Getting "The client lacks sufficient authorization" on setting up auto renewal (HAProxy using certbot)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot certonly --agree-tos --renew-by-default --config '/usr/local/etc/le-renew-haproxy.ini' --http-01-port '54321'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "

Error 404 Not Found <b"


My web server is (include version): HA-Proxy version 1.6.3 2015/12/25

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: ApolloGlobal.Net, Application Service Provider (this is according to because I'm not entirely sure)

I can login to a root shell on my machine (yes or no, or I don’t know): yes I have root access

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I followed the instructions from for setting up the initial certificate. And now, about 2 weeks before the certificate expires, I forgot to set up the auto-renewal. After trying the steps from the DigitalOcean site, I'm stuck with this error (client lacks insufficient authorization).

I verified that we don't have any firewall for the server yet (ufw is inactive). I also modified the renewal conf file in /etc/letsencrypt/renewal to listen on port 54321, and my HAProxy config file also lists the backend for letsencrypt on port 54321 and has the ACL applied in the frontend sections. I can provide any config file if needed. Any help is greatly appreciated.

I think that tutorial is assuming that your backend will be redirecting HTTP to HTTPS, which it’s not. If you don’t want to redirect I think you’ll have to add the acl/use_backend to the HTTP frontend too.

I will try adding the acl for letsencrypt for the default www-http. Is it okay if I post my HAProxy config here?

frontend http-in
        reqadd X-Forwarded-Proto:\ http
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend www-backend

frontend https-in
        bind ssl crt /etc/haproxy/certs/
        reqadd X-Forwarded-Proto:\ https
        rspirep ^Location:\ http://(.*)  Location:\ https://\1  if { status 301 } OR { status 302 } OR { status 303 } #mixed content fix
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend www-backend

backend www-backend
        redirect scheme https if !{ ssl_fc }
        server pwa-test check

backend letsencrypt-backend
        server letsencrypt

I did put the redirect in the backend if it helps. Also, how do I make sure that :54321 is not really taken when the renew takes place? Do I need to put a conditional netstat command or something similar?

That looks fine (to my un-haproxy-trained eye). Your server seems to have a valid cert now so I guess that means it worked.

I don’t think you really need to worry too much about the port? Just don’t run anything else that will listen on it… or if you’re running something else that chooses a port randomly, you could put certbot on a privileged port (below 1024) that only root can listen on.
