An unexpected error occurred: No such authorization

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: leewick.ucsd.edu

I ran this command: sudo certbot certonly --standalone

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
(Enter 'c' to cancel): bgrinstein@ucsd.edu

Please read the Terms of Service at:
You must agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: Y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: Y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): leewick.ucsd.edu
Requesting a certificate for leewick.ucsd.edu
An unexpected error occurred:
No such authorization
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.62 (Unix)
Server built: Apr 18 2025 22:52:07

The operating system my web server runs on is (include version):
Mac OS X Sequoia (15.5)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 4.1.1

If it is any help, here is the complete letsencrypt.log file:

2025-07-07 13:07:47,127:DEBUG:certbot._internal.main:certbot version: 4.1.1
2025-07-07 13:07:47,127:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/homebrew/bin/certbot
2025-07-07 13:07:47,127:DEBUG:certbot._internal.main:Arguments: ['--standalone']
2025-07-07 13:07:47,127:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-07-07 13:07:47,144:DEBUG:certbot._internal.log:Root logging level set at 30
2025-07-07 13:07:47,145:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2025-07-07 13:07:47,145:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Runs an HTTP server locally which serves the necessary validation files under the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone', value='certbot._internal.plugins.standalone:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x1047aa120>
Prep: True
2025-07-07 13:07:47,145:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x1047aa120> and installer None
2025-07-07 13:07:47,145:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2025-07-07 13:08:21,626:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-07-07 13:08:21,632:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-07-07 13:08:21,713:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 995
2025-07-07 13:08:21,713:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 07 Jul 2025 20:08:21 GMT
Content-Type: application/json
Content-Length: 995
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"kSTCd73wMHw": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"profiles": {
"classic": "Profiles - Let's Encrypt",
"shortlived": "Profiles - Let's Encrypt (not yet generally available)",
"tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
},
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2025-07-07 13:08:32,709:DEBUG:acme.client:Requesting fresh nonce
2025-07-07 13:08:32,710:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2025-07-07 13:08:32,733:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-07-07 13:08:32,734:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 07 Jul 2025 20:08:32 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: BqzikAvL6VOoDQZmRfaucUR-pwmXwBNTvK1bZHpHSVd-3dQvCnQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2025-07-07 13:08:32,734:DEBUG:acme.client:Storing nonce: BqzikAvL6VOoDQZmRfaucUR-pwmXwBNTvK1bZHpHSVd-3dQvCnQ
2025-07-07 13:08:32,735:DEBUG:acme.client:JWS payload:
b'{\n "contact": [\n "mailto:bgrinstein@ucsd.edu"\n ],\n "termsOfServiceAgreed": true\n}'
2025-07-07 13:08:32,737:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAiandrIjogeyJuIjogInltcG5LRER6MHdST2JNVG5XZlJWakRMcDVSVmx5WFlOeU5RR1piVXNiMkQ4bWl2b0lKdTRidEZ3clBNUFhoVVhjYk0zdVZuUFEwYVY0TEViUFZMeDhIRC02a0RhN016a1ZFWE95SGJlQ0hzdEI3aHhaaXRCeDVuNDZzdEZMN2R2ZnA3QnpKWVRIS3QtZ1pxbUd1cUV1eHF6YkxqdXZMcjE0WWZfWUhJWGNZVUkzSklRMnk2N0FENV9sUkMtNHI3OFBJdm9wNl9GME5WMFc1N0RPbVZxcWpaVjAyelBtT0I0YzNKNEVWY21rRWhqWHRLQ25uekt0Qnl0ekM3cFRiS1lCSGZMTFNFYmF0QXZubi1aallDQUZ2VFFhYTR4WEYtczAwLWg0dVFCWFI5dDZ5aWJsR3c0d20yeHRDZV9DZy1BLS1zcVF3aFI2WnhSQXVmaGtvQ0ZfdyIsICJlIjogIkFRQUIiLCAia3R5IjogIlJTQSJ9LCAibm9uY2UiOiAiQnF6aWtBdkw2Vk9vRFFabVJmYXVjVVItcHdtWHdCTlR2SzFiWkhwSFNWZC0zZFF2Q25RIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctYWNjdCJ9",
"signature": "MZZZnKvt22qMjjE-o512navAmRk983rnMy9Ur7oPGzkNH5BMWQyhxG7xWHG2XpXCOqyY-0caZtPTJ53OEeQiiYtNQTFA4uu9t5bmuyPxS0QIDUkbHvHjbYh2cFXcuGiAPkpesCGOPfPJKhrurFr3Y8MSrrrSw-BvZaWKOzE6wqwule9T43QpaP9TOi1B2ySg94EZeVoFT3ptjs5rLjEq9xGk3gNuZNiB1os8EcPLsBYtapA-gJ4C-gSOCyS0GhbhkiCI_VySzduS8SK92l0RlGYD6JAywoWM6tInOlhQB4R6JG6c5Q-1Yr4YFbyHQqqGJfvIEhDUMFuqrFKJ8gigAg",
"payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpiZ3JpbnN0ZWluQHVjc2QuZWR1IgogIF0sCiAgInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjogdHJ1ZQp9"
}
2025-07-07 13:08:32,813:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 477
2025-07-07 13:08:32,814:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 07 Jul 2025 20:08:32 GMT
Content-Type: application/json
Content-Length: 477
Connection: keep-alive
Boulder-Requester: 2514226381
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/2514226381
Replay-Nonce: upQSWUsBQMyolRVcHZ6_MPyQCqEUcKoWrbFkmAQ0xrd1fRNFBP4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"key": {
"kty": "RSA",
"n": "ympnKDDz0wRObMTnWfRVjDLp5RVlyXYNyNQGZbUsb2D8mivoIJu4btFwrPMPXhUXcbM3uVnPQ0aV4LEbPVLx8HD-6kDa7MzkVEXOyHbeCHstB7hxZitBx5n46stFL7dvfp7BzJYTHKt-gZqmGuqEuxqzbLjuvLr14Yf_YHIXcYUI3JIQ2y67AD5_lRC-4r78PIvop6_F0NV0W57DOmVqqjZV02zPmOB4c3J4EVcmkEhjXtKCnnzKtBytzC7pTbKYBHfLLSEbatAvnn-ZjYCAFvTQaa4xXF-s00-h4uQBXR9t6yiblGw4wm2xtCe_Cg-A--sqQwhR6ZxRAufhkoCF_w",
"e": "AQAB"
},
"createdAt": "2025-07-07T20:08:32.814292752Z",
"status": "valid"
}
2025-07-07 13:08:32,814:DEBUG:acme.client:Storing nonce: upQSWUsBQMyolRVcHZ6_MPyQCqEUcKoWrbFkmAQ0xrd1fRNFBP4
2025-07-07 13:08:55,599:DEBUG:certbot._internal.display.obj:Notifying user: Account registered.
2025-07-07 13:08:55,599:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey object at 0x1049af890>)>), contact=(), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/2514226381', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf'), b034367e71bb7ba377f863fda404b41f, Meta(creation_dt=datetime.datetime(2025, 7, 7, 20, 8, 32, tzinfo=), creation_host='leewick.ucsd.edu', register_to_eff='bgrinstein@ucsd.edu'))>
2025-07-07 13:08:55,600:DEBUG:certbot.display.ops:No installer, picking names manually
2025-07-07 13:09:21,843:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for leewick.ucsd.edu
2025-07-07 13:09:21,846:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "leewick.ucsd.edu"\n }\n ]\n}'
2025-07-07 13:09:21,848:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjUxNDIyNjM4MSIsICJub25jZSI6ICJ1cFFTV1VzQlFNeW9sUlZjSFo2X01QeVFDcUVVY0tvV3JiRmttQVEweHJkMWZSTkZCUDQiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "RELawo0HztMTY-nVVuwBB_WehBbajVosV7cJlbX-cY8kG6lPzZcPyTYfKAqLNFwQyqYxkEK9CfQCIqLh7pTpjg2vYkOsrw_wYdXG3M333vLSlnbqABzm0zf0JnxTzz3_uzopCeaL4jhNYvx5OfZpsKMSrjCSVZ7rOYpxT-dV1ybaAem00htNa7dSWHhgt1EkosyupScdrPYWTnRNaVAJSzp6zNHJsdbZXuLVlekN-xcrkmXHzElfIS8A7o1J3fnBomS0o3PWFzK20Kva81SZlgv1OTw02X1AOY0hMU4UmTx2qgSDldU06TypIQbcePSy6CYhvo5qwWKFqSSTLPsx2A",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImxlZXdpY2sudWNzZC5lZHUiCiAgICB9CiAgXQp9"
}
2025-07-07 13:09:22,058:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 350
2025-07-07 13:09:22,059:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 07 Jul 2025 20:09:22 GMT
Content-Type: application/json
Content-Length: 350
Connection: keep-alive
Boulder-Requester: 2514226381
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/2514226381/403842015491
Replay-Nonce: upQSWUsBikihnQq0IrKw7b5wHg1KaVSI_HSjWtIz9YFKIQCJZzM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2025-07-14T20:09:21Z",
"identifiers": [
{
"type": "dns",
"value": "leewick.ucsd.edu"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/2514226381/548960298921"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2514226381/403842015491"
}
2025-07-07 13:09:22,059:DEBUG:acme.client:Storing nonce: upQSWUsBikihnQq0IrKw7b5wHg1KaVSI_HSjWtIz9YFKIQCJZzM
2025-07-07 13:09:22,061:DEBUG:acme.client:JWS payload:
b''
2025-07-07 13:09:22,064:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2514226381/548960298921:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjUxNDIyNjM4MSIsICJub25jZSI6ICJ1cFFTV1VzQmlraWhuUXEwSXJLdzdiNXdIZzFLYVZTSV9IU2pXdEl6OVlGS0lRQ0paek0iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI1MTQyMjYzODEvNTQ4OTYwMjk4OTIxIn0",
"signature": "DRw8yrDT4qjNZzpMhi-oa_7q3fivMWrwhUfFD6HKbptzlNwsOwuHN3unLXWBtGo-ahw39SMh68spw0M6RPQfjSGMtmqbSUHI5kze4HiwWEffrZc2bocNSGyxP94o2AWYjfqSaDLbF6XaDtez-KmOtRUU-bdSMRh8u_b9A-KkfxmqENRqhaoFGH0Ss_2P8JeSPsa3Fj7yJwLSwTcwxh7JkFztF36-27WkuO4p7cGfVKVp7JiBLgMZVbSKSrv6C67C2QCiUtBAUojSnCHJtBxIZOL4GyGeNZdhTFdMZbkQMdx1NxldjNJjDw1DuobtWaeSS41ILzBisq-t67znYDjnYg",
"payload": ""
}
2025-07-07 13:09:22,088:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2514226381/548960298921 HTTP/1.1" 404 106
2025-07-07 13:09:22,088:DEBUG:acme.client:Received response:
HTTP 404
Server: nginx
Date: Mon, 07 Jul 2025 20:09:22 GMT
Content-Type: application/problem+json
Content-Length: 106
Connection: keep-alive
Boulder-Requester: 2514226381
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: BqzikAvLoCiRq1yqUG_jz8vN4ABJGsav585dRW7ncQzXnZPpWuY

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "No such authorization",
"status": 404
}
2025-07-07 13:09:22,089:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/homebrew/bin/certbot", line 8, in
sys.exit(main())
~~~~^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/_internal/main.py", line 1879, in main
return config.func(config, plugins)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/_internal/main.py", line 1585, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/_internal/client.py", line 524, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/_internal/client.py", line 425, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/certbot/_internal/client.py", line 485, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem, profile=profile)
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/acme/client.py", line 152, in new_order
authorizations.append(self._authzr_from_response(self._post_as_get(url), uri=url))
~~~~~~~~~~~~~~~~~^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/acme/client.py", line 405, in _post_as_get
return self._post(*new_args, **kwargs)
~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/acme/client.py", line 466, in _post
return self.net.post(*args, **kwargs)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/acme/client.py", line 840, in post
return self._post_once(*args, **kwargs)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/acme/client.py", line 855, in _post_once
response = self._check_response(response, content_type=content_type)
File "/opt/homebrew/Cellar/certbot/4.1.1_1/libexec/lib/python3.13/site-packages/acme/client.py", line 704, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: No such authorization
2025-07-07 13:09:22,094:ERROR:certbot._internal.log:An unexpected error occurred:
2025-07-07 13:09:22,095:ERROR:certbot._internal.log:No such authorization

Well, that's an unusual one. Are you getting this consistently, or did it just happen once? If it was just once, my best guess is that you hit the rare fluke that the staff calls "the 404 bug" where their systems aren't as in-sync as they're supposed to be, and retrying the same thing again should probably work.

3 Likes
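The reasoning in the reply above can be checked against the posted log. This is an added example, not part of the thread and not Certbot code: it scans a `letsencrypt.log` for authorization requests that returned 404 and reports whether the server itself had issued that authorization URL in an order response moments earlier. The function name, the result fields and the retry heuristic are assumptions of this example; the sample lines are an excerpt of the log in the first post.

```python
import re
from datetime import datetime

# Excerpt of the letsencrypt.log posted above, trimmed to the lines the check needs.
SAMPLE_LOG = """\
2025-07-07 13:09:22,058:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 350
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/2514226381/548960298921"
],
2025-07-07 13:09:22,088:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2514226381/548960298921 HTTP/1.1" 404 106
"""

# urllib3 debug line: timestamp, method, path, HTTP status.
REQ = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}):DEBUG:urllib3\.connectionpool:'
                 r'https://\S+ "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})\b')
# Authorization URL as it appears inside a logged order body.
AUTHZ = re.compile(r'^\s*"https://[^/"]+(/acme/authz/[^"]+)"')


def triage_authz_404(log_text):
    """Return one finding per authz request that came back 404.

    Heuristic (an assumption of this example): if the server handed out the
    authz URL in an order response earlier in the same log, the client did not
    build a bad URL, so the 404 points at the CA side and a retry comes first.
    """
    issued = {}        # authz path -> time of the new-order response before it
    last_order = None  # timestamp of the most recent 201 from new-order
    findings = []
    for line in log_text.splitlines():
        req = REQ.match(line)
        if req:
            ts = datetime.strptime(req.group(1), "%Y-%m-%d %H:%M:%S,%f")
            path, status = req.group(3), int(req.group(4))
            if path.endswith("/new-order") and status == 201:
                last_order = ts
            elif "/acme/authz/" in path and status == 404:
                order_ts = issued.get(path)
                known = order_ts is not None
                findings.append({
                    "path": path,
                    "server_issued": known,
                    "seconds_after_order":
                        (ts - order_ts).total_seconds() if known else None,
                    "action": "retry" if known else "investigate-client",
                })
            continue
        authz = AUTHZ.match(line)
        if authz and last_order is not None:
            issued[authz.group(1)] = last_order
    return findings


if __name__ == "__main__":
    for finding in triage_authz_404(SAMPLE_LOG):
        print(finding)
```
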

Maybe the 404 bug but more likely because your Apache replied to the challenge from the Let's Encrypt server and not the --standalone server set up by Certbot.

Certbot should warn when it cannot get exclusive use of port 80 that it needs for --standalone. But, on some systems that warning does not happen.

Right now your Apache server replies to HTTP requests: See: Let's Debug

Have you tried just using the --apache option? If you want just a cert and you do not want Certbot modifying your Apache config use

sudo certbot certonly --apache ...

1 Like
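A pre-flight check for the port 80 conflict described in the reply above, as an added example that is not part of the thread or of Certbot. It connects to the loopback addresses instead of trying to bind, so the result does not depend on whether a second bind to the port would be refused. The function names and the result fields are assumptions of this example.

```python
import socket


def listeners_on_port(port, hosts=("127.0.0.1", "::1"), timeout=1.0):
    """Return the loopback addresses where something accepts TCP on `port`.

    Only loopback is probed: a server bound to a single non-loopback address
    is not seen by this check.
    """
    answering = []
    for host in hosts:
        family = socket.AF_INET6 if ":" in host else socket.AF_INET
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                # connect_ex returns 0 only when a listener completed the handshake.
                if s.connect_ex((host, port)) == 0:
                    answering.append(host)
        except OSError:
            continue  # address family unavailable here (e.g. no IPv6 loopback)
    return answering


def standalone_preflight(port=80):
    """Decide whether `certbot certonly --standalone` can own `port`."""
    busy = listeners_on_port(port)
    if busy:
        return {"ok": False, "listening_on": busy,
                "advice": "stop the web server first, or use "
                          "'certbot certonly --apache' instead"}
    return {"ok": True, "listening_on": [],
            "advice": "port is free for --standalone"}


if __name__ == "__main__":
    print(standalone_preflight(80))
```
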

Actually, the logs show that nginx replied, which makes this even more confusing.

Same concerns as you shared above, now just more complicated!

1 Like

Where do you see that? I don't recall seeing response headers of the challenge server in the authz or challenge records.

I only see nginx replies for the LE API per usual.

1 Like

You're correct. I got confused by some log lines and plugin detection above.

2 Likes

I had not tried again, but sure enough, following your suggestion... it worked the next time.

2 Likes

Did you stop Apache before trying --standalone that second time?

If so, you'll need to do that before each cert renewal as well. I see you still have an Apache server replying to HTTP on port 80. Using the --apache option allows renewals without having to stop Apache.

4 Likes

Yes, I did stop Apache before trying, and then restarted.

Thanks for the tip about using --apache next time around.

2 Likes