Failed Authorisation Procedure. The client lacks sufficient authorization

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.eduardoarellano.com

I ran this command: sudo certbot --nginx certonly --preferred-challenges http -d mail.eduardoarellano.com --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.eduardoarellano.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.eduardoarellano.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 37.187.22.237: Invalid response from http://mail.eduardoarellano.com/.well-known/acme-challenge/E9jfawM2dSWkp9svlQNHCh81Veh3LG_GWTIMguvO5Fg: 404

IMPORTANT NOTES:

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS (GNU/Linux 4.14.12-xxxx-std-ipv6-64 x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Nginx conf file:

#upstream php_workers {
#server unix:/var/run/php-fpm.socket;
#}
# note: "fastcgi_pass php_workers" below refers to this upstream; unless it is defined in another included file, nginx -t fails with "host not found in upstream"

#HTTP
server {
listen 80;
server_name mail.eduardoarellano.com;


	location ~ ^/(?!\.well-known) {          # regex match; the original "^/..." lacked the ~ modifier, so nginx read it as a literal prefix that never matched
	  return 301 https://$host$request_uri;  # send all other requests to HTTPS
	}# location
	# caveat: /.well-known/acme-challenge/... is not redirected, but then falls through to the "location ~ /\." deny rule below unless a more specific location serves it first

#root /var/www/html;
index index.php index.html index.htm;

location / {
    #root /var/www/html;
	root /var/www/;
}

# Normal PHP scripts
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass php_workers;
}

# Redirect webmail/SOGo/iredadmin to HTTPS
location ~ ^/mail { rewrite ^ https://$host$request_uri?; }
location ~* ^/sogo { rewrite ^ https://$host/SOGo; }

location ~ ^/iredadmin { rewrite ^ https://$host$request_uri?; }

# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Handling noisy favicon.ico messages
location = /favicon.ico {
    access_log off;
    log_not_found off;
}
}

#HTTPS
server {
listen 443 ssl;   # "ssl" enables TLS on this socket; without it (and with "ssl on" commented out below) nginx serves plain HTTP on 443
server_name mail.eduardoarellano.com;

#ssl on;
  ssl_certificate         /etc/letsencrypt/live/mail.eduardoarellano.com/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/mail.eduardoarellano.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/mail.eduardoarellano.com/chain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; drop them once your clients allow it

index index.php index.html index.htm;

location / {
    #root /var/www/html;
	root /var/www;
}

# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Handling noisy favicon.ico messages
location = /favicon.ico {   # exact match; the original "= ^/favicon.ico" matched nothing
    access_log off;
    log_not_found off;
}

# Roundcube webmail
location ~ ^/mail(.*)\.php$ {
    include fastcgi_params;
    fastcgi_pass php_workers;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$1.php;
}

location ~ ^/mail(.*) {
    alias /usr/share/apache2/roundcubemail$1;
    index index.php;
}

location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { deny all; }

# Normal PHP scripts
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass php_workers;
}

# iRedAdmin: static files under /iredadmin/static
location ~ ^/iredadmin/static/(.*)\.(png|jpg|gif|css|js) {
    alias /usr/share/apache2/iredadmin/static/$1.$2;
}

# iRedAdmin: Python scripts
location ~ ^/iredadmin(.*) {
    rewrite ^/iredadmin(/.*)$ $1 break;
    include uwsgi_params;
    uwsgi_pass unix:/var/run/uwsgi_iredadmin.socket;
    uwsgi_param UWSGI_CHDIR /usr/share/apache2/iredadmin;
    uwsgi_param UWSGI_SCRIPT iredadmin;
    uwsgi_param SCRIPT_NAME /iredadmin;
}
# iRedAdmin: redirect /iredadmin to /iredadmin/
location = /iredadmin {
    rewrite ^ /iredadmin/;
}

# SOGo
location ~ ^/sogo { rewrite ^ https://$host/SOGo; }
location ~ ^/SOGO { rewrite ^ https://$host/SOGo; }

# For IOS 7
location = /principals/ {
    rewrite ^ https://$server_name/SOGo/dav;
    allow all;
}

location ^~ /SOGo {
    proxy_pass http://127.0.0.1:20000;
    #proxy_redirect http://127.0.0.1:20000/SOGo/ /SOGo;
    # forward user's IP address
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
    #proxy_set_header x-webobjects-remote-host 127.0.0.1;
    #proxy_set_header x-webobjects-server-name $server_name;
    #proxy_set_header x-webobjects-server-url $scheme://$host;
}

location ^~ /Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
    proxy_redirect http://127.0.0.1:20000/Microsoft-Server-ActiveSync /;
}

location ^~ /SOGo/Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
    proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
}

location /SOGo.woa/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}
location /SOGo/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {   # regex needs the ~ modifier; note the "^~ /SOGo" prefix block above stops regex matching, so this is only reached if that block changes
    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
}
}

So this has been working for years without problems until today. I have never encountered this error on any renewal up to today, I have not changed the conf file at all, and I do not have an AAAA record in my DNS records. My IP seems to be configured correctly.

Any help would be much appreciated.

You're using the nginx installer and showing nginx config, but it's an Apache server that's responding. Perhaps your external port 80 is mapping to the wrong server internally?


When authenticating via HTTP, you have to obtain the cert for "mail.eduardoarellano.com" from the server that responds to that IP.

Where does http://mail.eduardoarellano.com/ go?

Name:    mail.eduardoarellano.com
Address: 37.187.22.237

That is the correct IP, and the domain points to the same.

So I tried to run certbot renew and got this result:

Attempting to renew cert (mail.eduardoarellano.com) from /etc/letsencrypt/renewal/mail.eduardoarellano.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.eduardoarellano.com/fullchain.pem (failure)

I guess you are using --standalone, which will try to spin up a temporary HTTP server to handle the HTTP challenge. You would need to stop your existing web server first, otherwise it will hold onto port 80; alternatively, you would need to use the webroot method etc. to serve the challenge response directly through your existing web server software.

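A small triage helper for the two certbot failure lines seen in this thread, added here as an example and not part of the original thread or of certbot itself: it parses the http-01 "Invalid response ... 404" line and the standalone "Problem binding to port 80" line into fields and maps each to the check the replies above point at. The sample lines, domain, token and IP are constructed, and the webroot path is assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (same shape as the certbot output in this thread, not the real domain).
HTTP01_FAILURE = ("Failed authorization procedure. mail.example.test (http-01): "
                  "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
                  "authorization :: 203.0.113.10: Invalid response from "
                  "http://mail.example.test/.well-known/acme-challenge/TOKENabc123: 404")
BIND_FAILURE = ("Attempting to renew cert (mail.example.test) from /etc/letsencrypt/renewal/"
                "mail.example.test.conf produced an unexpected error: Problem binding to "
                "port 80: Could not bind to IPv4 or IPv6.. Skipping.")

AUTHZ_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:[\w-]+) :: .*? :: (?P<ip>[0-9a-fA-F.:]+): "
    r"Invalid response from (?P<url>\S+): (?P<status>\d{3})")
BIND_RE = re.compile(r"Problem binding to port (?P<port>\d+)")

@dataclass
class Finding:
    kind: str      # "authz": validation failed; "bind": standalone could not listen
    detail: dict
    advice: str

def triage(line: str) -> Optional[Finding]:
    """Classify one certbot log line; returns None for lines that are not failures."""
    m = AUTHZ_RE.search(line)
    if m:
        d = m.groupdict()
        s = d["status"] = int(d["status"])
        if s == 404:
            advice = (f"The server answering port 80 on {d['ip']} did not serve the token: check "
                      "that it is the host certbot writes into (Server header, port forwarding) and the webroot.")
        elif s == 403:
            advice = "Token path is forbidden: look for deny rules matching /. (hidden files)."
        elif 300 <= s < 400:
            advice = "Token request was redirected: exclude /.well-known/acme-challenge/ from redirects."
        else:
            advice = f"Unexpected HTTP {s} for the token URL; fetch {d['url']} by hand."
        return Finding("authz", d, advice)
    m = BIND_RE.search(line)
    if m:
        return Finding("bind", {"port": int(m.group("port"))},
                       "The standalone authenticator needs the port free: stop the running web "
                       "server first, or use the webroot or nginx authenticator instead.")
    return None

def token_path(webroot: str, url: str) -> str:  # file the webroot authenticator must create
    return f"{webroot.rstrip('/')}/.well-known/acme-challenge/{url.rsplit('/', 1)[1]}"
```

Feed it the "Failed authorization procedure" and "Problem binding" lines from a certbot run (or /var/log/letsencrypt/letsencrypt.log) to get the field breakdown and the next check.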

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.