Failed to secure jitsi server using Letsencrypt - Already has an A record and right IP Address


#1

Good day masters! We are trying to secure our jitsi server using Letsencrypt, however, we always receive an error.

The error was "Failed authorization procedure … :: The client lacks sufficient authorization :: Invalid response … "

The suggested fix is “To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.”, but we have already set up an A record at our nameserver (cloud/3rd party, which lets us open our jitsi via its FQDN) pointing to our jitsi server's valid IP address, which we can open as well. Not sure what the problem could be, but we can open our jitsi from the internet (not secure).

Already enabled ufw, allowed 80 and 443, and edited DEFAULT_FORWARD_POLICY="ACCEPT".

Webserver: Apache
OS/Server: Debian

Thanks!


#2

Have you got a domain name pointed to your IP address? Let's Encrypt usually shows "Invalid response" when the domain name doesn't exist.


#3

Yes, we do have a domain name and it is pointed to our IP address.


#4

Can you just upload a screenshot of the error?


#6

Here is the screenshot of the error.


#7

OK… this problem is different from mine. I rarely got this message; it happened to me once when I made a directory in the /var/www/html/.well-known/acme-challenge/ folder.
Have you tried making changes in the Apache config and accessing a sample file from https://yourdomain.com/.well-known/acme-challenge/sample.file?


#8

Is it like this? I tried creating .well-known/acme-challenge in /usr/share/jitsi-meet and added a test file inside the acme-challenge directory,

and also added this to our .conf file:

<VirtualHost *:80>
    ServerName video.onesolutions.net
    # Assumed to match where the test file was placed in this post
    DocumentRoot /usr/share/jitsi-meet

    # Apache 2.4 syntax; AllowOverride is only valid inside <Directory>
    <Location /.well-known/acme-challenge/>
        Options None
        Require all granted
    </Location>

    # A bare "Redirect permanent /" (mod_alias) also catches the challenge path,
    # so the HTTPS redirect is done with mod_rewrite and an exclusion instead
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

#9

sudo su -

mkdir -p /var/www/html/.well-known/acme-challenge/

echo -n "Test file for checking an access" > /var/www/html/.well-known/acme-challenge/test

and then check whether you can reach the destination http://yourdomain.com/.well-known/acme-challenge/test
But as far as I can see, you are reaching the destination but getting an invalid response. I think this is a secondary issue, different from mine. Several users have commented that an AAAA record causes this problem - https://community.letsencrypt.org/t/404-not-found-urn-acme-error-unauthorized/52483 & https://community.letsencrypt.org/t/invalid-response-on-acme-challenge-but-can-access-files-in-the-directory/69108/11

You can check whether an IPv6 AAAA record exists. If yes, simply remove it from the DNS records and then check again.
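An added example (written for this edit; not code from the thread, from Jitsi, or from Let's Encrypt) that turns the advice in the replies above into a local preflight: it writes a token file under .well-known/acme-challenge/ in a webroot, serves it over plain HTTP with a handler that redirects every other path to HTTPS (what the Apache vhost in this thread is meant to do), fetches it the way the validator does, and flags the DNS problems named here (missing or wrong A record, stray AAAA record). It goes one step beyond the plain test file by computing the key-authorization body the validator actually compares against (RFC 8555 section 8.1, RFC 7638 thumbprint). The host name video.example.test, the addresses 203.0.113.10 and 2001:db8::1, the token and the JWK are constructed placeholders; swap in the real FQDN, the `dig +short` output and the real webroot.

```python
"""Preflight for a Let's Encrypt HTTP-01 challenge (added example, constructed inputs)."""
import base64
import functools
import hashlib
import http.client
import http.server
import json
import os
import tempfile
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
HOST = "video.example.test"  # constructed; stands in for the real FQDN


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """Response body the validator expects: token "." base64url(SHA-256(canonical JWK)).
    RFC 7638 canonical form: required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return token + "." + b64url(hashlib.sha256(canonical.encode()).digest())


def check_dns(records: dict, expected_ip: str) -> list:
    """Return the DNS problems the replies point at.  `records` is
    {"A": [...], "AAAA": [...]}; constructed here, in practice fill it from
    `dig +short A <fqdn>` / `dig +short AAAA <fqdn>` against a public resolver."""
    problems = []
    a = records.get("A", [])
    if not a:
        problems.append("no A record")
    elif expected_ip not in a:
        problems.append("A record %s does not contain %s" % (a, expected_ip))
    if records.get("AAAA"):
        # Let's Encrypt tries IPv6 first when an AAAA exists and only falls back
        # to IPv4 on a connection failure, not on a 404 from the wrong host.
        problems.append("AAAA record %s present: validator will use IPv6 first"
                        % records["AAAA"])
    return problems


class ChallengeHandler(http.server.SimpleHTTPRequestHandler):
    """Serve the challenge path from the webroot; redirect everything else to HTTPS."""

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            return super().do_GET()
        self.send_response(301)
        self.send_header("Location", "https://%s%s" % (self.headers.get("Host", HOST), self.path))
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def get(port: int, path: str) -> tuple:
    """One plain-HTTP GET carrying the real Host header, as the validator sends it."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": HOST})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def probe(webroot: str, token: str, key_auth: str) -> dict:
    """Publish the token file, fetch it over HTTP like the validator would, and
    confirm a non-challenge path still gets the HTTPS redirect."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    with open(os.path.join(chal_dir, token), "w") as f:
        f.write(key_auth)
    handler = functools.partial(ChallengeHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        status, _, body = get(port, CHALLENGE_PREFIX + token)
        redirect_status, location, _ = get(port, "/")
    finally:
        server.shutdown()
        server.server_close()
    return {"challenge_status": status, "challenge_ok": status == 200 and body == key_auth,
            "redirect_status": redirect_status, "redirect_location": location}


def run_demo() -> dict:
    """Constructed inputs; put the real server IP, resolver output and webroot here."""
    token = "DGyRejmCefe7v4NfDGDKfA"                          # constructed token
    jwk = {"kty": "RSA", "e": "AQAB", "n": "sXch" + "A" * 40}  # constructed, not a real key
    key_auth = key_authorization(token, jwk)
    with tempfile.TemporaryDirectory() as webroot:
        http_result = probe(webroot, token, key_auth)
    return {"dns_ok": check_dns({"A": ["203.0.113.10"]}, "203.0.113.10"),
            "dns_with_aaaa": check_dns({"A": ["203.0.113.10"], "AAAA": ["2001:db8::1"]},
                                       "203.0.113.10"),
            "http": http_result}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it on the server itself first; then repeat the `get` step from a host outside your network against port 80 of the public address, because the validator connects from outside and a router without the port forward, or an AAAA record pointing elsewhere, looks identical to a broken vhost from the inside.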


#10

Thanks, going to try this one and will report the output.


#11

I could access .well-known/acme-challenge/test; however, it was placed in /usr/share/jitsi-meet/ and the URL must have https://. On the other hand, I couldn't access the .well-known/acme-challenge/test that was placed inside the /var/www/html directory.

Also, we don't have any AAAA entry in our DNS for our jitsi server, only the A record that was pointed.


#12

Let me check on this. I think the jitsi installation path or DNS is the problem we are facing. I will try manually with certbot and let you confirm shortly. If there's no problem detected with the manual operation, the auto script will be edited first. I haven't tried installing manually, so let me debug the problem while the community provides a permanent solution for this. In my case I am unable to access the location in the auto installation. Are you on GoDaddy?


#13

I have now been able to create a certificate and it is validating. Please check your router settings and open port forwarding for TCP 80 and 443. Now make a redirection from http://yourdomain.com to https://yourdomain.com so that whenever you type http://yourdomain.com, it redirects and opens only https://yourdomain.com. Now create the folder .well-known/acme-challenge to ensure that it exists. Now generate the certificate with the HTTP challenge: when it tries accessing your http://yourdomain.com, it redirects to https://yourdomain.com, looks for the .well-known/acme-challenge path and finds its location.


Try these simple steps and let me know.