YetOpen/certbot-zimbra

authorization failure

Elf36 opened this issue · 6 comments

Elf36 commented
  • If the error is "ERROR: Unable to validate certificate chain" please update to latest 0.7.12, that will fix it

  • Read the troubleshooting section of the readme if any section applies.

  • If you have upgraded to v0.7+ from older versions, please check that you have also changed your command line options in crontabs or systemd units and that you are using the correct post-0.7 options if running manually (read the readme).

  • If the error is "port check failed":

    Please check your zimbra-proxy configuration first: Troubleshooting/Error:_port_check_failed
    If you believe zimbra-proxy is configured correctly, please include the output of the following commands:

    (as zimbra)
    zmprov gs $(zmhostname) zimbraServiceEnabled | grep proxy
    zmprov gs $(zmhostname) zimbraReverseProxyHttpEnabled
    zmprov gs $(zmhostname) | grep Port
    (as root)
    lsof -i -s TCP:LISTEN -a -n | grep zimbra
    ss -nlpt | grep nginx
    
  • If none of the above has fixed your issue, copy-paste the complete output of the failing command and put it into a code block:

dig domain mx returns correct IP (local IP), split DNS fine....
Waiting for verification...
Challenge failed for domain

Domain: autodiscover.mydomain.co.uk
Type: unauthorized
Detail: Invalid response from
http://autodiscover.mydomaint.co.uk/.well-known/acme-challenge/ynJoD9Z2DBqmQfynIoLePIF6gRN8ASpOzo8xaEgCXks
[37.203.43.5]: "\n\n<meta http-equiv="Content-Type"
content="text/html;charset=utf-8"/>\n<title>Error 404 Not
Found</title>\n\n<bo"


List the versions of your operating system, Zimbra and Certbot-zimbra if not included in the output of certbot-zimbra you copy-pasted.

CentOS 8, Zimbra
certbot-zimbra v0.7.12
Checking for dependencies...
Detected Zimbra 8.8.15 on RHEL8_64

The MX record has nothing to do with certificate deployment.

Your host autodiscover.mydomaint.co.uk doesn't exist (no A record)

Elf36 commented

but there is an A record

Elf36 commented

This is for all domains; I have 8 domain names. I noticed that Zimbra mail mode was set to https, and this is reported as an issue. I changed it to both, but I still get the error.

[zimbra@newmail ~]$ zmprov gs $(zmhostname) | grep MailMode
zimbraMailMode: both
zimbraReverseProxyMailMode: both

Check in your nginx access log if you have rows with acme-challenge

I recommend setting zimbra(ReverseProxy)MailMode to "redirect", but "both" should work too for the ACME challenge. It would be useful to know the full output of the script, especially in the part where it detects the domains and publicServiceHostnames of domains (you can redact the actual domains if you want privacy, it will make troubleshooting a bit more difficult). Maybe you have a split-DNS and the internal DNS records work but not the external ones? I think all the SANs in the certificate must have A records that point to the server, so that they can be verified. Other than that, maybe some issue with zimbra-proxy configuration, or do you have another reverse proxy in front of Zimbra's?

I suspect you don't have the right pre-hook and post-hook for certbot. The nginx templates not being patched would cause the 404 error. Check your pre and post hook, pre should have "-p", post should have "-d" (also read the readme section on automatic renewal)
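As an added example (not part of the thread or the certbot-zimbra project), the following script does the nginx access-log check suggested above and classifies each ACME challenge request by status code, so a 404 like the one in the report stands out from a served or redirected challenge. It assumes the proxy's access log is in nginx "combined" format; the log lines and tokens are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in nginx "combined" format (assumption: the
# Zimbra proxy access log uses this format; adjust LOG_RE if yours differs).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2021:12:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 1234 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.11 - - [10/Jan/2021:12:00:02 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [10/Jan/2021:12:00:03 +0000] "GET /service/soap HTTP/1.1" 200 512 "-" "curl/7.61.1"
203.0.113.12 - - [10/Jan/2021:12:00:04 +0000] "GET /.well-known/acme-challenge/tokenC HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def summarize_acme_requests(log_text):
    """Return {token: [(client_ip, status), ...]} for every request under the
    ACME HTTP-01 challenge path. An empty result means no validation request
    ever reached this nginx (look at DNS or a proxy in front of Zimbra)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
            continue
        token = m.group("path")[len(CHALLENGE_PREFIX):]
        hits[token].append((m.group("ip"), int(m.group("status"))))
    return dict(hits)


def diagnose(hits):
    """Give each token a short verdict. Only a 200 means the token file was served."""
    verdicts = {}
    for token, entries in hits.items():
        statuses = {status for _, status in entries}
        if 200 in statuses:
            verdicts[token] = "served"
        elif 404 in statuses:
            # The 404 seen in the issue: nginx has no location for the challenge
            # path, typically because the templates were not patched (pre-hook -p).
            verdicts[token] = "not found: nginx is not serving the challenge location"
        elif any(300 <= s < 400 for s in statuses):
            verdicts[token] = "redirected: confirm the redirect target serves the token"
        else:
            verdicts[token] = "unexpected status " + ",".join(map(str, sorted(statuses)))
    return verdicts
```

Run `diagnose(summarize_acme_requests(open("/opt/zimbra/log/nginx.access.log").read()))` against your own log path (the path is an assumption); if the result is empty, the validation requests never reached this nginx at all.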