AuthorizationError: Incomplete authorizations - Server says 403


#1

Hi, I’ve been trying to get the certificates since I got the beta, but as far as I have read I don’t see what’s missing.

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

Make sure your web server displays the following content at http://www.octal.es/.well-known/acme-challenge/DZYKL2Pfx81MQ_Tal7pCmrstbhTWVfbu1bawCBHUl3c before continuing:

So, I edit the file and change its name in about 20 seconds (don’t really know if this affects anything), but I always get this error (with --debug):

Traceback (most recent call last):
  File "/Users/Alvaro/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1187, in main
    return args.func(args, config, plugins)
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 497, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 326, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 254, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 237, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 195, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 87, in get_authorizations
    self.verify_authzr_complete()
  File "/Users/Alvaro/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 298, in verify_authzr_complete
    raise errors.AuthorizationError("Incomplete authorizations")
AuthorizationError: Incomplete authorizations

Yes, the Content-Type is text/plain. Is it possible that this is related to the host?
I’m on Mac OS X 10.11.1 (El Capitan). (Checked also on CentOS, same output.)

Thanks in advance, and apologies for my English.

PS: my /etc/letsencrypt/cli.ini


#2

I assume you have a webserver running, right?

Try to change your config to:

authenticator = webroot
webroot-path = /your/webroot
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-dev-preview

Then run:
./letsencrypt-auto -d www.yourdomain.com certonly

Regards!


#3

It is, but not on my laptop. I mean, I thought webroot is meant to run on the server.


#4

Yes, my answer was meant to be run on the server.


#5

Hello,

I had the same problem and it was because the charset is shown on the same line as Content-Type.

curl -i http://www.octal.es/.well-known/acme-challenge/DZYKL2Pfx81MQ_Tal7pCmrstbhTWVfbu1bawCBHUl3c
HTTP/1.1 404 Not Found
Date: Thu, 19 Nov 2015 22:51:07 GMT
Server: Apache
Content-Length: 268
Content-Type: text/html; charset=iso-8859-1

On your server, create a .htaccess file in the .well-known directory with these directives and try again:

ForceType 'text/plain'
AddDefaultCharset Off

Regards,
sahsanu


#6

Yeah, I had tried this before, and somehow I forgot to uncomment this line, but the output is still the same.

http://www.octal.es/.well-known/acme-challenge/OHE6jwKpghF-t50f3WEvEKEEiQPjAbApIt5Gy0K_xSI

Are there any known issues related to the hosting company? I’m about to ask them if there is something special in their config.


#7

Hi Octal,

From my side the file is retrieved with success with the right Content-Type:

curl -i http://www.octal.es/.well-known/acme-challenge/OHE6jwKpghF-t50f3WEvEKEEiQPjAbApIt5Gy0K_xSI
HTTP/1.1 200 OK
Date: Thu, 19 Nov 2015 23:28:53 GMT
Server: Apache
Last-Modified: Thu, 19 Nov 2015 23:16:37 GMT
ETag: "5de3dde-57-524ecf3589d00"
Accept-Ranges: bytes 
Content-Length: 87 
Content-type: text/plain 

OHE6jwKpghF-t50f3WEvEKEEiQPjAbApIt5Gy0K_xSI.tevJ-BpAhNQp1ZNED4L9sDmCPf7dDbOKqKVJlXXExrA

So it seems OK on the server side; maybe the problem is on your client side. Did you get the latest letsencrypt version? Also, I can’t test the client on MacOS, so I have no idea whether the problem is related to this OS :pensive:

Sorry, I’m running out of ideas.

Regards,
sahsanu


#8

Yep, latest version, and just to be sure I tried the client on a CentOS machine, same output.

Edit:

Ooook, I have taken a look at /var/log/letsencrypt/letsencrypt.log, and everything seemed to be fine, until this:

2015-11-20 08:05:24,745:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): www.octal.es
2015-11-20 08:05:24,904:DEBUG:requests.packages.urllib3.connectionpool:"GET /.well-known/acme-challenge/eH-egqNUxhJqn_6luaNC87zuTK5VXJNqcWrYGZo3pPk HTTP/1.1" 403 272
2015-11-20 08:05:24,907:DEBUG:acme.challenges:Received <Response [403]>: 
<!DOCTYPE     HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
        <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /.well-known/acme-challenge/eH-egqNUxhJqn_6luaNC87zuTK5VXJNqcWrYGZo3pPk
    on this server.</p>
    </body></html>
. Headers: {'Content-Length': '272', 'Keep-Alive': 'timeout=2, max=100', 'Server': 'Apache', 'Connection': 'Keep-Alive', 'Date': 'Fri, 20 Nov 2015 08:07:49 GMT', 'Content-Type': 'text/html; charset=iso-8859-1'}
2015-11-20 08:05:24,908:DEBUG:acme.challenges:Wrong Content-Type: found 'text/html; charset=iso-8859-1', expected 'text/plain'
2015-11-20 08:05:24,909:ERROR:letsencrypt.plugins.manual:Self-verify of challenge failed, 
authorization abandoned.

Edit2:

I asked the hosting if there is something wrong with their config, they say everything seems to be fine, any ideas?

Currently running some tests, maybe the links are offline.


#9

Hello Octal,

The error is pretty clear: no access to the challenge on your Apache server, which is strange because I can access your challenge from different countries (Spain, France and England). Maybe your hosting company has some policy that is blocking the letsencrypt servers; take a look at your Apache logs, maybe you will get more info.

Regards,
sahsanu


#10

problem is the added charset header which needs to be disabled AuthorizationError: Incomplete authorizations - Server says 403


#11

Hi, is there a plan for when to fix the charset issue?
I think it should be fixed before 3.12


#12

Aaaand, of course it was…, moved www.octal.es to another hosting, this time, under my control, and made the process, pretty simple and worked at first try.

Just for the record, the hosting was dondominio.com, gonna report this, somehow they are blocking the client request.

Edit: dondominio.com has now solved the issue, it was related with mod_security.

thank you so much everyone.


#13

Hello eva2000,

In this case it was not the charset issue, well, maybe it was but Octal already solved it using a .htaccess file removing the default charset and forcing the content type to text/plain. The Content-Type you can see with text/html etc. is the forbidden page (403) served by apache not the challenge file that the user expected :wink:

Cheers,
sahsanu
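
An added example, not part of any post and not the letsencrypt client's own code: a small checker for `curl -i` output that looks at the status code before the Content-Type, which is the distinction made above between a blocked request and the charset issue. The strict `text/plain` comparison is an assumption modelled on the client log message quoted in this thread; the function names are hypothetical, and the third sample response is constructed.

```python
import re

B64URL = re.compile(r"^[A-Za-z0-9_-]{43}$")  # shape of a SHA-256 key thumbprint

def parse_http_response(raw):
    """Split `curl -i` output into (status, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def diagnose_challenge(raw, token):
    """Return a list of problems found in an http-01 challenge response."""
    status, headers, body = parse_http_response(raw)
    if status != 200:
        # Headers here describe the error page, not the challenge file,
        # so a Content-Type mismatch is only a symptom of the block.
        return ["HTTP %d: challenge file not served; Content-Type %r belongs "
                "to the error page" % (status, headers.get("content-type"))]
    problems = []
    ctype = headers.get("content-type", "")
    if ctype != "text/plain":  # strict match, as in the client log message
        problems.append("Content-Type is %r, expected 'text/plain'" % ctype)
    body_token, _, thumbprint = body.strip().partition(".")
    if body_token != token:
        problems.append("token in body does not match the requested token")
    if not B64URL.match(thumbprint):
        problems.append("thumbprint is not 43 base64url characters")
    return problems

# Responses trimmed from the curl output and client log quoted in the thread.
TOKEN = "OHE6jwKpghF-t50f3WEvEKEEiQPjAbApIt5Gy0K_xSI"
KEY_AUTH = TOKEN + ".tevJ-BpAhNQp1ZNED4L9sDmCPf7dDbOKqKVJlXXExrA"
OK_RESPONSE = ("HTTP/1.1 200 OK\nServer: Apache\nContent-Length: 87\n"
               "Content-type: text/plain\n\n" + KEY_AUTH + "\n")
FORBIDDEN_RESPONSE = ("HTTP/1.1 403 Forbidden\nServer: Apache\n"
                      "Content-Type: text/html; charset=iso-8859-1\n\n"
                      "<html><title>403 Forbidden</title></html>\n")
# Constructed sample: challenge served, but with a default charset appended.
CHARSET_RESPONSE = OK_RESPONSE.replace("text/plain", "text/plain; charset=iso-8859-1")

if __name__ == "__main__":
    for name, raw in [("ok", OK_RESPONSE), ("403", FORBIDDEN_RESPONSE),
                      ("charset", CHARSET_RESPONSE)]:
        print(name, diagnose_challenge(raw, TOKEN) or "no problems found")
```

A result for one vantage point says nothing about another: the thread shows the same URL returning 200 to outside testers and 403 to the client, so the check has to be run from where the failing request originates.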


#14

Hi,

Glad to see that you could finally get your certificate changing the hosting provider.

Regards,
sahsanu


#15

Maybe the old host disallowed .htaccess override and the new host allows it, so .htaccess worked?


#16

Hello,

Because I have the same issue, I have read sahsanu's comment that suggests taking a look at the web server logs. That’s what I’ve done.

I can see a 200 response code from the request sent by the python client. I also get the same result if I do a curl. So I guess there is a problem with the letsencrypt client.

Do you share my opinion? And do you have any other suggestions to test?

Let me know,
Best regards,
Nico


#17

No, the old host was working fine, I could get the challenge page with the right content-type and without charset (see the output in one of my previous posts). Also, I tried it from 3 different servers located in 3 different countries and all of them were working fine. Just in case it was a problem with the user agent that the letsencrypt servers are using, I tested it too with curl using the parameter --user-agent "boulder (LetsEncrypt.org)" and all worked fine, so it seems that the old host is blocking it per IP or another variable… who knows :wink:


#18

Ok, the only difference is that the web server is a nginx one:

curl -i 'http://domain.tld/.well-known/acme-challenge/RAPP8EB6n8pBtt2WxY2-YXucLwD2YfZBW7pcKMP9nnA'

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2015 11:17:03 GMT
Content-Length: 89
Last-Modified: Wed, 20 Nov 2015 11:16:38 GMT
Connection: keep-alive
ETag: "564ceab6-59"
Content-Type: text/plain
Accept-Ranges: bytes

RAPP8EB6n8pBtt2WxY2-YXucLwD2YfZBW7pcKMP9nnA.5Zltx0i79C-y5azN6eX--FJYEjllkjxLhI2MeOsXEw0

So I don’t understand what is the issue :frowning:

Best regards,
Nico


#19

Hello nicocolt,

What is the exact command you are using to get the certificate?

Use the --debug parameter when using letsencrypt-auto command and post the result. Also check the log file /var/log/letsencrypt/letsencrypt.log to see what is the exact error.

Cheers,
sahsanu


#20

Hello,

In order to keep this thread clear, I created a thread yesterday regarding the issue I have; here is the thread:

https://community.letsencrypt.org/t/authorizationerror-incomplete-authorizations-when-trying-to-create-certonly/4125

I will answer from this thread since pfg has already asked me for the same log file :wink:

Best regards,
Nico