Certbot certonly: Failed authorization procedure // The client lacks sufficient authorization


#1

Hi,

By running the following command:

sudo certbot certonly --dry-run --keep-until-expiring --webroot -w /data/www/docs/www.grimstveit.no -d grimstveit.no -d www.grimstveit.no

… I get the following output (with negative result):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for grimstveit.no
http-01 challenge for www.grimstveit.no
Using the webroot path /data/www/docs/www.grimstveit.no for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. grimstveit.no (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://51.174.231.115:443/.well-known/acme-challenge/KV4IqbNYkSmVrUU1h5rsXVm3DJjpFRkpqGKSzpjnfQA [51.174.231.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1", www.grimstveit.no (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://51.174.231.115:443/.well-known/acme-challenge/ZtaMES5RyOgQyoIYF-Jh3JK6lnvOsAsxACKjlQYM6Hs [51.174.231.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1"
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: grimstveit.no
   Type:   unauthorized
   Detail: Invalid response from
   http://51.174.231.115:443/.well-known/acme-challenge/KV4IqbNYkSmVrUU1h5rsXVm3DJjpFRkpqGKSzpjnfQA
   [51.174.231.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>400 Bad
   Request</title>\n</head><body>\n<h1>Bad Request</h1"

   Domain: www.grimstveit.no
   Type:   unauthorized
   Detail: Invalid response from
   http://51.174.231.115:443/.well-known/acme-challenge/ZtaMES5RyOgQyoIYF-Jh3JK6lnvOsAsxACKjlQYM6Hs
   [51.174.231.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>400 Bad
   Request</title>\n</head><body>\n<h1>Bad Request</h1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Accessing https://grimstveit.no/.well-known/acme-challenge/file works as planned, so I cannot see exactly what is wrong… Any clues? Running FreeBSD 11.2-p5 with the latest Apache/PHP built locally from ports.

Thank you in advance for your help setting up this fabulous piece of software. Keep up the great work!


#2

I think Let’s Encrypt broke their staging server.

I saw an issue on Boulder earlier where they were rewriting the HTTP dialer logic. It is probably a bug (wrong protocol being chosen) introduced in that changeset. https://github.com/letsencrypt/boulder/pull/3939

@jsha

@jakobbg you should be able to proceed by just removing --dry-run, since it is only a problem with staging.
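The certbot output in post #1 already carries the tell-tale sign of the bug described in post #2: the validator reports fetching http://51.174.231.115:443/..., i.e. plaintext HTTP to the TLS port, which an HTTPS listener answers with "400 Bad Request" rather than the token. The Python below is an added example for this thread, not certbot's or Boulder's own code: it splits certbot's human-readable "Failed authorization procedure" line into its per-domain entries and classifies each one from the URL the validator last fetched and the response body, so the scheme/port mismatch is caught before anyone starts checking their webroot. The regex is a best-effort match on certbot's output format, the tag names returned by diagnose() are this example's own, the first sample line is copied from post #1, and the second (example.test, a 404 body) is constructed to show the ordinary "token not served" case the same code distinguishes.

```python
"""Parse certbot's "Failed authorization procedure" line and classify each
per-domain failure.

Added example for this thread; it is not certbot's or Boulder's own code.
The regex is a best-effort match on certbot's human-readable output and the
tags returned by diagnose() are this example's own names.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Copied verbatim from the certbot output in post #1.
SAMPLE_LINE = (
    r'Failed authorization procedure. grimstveit.no (http-01): '
    r'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    r'Invalid response from http://51.174.231.115:443/.well-known/acme-challenge/KV4IqbNYkSmVrUU1h5rsXVm3DJjpFRkpqGKSzpjnfQA '
    r'[51.174.231.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n'
    r'<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1", '
    r'www.grimstveit.no (http-01): urn:ietf:params:acme:error:unauthorized :: '
    r'The client lacks sufficient authorization :: Invalid response from '
    r'http://51.174.231.115:443/.well-known/acme-challenge/ZtaMES5RyOgQyoIYF-Jh3JK6lnvOsAsxACKjlQYM6Hs '
    r'[51.174.231.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n'
    r'<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1"'
)

# Constructed line (not from the thread): an ordinary "token not served"
# failure, where the redirect to https worked but the file was missing.
CONSTRUCTED_404_LINE = (
    r'Failed authorization procedure. example.test (http-01): '
    r'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    r'Invalid response from https://example.test/.well-known/acme-challenge/abc123 '
    r'[192.0.2.10]: "<html><head><title>404 Not Found</title></head></html>"'
)

# One entry as certbot prints it; several entries are separated by ", ":
#   <domain> (<challenge>): <error> :: <message> :: Invalid response from <url> [<ip>]: "<body>"
# The body is double-quoted with inner quotes and newlines escaped, so it
# runs to the first unescaped double quote.
_ENTRY_RE = re.compile(
    r'(?P<domain>[A-Za-z0-9.\-]+) \((?P<challenge>[a-z0-9\-]+)\): '
    r'(?P<error>urn:ietf:params:acme:error:[A-Za-z]+) :: '
    r'(?P<message>[^:]+?) :: Invalid response from '
    r'(?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>(?:[^"\\]|\\.)*)"'
)


@dataclass
class Failure:
    domain: str
    challenge: str
    error: str
    message: str
    url: str
    ip: str
    body: str


def parse_failures(line: str) -> List[Failure]:
    """Return every per-domain failure found in one certbot summary line."""
    return [Failure(**m.groupdict()) for m in _ENTRY_RE.finditer(line)]


def diagnose(f: Failure) -> str:
    """Classify a failure from the URL the validator last fetched and the body.

    The thread's case is a scheme/port mismatch: the validator followed the
    site's http->https redirect but dialed port 443 with plain HTTP, so the
    TLS listener answered the cleartext request with 400 Bad Request. That
    is visible in the URL alone, so it is checked before the body.
    """
    u = urlsplit(f.url)
    if u.scheme == "http" and u.port == 443:
        return "plaintext-http-to-tls-port"
    if u.scheme == "https" and u.port == 80:
        return "tls-to-plaintext-port"
    if re.search(r"\b404\b", f.body):
        return "token-not-served"      # redirect fine, file missing in webroot
    if re.search(r"\b400\b", f.body):
        return "bad-request"           # server rejected the request for another reason
    return "unexpected-body"


def summarize(line: str) -> List[Tuple[str, str]]:
    """(domain, tag) for each failure in the line, in certbot's order."""
    return [(f.domain, diagnose(f)) for f in parse_failures(line)]


if __name__ == "__main__":
    for line in (SAMPLE_LINE, CONSTRUCTED_404_LINE):
        for domain, tag in summarize(line):
            print(f"{domain}: {tag}")
```

Feed it the "Failed authorization procedure." line from /var/log/letsencrypt/letsencrypt.log; a "plaintext-http-to-tls-port" tag means the problem is on the validator's side of the redirect and no webroot change will fix it, while "token-not-served" points back at the -w path or the redirect target.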


#3

Great, then my setup is working. Did a “force renew” run, and everything worked as planned. Awesome, thanks for the quick follow-up!


#4

The feature flag that broke the HTTP-01 HTTP->HTTPS redirects was reverted this morning, at ~10:00 AM EST.