Client lacks sufficient authorization: Apache reverse proxy with Tomcat 9


My domain is: backoffice.agentiallianz.it

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/backoffice.agentiallianz.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (backoffice.agentiallianz.it) from /etc/letsencrypt/renewal/backoffice.agentiallianz.it.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/backoffice.agentiallianz.it/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/backoffice.agentiallianz.it/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I am not able to renew the contract, which is now expired. Please, I need urgent help. Thank you.


Hi @deanstef

That's only a one-hour limit.

Wait, then try it again (one time), then share the exact error message.


Hi @JuergenAuer, you are right, my apologies. Here is the correct error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/backoffice.agentiallianz.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for backoffice.agentiallianz.it
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (backoffice.agentiallianz.it) from /etc/letsencrypt/renewal/backoffice.agentiallianz.it.conf produced an unexpected error: Failed authorization procedure. backoffice.agentiallianz.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://backoffice.agentiallianz.it/login [213.183.146.149]: "<!DOCTYPE html>\n<html lang=\"it\">\n<head>\n  <meta charset=\"utf-8\" />\n         \n  <title>AAA - Login</title>\n\n  <link rel=\"styleshe". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/backoffice.agentiallianz.it/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/backoffice.agentiallianz.it/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: backoffice.agentiallianz.it
   Type:   unauthorized
   Detail: Invalid response from
   https://backoffice.agentiallianz.it/login [213.183.146.149]:
   "<!DOCTYPE html>\n<html lang=\"it\">\n<head>\n  <meta
   charset=\"utf-8\" />\n         \n  <title>AAA - Login</title>\n\n
   <link rel=\"styleshe"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

There is your error.

The login page doesn't have the required validation file. So remove that redirect, or skip the redirect if the path starts with /.well-known/acme-challenge.

Read


Thanks @JuergenAuer. My webapp automatically redirects / to /login. Probably that's why I am not able to renew the contract. Is there a workaround for that?

I don’t want to change my webapp structure

I solved my problem by using this command. Since I am using Tomcat as the application server and Apache as a reverse proxy for SSL, I first had to stop the Apache server so that Let's Encrypt could use port 80, and then ran certonly --standalone:

$ systemctl stop apache2
$ certbot certonly --standalone -d <my-domain>

cheers!


Then it should be possible to create a location definition of /.well-known/acme-challenge and run Certbot with the root of that definition as --webroot.

Then you don't need to stop your running website.

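The setup suggested above, written out as an added example (not configuration from the thread): an Apache 2.4 vhost that answers the ACME challenge path itself, excludes it from the proxy to Tomcat and from the HTTPS redirect, so Certbot can validate with --webroot while the site keeps running. The hostname, the Tomcat address and the /var/www/acme webroot are assumptions.

```apache
# Added example, not the poster's configuration. Hostname, backend and
# webroot below are placeholders chosen for this illustration.
<VirtualHost *:80>
    ServerName backoffice.example.com

    # Serve challenge tokens from a local directory. Certbot --webroot
    # writes them to <webroot>/.well-known/acme-challenge/<token>.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # ProxyPass rules are evaluated in configuration order, first match wins.
    # The "!" rule must precede the catch-all so the challenge path is never
    # forwarded to Tomcat (which would answer with its /login redirect).
    ProxyPreserveHost On
    ProxyPass        /.well-known/acme-challenge/ !
    ProxyPass        /  http://127.0.0.1:8080/
    ProxyPassReverse /  http://127.0.0.1:8080/

    # Redirect everything else to HTTPS, but let the challenge path through
    # so the validation request is served over plain HTTP on port 80.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With this in place, `certbot certonly --webroot -w /var/www/acme -d backoffice.example.com` validates without stopping apache2; check beforehand that `curl -I http://backoffice.example.com/.well-known/acme-challenge/test` returns a 404 from Apache rather than a redirect to /login.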
