Failed authorization procedure. DNS A Record


#1

Hi, I get the following error message:

Failed authorization procedure. exmaple.com (dvsni): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge

IMPORTANT NOTES:
 - The following 'unauthorized' errors were reported by the server:

   Domains: exmaple.com
   Error: The client lacks sufficient authorization

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Any idea what I should change?

// Oliver


#2

Hi Oliver,

This is how Let’s Encrypt verifies that you are the owner of the server. In other words, the IP address you are requesting the certificate from must match the DNS (A type) record for the domain used in the request. I guess the 93.184.216.34 (example.com) address is not your server's address.

Hope it helps,

Piotr,


#3

Maybe webroot/manual mode helps; with that you have to put some text at a certain URL of your web server and press Enter after you did that.


#4

I’m not positive, but it seems that it’s not the way the LE developers see the world. I noticed that they tend to keep a 90-day renewal period BUT with the possibility of an automated procedure. That’s why I think it is a must to generate the certs at the server.

PZ


#5

Well, they want automation, that is stuff I know, but IT’S NOT POSSIBLE for all the types of systems and servers there are to make a completely flawless automation without any errors. Also my stuff isn't supported yet so I have to do manual…

Also, manual mode isn't the way LE devs want it, but it works; I did that yesterday so I know.


#6

So does it mean that you were able to generate the cert on a remote/other server? Can you share how?

PZ


#7

Well, they did share an IP, because it all runs at home, so I am not sure whether it is perfect, and other domains and/or subs are not in the list yet, but essentially I used the command in the mail, appended by “-a manual”. Then the pseudo-GUI opened, where IIRC I first had to agree to the LE ToS, then it was asking for my mail address; I obviously entered it. At the next step I had to list the domains comma separated, and then for each domain the following happened:

  • Confirm that logging of my RasPi’s IP for the sake of CT was okay
  • textual output that told me to put text123 and http://example.com/.well-known/acme-challenge/url123 and setting the content header to text/plain
  • I went to my PC (aka web-“server”), putting the text in there and putting together an htaccess that forces text/plain for the acme folder
  • then back at the RasPi I pressed enter

Then it saved my key and cert at the /etc/letsencrypt/live/ folder.
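
The manual steps described in post #7, as an added example that is not part of the original thread: a shell function that stages the challenge text under `.well-known/acme-challenge/` and forces `text/plain` for that folder. It assumes an Apache web server that honours `.htaccess`; the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: stage a manual-mode challenge file in a webroot.
# place_acme_challenge WEBROOT TOKEN CONTENT
#   WEBROOT  document root the domain is served from (assumption)
#   TOKEN    last path segment of the challenge URL ("url123" in the post)
#   CONTENT  text the client told you to serve ("text123" in the post)
place_acme_challenge() {
    webroot=$1 token=$2 content=$3
    # The token becomes a file name: allow base64url characters only,
    # so a pasted value can never contain "/" or ".." and leave the folder.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token" >&2; return 1 ;;
    esac
    [ -d "$webroot" ] || { echo "no such webroot: $webroot" >&2; return 1; }
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # Write the exact content, without a trailing newline.
    printf '%s' "$content" > "$dir/$token" || return 1
    # Apache: force text/plain for everything in this folder
    # (needs AllowOverride FileInfo for the .htaccess to be honoured).
    printf 'ForceType text/plain\n' > "$dir/.htaccess" || return 1
    chmod 644 "$dir/$token" "$dir/.htaccess" || return 1
    # Print the path of the staged file for the caller.
    printf '%s\n' "$dir/$token"
}
```

Fetching the challenge URL from another machine and checking both the body and the Content-Type header before pressing Enter in the client catches most staging mistakes.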

#8

Thank you,

I’ll try it. :smile:
PZ


#9

OK,

I don't know what's wrong.

That is the DNS record lookup: http://viewdns.info/dnsrecord/?domain=user-agents.me

Any ideas what I should add?

// Oliver


#10

Could you try the manual mode as per my last post?


#11

Mmh, OK, tried it and the certification was created.

But is this the right way to do it?


#12

So in the default situation your request should reach the LE servers from the 87.118.120.48 IP address. Can you confirm that if you reach https://www.whatismyip.com/ from the server, you can see 87.118.120.48?

Regards,

PZ

P.S.

The manual mode that ‘mentor’ mentioned might be a good workaround for you.


#13

Mhh, anyway, nginx is blocking my check. The workaround has helped.

But the next problem is still here. Integration in Plesk.