letsencrypt fails - invalid response to acme challenge

Trying to set up for multiple subdomains, but I get this output; What to do ?

Failed authorization procedure. mail.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.domain.com/.well-known/acme-challenge/xxx [ip]: 404, www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/xxx [ip]: 401, domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/xxx [ip]: 401, host.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://host.domain.com/.well-known/acme-challenge/xxx [ip]: 404
IMPORTANT NOTES:

Note: When I go to sub.domain.com I get a forbidden error. Not sure why? Where can I disable that (temporarily)

Well I removed the htaccess and that seems to have helped but now the result is 404 for the two subdomains (www subdomain works correctly). What might be the reason?

So subdomains other than www still do not work.

I even created a subserver but that doesn’t seem to remove the 404 errors… Still stuck.

You may have to go into your domain management and set A records for your subdomains/subservers (if you haven’t yet) so that when users type the subdomain address in a web browser, it takes them to your server where the subdomain/server is hosted.

Your domain management should most likely be with the company you registered your domain with. There you should find options for managing your domain, etc.

Those A records (or CNAME) exist. The 404 not found is on my server and in my server logs, so the request reaches my server.

Your server is not allowing letsencrypt to write to your public_html.
Error 404 is generated when letsencrypt can’t locate the challenge folder or the challenge file.

We are having the same problem here:

We are running a python site on that account in

/home/customer/python-site

and we proxy bypass in Apache2 to

/home/customer/domains/domain.com/public_html

The folder .well-known gets created correctly after pressing “request certificate” in Virtualmin / Server Configuration / Manage SSL Certificate / Let’s Encrypt (tab).

— The output is:

Requesting a certificate for domain.com, www.domain.com from Let’s Encrypt …
… request failed :
Checking for new version…
Requesting root privileges to run certbot…
//.local/share/letsencrypt/bin/letsencrypt certonly -a webroot -d domain.com -d www.domain.com --webroot-path /home/customer/domains/domain.com/public_html --duplicate --config /tmp/.webmin/733029_809_1_letsencrypt.cgi
Failed authorization procedure. www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/_6ivUIGXxKM-A2m5H2xYLvT73DN0F3egULFf-3IhEtQ: "



<me", domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/8UQHT5gaMR9baApOBtAZeTtb5BiElfVN8MewrVal96g: "



<me"
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.domain.com
    Type: unauthorized
    Detail: Invalid response from http://www.domain.com/.well-
    known/acme-challenge/_6ivUIGXxKM-A2m5H2xYLvT73DN0F3egULFf-3IhEtQ: "



    <me"

    Domain: domain.com
    Type: unauthorized
    Detail: Invalid response from http://domain.com/.well-known
    /acme-challenge/8UQHT5gaMR9baApOBtAZeTtb5BiElfVN8MewrVal96g: "



    <me"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


The site has DNS A records with the correct IP address for IPv4 and IPv6.


Our Apache2 configuration looks like this:

<VirtualHost *:80>

SuexecUserGroup "#1064" "#1061"

ServerAdmin webmaster@domain.com
ServerName domain.com
ServerAlias www.domain.com

DocumentRoot /home/customer/domains/domain.com/public_html

ErrorLog /var/log/virtualmin/domain.com_error_log
LogLevel warn
CustomLog /var/log/virtualmin/domain.com_access_log combined

ScriptAlias /cgi-bin/ /home/customer/domains/domain.com/cgi-bin/

DirectoryIndex index.html index.htm index.php index.php4 index.php5

ProxyPass /.well-known !
Alias /.well-known "/home/customer/domains/domain.com/public_html/.well-known"

<Directory /home/customer/domains/domain.com/public_html>

	Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI

	order allow,deny
	allow from all
	AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

	Require all granted

	AddDefaultCharset Off
	Header set Content-Type "text/plain"

	AddType application/x-httpd-php .php

	AddHandler fcgid-script .php
	AddHandler fcgid-script .php5
	FCGIWrapper /home/afb/domains/autofahrbrik.de/fcgi-bin/php5.fcgi .php
	FCGIWrapper /home/afb/domains/autofahrbrik.de/fcgi-bin/php5.fcgi .php5

</Directory>

<Directory /home/customer/domains/domain.com/cgi-bin>

	allow from all
	AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

	Require all granted

</Directory>

<IfModule mod_rewrite.c>

	RewriteEngine On

	# Permanent redirect (301 HTTP) if no canonical domain name
	RewriteCond %{HTTP_HOST} !^domain.com
	RewriteRule ^/(.*)$ http://domain.com/$1 [R=301,NE,L]

	# Redirect 301 to HTTPS
	RewriteCond %{HTTPS} !=on
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,NE,L]

</IfModule>

RemoveHandler .php
RemoveHandler .php5

FcgidMaxRequestLen 1073741824

<Location "/" >
	Order deny,allow
	Deny from all
	Allow from all
</Location>

<Location /git>

	DAV on

	AuthType Basic
	AuthName domain.com
	AuthUserFile /home/customer/domains/domain.com/etc/git.basic.passwd

	Require valid-user
	Satisfy All

	RedirectMatch ^/git$ http://domain.com/git/gitweb.cgi
	RedirectMatch ^/git/$ http://domain.com/git/gitweb.cgi

	RewriteEngine off

	AddHandler cgi-script .cgi

</Location>

</VirtualHost>

<VirtualHost 123.456.789.12:443>

SuexecUserGroup "#1064" "#1061"

ServerAdmin webmaster@domain.com
ServerName domain.com
ServerAlias www.domain.com

DocumentRoot /home/customer/domains/domain.com/public_html

ErrorLog /var/log/virtualmin/domain.com_error_log
LogLevel warn
CustomLog /var/log/virtualmin/domain.com_access_log combined

ScriptAlias /cgi-bin/ /home/customer/domains/domain.com/cgi-bin/

DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /home/customer/domains/domain.com/public_html>

	Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI

	allow from all
	AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

	Require all granted

	AddType application/x-httpd-php .php

	AddHandler fcgid-script .php
	AddHandler fcgid-script .php5
	FCGIWrapper /home/customer/domains/domain.com/fcgi-bin/php5.fcgi .php
	FCGIWrapper /home/customer/domains/domain.com/fcgi-bin/php5.fcgi .php5

</Directory>
<Directory /home/customer/domains/domain.com/cgi-bin>

	allow from all
	AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
	Require all granted

</Directory>

SSLEngine 				on
SSLProtocol           	all -SSLv2 -SSLv3
SSLCipherSuite        	ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/customer/ssl_certificates/domain.com/cert.pem
SSLCertificateKeyFile /home/customer/ssl_certificates/domain.com/privkey.pem

RequestHeader set X-Forwarded-Proto "https"

<IfModule mod_rewrite.c>
	RewriteEngine On

	# Permanent redirect (301 HTTP) if no canonical domain name
	RewriteCond %{HTTP_HOST} !^domain.com
	RewriteRule ^/(.*)$ https://domain.com/$1 [R=301,NE,L]
</IfModule>

RemoveHandler .php
RemoveHandler .php5

FcgidMaxRequestLen 1073741824

<Location "/" >
	Order deny,allow
	Deny from all
	Allow from all
</Location>

<Location "/web/database" >
	Order deny,allow
	Deny from all
	Allow from 61.0.241.245 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location "/website/info" >
	Order deny,allow
	Deny from all
	Allow from 61.0.241.245 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location /git>

	DAV on
	AuthType Basic
	AuthName domain.com
	AuthUserFile /home/customer/domains/domain.com/etc/git.basic.passwd
	Require valid-user
	Satisfy All

	RedirectMatch ^/git$ http://domain.com/git/gitweb.cgi
	RedirectMatch ^/git/$ http://domain.com/git/gitweb.cgi
	RewriteEngine off

	AddHandler cgi-script .cgi

</Location>

# Comment to disable proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /longpolling/        http://localhost:9701/longpolling/ retry=0
ProxyPassReverse /longpolling/ http://localhost:9701/longpolling/ retry=0
ProxyPass /                    http://localhost:9700/ retry=0
ProxyPassReverse /             http://localhost:9700/ retry=0

</VirtualHost>

Any help with this issue would be appreciated!

Thanks Andi
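One thing worth checking in a reverse-proxied setup like the config above is that every VirtualHost that can end up answering the http-01 request serves /.well-known from the webroot rather than forwarding it to the backend. Apache matches ProxyPass rules in configuration order, so a `ProxyPass /.well-known !` exclusion only helps when it appears before the catch-all `ProxyPass /`, and when the :80 vhost redirects to HTTPS the :443 vhost is the one Let's Encrypt actually reaches. The following is an added diagnostic script, not code from the thread or from Virtualmin; the config it audits is a constructed excerpt modelled on the two vhosts posted above.

```python
import re

# Constructed excerpt modelled on the thread's two vhosts (not the poster's full file).
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName domain.com
    ProxyPass /.well-known !
    Alias /.well-known "/home/customer/domains/domain.com/public_html/.well-known"
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,NE,L]
</VirtualHost>
<VirtualHost 123.456.789.12:443>
    ServerName domain.com
    ProxyPass /longpolling/ http://localhost:9701/longpolling/ retry=0
    ProxyPass / http://localhost:9700/ retry=0
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def audit_vhost(body):
    """Walk one vhost body in order and record what an http-01 GET would hit."""
    state = {"proxies_root": False, "exempts_well_known": False, "redirects_to_https": False}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank, comment, or a nested <Directory>/<Location> tag
        name, *args = line.split()
        name = name.lower()
        # ProxyPass rules are matched in configuration order: an exclusion
        # only protects the challenge path if it precedes the catch-all.
        if name == "proxypass" and len(args) >= 2:
            if args[0].startswith("/.well-known") and args[1] == "!" and not state["proxies_root"]:
                state["exempts_well_known"] = True
            elif args[0] == "/":
                state["proxies_root"] = True
        elif name == "rewriterule" and any(a.startswith("https://") for a in args):
            state["redirects_to_https"] = True
    return state


def challenge_path_findings(config):
    """Map each vhost that would not serve the ACME challenge from the webroot to a reason."""
    findings = {}
    for addr, body in VHOST_RE.findall(config):
        st = audit_vhost(body)
        if st["proxies_root"] and not st["exempts_well_known"]:
            findings[addr.strip()] = "catch-all ProxyPass forwards /.well-known to the backend"
        elif st["redirects_to_https"]:
            findings[addr.strip()] = "redirects to https; the :443 vhost must serve the challenge"
    return findings
```

Run it against the real httpd config dump (`apachectl -S` shows which files to read); an empty result for the :443 vhost means the challenge directory is at least reachable by Apache, and the remaining suspects are file permissions and the rewrite rules.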