Authorization Error on Azure Ubuntu VM


#1

Hello,
I’m setting up a VM on Azure to run Jupyterhub and using Letsencrypt for the SSL certificate. I’m following the tutorial here and just need to get this thing up and running. Everything went fine until ~ min 18. I ran:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone -d XXXXX.cloudapp.net

The last command produces:
“An unexpected error occurred:
Error creating new authz
Please see the logfiles in /var/log/letsencrypt for more details.”

Running:
Ubuntu 16.04.2 LTS xenial

First time I’ve ever attempted anything like this (or really even used Linux for that matter), so I’m just trying to figure things out as I go along. I’d appreciate any help to get this resolved. Thanks!


#2

hi @hubbs5

you really should fill out the relevant components

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

Using git clone is not a recommended method

Review install methods here (ubuntu and apache) : https://certbot.eff.org/#ubuntuxenial-apache

You should also post the log content, as it helps narrow down what the issue is.

Andrei


#3

You can see what files exist in /var/log/letsencrypt by running ls /var/log/letsencrypt, and view the contents of individual ones with cat (or interactively with less, which is less useful for posting them here).


#4

Ok, thanks for some direction on getting to the files! From what I can tell looking into them, this is where the issue arises:

  File "/home/u755275/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 570, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rejectedIdentifier :: Error creating new authz

I also looked at the link that @ahaw021 shared and ran the commands there:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

and then tried the commands I ran before and some other permutations but all result in the same error with the same message in the log file.

My OS:
Ubuntu 16.04.02 LTS xenial
Web server:
Not sure where to find this
Hosting Provider:
Microsoft Azure
I can login to root.


#5

Hi, I am also getting this error. I am using a CentOS 7 cloud-hosted solution with linode.com.

I cannot find anything to solve this issue on the net. Please can we get some resolution to this problem.

I am running the following command to set up my cert:

letsencrypt-auto certonly --standalone -d example.com

(I am not specifying the actual domain above)
I want to produce the certificate to use with webserver: glassfish server 4.1.1.

This produces:

017-04-24 18:23:41,426:DEBUG:acme.client:Received response:
HTTP 400
content-length: 106
boulder-request-id: Ya8ifD2DlJCarbT020x-30Em-sp42r0AWke7nCcwWuc
expires: Mon, 24 Apr 2017 18:23:41 GMT
server: nginx
cache-control: max-age=0, no-cache, no-store
connection: close
pragma: no-cache
boulder-requester: 13222372
date: Mon, 24 Apr 2017 18:23:41 GMT
content-type: application/problem+json
replay-nonce: TYnoBZ3ZRQP18-jiQpXhilgqPVY-CXH5P1MVIvDUJQw

{
  "type": "urn:acme:error:rejectedIdentifier",
  "detail": "Error creating new authz",
  "status": 400
}

2017-04-24 18:23:41,427:DEBUG:acme.client:Storing nonce: TYnoBZ3ZRQP18-jiQpXhilgqPVY-CXH5P1MVIvDUJQw
2017-04-24 18:23:41,430:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/letsencrypt", line 9, in <module>
    load_entry_point('certbot==0.12.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 896, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 692, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 92, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 294, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 265, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 67, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 228, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 208, in request_challenges
    new_authz)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 686, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 699, in _post_once
    return self._check_response(response, content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 586, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rejectedIdentifier :: Error creating new authz

#6

@cpu, do you know what can cause urn:acme:error:rejectedIdentifier on the CA side?


#7

AFAIK this only happens in the case where the identifier matched a domain we won’t issue for by policy.

@xerocool84 For your case in particular I was able to find your failing new-authz request in the server logs to determine which domain name was being rejected. Since you explicitly did not share the domain I won’t either, but I can confirm that my answer to @schoen applies in your case.


#8

As a follow-up, there is a Boulder bug that was preventing the full detail message from being included here. It should have returned a slightly more obvious detailed error message "Error creating new authz :: Policy forbids issuing for name" instead of just "Error creating new authz".

I have a fix in the works: https://github.com/letsencrypt/boulder/pull/2704
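The debug log posted in #5 contains everything needed to diagnose this class of failure: the HTTP status, the `application/problem+json` body with its `type` and `detail`, and the `boulder-request-id` header that the CA operators can look up, as @cpu did in #7. The following is an added example, not code from this thread, from certbot or from Boulder: a small Python parser that pulls ACME problem documents out of certbot's `acme.client:Received response:` blocks, maps the `urn:acme:error:*` type to a plain-language cause, and flags the case described in #8 where the `detail` lacks its ` :: <reason>` suffix. The sample log is constructed after the one in #5; the request id and nonce are placeholders, and the hint table is my own summary of what the ACME v1 error types mean.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the certbot 0.12 debug output in post #5.
# The request id and nonce are placeholders, not values from the thread.
SAMPLE_LOG = """\
2017-04-24 18:23:41,426:DEBUG:acme.client:Received response:
HTTP 400
content-length: 106
boulder-request-id: REQUEST-ID-PLACEHOLDER
content-type: application/problem+json
replay-nonce: NONCE-PLACEHOLDER

{
  "type": "urn:acme:error:rejectedIdentifier",
  "detail": "Error creating new authz",
  "status": 400
}

2017-04-24 18:23:41,427:DEBUG:acme.client:Storing nonce: NONCE-PLACEHOLDER
2017-04-24 18:23:41,430:DEBUG:certbot.main:Exiting abnormally:
"""

# certbot prefixes every log line with "YYYY-MM-DD HH:MM:SS,mmm:"; a line that
# matches this ends a response body even when no blank line separates them.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}:")

# Plain-language meaning of the ACME v1 error types (my own summary).
ERROR_HINTS: Dict[str, str] = {
    "rejectedIdentifier": "the CA refuses to issue for this name by policy; "
                          "use a name you control under a domain it will issue for",
    "unauthorized": "the challenge for this name was not satisfied; check that the "
                    "challenge response is reachable from the internet",
    "rateLimited": "a rate limit was hit; wait, or test against the staging endpoint",
    "connection": "the CA could not reach the host; check DNS and that port 80/443 "
                  "is open to the internet",
    "badNonce": "stale anti-replay nonce; the client normally retries by itself",
    "malformed": "malformed request; usually an outdated client",
    "serverInternal": "error on the CA side; retry later",
}


@dataclass
class AcmeProblem:
    status: int
    error_type: str
    detail: str
    headers: Dict[str, str]

    @property
    def short_type(self) -> str:
        """'urn:acme:error:rejectedIdentifier' -> 'rejectedIdentifier'."""
        return self.error_type.rsplit(":", 1)[-1]

    @property
    def has_reason(self) -> bool:
        """Boulder joins the generic message and the specific reason with ' :: '."""
        return " :: " in self.detail


def parse_acme_responses(log_text: str) -> List[AcmeProblem]:
    """Extract every problem+json response from a certbot debug log."""
    lines = log_text.splitlines()
    problems: List[AcmeProblem] = []
    i = 0
    while i < len(lines):
        if not lines[i].endswith("Received response:"):
            i += 1
            continue
        i += 1
        match = re.match(r"HTTP (\d+)", lines[i]) if i < len(lines) else None
        if not match:
            continue
        status = int(match.group(1))
        i += 1
        headers: Dict[str, str] = {}
        while i < len(lines) and lines[i].strip():          # header block
            name, _, value = lines[i].partition(":")
            headers[name.strip().lower()] = value.strip()
            i += 1
        i += 1                                               # blank separator
        body: List[str] = []
        while i < len(lines) and lines[i].strip() and not TIMESTAMP_RE.match(lines[i]):
            body.append(lines[i])
            i += 1
        if "problem+json" not in headers.get("content-type", ""):
            continue                                         # not an ACME error
        try:
            doc = json.loads("\n".join(body))
        except ValueError:
            continue                                         # truncated paste
        problems.append(AcmeProblem(status, doc.get("type", ""),
                                    doc.get("detail", ""), headers))
    return problems


def diagnose(problem: AcmeProblem) -> str:
    """One-line reading of a problem document for a support thread or runbook."""
    hint = ERROR_HINTS.get(problem.short_type, "unrecognised ACME error type")
    msg = f"HTTP {problem.status} {problem.error_type}: {problem.detail!r} -> {hint}"
    if problem.short_type == "rejectedIdentifier" and not problem.has_reason:
        # The case from post #8: the server dropped the ' :: <reason>' suffix.
        msg += (" (detail carries no ' :: <reason>' suffix, so the server omitted the "
                "specific reason; read it as 'Policy forbids issuing for name')")
    request_id = problem.headers.get("boulder-request-id")
    if request_id:
        msg += f" [boulder-request-id {request_id}: quote it when asking the CA operators]"
    return msg


if __name__ == "__main__":
    for found in parse_acme_responses(SAMPLE_LOG):
        print(diagnose(found))
```

Run it against the real file under /var/log/letsencrypt instead of `SAMPLE_LOG` to get the same one-line reading for a live failure; the `boulder-request-id` it prints is the value to include in a support post, since it lets the CA side find the exact rejected request without the domain being posted publicly.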


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.