401 Authorization Required error

  • Platform information:
    • Hardware: rpi3
    • OS: openhabian buster
    • openHAB version: 2.5

Hi all!
Yesterday I successfully secured my openHAB 2.4 with Let’s Encrypt SSL for HTTPS connections. Today I retried that with a new openHAB 2.5 (new install) and I ran into problems with certbot.

The error:

openhabian@openhab:~ $ sudo certbot certonly --webroot -w /var/www/mydomain/ -d domo.kriniben.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domo.kriniben.fr
Using the webroot path /var/www/mydomain for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domo.kriniben.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domo.kriniben.fr/.well-known/acme-challenge/C58HkSLcWWDVcGJWp_iJynyOjMf-TSt_kfZjdNwiO-M [82.64.235.104]: "<html>\r\n<head><title>401 Authorization Required</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>401 Authorization Required</"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domo.kriniben.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://domo.kriniben.fr/.well-known/acme-challenge/C58HkSLcWWDVcGJWp_iJynyOjMf-TSt_kfZjdNwiO-M
   [82.64.235.104]: "<html>\r\n<head><title>401 Authorization
   Required</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>401 Authorization Required</"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My conf:

openhabian@openhab:~ $ sudo cat /etc/nginx/sites-enabled/openhab
server {
    listen                                    80;
    server_name                               domo.kriniben.com;
    ssl_certificate                 /etc/ssl/openhab.crt;
    ssl_certificate_key             /etc/ssl/openhab.key;

    location / {
        proxy_pass                            http://localhost:8080/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
        auth_basic                            "Username and Password Required";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
        satisfy  any;
        allow    192.168.0.0/24;
        allow    127.0.0.1;
        deny     all;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/mydomain;
    }
}

  • It’s not a DNS or access problem, because I can connect to my openHAB over HTTP.
  • After I run certbot
sudo certbot certonly --webroot -w /var/www/mydomain/ -d domo.kriniben.fr

I can’t see the /.well-known/acme-challenge/ folders in the /var/www/mydomain path.
So I created them manually, along with a test file: /var/www/mydomain/.well-known/acme-challenge/test

HTTP ERROR 404

Problem accessing /.well-known/acme-challenge/test. Reason:

Not Found

Powered by Jetty:// 9.4.20.v20190813

However, my path is good…
http://domo.kriniben.fr/.well-known/acme-challenge/test = /var/www/mydomain/.well-known/acme-challenge/test

I don’t know what more I can try. If someone can help me!
Thank you!

Well, openHAB doesn’t serve any files out of /var/www/mydomain, it only serves files out of /etc/openhab2/html and even then it wouldn’t work because the URL would be http://domo.kriniben.fr/static/.well-known/acme-challenge/test.

There is no way as far as I know to obtain a LetsEncrypt script using openHAB as your server. Besides, you should never expose your openHAB to the Internet without protection. You should be using a reverse proxy like nginx or Apache to add authentication. And once you have that, then the reverse proxy can serve out the .well-known stuff to prove to LetsEncrypt that you own the domain name.

See the reverse proxy instructions in the official docs for how to do that, or use the options built into openHABian to do it all for you.


Thank you for your answer.

Sorry! I forgot to specify that I set up a proxy as in this tutorial: https://www.openhab.org/docs/installation/security.html#nginx-letsencryptt
I checked the nginx access logs of the proxy and I see my request for http://domo.kriniben.fr/.well-known/acme-challenge/test

    • [18/Dec/2019:23:12:00 +0100] “GET /static/.well-known/acme-challenge/test HTTP/1.1” 401 597 “-” “Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36”

OK, then you have something configured wrong in your reverse proxy because it is forwarding that URL to your openHAB instance rather than serving up the file itself. "Powered by Jetty:// 9.4.20.v20190813" is the clue here. Jetty is the web server embedded into openHAB.
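
An added example, not part of any post in this thread: a pre-flight probe for `certbot --webroot` that tells apart the two responses quoted above (the 401 returned to Let's Encrypt and the Jetty 404). The function names and verdict words are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for certbot --webroot.
# Function names and verdict words are this example's own.

# classify_probe STATUS BODY EXPECTED -> prints who answered the probe
classify_probe() {
    status=$1; body=$2; expected=$3
    case "$status" in
        200)
            if [ "$body" = "$expected" ]; then echo ok
            else echo wrong-content; fi ;;
        401|403)
            # auth_basic/deny was applied: `location /` took the request
            echo auth-blocked ;;
        404)
            case "$body" in
                *Jetty*) echo proxied-to-backend ;;  # openHAB answered
                *)       echo missing-file ;;        # proxy answered, file not found
            esac ;;
        *)  echo unexpected ;;
    esac
}

# probe_webroot DOMAIN WEBROOT: write a token, fetch it over HTTP, classify.
# Needs write access to WEBROOT and curl; run it before certbot.
probe_webroot() {
    dir="$2/.well-known/acme-challenge"
    name="preflight-$$"
    token="probe-$$-$(date +%s)"
    tmp=$(mktemp) || return 2
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$name" || return 2
    code=$(curl -s -o "$tmp" -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$name")
    verdict=$(classify_probe "$code" "$(cat "$tmp")" "$token")
    rm -f "$tmp" "$dir/$name"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed replay of the two responses quoted in the thread:
classify_probe 401 '<h1>401 Authorization Required</h1>' token   # auth-blocked
classify_probe 404 'Powered by Jetty:// 9.4.20.v20190813' token  # proxied-to-backend
```

Any verdict other than `ok` means the http-01 validation will fail as well, since the request never reached the webroot location. Because the posted config has `satisfy any` with `allow 192.168.0.0/24`, a probe run from the LAN shows the Jetty 404 where an outside client gets the 401.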

Thank you for this.
That will help me, I hope!
I’ll keep searching.

I feel so ashamed…
I was so sure of my config that I didn’t think about restarting nginx…

All that lost time! Rrrrrrr😭

Thank you rlkoshak
