Let’s Encrypt Unauthorized Error when Renewing Certificate

February 23, 2019 • 1 min read

I just had a few websites fail to update their Let’s Encrypt certificates and was unable to find a solution to the issue online. Seems like most people were suggesting the DNS A or AAAA record was incorrect. But for me, this was definitely not the issue.

The error the Let’s Encrypt update process was returning was something like this:

```text
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced
an unexpected error: Failed authorization procedure. example.com (http-01):
urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization ::
Invalid response from http://www.example.com/.well-known/acme-challenge/Ay43Tfxt14_2JYcqWs1a8vfBwdxN71Og8JaKC3De1gQ
```

The issue turned out to be caused by the site’s Apache config file, specifically the one that Let’s Encrypt automatically generates when the certificate is first set up (/etc/apache2/sites-enabled/example.com-le-ssl.conf).

How to actually fix the issue

The config had two VirtualHost sections, one for port 443 and one for port 80, but it should only contain the one for port 443. With two port-80 VirtualHosts defined for the same name, Apache serves the http-01 challenge request from whichever one it matches first, which is why the validator received an unexpected response for the /.well-known/acme-challenge/ URL.

  1. Remove the VirtualHost for port 80 from the /etc/apache2/sites-enabled/example.com-le-ssl.conf file, i.e. the block that looks like this:

     ```apache
     <IfModule mod_ssl.c>
     <VirtualHost *:80>
     ....
     </VirtualHost>
     </IfModule>
     ```

  2. Run `apachectl configtest` to validate that the Apache config is OK.
  3. Restart Apache: `service apache2 restart`
  4. Renew the certificates: `certbot renew`
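The four steps above as one script, added here as an example and not part of the original post: it detects the stray port-80 VirtualHost in a certbot-generated -le-ssl.conf, strips that block while leaving the port-443 block untouched, and only then runs the configtest, restart and renew commands. The sample config it operates on is constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): strip the stray port-80
# VirtualHost from a certbot-generated *-le-ssl.conf, then run the
# configtest / restart / renew steps listed above. The sample config and
# the function names are constructed for this illustration.

# Print the config with every <VirtualHost ...:80> ... </VirtualHost> block
# removed. Everything else, including the port-443 block and the enclosing
# <IfModule mod_ssl.c>, passes through untouched.
strip_port80_vhost() {
    awk '
        /^[ \t]*<VirtualHost[^>]*:80[ \t]*>/ { skip = 1 }
        skip == 0 { print }
        skip == 1 && /^[ \t]*<\/VirtualHost>/ { skip = 0 }
    ' "$1"
}

# Exit status 0 if the file still contains a port-80 VirtualHost.
has_port80_vhost() {
    grep -qiE '^[[:space:]]*<VirtualHost[^>]*:80[[:space:]]*>' "$1"
}

# Number of VirtualHost blocks in the file (a fixed -le-ssl.conf has exactly one).
count_vhosts() {
    grep -ciE '^[[:space:]]*<VirtualHost' "$1" || true
}

# Apply the fix in place (keeping a .bak copy) and run the remaining steps
# from the post. Needs root and working apachectl/certbot binaries, so it is
# only defined here, not called.
fix_and_renew() {
    conf="$1"
    if has_port80_vhost "$conf"; then
        cp "$conf" "$conf.bak"
        strip_port80_vhost "$conf.bak" > "$conf"
        echo "removed port-80 VirtualHost from $conf (backup in $conf.bak)"
    fi
    apachectl configtest && service apache2 restart && certbot renew
}

# Constructed sample of a broken example.com-le-ssl.conf containing both blocks.
SAMPLE_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
</IfModule>
EOF

# Dry run on the sample: the port-80 block disappears, the 443 block stays.
strip_port80_vhost "$SAMPLE_CONF" > "$FIXED_CONF"
echo "before: $(count_vhosts "$SAMPLE_CONF") VirtualHost block(s), after: $(count_vhosts "$FIXED_CONF")"
cat "$FIXED_CONF"
```

On a real server the call is `fix_and_renew /etc/apache2/sites-enabled/example.com-le-ssl.conf`, run as root. Review the .bak copy against the result before trusting it: if the port-80 VirtualHost was wrapped in its own `<IfModule mod_ssl.c>` block, as in the snippet above, the empty wrapper is left behind, which `apachectl configtest` accepts but you may want to delete by hand.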

Hopefully, this helps save someone a few hours of Googling.