Failed authorization procedure: urn:acme:error:unauthorized :: The client lacks sufficient authorization


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lonestarelixir.com

I ran this command: sudo /usr/local/bin/certbot renew --preferred-challenges http-01

It produced this output:

$ sudo /usr/local/bin/certbot renew --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/lonestarelixir.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lonestarelixir.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (lonestarelixir.com) from /usr/local/etc/letsencrypt/renewal/lonestarelixir.com.conf produced an unexpected error: Failed authorization procedure. lonestarelixir.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lonestarelixir.com/.well-known/acme-challenge/Fu0Uymtz_7Xf17C-9JSJmqi-Pd1WOIo3e-XaZTNmY_4: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n
”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/lonestarelixir.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/lonestarelixir.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx version: nginx/1.10.1

The operating system my web server runs on is (include version): FreeBSD 11.0

My hosting provider, if applicable, is: GCE

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have put a test file in the cert directory and am able to access the file via https and http. My assumption is that certbot is not writing the test verification file: Fu0Uymtz_7Xf17C-9JSJmqi-Pd1WOIo3e-XaZTNmY_4.


#2

I have been able to solve my own problem.
I had to change my configuration file.

The config file /usr/local/etc/letsencrypt/renewal/lonestarelixir.com.conf
had

authenticator = standalone

which I changed to

authenticator = webroot

The file also did not have webroot defined.
I added the lines

[[webroot_map]]
lonestarelixir.com = /app/crypt/lonestarelixir.com