Got this error message - what now

I just tried letsencrypt for the first time, and successfully completed the process for www.hartley-consultants.com

I then tried to repeat the process for planner.hartley-consultants.com and got the following

root@asgard:~/letsencrypt# ./letsencrypt-auto certonly --webroot -w /var/www/redmine/public -d planner.hartley-consultants.com
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/redmine/public -d planner.hartley-consultants.com
Failed authorization procedure. planner.hartley-consultants.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 181 parts

IMPORTANT NOTES:

  • The following 'urn:acme:error:unauthorized' errors were reported by
    the server:

Domains: planner.hartley-consultants.com
Error: The client lacks sufficient authorization

Both domains are currently running from a single CA-Cert.org certificate, but the difference is that planner.hartley-consultants.com will only serve its site on https, whereas www.hartley-consultants.com will serve on either http or https.

Do I have to make planner.hartley-consultants.com serve on http?

Yes, you should try to make it work on HTTP.
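An added example (not part of the original thread, and not the letsencrypt client's or the CA's code): a local check of what an http-01 challenge URL hands back. It assumes the "N parts" count in the error above comes from splitting the fetched body on "." and expecting exactly `token.thumbprint`; the token, account key and response bodies below are constructed samples.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    # ACME uses unpadded URL-safe base64, so the output never contains "."
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of an RSA or EC account key."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def check_challenge_body(body: bytes, token: str, jwk: dict) -> str:
    """Return 'ok', or the reason the body is not a valid key authorization."""
    text = body.decode("utf-8", errors="replace").strip()
    parts = text.split(".")
    if len(parts) != 2:
        # Anything other than the bare challenge file (an HTML page, a
        # redirect notice, an application error) lands here.
        return "invalid key authorization: %d parts" % len(parts)
    if parts[0] != token:
        return "token mismatch"
    if parts[1] != jwk_thumbprint(jwk):
        return "thumbprint mismatch"
    return "ok"

# Constructed sample data, not taken from the thread.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-token-0123456789"
GOOD_BODY = (SAMPLE_TOKEN + "." + jwk_thumbprint(SAMPLE_JWK) + "\n").encode()
# Assumed stand-in for what a site might answer on port 80 instead of the file.
HTML_BODY = b"<html><body>Moved to https://planner.example.test/</body></html>"

if __name__ == "__main__":
    for name, body in (("challenge file", GOOD_BODY), ("html page", HTML_BODY)):
        print(name, "->", check_challenge_body(body, SAMPLE_TOKEN, SAMPLE_JWK))
```

Feeding it the body returned by `http://<domain>/.well-known/acme-challenge/<token>` shows whether the webroot file or some other page is being served on plain HTTP.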

Yes, we want to encrypt the internet, so let's require http to do that. LOL

So why don’t the documents say so?

Welcome to beta testing. Or in the case of the LE client and documentation more akin to alpha testing.

When a server requests a certificate issuance, it’s fair to assume it doesn’t have HTTPS available yet. Either 443 port closed, or self-signed cert installed. So I can only give you a half-like for such sarcasm.

Very incorrect, and inappropriate, assumption. Not a fair assumption at all. That would mean LE is only automating for those who are establishing the initial https. Somehow I don't think that is the intention and therefore that would be a very bad assumption.

If there have already been LE certs issued for this host, LE should try HTTPS first. Not necessarily LE if there is also Certificate Transparency search. Agree now?

No. CT is not a current standards requirement.