dlapiduz / certbot-s3front

Certbot CLI plugin for S3/CloudFront validation and installation
MIT License

Cannot renew "AuthorizationError: Incomplete authorizations" #61

Closed flyingsky closed 6 years ago

flyingsky commented 6 years ago

Verbose log as below, any idea?

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator certbot-s3front:auth and installer certbot-s3front:installer
Single candidate plugin: certbot-s3front:installer
Description: S3/CloudFront Installer
Interfaces: IInstaller, IPlugin
Entry point: installer = certbot_s3front.installer:Installer
Initialized: <certbot_s3front.installer.Installer object at 0x10bd31310>
Prep: True
Single candidate plugin: certbot-s3front:auth
Description: S3/CloudFront Authenticator
Interfaces: IAuthenticator, IPlugin
Entry point: auth = certbot_s3front.authenticator:Authenticator
Initialized: <certbot_s3front.authenticator.Authenticator object at 0x10b5ef690>
Prep: True
Selected authenticator <certbot_s3front.authenticator.Authenticator object at 0x10b5ef690> and installer <certbot_s3front.installer.Installer object at 0x10bd31310>
Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:teeterpaldev@gmail.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x10bd31610>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/19021102', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), ddd80b403fe56d9116cbc2e8cfdece4f, Meta(creation_host=u'lianmeng-C02SG119G8WL', creation_dt=datetime.datetime(2017, 7, 22, 0, 11, 56, tzinfo=)))>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: y_yyjW5RBDgqTlp-KoigRtw9_viNVIAslaYQV61Wpxs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 11 Oct 2017 03:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 11 Oct 2017 03:36:44 GMT
Connection: keep-alive

{ "estrD8o6IDg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" }
Auto-renewal forced with --force-renewal...
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: TTM7V7GtUWxFQSrFiiVoRkPPiwnEPbWD68EjTseI7H0
Expires: Wed, 11 Oct 2017 03:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 11 Oct 2017 03:36:44 GMT
Connection: keep-alive

Storing nonce: TTM7V7GtUWxFQSrFiiVoRkPPiwnEPbWD68EjTseI7H0
JWS payload: { "identifier": { "type": "dns", "value": "www.teeterpal.com" }, "resource": "new-authz" }
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{ "protected": "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", "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid3d3LnRlZXRlcnBhbC5jb20iCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ", "signature": "r1z1_m1coifKwapey0fmcb3LXWm68r1wmyYQr3kgRQDs9FndgG5CYvPOSW4adZqdvfOvzW9QqF8Dw6wRSwbnpD9FWw6px4MeIC1uuW_us0YcWXHn_V9MxM-c6Nz0udA1QGnujF8igv9JPsb3ZS7i_rdLjIztdbM801NiuaH6cWuUj6oy_m8auxBp-OMtiiXNNZV1zP9hpfbLV-j5_p5PwpA-LkFNKTa4QWPuiYhJd93Lz2Frcw_nAAlpmRbAprG07Elio1kD8SgthAm6Hy0SDQCXYZUWYgk2CsW53-ez672UoVt2GzjUTVwlhbhE1sogglys1WGxzutpxWoQDXXAxA" }
https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 995
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 995
Boulder-Requester: 19021102
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ
Replay-Nonce: l7VPBR1kM8h_DKtQuqa0r4_irWEbAYpDYKIc9v4S0_4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 11 Oct 2017 03:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 11 Oct 2017 03:36:44 GMT
Connection: keep-alive

{ "identifier": { "type": "dns", "value": "www.teeterpal.com" }, "status": "pending", "expires": "2017-10-18T02:27:07Z", "challenges": [ { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ/2177779021", "token": "hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0" }, { "type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ/2177779022", "token": "6YInFDE_3T9wPc469voVfOsJXIoiq0StMUJcXDTtxXs" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/a0Cqu5YJ79VUry79yYZknQXZz9xzZx8OWiXsdSYuBIQ/2177779023", "token": "oEs6huDhSoA78D_5u1Uy3XUXHkKf0fjTRUDHmtTngkQ" } ], "combinations": [ [ 1 ], [ 2 ], [ 0 ] ] }
Storing nonce: l7VPBR1kM8h_DKtQuqa0r4_irWEbAYpDYKIc9v4S0_4
Performing the following challenges:
http-01 challenge for www.teeterpal.com
Loading JSON file: /usr/local/lib/python2.7/site-packages/boto3/data/s3/2006-03-01/resources-1.json
Looking for credentials via: env
Found credentials in environment variables.
Loading JSON file: /Users/lianmeng/Library/Python/2.7/lib/python/site-packages/botocore/data/endpoints.json
Loading JSON file: /Users/lianmeng/Library/Python/2.7/lib/python/site-packages/botocore/data/s3/2006-03-01/service-2.json
Loading JSON file: /Users/lianmeng/Library/Python/2.7/lib/python/site-packages/botocore/data/_retry.json
Registering retry handlers for service: s3
Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x10bc97938>
Event creating-client-class.s3: calling handler <function _handler at 0x10be86578>
Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x10bc97758>
The s3 config key is not a dictionary type, ignoring its value of: None
Setting s3 timeout as (60, 60)
Defaulting to S3 virtual host style addressing with path style addressing fallback.
Loading s3:s3
Loading s3:Bucket
Renaming Bucket attribute name
Event creating-resource-class.s3.Bucket: calling handler <function _handler at 0x10be866e0>
Calling s3:put_object with {'Body': u'hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0.Yk2mV5X9pgphhnYd_OkD8G56Z7WH6Wn2mvuO8aeUFdw', u'Bucket': 'www.teeterpal.com', 'Key': u'.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'ACL': 'public-read'}
Event before-parameter-build.s3.PutObject: calling handler <function validate_ascii_metadata at 0x10bccb2a8>
Event before-parameter-build.s3.PutObject: calling handler <function sse_md5 at 0x10bcc97d0>
Event before-parameter-build.s3.PutObject: calling handler <function convert_body_to_file_like_object at 0x10bccb8c0>
Event before-parameter-build.s3.PutObject: calling handler <function validate_bucket_name at 0x10bcc9758>
Event before-parameter-build.s3.PutObject: calling handler <bound method S3RegionRedirector.redirect_from_cache of <botocore.utils.S3RegionRedirector object at 0x10d4b3510>>
Event before-parameter-build.s3.PutObject: calling handler <function generate_idempotent_uuid at 0x10bcc9410>
Event before-call.s3.PutObject: calling handler <function conditionally_calculate_md5 at 0x10bcc96e0>
Event before-call.s3.PutObject: calling handler <function add_expect_header at 0x10bcc9b90>
Adding expect 100 continue header to request.
Event before-call.s3.PutObject: calling handler <bound method S3RegionRedirector.set_request_url of <botocore.utils.S3RegionRedirector object at 0x10d4b3510>>
Making request for OperationModel(name=PutObject) (verify_ssl=True) with params: {'body': <StringIO.StringIO instance at 0x10d519f80>, 'url': u'https://s3.amazonaws.com/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'headers': {'Content-MD5': u'bdmzmLm1jdGZmU3d8KMvtQ==', 'Expect': '100-continue', u'x-amz-acl': 'public-read', 'User-Agent': 'Boto3/1.4.4 Python/2.7.13 Darwin/16.0.0 Botocore/1.5.77 Resource'}, 'context': {'auth_type': None, 'client_region': 'us-east-1', 'signing': {'bucket': 'www.teeterpal.com'}, 'has_streaming_input': True, 'client_config': <botocore.config.Config object at 0x10d4b31d0>}, 'query_string': {}, 'url_path': u'/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'method': u'PUT'}
Event request-created.s3.PutObject: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10d431110>>
Event choose-signer.s3.PutObject: calling handler <bound method ClientCreator._default_s3_presign_to_sigv2 of <botocore.client.ClientCreator object at 0x10bfa7310>>
Event choose-signer.s3.PutObject: calling handler <function set_operation_specific_signer at 0x10bcc9320>
Event before-sign.s3.PutObject: calling handler <function fix_s3_host at 0x10bba69b0>
Calculating signature using v4 auth.
CanonicalRequest:
PUT
/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0

content-md5:bdmzmLm1jdGZmU3d8KMvtQ==
host:s3.amazonaws.com
x-amz-acl:public-read
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20171011T033644Z

content-md5;host;x-amz-acl;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD
StringToSign:
AWS4-HMAC-SHA256
20171011T033644Z
20171011/us-east-1/s3/aws4_request
482b5ea234dcf27cc9b4fa75b7cce9216e275d57808a6f924f2b32e8d64e9396
Signature: 83c4bceb84f59e021553ec896d4df1667d81f71a3daccc34e5099cfb96d3ae15
Sending http request: <PreparedRequest [PUT]>
Starting new HTTPS connection (1): s3.amazonaws.com
Waiting for 100 Continue response.
100 Continue response seen, now sending request body.
"PUT /www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0 HTTP/1.1" 200 0
Response headers: {'content-length': '0', 'x-amz-id-2': 'CFdFZP/dwiEANPa2BRfDkWTa61soKlqCH/kgIPRNnOvnszf3/Am8sYyJTxtWZ/CogNsF8gAGX9A=', 'server': 'AmazonS3', 'x-amz-request-id': '63C2F4DC5254FCDA', 'etag': '"6dd9b398b9b58dd199994dddf0a32fb5"', 'date': 'Wed, 11 Oct 2017 03:36:46 GMT'}
Response body:

Event needs-retry.s3.PutObject: calling handler <botocore.retryhandler.RetryHandler object at 0x10d3d0550>
No retry needed.
Event needs-retry.s3.PutObject: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x10d4b3510>>
Response: {u'ETag': '"6dd9b398b9b58dd199994dddf0a32fb5"', 'ResponseMetadata': {'HTTPStatusCode': 200, 'RetryAttempts': 0, 'HostId': 'CFdFZP/dwiEANPa2BRfDkWTa61soKlqCH/kgIPRNnOvnszf3/Am8sYyJTxtWZ/CogNsF8gAGX9A=', 'RequestId': '63C2F4DC5254FCDA', 'HTTPHeaders': {'content-length': '0', 'x-amz-id-2': 'CFdFZP/dwiEANPa2BRfDkWTa61soKlqCH/kgIPRNnOvnszf3/Am8sYyJTxtWZ/CogNsF8gAGX9A=', 'server': 'AmazonS3', 'x-amz-request-id': '63C2F4DC5254FCDA', 'etag': '"6dd9b398b9b58dd199994dddf0a32fb5"', 'date': 'Wed, 11 Oct 2017 03:36:46 GMT'}}}
Loading s3:Object
Event creating-resource-class.s3.Object: calling handler <function _handler at 0x10beedc80>
Verifying http-01 at http://www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0...
Starting new HTTP connection (1): www.teeterpal.com
http://www.teeterpal.com:80 "GET /.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0 HTTP/1.1" 200 1288
Received <Response [200]>: <!DOCTYPE html>

Teeterpal
. Headers: {'Content-Length': '1288', 'Via': '1.1 9f24b18d030ce2b8185b958a523beb8a.cloudfront.net (CloudFront)', 'X-Cache': 'Error from cloudfront', 'Accept-Ranges': 'bytes', 'Server': 'AmazonS3', 'Last-Modified': 'Sat, 07 Oct 2017 01:20:22 GMT', 'Connection': 'keep-alive', 'ETag': '"15ab6f3bda2998dbf46bd0fb5194e7ed"', 'X-Amz-Cf-Id': 'GcY6kwN-AE8-j_EFx5n6YIfvnBgHtQIcXHIVzjnjIojb9APMMuXKfQ==', 'Date': 'Sun, 08 Oct 2017 17:21:49 GMT', 'Content-Type': 'text/html; charset=utf-8'}
Key authorization from response (u'hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0.Yk2mV5X9pgphhnYd_OkD8G56Z7WH6Wn2mvuO8aeUFdw') doesn't match HTTP response (u'\n\n\n \n \n \n \n Teeterpal\n \n \n \n \n \n \n \n \n\n\n
\n\n\n \n\n\n')
Self-verify of challenge failed, authorization abandoned!
Waiting for verification...
Cleaning up challenges
Registering retry handlers for service: s3
Event creating-client-class.s3: calling handler
Event creating-client-class.s3: calling handler
Event creating-client-class.s3: calling handler
The s3 config key is not a dictionary type, ignoring its value of: None
Setting s3 timeout as (60, 60)
Defaulting to S3 virtual host style addressing with path style addressing fallback.
Loading s3:s3
Event before-parameter-build.s3.DeleteObject: calling handler
Event before-parameter-build.s3.DeleteObject: calling handler >
Event before-parameter-build.s3.DeleteObject: calling handler
Event before-call.s3.DeleteObject: calling handler
Event before-call.s3.DeleteObject: calling handler >
Making request for OperationModel(name=DeleteObject) (verify_ssl=True) with params: {'body': '', 'url': u'https://s3.amazonaws.com/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'headers': {'User-Agent': 'Boto3/1.4.4 Python/2.7.13 Darwin/16.0.0 Botocore/1.5.77 Resource'}, 'context': {'auth_type': None, 'client_region': 'us-east-1', 'signing': {'bucket': 'www.teeterpal.com'}, 'has_streaming_input': False, 'client_config': }, 'query_string': {}, 'url_path': u'/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0', 'method': u'DELETE'}
Event request-created.s3.DeleteObject: calling handler >
Event choose-signer.s3.DeleteObject: calling handler >
Event choose-signer.s3.DeleteObject: calling handler
Event before-sign.s3.DeleteObject: calling handler
Calculating signature using v4 auth.
CanonicalRequest:
DELETE
/www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0

host:s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20171011T033645Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign:
AWS4-HMAC-SHA256
20171011T033645Z
20171011/us-east-1/s3/aws4_request
296efa578e35d77f46225e155d38b09e8acc8ef58f04980eec9448f408f06d33
Signature: e8f5f17710d9585647380473735c3660ca0e72da1b33e9240bbafe3873c3a606
Sending http request:
Starting new HTTPS connection (1): s3.amazonaws.com
"DELETE /www.teeterpal.com/.well-known/acme-challenge/hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0 HTTP/1.1" 204 0
Response headers: {'x-amz-id-2': 'lPbhgHuLkNorvEL4O8CbOmVr3PuP/YQfCH+z21oWNOscJhV9FS3+xi2pme0YYlbaN4KuCxX870s=', 'date': 'Wed, 11 Oct 2017 03:36:46 GMT', 'x-amz-request-id': '32EC7175E25BFC5D', 'server': 'AmazonS3'}
Response body:

Event needs-retry.s3.DeleteObject: calling handler
No retry needed.
Event needs-retry.s3.DeleteObject: calling handler >
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 598, in run
    certname, lineage)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 317, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 84, in get_authorizations
    self.verify_authzr_complete()
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 298, in verify_authzr_complete
    raise errors.AuthorizationError("Incomplete authorizations")
AuthorizationError: Incomplete authorizations
Incomplete authorizations
```
vladejs commented 6 years ago

Does your domain's DNS point to S3? If your DNS does not point to S3, you will get this Authorization Error.

flyingsky commented 6 years ago

My domain points to CloudFront, which is based on S3. I think every setting is the same as when I first created the certificate.

vladejs commented 6 years ago

What I did was first point to S3, generate and install the certificate with certbot, and then point to CloudFront again.

flyingsky commented 6 years ago

Cool, that works. I changed my domain's redirect URL from CloudFront to S3, then renewed again. After success, I changed it back. Thanks.

vladejs commented 6 years ago

Actually, that solution will sometimes cause a delay in the DNS, and the certbot server will not be able to identify S3 as the source; it will point to CF for some seconds. My solution is to temporarily update the ViewerProtocolPolicy in CF to 'allow-all'.
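The failure in the log above is certbot's own self-check: it fetched `http://www.teeterpal.com/.well-known/acme-challenge/<token>` and received a cached CloudFront error page (`X-Cache: Error from cloudfront`, `text/html`) instead of the key authorization that certbot-s3front had just uploaded to S3. The following is an added example, not code from certbot-s3front or certbot: it reproduces that comparison offline over constructed responses and tags the most likely cause, so the same check can be run before the real renewal is attempted. The JWK, headers and bodies are constructed; only the challenge token is taken from the log.

```python
"""Offline HTTP-01 self-check for an S3 bucket fronted by CloudFront.

Added example (not part of certbot-s3front). It computes the key
authorization the ACME server expects and classifies a fetched response
the way a practitioner would when reading the log in this issue.
"""
import base64
import hashlib
import json
from dataclasses import dataclass


def _b64url(data: bytes) -> str:
    # base64url without padding, the encoding ACME uses throughout
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the canonical
    JSON of the required members e, kty, n (sorted keys, no whitespace).
    Extra members such as 'alg' are deliberately ignored."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """<token>.<thumbprint>: the exact body that must be served at
    /.well-known/acme-challenge/<token> (the 'Body' of the put_object call
    in the log has this shape)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


@dataclass
class Response:
    """Minimal stand-in for the HTTP response certbot fetches during self-verify."""
    status: int
    headers: dict
    body: str


def diagnose(resp: Response, expected: str) -> str:
    """Return 'ok' when the challenge would validate, otherwise a short tag
    naming the most likely CloudFront/S3 cause of the mismatch."""
    h = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (301, 302, 307, 308):
        # e.g. a redirect-to-https viewer protocol policy; the token is not
        # served on plain HTTP, which is what the workaround in this thread changes
        return "redirect"
    if resp.body.strip() == expected:
        return "ok"
    if "error from cloudfront" in h.get("x-cache", "").lower():
        # the edge served a (possibly cached) error page, not the S3 object
        return "cloudfront-error-page"
    if "text/html" in h.get("content-type", "").lower():
        # custom error response or index fallback returned with a 200
        return "html-instead-of-token"
    if resp.status != 200:
        return f"http-{resp.status}"
    return "body-mismatch"


# Constructed sample account key; only its JWK shape matters for the thumbprint.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "hka3C9U9u0mgSbDYNPLCa7tTcte7JdytxSmxNKvEOq0"  # token from the log
EXPECTED = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)

# Constructed responses: one healthy, one mirroring the log, one redirect, one missing object.
SAMPLES = {
    "healthy": Response(200, {"Content-Type": "text/plain", "Server": "AmazonS3"}, EXPECTED + "\n"),
    "log_case": Response(
        200,
        {"Content-Type": "text/html; charset=utf-8", "X-Cache": "Error from cloudfront",
         "Via": "1.1 example.cloudfront.net (CloudFront)"},
        "<!DOCTYPE html>\n<html><head><title>Teeterpal</title></head></html>",
    ),
    "redirect": Response(301, {"Location": "https://www.example.com/.well-known/acme-challenge/x"}, ""),
    "missing": Response(404, {"Content-Type": "application/xml"}, "<Error><Code>NoSuchKey</Code></Error>"),
}


def run_checks() -> dict:
    """Diagnose every constructed sample against the expected key authorization."""
    return {name: diagnose(r, EXPECTED) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:9s} -> {verdict}")
```

In practice the `Response` would be built from a real fetch of the challenge URL; the classification order matters, since the log's case is a 200 with an HTML body, so checking `X-Cache` before the content type is what distinguishes a stale CloudFront error page from an index-fallback rule. When the verdict is `cloudfront-error-page`, the object in S3 is usually fine and the path needs a CloudFront invalidation or the custom error response disabled for `/.well-known/`.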