Cannot renew because client lacks sufficient authorization

I’ve successfully retrieved a certificate a while back with:

$ ./letsencrypt-auto certonly --webroot -w /example.com/public_html -d example.com -d www.example.com

Now, I’m trying to renew with:

$ ./letsencrypt-auto certonly --webroot --renew-by-default -d example.com -d www.example.com

However, I get the following error:

The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/NWCHmOrnegSe7KSHATT5ZPTTHjz9VtmK3pf7HfeVi7s

My site is running WordPress and I don’t know if this is affecting it. I have the following in .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

I commented out the following lines:

# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d

But this did not fix the problem. My Letsencrypt renew still fails with same error.

I am using CloudFlare, which redirects http to https.

Can anyone provide a suggestion?

You’ll want to uncomment those lines again - they tell the web server: “if that file or directory exists, serve it, otherwise redirect to index.php.”

Try putting a test file with some random content in public_html/.well-known/acme-challenge/ and try to request it via HTTP (using your browser or curl). Maybe that’ll show you what the issue is.
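The check suggested above, written out as an added example (not from the original thread, and not code from the letsencrypt client): it fetches the HTTP-01 challenge URL the way the ACME server does, follows any http-to-https redirect hop by hop, and compares the final body with the expected token instead of just looking at the status code. The domain, token and expected body are placeholders; the two fake fetchers are constructed stand-ins (one for a site that serves the token, one for an edge that redirects to HTTPS and then answers with an error page instead of the token) so the logic can be run offline. Against a real host, pass the default `http_fetch`.

```python
"""Diagnose whether an ACME HTTP-01 token is really served at the challenge URL.

Added example, not part of the original thread or the letsencrypt client.
Domain, token and expected body are placeholders; the fake fetchers are
constructed so the check runs offline.
"""
import ssl  # noqa: F401  (imported so a TLS failure from urllib is recognisable)
import urllib.error
import urllib.parse
import urllib.request

MAX_REDIRECTS = 10
TOKEN = "NWCHmOrnegSe7KSHATT5ZPTTHjz9VtmK3pf7HfeVi7s"      # token from the thread's error
EXPECTED = TOKEN + ".keyauth-thumbprint-placeholder"     # placeholder key authorization


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be logged."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """Real fetcher: returns (status, Location header or None, body text)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:           # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location"), e.read(4096).decode("utf-8", "replace")


def check_challenge(domain, token, expected_body, fetch=http_fetch):
    """Follow the challenge URL like a validator would and explain the outcome.

    Returns {'ok': bool, 'reason': str, 'chain': [(url, status), ...]}.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    chain = []
    for _ in range(MAX_REDIRECTS):
        try:
            status, location, body = fetch(url)
        except urllib.error.URLError as e:        # DNS, connect or TLS verification failure
            chain.append((url, None))
            return {"ok": False, "reason": f"connection/TLS error: {e.reason}", "chain": chain}
        chain.append((url, status))
        if status in (301, 302, 303, 307, 308) and location:
            url = urllib.parse.urljoin(url, location)  # follow the redirect, keep the trail
            continue
        if status != 200:
            return {"ok": False, "reason": f"HTTP {status} instead of 200", "chain": chain}
        if body.strip() != expected_body:
            return {"ok": False,
                    "reason": "200 but body is not the token (error page or index.php?)",
                    "chain": chain}
        return {"ok": True, "reason": "token served", "chain": chain}
    return {"ok": False, "reason": "too many redirects", "chain": chain}


# --- constructed fetchers for offline use -----------------------------------

def fake_working_site(url):
    """Constructed: HTTP redirects to HTTPS, HTTPS serves the token file."""
    if url.startswith("http://"):
        return 301, "https://" + url[len("http://"):], ""
    return 200, None, EXPECTED + "\n"


def fake_error_page_site(url):
    """Constructed: HTTP redirects to HTTPS, but the HTTPS edge cannot reach a
    validly-configured origin and returns an HTML error page, not the token."""
    if url.startswith("http://"):
        return 301, "https://" + url[len("http://"):], ""
    return 526, None, "<html><body>Invalid SSL certificate</body></html>"


if __name__ == "__main__":
    for name, fetch in (("working", fake_working_site), ("error page", fake_error_page_site)):
        result = check_challenge("www.example.com", TOKEN, EXPECTED, fetch=fetch)
        print(name, "->", result["reason"])
        for hop_url, hop_status in result["chain"]:
            print("   ", hop_status, hop_url)
```

When the chain ends in a 200 whose body is not the token, the request never reached the file on disk: something in front of it (a rewrite to index.php, a CDN error page, a login wall) answered instead, and that is exactly the response the ACME server rejects as "Invalid response".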

Thanks for your suggestion.

I commented out:

# RewriteRule ^index\.php$ - [L]
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule . /index.php [L]

I put a test file at public_html/.well-known/acme-challenge/test.html
and I am able to access it from my browser. No errors.

Unfortunately, when I retried renewing the certificate, the problem persisted. Any other suggestions?

Would you mind sharing the domain so I can take a look at the response of your test file? PM would be okay too, if you don’t want to share it publicly (though you should know that all certificates issued by Let’s Encrypt are published to public Certificate Transparency log servers anyway :wink:).

For anyone else reading this thread or finding it via search:

It turned out to be an issue with one of the subdomains and CloudFlare in Full SSL (strict) mode. @curt had a valid certificate for his main domain, but not for one of his subdomains, which caused CloudFlare to show an “Invalid SSL Certificate” error page instead of serving the challenge token. Switching to Flexible SSL temporarily seems to have fixed this issue.
