Getting error "client lacks sufficient authorization" on Raspbian


I was looking for an SSL CA when I found Let's Encrypt. I installed it on a Raspberry Pi 2 running Raspbian and, after a few bumps along the way, it finally ran, but when I did I got the error
"client lacks sufficient authorization : error parsing key authorization file : Invalid key authorization : 145 parts"
I ran sudo ./letsencrypt-auto certonly --webroot -w /cer_location -d
Also, this is for a GitLab server for which I'd like some encryption.


Please paste the full letsencrypt command line you used, and the contents of letsencrypt.log. Thanks!


I ran sudo ./letsencrypt-auto certonly --webroot -w /etc/gitab/ssl -d
Will get to the log once I get home, because I think my router is blocking incoming port 80 (again…)


Everything is connected and the check starts but comes with the error that "client lacks sufficient authorization : error parsing key authorization file : Invalid key authorization : 145 parts"
After many tries of running the command I used, and others, the log has this?! (Edit: looked at the wrong log; I looked at ~/letsencrypt/letsencrypt.log instead of /var/log/letsencrypt. Also putting only the end, because most of it has only web requests, and all of that works, so here goes):
2015-12-11 04:10:38,543:INFO:letsencrypt.reporter:Reporting to user: The following ‘urn:acme:error:unauthorized’ errors were reported by the server:

Error: The client lacks sufficient authorization
2015-12-11 04:10:38,580:INFO:letsencrypt.auth_handler:Cleaning up challenges
2015-12-11 04:10:38,590:DEBUG:letsencrypt.plugins.webroot:Removing /etc/gitlab/ssl/.well-known/acme-challenge/EAGHxEBxwn9P61YZPhZq6x8qoZrml9u7w3jWkwGtYF0
2015-12-11 04:10:38,607:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 1283, in main
return args.func(args, config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 512, in obtain_cert
_auth_from_domains(le_client, config, domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 336, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 283, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 266, in obtain_certificate
return self._obtain_certificate(domains, csr) + (key, csr)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 224, in _obtain_certificate
authzr = self.auth_handler.get_authorizations(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 84, in get_authorizations
self._respond(cont_resp, dv_resp, best_effort)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 142, in _respond
self._poll_challenges(chall_update, best_effort)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/", line 204, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 145 parts"
Also, a quick look at the log shows it got to the URL:
so I’m not sure what the issue is here…

Edit: will update original post with this.


Do you have a redirect in place that forces everyone to the login page - /users/sign_in ? I’m guessing that you have a .htaccess (or similar) redirect. If so you need to remove that for attempts to access anything in the /.well-known/acme-challenge/ folder


I wouldn’t know. I use the bundled version of nginx which comes with GitLab, and I don’t have a lot of control over it, aside from a few things, and it works perfectly now so I don’t really want to mess it up.


Well, it’s your decision if you want to modify things to enable it to work, or not.

If you were happy to change the config you’d need something like

    server {
        listen 80;

        # Serve ACME HTTP-01 challenge files as-is; return 404 if the file is missing
        location /.well-known/acme-challenge/ {
            try_files $uri =404;
        }

        # …the rest of your config
    }

(take backups etc before you make changes of course). If you don’t want to make modifications then I suspect you won’t be able to use the default LE client and need to use an alternative.
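
Added example (not part of any post in this thread, and not code from the Let's Encrypt client): a small Python check of what a web server returns for the challenge URL, showing why an HTML page in place of the challenge file produces the "N parts" error. The token is the one in the log above; the thumbprint placeholder, the git.example.com host and the sample responses are constructed, and the redirect to /users/sign_in is the guess made in the reply above, not a confirmed cause.

```python
import re

# base64url alphabet used for ACME tokens and JWK thumbprints
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def diagnose_challenge_response(status, headers, body, expected_token):
    """Classify what a server returned for
    /.well-known/acme-challenge/<expected_token> (HTTP-01)."""
    if 300 <= status < 400:
        # A validator that follows the redirect parses the target page instead.
        return "redirect to %s" % headers.get("Location", "?")
    if status != 200:
        return "http %d: challenge file not served" % status
    text = body.rstrip()  # trailing newline in the file is harmless
    parts = text.split(".")
    if len(parts) != 2:
        # Same wording as the error in this thread: every extra "."
        # (as in an HTML page) adds another part.
        kind = "looks like HTML" if text.lstrip().startswith("<") else "not token.thumbprint"
        return "invalid key authorization: %d parts (%s)" % (len(parts), kind)
    token, thumbprint = parts
    if token != expected_token:
        return "token mismatch: wrong file served"
    # A SHA-256 thumbprint is 32 bytes = 43 base64url characters, unpadded
    if len(thumbprint) != 43 or not B64URL.match(thumbprint):
        return "thumbprint malformed"
    return "ok"


# Token taken from the log above; everything else below is constructed.
TOKEN = "EAGHxEBxwn9P61YZPhZq6x8qoZrml9u7w3jWkwGtYF0"
THUMBPRINT = "A" * 43  # placeholder, not a real account key thumbprint
SIGN_IN_HTML = ('<html><body>You are being <a href="https://git.example.com'
                '/users/sign_in">redirected</a>.</body></html>')

SAMPLES = [
    (302, {"Location": "/users/sign_in"}, ""),
    (200, {}, SIGN_IN_HTML),
    (200, {}, TOKEN + "." + THUMBPRINT + "\n"),
    (404, {}, "Not Found"),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, "->", diagnose_challenge_response(status, headers, body, TOKEN))
```

Only a body of the form token.thumbprint returns "ok"; a redirect, an application page or a 404 at that path each fail in a distinguishable way.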


Arrg, I was about to test it and then my router blocked (only) port 80 again…