-8" />\n  <meta name="viewpor". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yodiaditya.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.yodiaditya.com/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.yodiaditya.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.yodiaditya.com/.well-known/acme-challenge/DUFLVpW6oNRiDJmS2_ctHSziTfpPn8laYb_dJCp1eUA
   [13.228.15.1]: "<!DOCTYPE html>\n<html
   xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n
   <meta charset="UTF-8" />\n  <meta name="viewpor"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: yodiaditya.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.yodiaditya.com/.well-known/acme-challenge/ek23rE1VgNeCCgmN25AsZvUUjUaEq4swxjX4sOyhb3k
   [13.228.15.1]: "<!DOCTYPE html>\n<html
   xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n
   <meta charset="UTF-8" />\n  <meta name="viewpor"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Here are the steps to fix this issue.

1. Add the .well-known/acme-challenge location to the port-443 (SSL) server block as well, because with all HTTP traffic redirected to HTTPS that is where the validator ends up, and keep the HTTP-to-HTTPS redirect in NGINX:

server {
    listen 80;
    listen [::]:80;
    server_name www.yodiaditya.com yodiaditya.com;

    # Serve the challenge directly on port 80. A "return" placed at server
    # level runs before location matching, so it would redirect the challenge
    # too; keeping the redirect inside "location /" lets this location win
    # for /.well-known/acme-challenge/. "^~" makes it a prefix match that is
    # not overridden by regex locations elsewhere in the config.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    location / {
        return 301 https://www.yodiaditya.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.yodiaditya.com;

    # "ssl on;" is unnecessary with "listen ... ssl" (and deprecated in newer
    # nginx). Certificate paths follow the standard certbot layout; fullchain.pem
    # is the file named in the renewal log above.
    ssl_certificate     /etc/letsencrypt/live/www.yodiaditya.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.yodiaditya.com/privkey.pem;

    # Same location on the HTTPS vhost: the validator follows the 301, and
    # without this block WordPress answered the challenge with its HTML page.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    # ... the rest of the site (WordPress / PHP handlers) goes here ...
}
2. Make sure certbot actually writes into that folder and NGINX can read it (if the issue still exists). "sudo letsencrypt renew" runs as root, so write permission is rarely the problem; what matters is that the renewal files shown in the log (/etc/letsencrypt/renewal/yodiaditya.com.conf and www.yodiaditya.com.conf) contain "authenticator = webroot" and "webroot_path = /var/www/letsencrypt" (otherwise certbot never places the token under that root at all), and that the NGINX worker user (www-data on Ubuntu) can read /var/www/letsencrypt/.well-known/acme-challenge/.

3. Check the configuration with "sudo nginx -t", reload NGINX with "sudo service nginx reload", rehearse the renewal against the staging CA with "sudo letsencrypt renew --dry-run" (this consumes no rate limits and replaces no certificate), and only then run "sudo letsencrypt renew".
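The three steps above can be gated on a probe that reproduces what the http-01 validator does: drop a throw-away token where the webroot authenticator would, fetch it over plain HTTP following any redirect, and compare the body. The script below is an added example, not code from the original post, certbot or nginx. It assumes curl is installed, that the acme-challenge locations use "root /var/www/letsencrypt" as in the config above, and that it is run as root (as "letsencrypt renew" is) so it may write into that webroot; the verdict strings and the "run" sub-command are this example's own invention.

```shell
#!/usr/bin/env bash
# Pre-flight check for an http-01 renewal behind an HTTP-to-HTTPS redirect.
# Added example, not part of the original post, certbot or nginx.
# Assumptions: curl is installed; nginx serves /.well-known/acme-challenge/
# from /var/www/letsencrypt (see the config above); run as root.
set -u

ACME_DIR=".well-known/acme-challenge"

# classify_response STATUS FINAL_URL BODY TOKEN
# Pure function: applies the same test the ACME validator applies after it has
# followed any redirects, and names the nginx problem that explains a failure.
# Prints "OK: ..." or "FAIL: ..." and always returns 0; callers look at the prefix.
classify_response() {
    local status="$1" final_url="$2" body="$3" token="$4"
    case "$status" in
        200)
            if [ "$body" = "$token" ]; then
                echo "OK: token served from $final_url"
            elif [ "${body#<}" != "$body" ]; then
                # Body starts with '<': an HTML page. The vhost that answered the
                # (redirected) request has no acme-challenge location, which is
                # exactly the failure in the renewal log above.
                echo "FAIL: ${final_url%%/.well-known*} returned an HTML page instead of the token; add the acme-challenge location to that server block"
            else
                echo "FAIL: unexpected body from $final_url"
            fi
            ;;
        404)
            echo "FAIL: 404 from $final_url; the location's root does not match certbot's webroot_path, or nginx cannot read the file"
            ;;
        000)
            echo "FAIL: no HTTP response on port 80 (DNS, firewall, or nginx not listening)"
            ;;
        *)
            echo "FAIL: HTTP $status from $final_url"
            ;;
    esac
}

# acme_probe DOMAIN WEBROOT
# Writes a random token where the webroot authenticator would, fetches it over
# plain HTTP the way the validator does (-L follows the 301), removes the token
# again and prints the verdict. Returns 0 only on "OK".
acme_probe() {
    local domain="$1" webroot="$2"
    local token dir url tmp meta status final_url body verdict
    token=$(head -c 32 /dev/urandom | base64 | tr -d '=+/\n')
    dir="$webroot/$ACME_DIR"
    url="http://$domain/$ACME_DIR/$token"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    tmp=$(mktemp)
    # -w reports the final status code and URL after redirects; body goes to $tmp.
    meta=$(curl -sS -L --max-redirs 10 --max-time 15 -o "$tmp" \
                -w '%{http_code} %{url_effective}' "$url" 2>/dev/null) || true
    rm -f "$dir/$token"
    status=${meta%% *}
    status=${status:-000}
    final_url=${meta#* }
    [ -n "$final_url" ] || final_url=$url
    body=$(head -c 4096 "$tmp")
    rm -f "$tmp"
    verdict=$(classify_response "$status" "$final_url" "$body" "$token")
    echo "$verdict"
    [ "${verdict%%:*}" = "OK" ]
}

# renew_with_checks DOMAIN WEBROOT
# Steps 1-3 of the post in order, each gated on the previous one: syntax-check
# and reload nginx, probe the challenge path, rehearse against the staging CA
# with --dry-run, and only then renew for real.
renew_with_checks() {
    nginx -t || return 1
    service nginx reload || return 1
    acme_probe "$1" "$2" || return 1
    letsencrypt renew --dry-run || return 1
    letsencrypt renew
}

# Example invocation (hostname and webroot from the post):
#   sudo ./acme-preflight.sh run www.yodiaditya.com /var/www/letsencrypt
if [ "${1:-}" = "run" ]; then
    renew_with_checks "$2" "$3"
fi
```

Run the probe before every renewal attempt rather than only after a failure: the redirect-to-HTTPS misconfiguration is silent until the certificate is close to expiry, and a renewal cron job that fails on "unauthorized" gives no earlier warning than the log above.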

Now it’s done!

