Getting "The client lacks sufficient authorization" on setting up auto renewal (HAProxy using certbot)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pwa-test.apollo.com.ph

I ran this command:

sudo certbot certonly --agree-tos --renew-by-default --config ‘/usr/local/etc/le-renew-haproxy.ini’ --http-01-port ‘54321’

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pwa-test.apollo.com.ph
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. pwa-test.apollo.com.ph (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pwa-test.apollo.com.ph/.well-known/acme-challenge/4Uz3Fh5lPCpjOiP1_RVsOzgFGHuk0mZe8e4ceTfSa9o: "

Error 404 Not Found <b"

IMPORTANT NOTES:

My web server is (include version): HA-Proxy version 1.6.3 2015/12/25

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: ApolloGlobal.Net, Application Service Provider (this is according to https://hostingdetector.com/ because i’m not entirely sure)

I can login to a root shell on my machine (yes or no, or I don’t know): yes I have root access

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I followed the instructions from https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04 for setting up the initial certificate. And now about 2 weeks before the certificate expires, I forgot to setup the auto-renewal. After trying the steps from the digital ocean site. I’m stuck with this error (client lacks insufficient authorization)

I verified that we don’t have any firewall for the server yet (ufw is inactive); Also I modified the renewal conf file in /etc/letsencrypt/renewal to listen to port 54321, and my HAProxy config file also lists the backend for letsencrypt at :54321 port and have applied the ACL in the frontend sections. I can provide any config file if needed. Any help is greatly appreciated.

I think that tutorial is assuming that your backend will be redirecting HTTP to HTTPS, which it’s not. If you don’t want to redirect I think you’ll have to add the acl/use_backend to the HTTP frontend too.

I will try adding the acl for letsencrypt for the default www-http. Is it okay If I post my HAProxy here?

frontend http-in
        bind 202.60.9.201:80
        reqadd X-Forwarded-Proto:\ http
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend www-backend

frontend https-in
        bind 202.60.9.201:443 ssl crt /etc/haproxy/certs/pwa-test.apollo.com.ph.pem
        reqadd X-Forwarded-Proto:\ https
        rspirep ^Location:\ http://(.*)  Location:\ https://\1  if { status 301 } OR { status 302 } OR { status 303 } #mixed content fix
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend www-backend

backend www-backend
        redirect scheme https if !{ ssl_fc }
        server pwa-test 202.60.9.201:8080 check

backend letsencrypt-backend
        server letsencrypt 127.0.0.1:54321

I did put the redirect in the backend if it helps. Also, how do I make sure that :54321 is not really taken when the renew takes place? Do I need to put a conditional netstat command or something similar?

That looks fine (to my un-haproxy-trained eye). Your server seems to have a valid cert now so I guess that means it worked.

I don’t think you really need to worry too much about the port? Just don’t run anything else that will listen on it… or if you’re running something else that chooses a port randomly, you could put certbot on a privileged port (below 1024) that only root can listen on.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.