How to fix "Failed authorization procedure"?

[Moderator’s note, September 2018: “Failed authorization procedure” is a generic error that can cover just about any type of error during the domain validation process. The most relevant part of the error message is at the end.]

Hello again. I’m trying to set ssl cert on debian 7.1 with apache 2.2.22 via certbot
after selecting the desired domain name and vhost I recieved such error message:

Failed authorization procedure. antilopagold.su (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested e1640bb27bfcfaea1987f14500c92612.8b198ac4b95f9fc5d70e58306d3c7ba9.acme.invalid from 185.15.208.190:443. Received certificate containing ‘’, www.antilopagold.su (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 0d3ec8e3aa8545fde8e4d58ec470d7ee.6e69793969fb86ab7e61f618c23183b8.acme.invalid from 185.15.208.190:443. Received certificate containing ‘’, server1.antilopagold.su (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 4abc78d2eedeebd1738ad3c3959f2587.d89dd06f9491a49504aa8f08dca7d975.acme.invalid from 185.15.208.190:443. Received certificate containing ‘’

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: antilopagold.su
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    e1640bb27bfcfaea1987f14500c92612.8b198ac4b95f9fc5d70e58306d3c7ba9.acme.invalid
    from 185.15.208.190:443. Received certificate containing ‘’

    Domain: www.antilopagold.su
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    0d3ec8e3aa8545fde8e4d58ec470d7ee.6e69793969fb86ab7e61f618c23183b8.acme.invalid
    from 185.15.208.190:443. Received certificate containing ‘’

    Domain: server1.antilopagold.su
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    4abc78d2eedeebd1738ad3c3959f2587.d89dd06f9491a49504aa8f08dca7d975.acme.invalid
    from 185.15.208.190:443. Received certificate containing ‘’

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Please tell, what should I check and fix?

Visiting your domain shows a Server: nginx header. If you’re using apache behind nginx (with nginx acting as a reverse proxy), you’ll need to follow the instructions for nginx rather than apache.

thank you. And how to remove all installed packages for apache? rm -rf /root/.local/share/letsencrypt/ ?

There’s no need for that, certbot hasn’t made any permanent changes to your apache installation and if you delete your current installation and start from the beginning, you’d end up with the apache plugin again anyhow. Basically, just use the commands given in the nginx guide - the apache plugin won’t be started at all.

thank you
Now I see such error message:

Failed authorization procedure. www.antilopagold.su (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.antilopagold.su/.well-known/acme-challenge/6FT8J5dYP5vUzuMJbjxAq_mYwZrto7nb_j8VJXByQo4: "<!doctype html>

<meta charset="utf-8"", antilopagold.su (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://antilopagold.su/.well-known/acme-challenge/WPNVmaUojsJzgFhDtW9dbl3ek8x3azbMkMwiaaIqD_4: " <html "

IMPORTANT NOTES:

It seems like i have to create some directories and files in my site folder. Do I have to create /.well-known/acme-challenge/ subfolder structure with a file named as 6FT8J5dYP5vUzuMJbjxAq_mYwZrto7nb_j8VJXByQo4 with no extension at the end? And what should be the content of such file?

I’m assuming you’re using the webroot plugin. With that plugin, certbot asks you to provide a path to the DocumentRoot of your domain and will automatically create files under the correct path with the correct content. Note that the files (and the acme-challenge directory) are deleted after certbot runs, so the files not being there anymore doesn’t mean they weren’t created (you’d get an error message if that happens).

Things you want to check:

  • Was the webroot path you provided correct? To test this, you can create a file manually under {webroot_path}/.well-known/acme-challenge/test, put some random content in there, and verify that when you browse to http://antilopagold.su/.well-known/acme-challenge/test, you get that content back.
  • Is there a .htaccess rule (or something similar) that could be interfering with that request, and prevent the file from being served?

I created the folder /var/www/antilopa/data/www/antilopagold.su/.well-known/acme-challenge which i pointed while ./certbot-auto certonly command execution. After typing the domain names and the mentioned path in folder /var/www/antilopa/data/www/antilopagold.su/.well-known/acme-challenge a new empty “.well-known” subfolder was created and there was the result answer at the screen:

Failed authorization procedure. antilopagold.su (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://antilopagold.su/.well-known/acme-challenge/AlBNIrsv-pHx1rjML5z2Eb3X0LyyDrnXbIYyFgB0RvI: "

<html ", www.antilopagold.su (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.antilopagold.su/.well-known/acme-challenge/4XOo6oK_MeO5lXSZ4GblqcWM9JOpvJXVSlwOkW_e0rc: " <meta charset="utf-8""

IMPORTANT NOTES:

What now?
P.S. the test file /var/www/antilopa/data/www/antilopagold.su/.well-known/acme-challenge/test can be opened via browser

The path you need to provide is the one to your DocumentRoot, not including .well-known/acme-challenge. certbot will take care of that. In your case, that should be /var/www/antilopa/data/www/antilopagold.su

thank you. it seems like it's done:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.antilopagold.su/fullchain.pem. Your cert
    will expire on 2016-11-01. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot-auto again. To
    non-interactively renew all of your certificates, run
    "certbot-auto renew"
    Can you tell me how to schedule the regular cron renewal process?

crontab -e
and then type
30 0 1 */3 * /bin/shell /usr/local/ispmgr/sbin/myletsencrypt_update.sh
and type
./certbot-auto renew --quiet --no-self-upgrade
in that myletsencrypt_update.sh file?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.