Certbot: The client lacks sufficient authorization :: Invalid response


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
watch.swagbucks.com

I ran this command:
certbot --debug-challenges -v

It produced this output:

```
Domain: watch.swagbucks.com
Type: unauthorized
Detail: Invalid response from http://watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. watch.swagbucks.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1094, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 392, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. watch.swagbucks.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
Failed authorization procedure. watch.swagbucks.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
  • The following errors were reported by the server:

   Domain: watch.swagbucks.com
   Type: unauthorized
   Detail: Invalid response from
   http://watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor="white">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 16.04, nginx

My hosting provider, if applicable, is:
Rackspace

I can login to a root shell on my machine (yes or no, or I don’t know):
yes, ran as root

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

Additional Info
I created a file called 123456789 and if you navigate there, you can hit it:
http://watch.swagbucks.com/.well-known/acme-challenages/12345689

The nginx error file says:
```
2019/01/29 17:19:08 [error] 110957#110957: *445801790 open() "/srv/www/watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I:" failed (2: No such file or directory), client: 64.71.168.194, server: watch.swagbucks.com, request: "HEAD /.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I: HTTP/1.1", host: "watch.swagbucks.com
```


#2

The HTTP request was looking for this file location:

[if you don’t have too many domains/configs]
Please show:

grep -Eri '/srv/www/watch.swagbucks.com|root|virtualh|listen|rewrite|return' /etc/nginx

If unable to locate, you can still use --webroot option (since you know exactly where it will look).
If so, please show:
certbot certificates
[to get started with that method]


#3

Result:

```
listen 80;
rewrite ^/(.*) $scheme://$host/$1 permanent;
root /srv/www/watch.swagbucks.com;
rewrite ^/ncrave/(.*)$ /$1 last;
```

From the config:

```
        if ($request_uri ~* "\/\/") {
                rewrite ^/(.*)      $scheme://$host/$1    permanent;
        }
        location /.well-known {
                root /srv/www/watch.swagbucks.com;
        }
```

There’s a location entry for ‘/’ but it does a proxy_pass.

Running: certbot certificates produces

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No certs found.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

#4

Some lines did not display.
Please edit post and add three backticks above it (first line) and three below it (last line).

```
[post]
```


#5

done and adding extra characters so it’s 20 long


#6

Can’t really understand it 100% but from what I can…

This may be confusing it:

Try as:
```
location /.well-known/acme-challenge {
        root /srv/www/watch.swagbucks.com;
}
```


#7

This file fails:
[did you delete it]


#8

You misspelled it - you’re missing the ‘7’ and misspelled ‘challenges’

http://watch.swagbucks.com/.well-known/acme-challenge/123456789

that URL works


#9

That makes two of us!


#10

Yes, I did go back and correct it. I don’t know why the copy and paste didn’t work…


#11

I tried the new location like you suggested and that didn’t work either:

```
2019/01/29 18:57:21 [error] 1742#1742: *447164073 open() "/srv/www/watch.swagbucks.com/.well-known/acme-challenge/wn2hrUHN9rzPibGC7840Gi2Qt7QSfDe1h0Z4xKj3yQM" failed (2: No such file or directory), client: 66.133.109.36, server: watch.swagbucks.com, request: "GET /.well-known/acme-challenge/wn2hrUHN9rzPibGC7840Gi2Qt7QSfDe1h0Z4xKj3yQM HTTP/1.1", host: "watch.swagbucks.com"
```
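The two nginx error lines quoted in #1 and #11, read together with the `root` directive shown in #3, already say where certbot would have had to put the token. nginx's `root` appends the whole request URI to the directory, so the `open()` path in the log, minus the URI, is the webroot. The token itself is also a tell: RFC 8555 §8.3 restricts it to the base64url alphabet with no padding, and the request path in the first line ends in a `:`, which is the delimiter certbot prints after the URL in its "Invalid response from <url>:" message, not part of the token. The script below, an added example and not code from this thread or from certbot, parses both lines and applies those two checks; the log lines are reproduced with straight quotes (the first one's cut-off closing quote restored), and the function names and verdict strings are my own.

```python
"""Triage nginx "open() ... failed" error-log lines from a failed ACME http-01 validation.

Added example for this thread; not certbot code. Function names and verdict labels are mine.
"""
import re
from pathlib import PurePosixPath

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a token uses only the base64url alphabet and carries no '=' padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Default nginx error_log layout for a failed open(), as in the thread's two log lines.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: \*\d+ open\(\) "(?P<path>[^"]+)" failed '
    r'\((?P<errno>\d+): (?P<strerror>[^)]+)\), '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)

# The lines posted in #1 and #11 (quotes normalized; the first line's closing quote restored).
NGINX_ERROR_LINES = [
    '2019/01/29 17:19:08 [error] 110957#110957: *445801790 open() '
    '"/srv/www/watch.swagbucks.com/.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I:" '
    'failed (2: No such file or directory), client: 64.71.168.194, server: watch.swagbucks.com, '
    'request: "HEAD /.well-known/acme-challenge/sbssSkw4idOEyKzlb8lQ0-HXdEL6y9LS5oJ-SIVDS0I: HTTP/1.1", '
    'host: "watch.swagbucks.com"',
    '2019/01/29 18:57:21 [error] 1742#1742: *447164073 open() '
    '"/srv/www/watch.swagbucks.com/.well-known/acme-challenge/wn2hrUHN9rzPibGC7840Gi2Qt7QSfDe1h0Z4xKj3yQM" '
    'failed (2: No such file or directory), client: 66.133.109.36, server: watch.swagbucks.com, '
    'request: "GET /.well-known/acme-challenge/wn2hrUHN9rzPibGC7840Gi2Qt7QSfDe1h0Z4xKj3yQM HTTP/1.1", '
    'host: "watch.swagbucks.com"',
]


def nginx_root_path(root: str, uri: str) -> str:
    """`root` maps a request by appending the *whole* URI to the directory
    (unlike `alias`, which replaces the matched location prefix)."""
    return str(PurePosixPath(root) / uri.lstrip("/"))


def infer_webroot(path: str, uri: str):
    """Invert nginx_root_path: the directory nginx used as `root` for this request."""
    return path[: -len(uri)] if path.endswith(uri) else None


def triage(line: str) -> dict:
    """Classify one error-log line; fields from the log are returned alongside the verdict."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed"}
    f = m.groupdict()
    if not f["uri"].startswith(ACME_PREFIX):
        return {"verdict": "not_acme", **f}
    token = f["uri"][len(ACME_PREFIX):]
    webroot = infer_webroot(f["path"], f["uri"])
    result = {**f, "token": token, "webroot": webroot}
    if not TOKEN_RE.match(token):
        result["verdict"] = "malformed_token"
        result["hint"] = (
            "request path has characters outside the token alphabet; a trailing ':' is the "
            "delimiter from certbot's 'Invalid response from <url>:' message pasted along with "
            "the URL, so this looks like a manual fetch rather than the CA's validation request"
        )
    else:
        result["verdict"] = "file_missing"
        result["hint"] = (
            f"well-formed challenge request from {f['client']} reached this server block; "
            f"nginx looked for {f['path']} and found nothing, so no authenticator wrote the "
            f"token under that root; `certbot certonly --webroot -w {webroot}` targets it"
        )
    return result


if __name__ == "__main__":
    for line in NGINX_ERROR_LINES:
        r = triage(line)
        print(f"{r['verdict']:16} {r['method']} token={r['token']!r} webroot={r['webroot']}")
        print("   ", r["hint"])
```

The `webroot` field is the directory to hand to `-w`; both lines resolve it to the same `/srv/www/watch.swagbucks.com` that the `root` directive in #3 names, which is the point the helper makes about `--webroot` working when you know exactly where nginx will look.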


#12

This is a contradiction:
A.

B.

A fails while B is successful!
This makes no sense to me.

We have two options:

  1. We can dig into what is actually being done by certbot (increase verbosity in logs and search there)
  2. Try using --webroot option (which should work since B works)

Your call.


#13

This did work:
certbot certonly --webroot -w /srv/www/watch.swagbucks.com/ -d watch.swagbucks.com

any idea why this works but the other way didn’t?

Also, since this didn’t update the config file, do I just add the following:

    ssl_certificate /etc/letsencrypt/live/watch.swagbucks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/watch.swagbucks.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

i.e., similar to other configs or don’t include the last two lines?
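On why `--webroot` works: the webroot authenticator does nothing more than write one file, `<webroot>/.well-known/acme-challenge/<token>`, whose body is the key authorization from RFC 8555 §8.1 (the token, a dot, and the RFC 7638 thumbprint of the ACME account key); the CA then fetches that URL over plain HTTP and compares the body, ignoring trailing whitespace (§8.3). With the `root` directive from #3, that file is exactly what nginx opens for the challenge URL, so the file lands where the validator looks. The script below is an added example, not certbot's own code: it builds the key authorization, writes it into a temporary webroot and re-checks it the way the CA does. The account JWK is a constructed placeholder, not a real key, and the function names are mine.

```python
"""Build and self-check an ACME http-01 challenge response (RFC 8555 sections 8.1 and 8.3).

Added example for this thread; not certbot code. Names and the sample key are mine.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed placeholder account key in JWK form. The modulus is NOT a real key;
# only the JWK members matter for the thumbprint. "kid" is an extra member that
# RFC 7638 deliberately leaves out of the thumbprint input.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "v8Jn0_placeholder_modulus_not_a_real_key",
    "e": "AQAB",
    "kid": "https://acme.example/acme/acct/1",
}
SAMPLE_TOKEN = "wn2hrUHN9rzPibGC7840Gi2Qt7QSfDe1h0Z4xKj3yQM"  # the token from the log line in #11


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the JSON of the key's *required* public members only,
    lexicographically sorted, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(webroot, token: str, account_jwk: dict) -> Path:
    """What the webroot authenticator does: drop the key authorization at
    <webroot>/.well-known/acme-challenge/<token>, which a `root <webroot>;`
    directive serves at http://<domain>/.well-known/acme-challenge/<token>."""
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, account_jwk))
    return path


def validator_check(body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks on the fetched body (RFC 8555 section 8.3): after stripping
    trailing whitespace it must equal the key authorization. A 404 page never matches."""
    return body.rstrip() == key_authorization(token, account_jwk)


def demo(webroot=None):
    """Write the sample challenge into a webroot (a temp dir by default) and re-check it.
    Returns (path written, body read back, validator verdict)."""
    webroot = webroot or tempfile.mkdtemp(prefix="acme-webroot-")
    path = write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    body = path.read_text()
    return path, body, validator_check(body, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)


if __name__ == "__main__":
    path, body, ok = demo()
    print("wrote", path)
    print("body ", body)
    print("validator would accept:", ok)
```

Because the thumbprint covers only `e`, `kty` and `n`, the same account key yields the same key authorization whatever else the JWK carries, which is why the file content does not depend on how the client stores its account.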


#14

Or you could let certbot do it.
It didn’t do anything because “certonly” means: Cert Only.
So it just got the cert and nothing else.
But it probably updated the renewal.conf though and that will do certonly on renewals.
[not recommended]

Try it without certonly; like:
certbot renew --webroot -w /srv/www/watch.swagbucks.com/ --cert-name watch.swagbucks.com --force-renewal


#15

Do you know if you were using --webroot before as well?


#16

No, I don’t believe I used it before. Prior to yesterday, all that was required was to type this at the command line:

certbot --nginx

I tried that this time; it didn’t work, so I dug through this forum and found what was suggested before. I tried testing it at letsdebug.com and creating the file and placing it in the folder.

FYI, the 123456789 file won’t work right now as I have it back behind the load-balancer