Cannot renew - The client lacks sufficient authorization - 404 on a file

kinwolfqc · June 12, 2016, 1:48pm

I took a look at the many other problem that seem related, but none seemed to apply.

I configured letsencrypt about a month back on ubuntu 14.04 and all went well. Now when I am trying to renew it, it fails with this message:

sudo /opt/letsencrypt/letsencrypt-auto renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/daleeaglesham.com.conf
-------------------------------------------------------------------------------
2016-06-12 09:39:48,106:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/daleeaglesham.com.conf produced an unexpected error: Failed authorization procedure. www.daleeaglesham.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.daleeaglesham.com/.well-known/acme-challenge/kzjpRp50H2rYR2qQZWYZBNfbrtsrsjm6fmEKjeww4-M: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/glutenetnous.com.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/glutenetnous.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/daleeaglesham.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.daleeaglesham.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.daleeaglesham.com/.well-known/acme-challenge/kzjpRp50H2rYR2qQZWYZBNfbrtsrsjm6fmEKjeww4-M:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I put a file in /.well-known/acme-challenge/ and I can access it no problem in the web browser.

This is from the access log after running the renew process:

66.133.109.36 - - [12/Jun/2016:10:54:50 -0400] "GET /.well-known/acme-challenge/tKXqlaVj5QNMfCLAliHwHTiGAS7ZSNg3kW59lBfbppg HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [12/Jun/2016:10:54:50 -0400] "GET /.well-known/acme-challenge/BlX02psJsdnMaRcT2pmA_JlV0Sv8R9iT55AqjEiJBBM HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [12/Jun/2016:10:54:50 -0400] "GET /.well-known/acme-challenge/tKXqlaVj5QNMfCLAliHwHTiGAS7ZSNg3kW59lBfbppg HTTP/1.1" 200 87 "http://daleeaglesham.com/.well-known/acme-challenge/tKXqlaVj5QNMfCLAliHwHTiGAS7ZSNg3kW59lBfbpplBfbppg" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [12/Jun/2016:10:54:50 -0400] "GET /.well-known/acme-challenge/BlX02psJsdnMaRcT2pmA_JlV0Sv8R9iT55AqjEiJBBM HTTP/1.1" 404 162 "http://www.daleeaglesham.com/.well-known/acme-challenge/BlX02psJsdnMaRcT2pmA_JlV0Sv8R9iT55AqjT55AqjEiJBBM" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Any help ?

tialaramex · June 12, 2016, 4:25pm

The ACME server is successful in verifying the challenge on daleeaglesham.com but not www.daleeaglesham.com, for both it gets a 301 redirect (to an HTTPS version of the server?) But for the latter after the redirect it gets a 404.

Something must be different between these two, although they’re presumably both provided by the same server.

certbot has a verbose mode (maybe -v?) which could give more diagnostics. So please try (once) by hand with this verbose mode turned on and report what that says, unless the hint that the two names behave differently was enough for you to figure it out.

kinwolfqc · June 12, 2016, 5:16pm

Thanks for the reply, and the clue.

Yes, the redirect where to the ssl version of the website.

Both www and non-www point to the same place. The only diff is that, in the nginx config, the non-www block listen to port 80 before redirecting to https, while www did not listen to port 80. It always worked fine for the website, but it seemed to cause a problem for the renewal.

So I now changed the server-block config for www to also listen to port 80 and it’s now working properly.

Huge thanks!

system · July 12, 2016, 5:16pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.