November 4, 2020

LetsEncrypt error: Failed authorization procedure

eramba@eramba:/var/www/html/eramba_community$ **sudo certbot renew**
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/grc.kanetix.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for grc.kanetix.ca
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (xxx.xxx.xxx) from /etc/letsencrypt/renewal/xxx.xxx.xxx.conf produced an unexpected error: Failed authorization procedure. xxx.xxx.xxx (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://xxx.xxx.xxx/.well-known/acme-challenge/Zp4fhnw3VfvD_v3JOYriQ-hs3UwdzUift1q0CwwT4pY [0.0.0.0]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxx.xxx.xxx/fullchain.pem (failure)

Ran into an issue where the LetsEncrypt certbot didn't auto-renew the certificate.

Checked the apache2 access log:

sudo nano /var/log/apache2/access.log

I found entries of this type for the multiple LetsEncrypt IPs:

64.78.149.164 - - [04/Nov/2020:13:18:58 -0500] "GET /.well-known/acme-challenge/Zp4fhnw3VfvD_v3JOYriQ-hs3UwdzUift1q0CwwT4pY HTTP/1.1" 403 3789 "http://xxx.xxx.xxx/.well-known/acme-challenge/Zp4fhnw3VfvD_v3JOYriQ-hs3UwdzUift1q0CwwT4pY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Assuming all other firewall configuration is already correct, make sure the /.well-known/ path is excluded from the rewrite rule in the .htaccess file (the 403 above is the rewrite catching the challenge request):

# %{REQUEST_URI} starts with a slash, so the exclusion must anchor on "/.well-known/";
# a RewriteCond only guards the RewriteRule that immediately follows it.
RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$

Reload apache2:

sudo systemctl reload apache2
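As an added example (not part of the original post), a small Python parser that performs the access-log check above programmatically: it picks out the Let's Encrypt validator's requests to /.well-known/acme-challenge/ and reports any that did not get a 200, which is what a rewrite rule swallowing the challenge path looks like before the renewal fails. Apart from the log line quoted above, the sample lines, documentation IP addresses and tokens are constructed for this example.

```python
import re
from collections import Counter

# Apache "combined" log format, as found in /var/log/apache2/access.log:
# host ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ACME_PREFIX = "/.well-known/acme-challenge/"
VALIDATOR_MARK = "Let's Encrypt validation server"  # substring of the validator's User-Agent

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def validator_probes(lines):
    """Yield parsed entries where the Let's Encrypt validator fetched an http-01 token."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(ACME_PREFIX) and VALIDATOR_MARK in rec["agent"]:
            yield rec

def acme_failures(lines):
    """(ip, status, token) for every validator probe not answered with 200.
    A 403 here is the signature of a rewrite or Deny rule catching /.well-known/."""
    return [(r["ip"], int(r["status"]), r["path"][len(ACME_PREFIX):])
            for r in validator_probes(lines) if r["status"] != "200"]

def status_histogram(lines):
    """Count validator probes per HTTP status, e.g. {403: 2, 200: 1}."""
    return dict(Counter(int(r["status"]) for r in validator_probes(lines)))

# Constructed sample: the first line is the one quoted in the post; the others are made up
# for this example (203.0.113.x / 198.51.100.x / 192.0.2.x are documentation addresses).
SAMPLE_LOG = """\
64.78.149.164 - - [04/Nov/2020:13:18:58 -0500] "GET /.well-known/acme-challenge/Zp4fhnw3VfvD_v3JOYriQ-hs3UwdzUift1q0CwwT4pY HTTP/1.1" 403 3789 "http://xxx.xxx.xxx/.well-known/acme-challenge/Zp4fhnw3VfvD_v3JOYriQ-hs3UwdzUift1q0CwwT4pY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [04/Nov/2020:13:18:59 -0500] "GET /.well-known/acme-challenge/constructedTOKEN0001 HTTP/1.1" 403 3789 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.23 - - [04/Nov/2020:13:19:02 -0500] "GET /.well-known/acme-challenge/constructedTOKEN0001 HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.7 - - [04/Nov/2020:14:02:10 -0500] "GET /.well-known/acme-challenge/constructedTOKEN0002 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [04/Nov/2020:14:03:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, status, token in acme_failures(SAMPLE_LOG):
        print(f"validator from {ip} got HTTP {status} for token {token}")
    print("probes by status:", status_histogram(SAMPLE_LOG))
```

Run it against the real log with `acme_failures(open("/var/log/apache2/access.log"))` after reloading apache2; an empty list means the challenge path is reachable again.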