I’m running several node apps proxyed through nginx (cloudflare is running DNS as well, the worst possible setup I know). I’ve tried multiple ways to authenticate with Let’s Encrypt and I keep running into errors. After reading through the various discussions I think I’m supposed to be using --webroot?
I run this: ./letsencrypt-auto certonly --webroot -w /path/to/node/app/ -d domain.net -d www.domain.net
and get this:
IMPORTANT NOTES:
- The following 'urn:acme:error:connection' errors were reported by
the server:
Domains: www.domain.net
Error: The server could not connect to the client to verify the
domain
- The following 'urn:acme:error:unauthorized' errors were reported by
the server:
Domains: domain.net
Error: The client lacks sufficient authorization
It’ll be easier for us to help debug if you’re willing to list the actual domain name you’re using.
You’re correct that webroot is the best current option for Nginx users. The connection error could be a number of things. Can you run with -vvv and paste the full log?
Can you double-check that your site is publicly accessible from the Internet? On both the www and non-www versions?
Sorry, the domain is adamsimpson.net. The site is up and available. www currently 301 redirects to non-www via a server block like so:
server {
server_name www.adamsimpson.net;
return 301 http://adamsimpson.net$request_uri;
}
The -vvv output was really hard to parse, so here’s the -v output:
/etc/letsencrypt/keys/0018_key-letsencrypt.pem
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
http-01 challenge for adamsimpson.net
Waiting for verification...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
errors were reported by the server:
Error: The client lacks sufficient authorization
Cleaning up challenges
followed by:
Failed authorization procedure. www.adamsimpson.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 30 parts, adamsimpson.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 30 parts
IMPORTANT NOTES:
- The following 'urn:acme:error:unauthorized' errors were reported by
the server:
Domains: adamsimpson.net, www.adamsimpson.net
Error: The client lacks sufficient authorization
Hope that helps shine a light on what’s going wrong on my end.
From reading other posts it seems like it should follow redirection so I would welcome clarification from someone that knows. It could be that the real problem was something else.
I’ve done the same with my server blocks (though I use a single common root for LE rather than letting it go into each application’s webroot) since the public beta launched, and have been able to issue (and renew, for that matter) 2 certificates covering 3 domains.
That said, though, during the earlier closed beta, I successfully issued a certificate for both www and non-www even though the former used a 301 redirect to the latter (didn’t even occur to me to consider that until after it worked), so I don’t think the redirect itself should be the problem unless the server side has been changed since then to reject redirects; there was even a thread concerning this very topic and suggesting the server not follow redirects, though IIRC we had an LE engineer or two chime in saying that this was intended and desired behavior and wouldn’t be changing.