
Forwarded to devs Let's Encrypt certificate renewal fails with "Authorization for the domain failed"

jradzuweit

Basic Pleskian
TITLE:
Let's Encrypt certificate renewal fails with "Authorization for the domain failed"
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Operating System : Ubuntu 14.04.5 LTS
Product Plesk Onyx
Version 17.5.3 Update #35

Let's Encrypt Version: 2.5.0-270
PROBLEM DESCRIPTION:
When I try to renew the certificate it fails with the following message:

Fehler: Could not issue a Let's Encrypt SSL/TLS certificate for wiki.jarf.de. Authorization for the domain failed.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/z_gP_-vJlu1nz7MfvGw8kAonvBaUc7wjclSJVT49nq4.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching https://wiki.jarf.de.well-known/acme-challenge/JApsBB8e33L94GbePxJVV6lI3MjizftnsPceoGxkRCE: Error getting validation data


In the Detail you can see that the URL is wrong, there should be a "/" between ".de" and ".well-known"

It seems that additional commands for Apache cause the problem, because I had the following statement in the additional commands section for HTTP:

Code:
Redirect permanent / https://wiki.jarf.de

After removing it and trying to renew the certificate, it works fine.

Other commands in the HTTPS section seem to cause similar problems, e.g.
Code:
<IfModule mod_headers.c>
   Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>
STEPS TO REPRODUCE:
Go to the Let's Encrypt extension for a domain and press the renewal button.
ACTUAL RESULT:
Renewal fails, see description
EXPECTED RESULT:
Renewal will be successful
ANY ADDITIONAL INFORMATION:
see description
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
I get the same issue on Plesk 17.8.8 with Windows Server 2016 Standard, when securing the Plesk panel and on the first created domain. For two other domains I created later, I successfully added a certificate with Let's Encrypt. For the Plesk panel, the folder .well-known is created on the Default site in IIS. The folder .well-known is also created for the first created domain in the root folder httpdocs. The website is reachable and functional.
 
1. The issue with redirects is well known and is not recognized as a bug; that is by Let's Encrypt design.
Rewrite rules made by the customer make LE unable to access the required files from the subscription.

The solution indeed is to temporarily disable the rewrite rules.

2. You also have set

Code:
<IfModule mod_headers.c>
   Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

"HTTP Strict Transport Security" feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

So the root cause here is the same: the Let's Encrypt server is unable to connect to the website using HTTP.

Here are also some articles regarding this issue which might be useful for you:
Unable to renew Let's Encrypt certificate: The token file is either unreadable or does not have the read permission
Unable to install a Let's Encrypt certificate: Authorization for the domain failed
Cannot install Let's Encrypt certificate: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Failed authorization procedure. 404
 
Please note that Redirect takes everything after the / from the request and appends it to the redirect target. This won't work with any deep http links because they will all miss the / after the host name. Either append / to your redirect target (https://wiki.jarf.de/), which would also solve your problem with LE, or use RedirectMatch or the more flexible RewriteRule to redirect to your main page and remember to add an exception for the .well-known directory.
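
The Redirect behaviour described in the last reply, as an added example that is not part of the thread: a simplified Python model of mod_alias `Redirect` and `RedirectMatch` that reproduces the malformed challenge URL from the error message and checks the two suggested fixes. The function names, the `TOKEN` placeholder and the `RedirectMatch` pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

ACME_PROBE = "/.well-known/acme-challenge/TOKEN"  # constructed placeholder token


def redirect_location(url_path, target, request_path):
    """Simplified model of mod_alias Redirect: whatever follows the matched
    URL-path in the request is appended to the target verbatim."""
    if url_path.endswith("/"):
        matched = request_path.startswith(url_path)
    else:
        matched = request_path == url_path or request_path.startswith(url_path + "/")
    return target + request_path[len(url_path):] if matched else None


def redirectmatch_location(pattern, target, request_path):
    """Simplified model of RedirectMatch: unanchored regex, $N back-references."""
    m = re.search(pattern, request_path)
    if m is None:
        return None  # no redirect: Apache serves the file itself
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", target)


def classify(location, expected_host, request_path=ACME_PROBE):
    """What an HTTP-01 validator meets when it requests request_path."""
    if location is None:
        return "served-directly"
    parts = urlsplit(location)
    if parts.hostname != expected_host:
        return "broken-host"
    return "ok" if parts.path == request_path else "path-changed"


if __name__ == "__main__":
    host = "wiki.jarf.de"
    exempt = r"^/(?!\.well-known/)(.*)$"  # assumed pattern exempting .well-known
    checks = [
        ("Redirect permanent / https://wiki.jarf.de",
         redirect_location("/", "https://wiki.jarf.de", ACME_PROBE)),
        ("Redirect permanent / https://wiki.jarf.de/",
         redirect_location("/", "https://wiki.jarf.de/", ACME_PROBE)),
        ("RedirectMatch permanent " + exempt + " https://wiki.jarf.de/$1",
         redirectmatch_location(exempt, "https://wiki.jarf.de/$1", ACME_PROBE)),
    ]
    for directive, location in checks:
        print(f"{classify(location, host):16} {location}  <- {directive}")
```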
 