I’m having the following problem: when I try to install a SSL Certificate via Let’s Encrypt I get the following error:
mywebsite.com challenge did not pass: Invalid response from http://mywebsite.com/.well-known/acme-challenge/dliVUxI70M8nAmgaUduK0cCi7PSxOq-plNq5nAl0W4E: "
404 Not Found
I have two virtual servers installed; it does it for both sites. One already has an SSL certificate, but when I try to get a new certificate for it (just like for the other one) I get this error. If I remember correctly, I installed the SSL certificate when the PHP script execution mode was still set to Apache mod_php; however, I subsequently set it to FCGId.
I have tried to manually create a “.well-known/acme-challenge/” folder and placed an empty file inside - I can download it no problem.
Can anybody give me a clue how to fix this?
What solved the problem for me was installing certbot through the command line, following this tutorial (note it’s a Digital Ocean tutorial, but I’m on OVH, so it should be completely host agnostic). “sudo certbot” and choosing the sites I want to install certificate to did the job and that was literally it. It was shockingly easy for a CLI operation :).
Check the chmod settings on public_html; it's not able to create the folder and file for acme-challenge.
Try chmod -R ugo+rw public_html
Sorry, for the late reply - was away for a few days. Unfortunately, nothing changed. I even tried setting everything to 777, just to test it out, but the problem persisted.
My certificates have been renewing properly over the last year but my latest one is displaying the same error as yours. The challenges are being written to the acme-challenge directory and I can access the directory without difficulty. Not sure why the change unless some update has caused a problem.
- Operating system CentOS Linux 7.5.1804
- Webmin version 1.890
- Usermin version 1.741
- Virtualmin version 6.03
- Theme version Authentic Theme 19.19
- Firewall version ConfigServer Security & Firewall 12.06
Your PHP execution mode has no relation to this error.
You probably have a redirect or proxy rule happening that prevents access to the well-known directory. If you’ve got some sort of web app that sucks up all requests, check your .htaccess file. You probably need to exclude the .well-known directory from redirecting or proxying.
You can check this by simply trying to load that URL in your browser. You need to sort out why it’s a 404…it’s gotta be web server configuration, if the file exists.
Never set permissions to 777. If the owner:group is correct, and it is group readable (and group x all the way up the path, so Apache can see the directories), your permissions are fine.
But, this is definitely not a permissions problem. Permissions problem would be a 403 Forbidden error. 404 indicates something is making the path inaccessible in the configuration.
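The check described in the reply above (load the challenge URL yourself and read the status code) can be scripted so it runs the same way every time. The following is an added example, not code from the thread, from Virtualmin or from certbot; it writes a random token under a document root, fetches it over plain HTTP on port 80 (which is the only place http-01 is ever validated), and maps the status to the causes the thread distinguishes: 404 is a configuration problem (rewrite, redirect, proxy, wrong DocumentRoot or VirtualHost), 403 is a permissions problem. The hostname and document root are command-line arguments; the self-test serves a temporary directory with Python's own http.server so the demo runs offline.

```python
"""Reproduce the http-01 check by hand: drop a token file into
DOCROOT/.well-known/acme-challenge/, fetch it over plain HTTP and say what the
status implies. Added example, not certbot's or Virtualmin's code."""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify(status):
    """Map the status for the challenge URL to the likely cause, following the
    thread: 404 is configuration (rewrite/redirect/proxy/wrong vhost), 403 is
    permissions, None means nothing answered on port 80 at all."""
    if status is None:
        return "no HTTP response: DNS, firewall, or nothing listening on port 80"
    if status == 200:
        return "served"
    if status == 404:
        return "not found: rewrite/redirect/proxy rule, or wrong DocumentRoot/VirtualHost"
    if status == 403:
        return "forbidden: directory or file not readable by the web server user"
    if status in (301, 302, 307, 308):
        return "redirect: Let's Encrypt follows it, so check where it lands"
    return "unexpected status %s" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report redirects as their 30x status instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """Return (status, body); status is None when no HTTP reply came back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, (e.read() if e.fp is not None else b"")
    except urllib.error.URLError as e:
        return None, str(e.reason).encode()


def check_challenge_path(host, docroot, token=None):
    """Write a random token under docroot and fetch it at
    http://host/.well-known/acme-challenge/<token>. http-01 is validated over
    port 80, never over https, so that URL is the one that must work."""
    token = token or secrets.token_urlsafe(32)
    path = os.path.join(docroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(token)
    url = "http://%s/%s/%s" % (host, CHALLENGE_DIR, token)
    status, body = fetch(url)
    return {
        "url": url,
        "status": status,
        "verdict": classify(status),
        # the validator compares content too, so a rewritten or stale body fails
        "body_matches": status == 200 and body.decode(errors="replace") == token,
    }


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def selftest():
    """Run the check against a throwaway local server serving a temp docroot so
    the demo works offline: one good token, then a request for a missing one."""
    docroot = tempfile.mkdtemp()
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=docroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host = "127.0.0.1:%d" % srv.server_address[1]
    try:
        good = check_challenge_path(host, docroot)
        missing_status, _ = fetch("http://%s/%s/no-such-token" % (host, CHALLENGE_DIR))
        return good, classify(missing_status)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. python3 acme_check.py mywebsite.com /home/site/public_html
        print(check_challenge_path(sys.argv[1], sys.argv[2]))
    else:
        print(selftest())
```

Run it on the server itself as the domain owner, passing the hostname from the error and the site's public_html. A "served" verdict with body_matches true means the web server side is fine and the failure is elsewhere (DNS, firewall, or a different host answering for the name from the outside); a 404 means the request reached a vhost that does not serve that directory, which is where the rewrite and VirtualHost checks in this thread apply.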
I have had this problem in the past…I've unfortunately forgotten what the cause was.
I would check to ensure your web server's permissions to the directory in question are correct.
Has the directory outlined in the error above actually been created? If not then that may help in the problem solving process.
This may be a result of my inexperience, but can I throw it out there anyway…I note the URL in the error is http…shouldn't it be putting the challenge in https?
Have you opened port 443 for https? (Once again, I don't know what error this throws in terms of the acme challenge passing.)
Are you running nginx? Is it configured to use the same directory as lets encrypt?
These posts may be of help as it appears to throw same error as yours…
You’re not using Cloudflare are you?
I have the same problem: I can not install a new certificate with Let’s Encrypt.
I receive the same error:
Failed authorization procedure. www.reformascarlos.es (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.reformascarlos.es/.well-known/acme-challenge/hcEx3gC0a5TocAD4cnVOWD0qRMuPaub-RxUbDja_Zv8: "
404 Not Found
<p", reformascarlos.es (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reformascarlos.es/.well-known/acme-challenge/YjVWcCyk65qr6QZHHFUKiuxwXCsE0sndBxv-P3fkHd0: "
404 Not Found
I cannot access the new virtual server at http://reformascarlos.es; I get another virtual server that was configured previously.
When I access https://reformascarlos.es, it works fine.
Can anybody give me a clue how to fix this?
I'll answer myself.
This page is the solution:
It was a problem of misconfiguration of virtual server:
grep -i '<virtualhost' /etc/apache2/sites-enabled/*.conf
/etc/apache2/sites-enabled/reformascarlos.es.conf: VirtualHost 18.104.22.168:443
I think this page can help you:
I think it is a problem of misconfiguration of the virtual server.
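The grep in the post above shows the failure pattern: the site has a VirtualHost on :443 only, so a plain http://reformascarlos.es/ request is answered by whichever port-80 VirtualHost Apache picks first, and the challenge file is looked up in the wrong DocumentRoot. Here is an added example (not from the post, and not Virtualmin's code) that automates that check: it pulls every `<VirtualHost>` block out of the config text, collects ServerName/ServerAlias per port, and reports names that exist on :443 but have no :80 (or port-less) block. It uses regexes rather than Apache's real parser, so Include, Macro and conditional sections are not expanded; the sample config is constructed here and reuses the address from the post.

```python
"""Spot name-based virtual hosts that exist only on port 443, so http-01
requests for them fall through to another port-80 vhost. Added example, not
Virtualmin's code; regex-based, so Include/Macro/conditional blocks are not
expanded the way Apache itself would."""
import glob
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+?)[ \t]*$",
                     re.IGNORECASE | re.MULTILINE)
PORT_RE = re.compile(r":(\d+)$")


def _hostname(token):
    """Normalise 'https://Example.com:443' or 'example.com.' to 'example.com'."""
    token = re.sub(r"^[a-z]+://", "", token, flags=re.IGNORECASE)
    return token.split(":")[0].rstrip(".").lower()


def parse_vhosts(conf_text):
    """Return [(port, names), ...] for every <VirtualHost> block. port is '*'
    when the address carries none (Apache then matches every Listen port)."""
    out = []
    for addrs, body in VHOST_RE.findall(conf_text):
        names = set()
        for m in NAME_RE.finditer(body):
            names.update(_hostname(t) for t in m.group(1).split())
        for addr in addrs.split():
            m = PORT_RE.search(addr)
            out.append((m.group(1) if m else "*", names))
    return out


def https_only_names(conf_text):
    """Names that have a :443 vhost but no :80 (or port-less) vhost."""
    by_port = {}
    for port, names in parse_vhosts(conf_text):
        by_port.setdefault(port, set()).update(names)
    any_port = by_port.get("*", set())
    https = by_port.get("443", set()) | any_port
    http = by_port.get("80", set()) | any_port
    return sorted(https - http)


def audit_files(pattern="/etc/apache2/sites-enabled/*.conf"):
    """Same check over real config files (Debian/Ubuntu layout by default;
    CentOS keeps them under /etc/httpd/conf.d/*.conf)."""
    chunks = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as f:
            chunks.append(f.read())
    return https_only_names("".join(chunks))


# Constructed sample: one site on both ports, one (as in the post) on :443 only.
SAMPLE_CONF = """\
<VirtualHost 18.104.22.168:80 [2001:db8::1]:80>
    ServerName other.example
    ServerAlias www.other.example
    DocumentRoot /home/other/public_html
</VirtualHost>
<VirtualHost 18.104.22.168:443>
    ServerName other.example
    ServerAlias www.other.example
    SSLEngine on
</VirtualHost>
<VirtualHost 18.104.22.168:443>
    ServerName reformascarlos.es
    ServerAlias www.reformascarlos.es
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    print("https-only names in sample:", https_only_names(SAMPLE_CONF))
```

Any name this reports needs a port-80 `<VirtualHost>` with the same ServerName/ServerAlias and the same DocumentRoot (or at least one that serves `.well-known/acme-challenge/`); a redirect to https from that block is fine, since the validator follows redirects, as long as the https side then serves the file.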
fran: Thank you for the tip, but sadly this is not the problem in my case. The output seems to indicate everything is fine in that regard:
stanoam@vps548154:~$ grep -i '<virtualhost' /etc/apache2/sites-enabled/*.conf
**Freddy63**: No, it's an OVH VPS.
I see your DNS is properly configured and you have an active certificate for one domain which is expiring in 8 days.
I may be able to help you fix this. You can contact using link in the signature if you’re interested.
I finally figured out my problem after another of my domains updated successfully. Somehow I had managed to change the ownership of the acme-challenge directory of the problem account to root instead of the domain owner. After setting it back, the renewal updated as expected.
Hey, everybody. I think I finally solved the problem. I just installed certbot, had it set the certificate and… it just worked. It shows that my SSL Certificate will expire on December 5th, rather than September 11th, as it was. Honestly, I’ll just leave it at that for the moment and be content with it just working. One day, when I have more time, I might actually investigate what the problem was, but for now I’m just happy to have a valid certificate :). Thanks to everybody for the suggestions. Cheers.
In addition - I just met the same issue: a virtual host with Drupal 7 on it was not able to pass the acme challenge. After investigation I found out that it was because of the .htaccess file (so perhaps if you have a similar issue, even if not using Drupal, check that).
When creating certificates using LetsEncrypt, a folder called “.well-known” is created in the website's public folder (which is typically Drupal’s root folder).
The line RewriteRule "(^|/)\." - [F] in Drupal’s default .htaccess file specifically prohibits files and folders starting with dots from being accessed.
This causes LetsEncrypt to fail when issuing certificates and provide error messages about authorisation (403 Forbidden).
To fix that, this line in .htaccess needs to be replaced:
RewriteRule "(^|/)\." - [F]
with:
RewriteRule "(^|/)\.(?!well-known)" - [F]
This allows access to the .well-known folder but denies all other dot-paths.
After that fix certificate has been updated without any issues.
Joe, perhaps it would be worth adding a check in the script to see if there's a .htaccess restriction in place when creating the acme-challenge folder?
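To see exactly what the two rewrite patterns from the post above do, here is an added example (not from the post and not Drupal's code) that applies them to request paths the way mod_rewrite does in a per-directory (.htaccess) context: the pattern is searched, unanchored, against the path relative to that directory with no leading slash, and a match with `[F]` means a 403 (which is why this rule produces a 403 rather than the 404 the original poster saw). The dot is escaped as in Drupal's shipped .htaccess. The "tighter" variant is my own assumption, not part of the post: it exempts only an exact `.well-known/` segment, so a sibling like `.well-known-backup/` stays blocked. The sample paths are constructed, reusing the token from the first post.

```python
"""Apply Drupal's dot-path RewriteRule patterns to request paths the way
mod_rewrite does in a .htaccess (per-directory) context: an unanchored search
against the path relative to that directory, no leading slash, and a match with
[F] answers 403. Added example, not Drupal code."""
import re

ORIGINAL = r"(^|/)\."                  # RewriteRule "(^|/)\." - [F]   (Drupal 7 default)
FIXED = r"(^|/)\.(?!well-known)"       # the replacement from the post
# Assumed tighter variant (not from the post): only an exact ".well-known/"
# segment is exempt, so ".well-known-backup/" or ".well-knownx" stay blocked.
TIGHTER = r"(^|/)\.(?!well-known/)"

TOKEN = "dliVUxI70M8nAmgaUduK0cCi7PSxOq-plNq5nAl0W4E"   # token from the first post
SAMPLE_PATHS = [                                       # constructed request paths
    "index.php",
    ".htaccess",
    ".git/config",
    "sites/default/files/.htaccess",
    ".well-known/acme-challenge/" + TOKEN,
    ".well-known-backup/secret",
]


def blocked(pattern, path):
    """True if 'RewriteRule "<pattern>" - [F]' would answer 403 for this path."""
    return re.search(pattern, path) is not None


def evaluate(pattern, paths=SAMPLE_PATHS):
    """Map each path to whether the given pattern blocks it."""
    return {p: blocked(pattern, p) for p in paths}


def report(paths=SAMPLE_PATHS):
    """Side-by-side comparison as text lines; printed when run directly."""
    rules = [("original", ORIGINAL), ("fixed", FIXED), ("tighter", TIGHTER)]
    lines = ["%-72s %s" % ("path", " ".join("%-9s" % n for n, _ in rules))]
    for p in paths:
        cells = " ".join("%-9s" % ("403" if blocked(r, p) else "allowed") for _, r in rules)
        lines.append("%-72s %s" % (p, cells))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The comparison shows the trade-off: the original rule blocks the challenge path outright, the post's fix lets it through while still denying `.htaccess` and `.git/`, and the tighter lookahead closes the gap where any dot-directory whose name merely starts with `well-known` would also be exempt.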
I’m not trying to hijack the thread, but I’m commenting in case people come here because of the same problem in the future, in case it helps.
I also had the same problem as you guys, a letsencrypt unable to properly renew itself.
In my case, the only fix that worked was to basically delete every certificate-related file at the root of this virtualhost’s storage directory, ssl.ca, ssl.cert, ssl.combined, ssl.everything, ssl.key. Once the files were deleted (backup first!), virtualmin finally managed to properly set up letsencrypt.
Perhaps the permissions on those files were not right, but yes, good to add just in case.
We had a similar problem on one of our servers, which seemed a bit odd because we host many Drupal 7 sites. What stood out, and what was different about this server, was that the domain name, and the home directory and username, had a “.” (dot) in them. It was something like ourdomain.co.whatever. So then we renamed the domain to something temporary, like ourdomain1.co.whatever, and then we renamed it back. But when renaming it back we made sure that the three sections, namely:
- Administration username
- Home directory
- User name suffix and group
did not have a “.” (dot) in them anymore. Not really sure if the rename also maybe fixed some unknown permissions issue. But all good now; even with the original .htaccess the site is renewing.