Failed authorization procedure. / The client lacks sufficient authorization ::

My domain is: example.com

I ran this command: sudo certbot --nginx -d example.com -d www.example.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for www.example.com Waiting for verification… Cleaning up challenges Failed authorization procedure. www.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/1HtLkaKQGWJRwh-hY1py8Ucw8DtYL0-SyJwtzMqvcc4 [2607:f8b0:400f:805::2013]: "\n\n \n <meta name=viewport content=“initial-scale=1, minimum-scale=1, width=dev” IMPORTANT NOTES: - The following errors were reported by the server: Domain: www.example.com Type: unauthorized Detail: Invalid response from http://www.example.com/.well-known/acme-challenge/1HtLkaKQGWJRwh-hY1py8Ucw8DtYL0-SyJwtzMqvcc4 [2607:f8b0:400f:805::2013]: "\n\n \n <meta name=viewport content=“initial-scale=1, minimum-scale=1, width=dev” To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version): nginx

The operating system my web server runs on is (include version): linux ubuntu 16 ec2 instance on AWS

My hosting provider, if applicable, is: Godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

www.example.com points to some Google service. Fix up its IP address to point to your nginx server.

Hi @jclinton830

checking your domain you see the problem - https://check-your-website.server-daten.de/?q=example.com

You have ipv4- and ipv6 - addresses, that’s good.

Host T IP-Address is auth. ∑ Queries ∑ Timeout
example.com A 18.222.135.95 Dublin/Ohio/United States (US) - Amazon.com, Inc. Hostname: ec2-18-222-135-95.us-east-2.compute.amazonaws.com yes 1 0
AAAA yes
www.example.com C ghs.googlehosted.com yes 1 0
A 216.58.211.115 Amsterdam/North Holland/Netherlands (NL) - Google LLC Hostname: ams15s32-in-f19.1e100.net yes
AAAA 2a00:1450:400e:809::2013 Dublin/Leinster/Ireland (IE) - GOOGLE-2a yes

But your non-www is Amazon, your www is Google. So you can’t create one certificate with both domain names and http-validation.

I deleted the www pointing to google from godaddy dns management system.

But the problem still persists.

Yep, there is a new check of your domain, now the www doesn’t exist.

Did you removed the www version in your command?

If yes, the main things are ok, /.well-known/acme-challenge/random-filename answers with the expected http result 404 - Not Found.

What says

nginx -T

Are there duplicated combinations port + server_name?

Thanks for your help. After deleting the CNAME record for www pointing to google, I added another CNAME record for www and pointed it to @.

The certificates were generated for both non www and www.

Thanks for your help.

2 Likes

Yep, there is a new check - and a new certificate:

CN=example.com
	04.09.2019
	03.12.2019
expires in 90 days	
example.com, www.example.com - 2 entries

That looks good :+1:

Is it possible to set it up to renew the ssl certificates automatically?

1 Like

Did you use Certbot?

If yes, there should be a cron job or something else.

Check

Automated renewals

1 Like

I edited this thread at the original poster’s request to change the domain (ROT13 of fcebhgfpvragvsvp.pbz) to example.com. (This thread was not really about the example.com domain.)

1 Like