Hi all. First of all, I’m not here just to complain; I’ve done my research and my work and I’ve reached a conclusion, and that’s what I want to share with you.
Well, I’m using letsencrypt-auto on CentOS with Python 2.6 in order to get a free certificate for a domain that’s beyond my computer’s scope, so I use the manual mode specifying a CSR (Certificate Signing Request) as follows.
./letsencrypt-auto certonly --authenticator manual --email firstname.lastname@example.org --csr signreq.der --text --debug
The error that I always get is -> WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed… The client lacks sufficient authorization :: Error parsing key authorization file
Now, I’m very sure that I’ve created the challenge file successfully, since I can go to the URL and see the challenge content there. What I’ve realised is that when I curl the challenge URL it tells me that it’s forbidden (error 403), thus I need to set the User-Agent to Mozilla’s and also fill in the main cookie. With those parameters filled in I’m able to see the challenge content via curl.
Proof of curl with/without cookie & User-Agent:
Without -> command: curl -v http://xxx.xxx.xxx/.well-known/acme-challenge/ujox7fUMV6Dk6DsCJILDxYopIVR41fJmzOM5x5L2mVw
GET /.well-known/acme-challenge/ujox7fUMV6Dk6DsCJILDxYopIVR41fJmzOM5x5L2mVw HTTP/1.1
< HTTP/1.1 403 Forbidden
With User-Agent and cookie -> command: curl -v http://xxx.xxx.xxx/.well-known/acme-challenge/ujox7fUMV6Dk6DsCJILDxYopIVR41fJmzOM5x5L2mVw --cookie "__test=a3dc21f75aca2595302ecaea9948b2a0" -H "User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
As you see, the first command specifies neither cookies nor User-Agent, so it throws a 403 Forbidden error, but the second supplies the User-Agent and cookie, so it prints the challenge (the token below “…HEADERS…”).
So here’s my approach: letsencrypt-auto doesn’t validate the challenge because my website gives a 403 (Forbidden) error, since letsencrypt-auto doesn’t handle cookies and User-Agent correctly. I’ve seen over there that a --user-agent parameter is available in the input, but I couldn’t make it work.
I just wanted to know what you people think about this issue, whether you have also suffered from this, or whether I’m just missing something I can’t see. Well, at this point I think that’s letsencrypt’s fault, since it doesn’t handle all the aforementioned stuff.
Thanks for your patience and support! Have a nice day!
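An added diagnostic for the situation described in this post (example code, not part of the original post or of the letsencrypt client): it fetches the HTTP-01 challenge URL the way a validator does, with no cookies and a plain User-Agent, and checks whether the body is a well-formed key authorization ("<token>.<thumbprint>"), so a 403 interstitial or an HTML page is reported before the CA ever sees it. The domain, the User-Agent string and the thumbprint value are assumptions; the token is the one quoted above.

```python
import re
import urllib.request
import urllib.error

# Token from the post; the thumbprint is a constructed placeholder (43 base64url chars,
# the length of a SHA-256 JWK thumbprint).
TOKEN = "ujox7fUMV6Dk6DsCJILDxYopIVR41fJmzOM5x5L2mVw"
CONSTRUCTED_THUMB = "0123456789abcdefghijklmnopqrstuvwxyzABCDEF_"
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_key_authorization(body, token):
    """Return the thumbprint if body is '<token>.<thumbprint>' for this token, else None."""
    head, sep, thumb = body.strip().partition(".")
    if not sep or head != token:
        return None
    if len(thumb) != 43 or not B64URL.match(thumb):
        return None
    return thumb


def diagnose(status, body, token):
    """Map a challenge-URL response to what a validator would conclude from it."""
    if status == 403:
        return "blocked: server refuses requests without a browser User-Agent/cookie"
    if status != 200:
        return "unexpected status %d" % status
    if parse_key_authorization(body, token) is None:
        return "200 but body is not '<token>.<thumbprint>' (e.g. an HTML interstitial)"
    return "ok"


def fetch_challenge(domain, token, timeout=10):
    """Fetch like a validator: no cookies, non-browser UA (assumed string). Returns (status, body)."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck/0 (constructed)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 403/404 etc. still carry a body worth inspecting
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    status, body = fetch_challenge("example.invalid", TOKEN)  # assumed domain
    print(status, diagnose(status, body, TOKEN))
```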