[SOLVED] AuthorizationError: Incomplete authorizations when trying to create certonly

Hello,

I’m facing an issue when I try to run this command:

./letsencrypt-auto certonly -a manual -d domain.tld --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview -v --debug

I push the challenge on the server and the expected url that must be accessible is accessible without problem, but I get the Incomplete authorizations error.

Here is the result of the curl command on the expected url:

curl -i ‘http://domain.tld/.well-known/acme-challenge/RAPP8EB6n8pBtt2WxY2-YXucLwD2YfZBW7pcKMP9nnA’

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Nov 2015 21:17:03 GMT
Content-Type: text/plain
Content-Length: 89
Last-Modified: Wed, 18 Nov 2015 21:16:38 GMT
Connection: keep-alive
ETag: "564ceab6-59"
Content-Type: text/plain
Accept-Ranges: bytes

RAPP8EB6n8pBtt2WxY2-YXucLwD2YfZBW7pcKMP9nnA.5Zltx0i79C-y5azN6eX–FJYEjllkjxLhI2MeOsXEw0

What can cause this error ? I have tried to run the letsencrypt command from my desktop behind a box and from a vps server with full internet access.

Any help would be appreciated.
Let me know,
Best regards,
Nico

Hello,

Any idea regarding this problem ? Let me know if it is not so clear, maybe my English sounds a little bit French because I am.

Let me know,
Many thanks,
Nico

Could you post the entire output of letsencrypt-auto and all relevant log files from /var/log/letsencrypt?

Hello pfg,

Here is the log of the request. Sorry for the spam, it is a bit long:

2015-11-20 10:09:43,163:DEBUG:letsencrypt.cli:Root logging level set at 20
2015-11-20 10:09:43,163:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-20 10:09:43,173:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151114
2015-11-20 10:09:43,173:DEBUG:letsencrypt.cli:Arguments: [’-a’, ‘manual’, ‘-d’, ‘domain.tld’, ‘–server’, ‘https://acme-v01.api.letsencrypt.org/directory’, ‘–agree-dev-preview’, ‘-v’, ‘–debug’]
2015-11-20 10:09:43,173:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-11-20 10:09:43,179:DEBUG:letsencrypt.cli:Requested authenticator manual and installer None
2015-11-20 10:09:43,188:DEBUG:letsencrypt.display.ops:Single candidate plugin: * manual
Description: Manually configure an HTTP server
Interfaces: IAuthenticator, IPlugin
Entry point: manual = letsencrypt.plugins.manual:Authenticator
Initialized: <letsencrypt.plugins.manual.Authenticator object at 0x7f498c3b0f50>
Prep: True
2015-11-20 10:09:43,188:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.manual.Authenticator object at 0x7f498c3b0f50> and installer None
2015-11-20 10:09:43,204:DEBUG:letsencrypt.cli:Picked account: <Account(1c84adce1d04875e678ed72cc7a29f20)>
2015-11-20 10:09:43,205:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2015-11-20 10:09:43,208:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-20 10:09:43,474:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory HTTP/1.1” 200 263
2015-11-20 10:09:43,477:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘263’, ‘Expires’: ‘Fri, 20 Nov 2015 10:09:43 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Fri, 20 Nov 2015 10:09:43 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘WIhhRKwYLLGv2hwn29Jg9T8iBIutHEGfbAu0mQXnS_g’}. Content: '{“new-authz”:“https://acme-v01.api.letsencrypt.org/acme/new-authz",“new-cert”:“https://acme-v01.api.letsencrypt.org/acme/new-cert”,“new-reg”:“https://acme-v01.api.letsencrypt.org/acme/new-reg”,“revoke-cert”:"https://acme-v01.api.letsencrypt.org/acme/revoke-cert”}'
2015-11-20 10:09:43,478:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘263’, ‘Expires’: ‘Fri, 20 Nov 2015 10:09:43 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Fri, 20 Nov 2015 10:09:43 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘WIhhRKwYLLGv2hwn29Jg9T8iBIutHEGfbAu0mQXnS_g’}): ‘{“new-authz”:“https://acme-v01.api.letsencrypt.org/acme/new-authz",“new-cert”:“https://acme-v01.api.letsencrypt.org/acme/new-cert”,“new-reg”:“https://acme-v01.api.letsencrypt.org/acme/new-reg”,“revoke-cert”:"https://acme-v01.api.letsencrypt.org/acme/revoke-cert”}‘
2015-11-20 10:09:43,658:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-letsencrypt.pem
2015-11-20 10:09:43,673:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0015_csr-letsencrypt.pem
2015-11-20 10:09:43,682:DEBUG:letsencrypt.client:CSR: CSR(file=’/etc/letsencrypt/csr/0015_csr-letsencrypt.pem’, data=‘0\x82\x02\x840\x82\x01l\x02\x01\x000\x161\x140\x12\x06\x03U\x04\x03\x0c\x0bdomain.tld0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xed\x85}\x91\tN\x14\xe4\xe0\xe1\xe4\x8f\xf9\xfc\x15\x90l\xef\xb0\xa5\xf7\xaf\xafD\xd0L\x07\xe2\xfcq\x188KcH\xa1\t\xcd\xcd\xce\x18\xb6\x19B.\x91S\xe4P\x81\x872\x82\xf1\x92\x17\x86-\n\x83\xf5\x1a\x8dy\xe6k\xe6\xb5\x1e=@\xaa\xb8\x86\xa8\x98\xe1N\xda\xa6G8\xb6\xe1\t<\xdc\xf1M\x18k\xb4\xc6\xb8\xa8|\xcc\x98c\xb9\x15\xa1\x80\xd6*v.\xa1\x15#*}\xd5z\xe9\x95\xe8]\x98[\x7f\x15-\xa8!J.\xdf+\x89\x0e\x02\xf9t\xae\xb2~\x10Z\xf8\x96\xf6\xebsZ\xcc|R\x8d\xf6M\xedj\x93\xfca\x03)\xc9f\xd9\xe2K\xc6\xefU\xbfhAS~\xe7\xa1W\xbf4\xa6\x88\xb2\x8a\x15\xbd6[\x8e\xcb\xb5k\x17P3,<\xbe\x15\x95v\xe4\x147V\x88\xc1\xecz\xfe\x18\x0cI>\xed\x03\x1bJr\xfa\xd5<qF\xeewD<u\x06\xc2;j\xab\x9f-\xf3O\xe6\x1a\xc4\xf8C?\x80y\xcd"\x95\x9d\x02\xde\xaf\x82l\x0b\x81\x02\x03\x01\x00\x01\xa0)0’\x06\t\x86H\x86\xf7\r\x01\t\x0e1\x1a0\x180\x16\x06\x03U\x1d\x11\x04\x0f0\r\x82\x0bdomain.tld0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00i\x8d\xca\xa9\x95&K+H\xdb\x8f%\xb9I\xfcb\xd8\xfd\xf5\xbd\x03\xd5\x95\xcc\x04\x14V~\xe0\xe7\xec\xe8b1m\x07\x14\xea?\x0bZ\x1aDt\xfd\xa6\xb3eHI\xc1S\xf7\xda\xd2R\xc8\xb5^\x88\x14E\xb6\x0f\xf1+1\x03\xf9\x1f\x82|\x97,\xf8hj\x17\xf6\xbeM\xf1\xd9ZE\x8d\r\xf8\x03\xd31\n7\x9a\xf1\xa8\x0e\x10\xa5\xf8\x17\xcde\x1byeJ\x9b\x81\x7f\x10\xab\xf8x\xf37\xe7\x8e$s%\xde&’|{\x01\x82=\xa6\xf2\xe7h\xdb\n9,B\xac\x80\x9d\x0fT\x9f4\xb1a\x98\xa6\xf2\xb6\xfc\xf0\xf5\x8a\x9f\x075\x88\xb3G8\xdcJr\xe6\xb6w~\xf0W\x82w\xc0\x80\xfap\xd0\xc3\t\xc4)m\xf0\xf5\x1a\xd4r\xcd\xcdp\x14\xc2 \xd2\x9e\xa7\xc5\xe6\x1f\xd8\x92\xb3$t\xd8\xc7_\x96\xa1)\xadDk\x85\x14\x0c\x19\x95\x13:\xec\x9ak23ld\xa7\x15\x82<m\xb2\xbe\xef{\xc7a\x11%1\xa1\xcd\x19\xf3\x91\x96o(W\xc3’, form=‘der’), domains: [‘domain.tld’]
2015-11-20 10:09:43,682:DEBUG:root:Requesting fresh nonce
2015-11-20 10:09:43,682:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2015-11-20 10:09:43,684:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-20 10:09:44,172:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-authz HTTP/1.1” 405 0
2015-11-20 10:09:44,175:DEBUG:root:Received <Response [405]>. Headers: {‘Content-Length’: ‘0’, ‘Pragma’: ‘no-cache’, ‘Expires’: ‘Fri, 20 Nov 2015 10:09:44 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Allow’: ‘POST’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Fri, 20 Nov 2015 10:09:44 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘bBNZLCnmoZMdHaEpWkFaDlJq28s2mTF2wqu62oxldDk’}. Content: ''
2015-11-20 10:09:44,176:DEBUG:acme.client:Storing nonce: 'l\x13Y,)\xe6\xa1\x93\x1d\x1d\xa1)ZAZ\x0eRj\xdb\xcb6\x991v\xc2\xab\xba\xda\x8cet9’
2015-11-20 10:09:44,177:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, status=None, combinations=None
2015-11-20 10:09:44,177:DEBUG:acme.client:Serialized JSON: {“identifier”: {“type”: “dns”, “value”: “domain.tld”}, “resource”: “new-authz”}
2015-11-20 10:09:44,179:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2015-11-20 10:09:44,183:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2015-11-20 10:09:44,183:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “x4UWcl8IdlXVFKvOxGc3h-L1BZ_qpiC7PP5DabvxYS2MAt7CGF-IvkJFVOYpUwpLxVPncPuQcygKzWQOVfp4IHFLZqIxQkRc5reN9ptZgf_Luiv0jCXsuw75ZYlceH4bt7e_0b4vMpqZvMr2qzfc9cTaVNgD_EnHPL-HluV1Aeyyr8oV6sOR0LZr1HItz9yZfrucdeLKgHr-8KnUNEEUiryDZpbWn8idiCZpfGeQYy-z52mZr59l8jh_aUwgI_tTZmEsNP_BSY8-zRRI7dCKNVsA6uAcghOzs8Qsd2ADSOcFDXtTIlFuVE2z9warU_2IBi0PVbkOM_LqX9gcmH26mQ”}}, “protected”: “eyJub25jZSI6ICJiQk5aTENubW9aTWRIYUVwV2tGYURsSnEyOHMybVRGMndxdTYyb3hsZERrIn0”, “payload”: “eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJsb2lzb24uaW5mbyJ9LCAicmVzb3VyY2UiOiAibmV3LWF1dGh6In0”, “signature”: “qZNX_mMkwD46larNJfMum6KgqeVZkHSWTmFElCrRreUXqp7zSSc0koMA8I2wdMzqB83UI-BtaET2bWLgvJBjbl7F6jKgOSBH8kh0FwWWxi0HX8E75pOQkNTWDwV-Az1D227Rnb8ItNcQtCgB4WcoVcsxIsA8L_HdoAJ1YwJrqXHyCPI3H0SEmywqiLqIvAn83a8wOJeMkJGqif7KKIzKYFVLqYLt3kM9QvpWj-SrW1SZLTVtMPj5wOmbPvB-coqaS_hkk0wX5d3ciMP6JnB6BN_cPz8HEFM-xGrsX3tcnXRUwgONeOtgq03qCA2fYS8NlSNJ9vTYR3ySmc3J0uhhWw”}’}
2015-11-20 10:09:44,184:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-20 10:09:44,411:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-authz HTTP/1.1” 201 562
2015-11-20 10:09:44,414:DEBUG:root:Received <Response [201]>. Headers: {‘Content-Length’: ‘562’, ‘Expires’: ‘Fri, 20 Nov 2015 10:09:44 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/jTXy0g4YuiUqgOXXIpQlXUI0yaor1AG1pgs9XO8CWPA’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Fri, 20 Nov 2015 10:09:44 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘9FwRHivnsk4spbrUo42ARXSGHu28Ba6ri8AsO1cIWIU’}. Content: '{“identifier”:{“type”:“dns”,“value”:“domain.tld”},“status”:“pending”,“expires”:“2015-11-27T10:09:44.745486499Z”,“challenges”:[{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/jTXy0g4YuiUqgOXXIpQlXUI0yaor1AG1pgs9XO8CWPA/436299",“token”:“ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20”},{“type”:“tls-sni-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/jTXy0g4YuiUqgOXXIpQlXUI0yaor1AG1pgs9XO8CWPA/436300”,“token”:“V_oA5uMoYCSW6kes3JA2h_fOz6rsTx4trdbA624HwJI”}],"combinations”:[[0],[1]]}'
2015-11-20 10:09:44,415:DEBUG:acme.client:Storing nonce: '\xf4\\x11\x1e+\xe7\xb2N,\xa5\xba\xd4\xa3\x8d\x80Et\x86\x1e\xed\xbc\x05\xae\xab\x8b\xc0,;W\x08X\x85’
2015-11-20 10:09:44,415:DEBUG:acme.client:Received response <Response [201]> (headers: {‘Content-Length’: ‘562’, ‘Expires’: ‘Fri, 20 Nov 2015 10:09:44 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/jTXy0g4YuiUqgOXXIpQlXUI0yaor1AG1pgs9XO8CWPA’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Fri, 20 Nov 2015 10:09:44 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘9FwRHivnsk4spbrUo42ARXSGHu28Ba6ri8AsO1cIWIU’}): ‘{“identifier”:{“type”:“dns”,“value”:“domain.tld”},“status”:“pending”,“expires”:“2015-11-27T10:09:44.745486499Z”,“challenges”:[{“type”:“http-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/jTXy0g4YuiUqgOXXIpQlXUI0yaor1AG1pgs9XO8CWPA/436299",“token”:“ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20”},{“type”:“tls-sni-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/jTXy0g4YuiUqgOXXIpQlXUI0yaor1AG1pgs9XO8CWPA/436300”,“token”:“V_oA5uMoYCSW6kes3JA2h_fOz6rsTx4trdbA624HwJI”}],"combinations”:[[0],[1]]}‘
2015-11-20 10:09:44,417:INFO:letsencrypt.auth_handler:Performing the following challenges:
2015-11-20 10:09:44,427:INFO:letsencrypt.auth_handler:http-01 challenge for domain.tld
2015-11-20 10:14:37,586:DEBUG:acme.challenges:Verifying http-01 at http://domain.tld/.well-known/acme-challenge/ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20…
2015-11-20 10:14:37,587:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): domain.tld
2015-11-20 10:14:37,621:DEBUG:requests.packages.urllib3.connectionpool:“GET /.well-known/acme-challenge/ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20 HTTP/1.1” 200 88
2015-11-20 10:14:37,622:DEBUG:acme.challenges:Received <Response [200]>: ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20.5Zltx0i79C-y5azN6eX–FJYEjllkjxLhI2MeOsXEw0
. Headers: {‘Content-Length’: ‘88’, ‘Accept-Ranges’: ‘bytes’, ‘Server’: ‘nginx’, ‘Last-Modified’: ‘Fri, 20 Nov 2015 10:10:08 GMT’, ‘Connection’: ‘keep-alive’, ‘ETag’: ‘“564ef180-58”’, ‘Date’: ‘Fri, 20 Nov 2015 10:14:38 GMT’, ‘Content-Type’: ‘text/plain’}
2015-11-20 10:14:37,623:DEBUG:acme.challenges:Key authorization from response (u’ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20.5Zltx0i79C-y5azN6eX–FJYEjllkjxLhI2MeOsXEw0’) doesn’t match HTTP response (u’ml70WjfnCxPjQgAfLdgP9lyk0BhzIXHtcXfS1BX2z20.5Zltx0i79C-y5azN6eX–FJYEjllkjxLhI2MeOsXEw0\n’)
2015-11-20 10:14:37,623:ERROR:letsencrypt.plugins.manual:Self-verify of challenge failed, authorization abandoned.
2015-11-20 10:14:37,634:INFO:letsencrypt.auth_handler:Waiting for verification…
2015-11-20 10:14:37,642:INFO:letsencrypt.auth_handler:Cleaning up challenges
2015-11-20 10:14:37,652:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 1187, in main
return args.func(args, config, plugins)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 497, in obtain_cert
_auth_from_domains(le_client, config, domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 326, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 254, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 237, in obtain_certificate
return self._obtain_certificate(domains, csr) + (key, csr)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 195, in _obtain_certificate
authzr = self.auth_handler.get_authorizations(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py”, line 87, in get_authorizations
self.verify_authzr_complete()
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py”, line 298, in verify_authzr_complete
raise errors.AuthorizationError(“Incomplete authorizations”)
AuthorizationError: Incomplete authorizations

Let me know,
Thanks,
Nico

There's a line break at the end of your challenge file. Some text editors automatically append trailing line breaks when you save a file.

I would recommend creating the file like this:
echo -n "challenge_string" > ".well-known/acme-challenge/challenge_file"

Got it ! It works !

Very good news. Maybe this usefull information can be set to the documentation? or in the letsencrypt client?

Many thanks pfg !

Best regards,
Nico

The authorization is also abandoned when the content type is not exactly text/plain - this may prove to be a PITA when pages are generated by app servers.

2015-11-21 17:59:50,208:DEBUG:acme.challenges:Received <Response [200]>: sbUsGPYH3O3XDk2x1Rkw3BC5hFsdP7Bz41t5iaMWGU4.GjGX4-3ANAgwv9Oo8bWgigOBDXw9_JfCZrGl0O5eAls. Headers: {‘Content-Length’: ‘107’, ‘Content-Encoding’: ‘gzip’, ‘Accept-Ranges’: ‘bytes’, ‘Vary’: ‘Accept-Encoding’, ‘Keep-Alive’: ‘timeout=15, max=100’, ‘Server’: ‘Zope/(Zope 2.10.8-final, python 2.4.6, linux3) ZServer/1.1’, ‘Last-Modified’: ‘Sat, 21 Nov 2015 17:59:45 GMT’, ‘Connection’: ‘Keep-Alive’, ‘Date’: ‘Sat, 21 Nov 2015 17:59:50 GMT’, ‘Content-Type’: ‘text/plain; charset=utf-8’}
2015-11-21 17:59:50,208:DEBUG:acme.challenges:Wrong Content-Type: found ‘text/plain; charset=utf-8’, expected 'text/plain’
2015-11-21 17:59:50,209:ERROR:letsencrypt.plugins.manual:Self-verify of challenge failed, authorization abandoned.

This looks better:

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will
  expire on 2016-02-19. To obtain a new version of the certificate in
  the future, simply run Let’s Encrypt again.

To make this happen, I edited $home/.local/share/letsencrypt/lib/python2.7/site-packages/acme/challenges.py replacing lines 269-273 as follows:

        found_ct = http_response.headers.get(
            "Content-Type", None)
        if not chall.CONTENT_TYPE in found_ct:
            logger.debug("Wrong Content-Type: found %r, expected %r",
                         found_ct, chall.CONTENT_TYPE)

This fixes an error in 269 where chall.CONTENT_TYPE was being supplied as the default value when no Content-Type header is present (seems silly to me)
and checks if the value of chall.CONTENT_TYPE is present in the content header returned by the server