Requesting a certificate for ##DOMAINNAME## from Let's Encrypt .. .. request failed :

Hello All,

I am having an issue when I try to request an SSL certificate. Kindly refer to the details below:

============Web-based validation failed :==========================================
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ##DOMAINNAME##
Using the webroot path /home/root/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. sgres-ai.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 141.136.47.74: Invalid response from http://##DOMAINNAME##/.well-known/acme-challenge/QNf-MalIKRqJam6TL94k5uexuuWYf8LHjtcSJ7dHNrw: 400
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ##DOMAINNAME##
    Type: unauthorized
    Detail: 141.136.47.74: Invalid response from
    http://##DOMAINNAME##/.well-known/acme-challenge/QNf-MalIKRqJam6TL94k5uexuuWYf8LHjtcSJ7dHNrw:
    400

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

============DNS-based validation failed :============================================
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ##DOMAINNAME##
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ##DOMAINNAME## (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.##DOMAINNAME##.com - check that a DNS record exists for this domain
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ##DOMAINNAME##
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.##DOMAINNAME##.com - check that a DNS record exists for
    this domain
    ====================================================================

Does anyone know what the solution is? I appreciate the help.

Thanks.

@cheeguan.koh,

Is the domain already pointing at the server, and resolving?

Hello @tpnsolutions, Yes. The domain already points to the server IP address.

@cheeguan.koh,

It looks like the domain “sgres-ai.com” is set up with strict “http” to “https” redirection; however, for Let’s Encrypt to do its validation it needs to be able to access the “.well-known” directory with “http”.

It’s likely you have a “.htaccess” file at the root of your website causing the forced redirection. If you do, you’ll need to add a line to exclude the “.well-known” folder from the redirection.

@cheeguan.koh,

Virtualmin, when configured to redirect to “https” by default, adds a line to the Virtual Host configuration for a domain:

RedirectMatch ^/(?!.well-known)(.*)$ https://sgres-ai.com/$1

However, if you use a “.htaccess” file to force redirection, it’ll override this directive, which is intended to exclude the “.well-known” folder from the rule.

@cheeguan.koh,

If you have a “RewriteRule” in your “.htaccess” file causing all files to be redirected, you’ll need to adjust the rule and add something like:

RewriteCond %{REQUEST_URI} !/\.well-known/?.*

Just before the RewriteRule directive.

This will do the same as above, but within the scope of your site.
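The two fixes described above (a `RewriteCond` that exempts `.well-known` before the `RewriteRule`, or Virtualmin's `RedirectMatch` with a negative lookahead) can be checked mechanically. The following is an added example, not code from these posts or from Virtualmin: a small linter that walks an `.htaccess` or vhost fragment and reports http-to-https redirects that do not exempt `/.well-known`. The snippets at the bottom are constructed for the demo, and the check is a heuristic over the directives the thread mentions (`Redirect`, `RedirectMatch`, `RewriteCond`/`RewriteRule`), not a full mod_rewrite emulator.

```python
"""Lint Apache redirect rules for a blanket http->https redirect that also
swallows /.well-known/acme-challenge/, which Let's Encrypt must fetch over
plain http. Added example, not code from the thread or from Virtualmin."""

import re

HTTPS_TARGET = re.compile(r"^https://", re.IGNORECASE)
MENTIONS_WELL_KNOWN = re.compile(r"well-known")
REDIRECT_STATUS_WORDS = {"permanent", "temp", "seeother", "gone"}


def _is_status_arg(arg):
    """Redirect/RedirectMatch accept an optional leading status (301, permanent, ...)."""
    return arg.isdigit() or arg.lower() in REDIRECT_STATUS_WORDS


def find_unguarded_https_redirects(config_text):
    """Return [(line_no, directive)] for rules that push every path to https://
    without exempting /.well-known.

    Rules applied:
      * Redirect [status] / https://...          -> always unguarded (no exclusions possible)
      * RedirectMatch [status] REGEX https://... -> guarded only if REGEX has a negative
        lookahead naming well-known, e.g. ^/(?!.well-known)(.*)$
      * RewriteRule PATTERN https://... [flags]  -> guarded only if a queued RewriteCond
        is a negated ("!") condition naming .well-known. RewriteCond lines apply to
        the next RewriteRule only, so the queue is cleared after each RewriteRule.
    """
    findings = []
    pending_conds = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive == "rewritecond":
            pending_conds.append(line)
        elif directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            if HTTPS_TARGET.match(target):
                guarded = any(
                    MENTIONS_WELL_KNOWN.search(cond) and re.search(r"\s!", cond)
                    for cond in pending_conds
                )
                if not guarded:
                    findings.append((line_no, line))
            pending_conds = []
        elif directive in ("redirectmatch", "redirect"):
            args = parts[1:]
            if args and _is_status_arg(args[0]):
                args = args[1:]
            if len(args) < 2 or not HTTPS_TARGET.match(args[-1]):
                continue
            if directive == "redirect":
                if args[0] == "/":
                    findings.append((line_no, line))
            else:
                regex = args[0]
                if not ("(?!" in regex and MENTIONS_WELL_KNOWN.search(regex)):
                    findings.append((line_no, line))
    return findings


# Constructed samples (not taken from the thread) covering the cases discussed.
HTACCESS_BROKEN = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
"""

HTACCESS_FIXED = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !/\\.well-known/?.*
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
"""

VHOST_VIRTUALMIN_STYLE = "RedirectMatch ^/(?!.well-known)(.*)$ https://example.com/$1\n"
VHOST_BROKEN = "Redirect permanent / https://example.com/\n"

if __name__ == "__main__":
    samples = [("htaccess-broken", HTACCESS_BROKEN), ("htaccess-fixed", HTACCESS_FIXED),
               ("vhost-virtualmin-style", VHOST_VIRTUALMIN_STYLE), ("vhost-broken", VHOST_BROKEN)]
    for name, text in samples:
        hits = find_unguarded_https_redirects(text)
        print(f"{name}: {'OK' if not hits else hits}")
```

Run it against your own `.htaccess` by reading the file into `find_unguarded_https_redirects`; a non-empty result names the line that will turn the ACME challenge URL into a 301 to https.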

@tpnsolutions ,

Here is my “.htaccess”

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.html$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Leave the ACME challenge files alone
RewriteCond %{REQUEST_URI} !/\.well-known/?.*
RewriteRule . /index.html [L]
</IfModule>
# END WordPress

However, this error message is prompted when I request an SSL certificate from Let’s Encrypt.
Requesting a certificate for ##DomainName## from Let’s Encrypt …
… request failed :

Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sgres-ai.com
Using the webroot path /home/slab/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ##DomainName## (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 141.136.47.74: Invalid response from http://##DomainName##/.well-known/acme-challenge/32P5vVYrBDGS-R1LNRcnMtXewDPBH_IzzXElqa0VLns: 400
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ##DomainName##
   Type:   unauthorized
   Detail: ##IP Address##: Invalid response from
   http://##DomainName##/.well-known/acme-challenge/32P5vVYrBDGS-R1LNRcnMtXewDPBH_IzzXElqa0VLns:
   400

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

===============================================

DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
Please see the logfiles in /var/log/letsencrypt for more details.

===============================================

@cheeguan.koh,

Wait a few hours, then try again. The latter error regarding DNS says you’ve reached a limit; hence any requests until that limit lifts will fail.

@tpnsolutions ,

I retried; here are the error messages:

Requesting a certificate for sgres-ai.com from Let’s Encrypt …
… request failed :

Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sgres-ai.com
Using the webroot path /home/slab/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sgres-ai.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: ##IP Address##: Invalid response from http://sgres-ai.com/.well-known/acme-challenge/kWSHqziVHOdLv0DwV_ZqzdOBFXwR37gyXyf3I8x5VW0: 400
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sgres-ai.com
   Type:   unauthorized
   Detail: ##IP Address##: Invalid response from
   http://sgres-ai.com/.well-known/acme-challenge/kWSHqziVHOdLv0DwV_ZqzdOBFXwR37gyXyf3I8x5VW0:
   400

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sgres-ai.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sgres-ai.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.sgres-ai.com - check that a DNS record exists for this domain
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sgres-ai.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.sgres-ai.com - check that a DNS record exists for
   this domain

It’s always the same three possible problems (DNS, redirect/proxy rules, requesting certs for names that aren’t set up… which is just a DNS problem again, so really only two), and it’s always easy to troubleshoot which one you have.

Put a file in /home/domainname/public_html/.well-known

Can you view that file in your browser (via http not https)? If not, you need to fix it.

If you can, are you sure you aren’t requesting certs for names you do not have A records for? Virtualmin automatically creates some extra names, and if you haven’t delegated DNS to the Virtualmin server, and you haven’t created those names yourself, you should not be requesting a cert for them.

Edit: Also, this has been discussed here (and on the Let’s Encrypt forums) a lot. Searching the forums for this error will return many, many, other discussions about it, including several where I go more in-depth in how Let’s Encrypt can fail…but, it’s really dead simple. It can only ever be a few things, and figuring out which of the two or three possible problems you have only takes a few seconds. Once you know the problem, it should be easy to solve.
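The "put a file in .well-known and fetch it over http" test described above can be scripted so that it exercises the same path the CA does: resolve the name, drop a probe file under the webroot, request it on port 80 without following redirects, and name the failure mode. The following is an added example, not code from this thread, from Virtualmin or from certbot. It assumes DOMAIN, WEBROOT and EXPECTED_IP are passed on the command line, that the probe token is random and means nothing to Let's Encrypt, and that the SAMPLE_RESPONSES are constructed stand-ins rather than captures from the server in the thread.

```python
"""Pre-flight for the Let's Encrypt http-01 check: probe file + plain-http fetch.
Added example; not code from the thread, from Virtualmin or from certbot."""

import http.client
import secrets
import socket
import sys
from pathlib import Path

ACME_DIR = ".well-known/acme-challenge"

# One line of advice per verdict, mirroring the causes discussed in the thread.
ADVICE = {
    "ok": "plain-http fetch works; if certbot still fails, check which names you are requesting",
    "wrong-content": "200 but a different file came back: another vhost or webroot answered for this name",
    "redirected-to-https": "forced https redirect catches /.well-known; exempt it in the redirect rule",
    "redirected-elsewhere": "a redirect/rewrite rule rewrites the challenge path; exempt /.well-known",
    "not-found": "the webroot given to certbot is not the DocumentRoot serving this name",
    "forbidden": "permissions or an access rule block /.well-known; the file must be readable",
    "other": "the server rejected the request before serving the file; check proxy/rewrite "
             "rules and that a vhost on port 80 answers for this name",
}


def challenge_url(domain, token):
    return f"http://{domain}/{ACME_DIR}/{token}"


def write_probe(webroot, token, content):
    """Create WEBROOT/.well-known/acme-challenge/<token> and return its Path."""
    probe_dir = Path(webroot) / ACME_DIR
    probe_dir.mkdir(parents=True, exist_ok=True)
    probe = probe_dir / token
    probe.write_text(content)
    return probe


def fetch_plain_http(domain, token, timeout=10):
    """GET the challenge URL on port 80 without following redirects.
    Returns (status, Location header or None, body text)."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", f"/{ACME_DIR}/{token}", headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def classify(status, location, body, expected):
    """Map a raw response to one of the failure modes the thread describes."""
    if status == 200:
        return "ok" if body.strip() == expected else "wrong-content"
    if status in (301, 302, 303, 307, 308):
        if location and location.lower().startswith("https://"):
            return "redirected-to-https"
        return "redirected-elsewhere"
    if status == 404:
        return "not-found"
    if status in (401, 403):
        return "forbidden"
    return "other"  # e.g. the 400 seen in the thread


# Constructed (status, Location, body) tuples standing in for a live server.
SAMPLE_RESPONSES = {
    "healthy": (200, None, "probe-abc\n"),
    "forced-https": (301, "https://example.com/.well-known/acme-challenge/abc", ""),
    "bad-request-like-the-thread": (400, None, "<html>Bad Request</html>"),
    "wrong-webroot": (404, None, ""),
}


def self_check(expected="probe-abc"):
    """Classify every constructed sample; runs without any network."""
    return {name: classify(s, loc, body, expected)
            for name, (s, loc, body) in SAMPLE_RESPONSES.items()}


def main(argv):
    if len(argv) != 4:
        for name, verdict in self_check().items():
            print(f"{name:28s} -> {verdict}: {ADVICE[verdict]}")
        print(f"\nusage: {argv[0]} DOMAIN WEBROOT EXPECTED_IP   (live check)")
        return 0
    domain, webroot, expected_ip = argv[1:]
    # gethostbyname returns one A record; AAAA records are not checked here.
    resolved = socket.gethostbyname(domain)
    if resolved != expected_ip:
        print(f"DNS: {domain} resolves to {resolved}, expected {expected_ip}")
        return 1
    token = secrets.token_urlsafe(32)
    content = f"probe-{token}"
    probe = write_probe(webroot, token, content)
    try:
        status, location, body = fetch_plain_http(domain, token)
    finally:
        probe.unlink()
    verdict = classify(status, location, body, content)
    print(f"{challenge_url(domain, token)} -> {status} ({verdict})")
    print(ADVICE[verdict])
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the server that owns the webroot (for example `python3 probe.py sgres-ai.com /home/slab/public_html 141.136.47.74`, using the values from the logs above); a verdict other than `ok` points at which of the thread's two or three causes applies before another failed authorization is spent against the rate limit.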
