Getting the error The client lacks sufficient authorization


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
maddydomain2.ml
I ran this command:
sudo certbot certonly --standalone --preferred-challenges http -d maddydomain2.ml
It produced this output:
Failed authorization procedure. maddydomain2.ml (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maddydomain2.ml/.well-known/acme-challenge/F6XWyTXFeNlidPbXWtqLZBfz-YxkBSP62udXpDMtIX4
My web server is (include version):
Apache running on Ubuntu 9 on google cloud
The operating system my web server runs on is (include version):
Ubuntu 9
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi @madhuramit

you have two certificates created today (two precertificates and two leaf certificates are listed).

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:maddydomain2.ml&lu=cert_search

If you use certonly, the certificate isn’t installed.

So check your certificates with

sudo certbot certificates

#3

Yes, I created a cert with --manual option that does not let me automate the renewal process.
I do not want to install the certs.

My use case is to automate a process that will generate a certificate and renew on a regular basis.
Whenever I try to generate the cert using the mentioned command teh get the same error.
Only manual option works.

Is there a way once I generate the certs manually I can automate the renewal process?
If not, then I need to generate the certs without manual option.

Thanks,
Madhura


#4

You have a running webserver. If you use --standalone, this webserver must be interrupted, standalone creates a temporary webserver.

So check your vHost configuration to find your webroot (perhaps /var/www/html/ or /var/www/html/maddydomain2.ml). Then try

sudo certbot certonly --webroot -w yourWebRoot -d maddydomain2.ml

#5

I am running the standalone from a different machine that has no webserver running.
Is there any other way to run a process to generate the certs so that I can generate the certs for various domains in a scripted way and store in any central location? And also, run a cronjob to renew the certs


#6

If you want to use http validation, Letsencrypt needs an A-record yourdomainname -> ip-address with a running webserver. You can add redirects domain-webserver -> special webserver, so that a GET /.well-known/acme-challenge is redirected to your central validation server.

Or you use dns-01 - validation. Then you don’t need a running webserver.


#7

Thank you.

I have a A-record for my domain and an ipaddress associated with it that is running apache. But I am running the certbot from another server that does not have any webserver running and I want to download all the certs in that server.I am still not clear what I need to do for achieving this.
When I tried doing this with manual option it works fine but not other way.


#8

Why do you want to run Apache and Certbot on different servers? Can you explain the setup?

Certbot’s easiest to work with when everything is on the same server. You can set it up other ways, but it gets more complicated.

To validate, you might, for example, use DNS-01 validation, or HTTP-01 validation with a reverse proxy or HTTP redirect. To install the certificate, you might write a custom hook that copies it over SSH.

For what it’s worth, the GetSSL client has built-in support for using SSH to access other servers.

What’s Ubuntu 9?

Edit:

Also, don’t issue too many too many production certificates while working on this.

You can issue staging certificates by passing the --staging option to Certbot.


#9

We would like to download the certs to a central server for multiple domains with wildcard character for example *.dev.com.
All these sites can be running on various servers like IIS, apache or NodeJS. We would ideally install the certs on the load balancer. This is the reason why I would not like to run the certbot on the same server where the application server is running.

Also, I would like to automate this entire process and the renewal.

Is this feasible? Can we automate this process? What is the best way of achieving this?

Thanks,
Madhura


#10

That’s entirely feasible. You surely could automate the process. You’ll need to make sure that the domain’s DNS provider have API support (key to automation since you don’t want to add DNS records by hand Everytime you want to renew)

The best way… Depends on what DNS provider you use…

Thank you


#11

Is there any resource/documentation/guide I can use that will help me to automate the process?