I am having an issue when I am trying to request an SSL certificate. Kindly refer to the details below:
============Web-based validation failed :==========================================
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ##DOMAINNAME##
Using the webroot path /home/root/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. sgres-ai.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 141.136.47.74: Invalid response from http://##DOMAINNAME##/.well-known/acme-challenge/QNf-MalIKRqJam6TL94k5uexuuWYf8LHjtcSJ7dHNrw: 400
IMPORTANT NOTES:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
============DNS-based validation failed :============================================
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ##DOMAINNAME##
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ##DOMAINNAME## (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.##DOMAINNAME##.com - check that a DNS record exists for this domain
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: ##DOMAINNAME##
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.##DOMAINNAME##.com - check that a DNS record exists for
this domain
====================================================================
Does anyone know what the solution is? I appreciate the help.
It looks like the domain “sgres-ai.com” is set up with strict “http” to “https” redirection, however for Let’s Encrypt to do its validation it needs to be able to access the “.well-known” directory with “http”.
It’s likely you have a “.htaccess” file at the root of your website causing the forced redirection. If you do, you’ll need to add a line to exclude the redirection of the “.well-known” folder.
However, if you use a “.htaccess” file to force redirection, it’ll override this directive, which is intended to skip the “.well-known” folder from the rule.
However, the error message appears when I request an SSL certificate from Let’s Encrypt.
Requesting a certificate for ##DomainName## from Let’s Encrypt …
… request failed :
Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sgres-ai.com
Using the webroot path /home/slab/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ##DomainName## (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 141.136.47.74: Invalid response from http://##DomainName## /.well-known/acme-challenge/32P5vVYrBDGS-R1LNRcnMtXewDPBH_IzzXElqa0VLns: 400
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ##DomainName##
Type: unauthorized
Detail: ##IP Address##: Invalid response from
http://##DomainName## /.well-known/acme-challenge/32P5vVYrBDGS-R1LNRcnMtXewDPBH_IzzXElqa0VLns:
400
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
===============================================
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
Please see the logfiles in /var/log/letsencrypt for more details.
Requesting a certificate for sgres-ai.com from Let’s Encrypt …
… request failed :
Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sgres-ai.com
Using the webroot path /home/slab/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sgres-ai.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: ##IP Address##: Invalid response from http://sgres-ai.com/.well-known/acme-challenge/kWSHqziVHOdLv0DwV_ZqzdOBFXwR37gyXyf3I8x5VW0: 400
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: sgres-ai.com
Type: unauthorized
Detail: ##IP Address##: Invalid response from
http://sgres-ai.com/.well-known/acme-challenge/kWSHqziVHOdLv0DwV_ZqzdOBFXwR37gyXyf3I8x5VW0:
400
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sgres-ai.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sgres-ai.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sgres-ai.com - check that a DNS record exists for this domain
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: sgres-ai.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.sgres-ai.com - check that a DNS record exists for
this domain
It’s always the same three possible problems (DNS, redirect/proxy rules, requesting certs for names that aren’t set up… which is just a DNS problem again, so really only two), and it’s always easy to troubleshoot which one you have.
Put a file in /home/domainname/public_html/.well-known
Can you view that file in your browser (via http not https)? If not, you need to fix it.
If you can, are you sure you aren’t requesting certs for names you do not have A records for? Virtualmin automatically creates some extra names, and if you haven’t delegated DNS to the Virtualmin server, and you haven’t created those names yourself, you should not be requesting a cert for them.
Edit: Also, this has been discussed here (and on the Let’s Encrypt forums) a lot. Searching the forums for this error will return many, many other discussions about it, including several where I go more in depth on how Let’s Encrypt can fail… but it’s really dead simple. It can only ever be a few things, and figuring out which of the two or three possible problems you have only takes a few seconds. Once you know the problem, it should be easy to solve.
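The checks described in the reply above, scripted as an added example (not part of the original thread and not Virtualmin or certbot code): it places a test file under `.well-known/acme-challenge`, fetches it over plain HTTP without following redirects, and lists requested names that do not resolve. The function names are hypothetical, and the webroot path and domain names in the `__main__` section are constructed placeholders.

```python
import http.client
import os
import secrets
import socket

def place_probe(webroot):
    """Write a random test file where the webroot plugin puts http-01 tokens."""
    token = "probe-" + secrets.token_hex(8)
    body = secrets.token_hex(16)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(body)
    return token, body

def check_http(host, token, body, port=80, timeout=10):
    """Fetch the probe over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token)
        resp = conn.getresponse()
        data = resp.read().decode("utf-8", "replace").strip()
        if 300 <= resp.status < 400:
            return "redirect -> " + str(resp.getheader("Location"))
        if resp.status != 200:
            return "http %d" % resp.status
        return "ok" if data == body else "wrong content served"
    except OSError as exc:
        return "connection failed: %s" % exc
    finally:
        conn.close()

def names_without_address(names):
    """Return the requested names that do not resolve to any address."""
    missing = []
    for name in names:
        try:
            socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM)
        except socket.gaierror:
            missing.append(name)
    return missing

if __name__ == "__main__":
    # Constructed values: substitute the real webroot and certificate names.
    webroot, names = "/home/example/public_html", ["example.com", "www.example.com"]
    print("no address record:", names_without_address(names))
    token, body = place_probe(webroot)
    print("http-01 probe:", check_http(names[0], token, body))
    os.remove(os.path.join(webroot, ".well-known", "acme-challenge", token))
```

Any result other than `ok` for the probe, or any name listed as unresolved, points to the class of problem to fix before requesting the certificate again, which also avoids running into the failed-validation rate limit shown in the logs.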