When I try to execute the command to add a Let's Encrypt SSL certificate for the following, I am getting an error. Could you please help me to correct the issue?

Command run on the server to activate the Let's Encrypt SSL certificate:

sudo certbot run -a webroot -i apache -w /var/www/html -d service.domain1.com --debug-challenges

Error message

Invalid response from
http://service.domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg
[35.186.238.101]: "<!doctype html><html lang=\"en\"><head><meta
http-equiv=\"content-type\"
content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"

Here I am including the full message after running the command:

ubuntu@ip-10-0-0-55:~$ sudo certbot run -a webroot -i apache -w /var/www/html -d service.domain1.com --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for service.domain1.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. service.domain1.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://service.domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg [35.186.238.101]: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: service.domain1.com
   Type:   unauthorized
   Detail: Invalid response from
   http://service.domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg
   [35.186.238.101]: "<!doctype html><html lang=\"en\"><head><meta
   http-equiv=\"content-type\"
   content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
TryingMahBest On

"To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address."

I'd say you haven't got the right DNS settings added for your domain. It will have given you some A records to add and which IP to point them to.

What you can do is get a copy of acme-dns-certbot:

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Once downloaded, make the script executable:

chmod +x acme-dns-auth.py

Change the first line of the script to use python3:

nano acme-dns-auth.py

#!/usr/bin/env python3

Finally, move the script into the Certbot Let’s Encrypt directory so that Certbot can load it:

sudo mv acme-dns-auth.py /etc/letsencrypt/

Now run Certbot and force it to issue a certificate using DNS validation. This will run the acme-dns-certbot script and trigger the initial setup process:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.your-domain -d your-domain

You use the --manual argument to disable all of the automated integration features of Certbot. In this case you’re just issuing a raw certificate, rather than automatically installing it on a service as well.

You configure Certbot to use the acme-dns-certbot hook via the --manual-auth-hook argument. You run the --preferred-challenges argument so that Certbot will give preference to DNS validation.

You must also tell Certbot to pause before attempting to validate the certificate, which you do with the --debug-challenges argument. This is to allow you to set the DNS CNAME record(s) required by acme-dns-certbot, which is covered later in this step. Without the --debug-challenges argument, Certbot wouldn’t pause, so you wouldn’t have time to make the required DNS change.

Remember to substitute each of the domain names that you wish to use using -d arguments. If you want to issue a wildcard certificate, make sure to escape the asterisk (*) with a backslash (\).

After this has been done you should see a message similar to the following:

...
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.your-domain CNAME a15ce5b2-f170-4c91-97bf-09a5764a88f6.auth.acme-dns.io.

Waiting for verification...
...

Add the DNS setting into your domain and then continue and you should be good to go and see the following:

...
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain/privkey.pem
...
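A pre-flight check for both validation paths discussed in this thread (an added example, not code from the answer or from acme-dns-certbot): it rehearses the http-01 fetch that failed in the question, so you can see whether the challenge URL serves the token or an HTML page before submitting to the CA, and it verifies the acme-dns CNAME before you press Enter at the --debug-challenges pause. It assumes dig and curl are installed; the api.ipify.org lookup is an assumed way of learning the host's public address (needed on EC2, where the public IP is not bound to the interface).

```shell
#!/usr/bin/env bash
# Pre-flight checks for certbot http-01 and dns-01 validation. Added example,
# not part of the original answer. Assumes dig and curl are installed; the
# ipify lookup is an assumption (any "what is my public IP" service works).
set -u

# Classify what a /.well-known/acme-challenge/ URL actually returned.
# Prints ok | html-page | empty | mismatch. No network, so it is testable
# offline; preflight_http01 feeds it the real response body.
classify_challenge_body() {
  expected="$1"; body="$2"
  if [ "$body" = "$expected" ]; then echo ok; return 0; fi
  if [ -z "$body" ]; then echo empty; return 1; fi
  case "$body" in
    '<!doctype'*|'<!DOCTYPE'*|'<html'*|'<HTML'*) echo html-page; return 1 ;;
  esac
  echo mismatch; return 1
}

# The A record the CA will follow must be the address this host answers on.
compare_dns_to_host() {
  [ "$1" = "$2" ] && { echo ok; return 0; }
  echo "dns-mismatch: A=$1 host=$2"; return 1
}

# http-01 rehearsal: drop a probe file where certbot's webroot plugin would,
# fetch it through the public name, and classify the answer.
preflight_http01() {
  domain="$1"; webroot="$2"
  dir="$webroot/.well-known/acme-challenge"
  probe="preflight-$(date +%s)"
  mkdir -p "$dir" && printf '%s' "$probe" > "$dir/$probe" || return 2
  body=$(curl -sS -L --max-time 10 "http://$domain/.well-known/acme-challenge/$probe")
  rm -f "$dir/$probe"
  a_record=$(dig +short A "$domain" | tail -n1)
  public_ip=$(curl -sS --max-time 10 https://api.ipify.org)   # assumption
  compare_dns_to_host "$a_record" "$public_ip"
  classify_challenge_body "$probe" "$body"
}

# dns-01 path: confirm the CNAME acme-dns asked for is live before pressing
# Enter at the --debug-challenges pause. $2 is the target certbot printed.
check_acme_dns_cname() {
  target=$(dig +short CNAME "_acme-challenge.$1" | tail -n1)
  [ "$target" = "$2" ] && { echo ok; return 0; }
  echo "cname-missing-or-wrong: got '$target'"; return 1
}

# usage on the web host: preflight_http01 service.domain1.com /var/www/html
```

If preflight_http01 reports html-page, the name resolves to a server (or virtual host) that is not serving /var/www/html, which is exactly what the error in the question shows.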