Invalid Response Error "Client Lacks Sufficient Authorization"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.


-> Getting certs for all three of the below domains works fine individually, but if we try to specify SANS entries it does ok with the local, but throws error for the other two domains. If we try from the servers hosting autha or authb it fails for the other two domains.

My domain is:


I ran this command:

-> certbot certonly --csr request.csr --webroot -w /apache/webapps/ --agree-tos --non-interactive --staging -d -d

It produced this output:

Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
Using the webroot path /abs/apache-tomcat-8.5.13/webapps for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from “<!doctype html>HTTP Status 404 \u2013 Not Foundh1 {font-family:Tahoma,A”, (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from “<!doctype html>HTTP Status 404 \u2013 Not Foundh1 {font-family:Tahoma,A”

My hosting provider, if applicable, is:

-> AWS

I can login to a root shell on my machine (yes or no, or I don’t know):

-> YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @bushwacker

The three domains have three different ip-addresses. So if you run the command on the webserver of - can this certbot really copy files to the /.well-known/acme-challenge/ - subdomains of the other two domains?


Thank you so much for the quick reply. That is a great question, and I am not sure. All I know is I see the requests reach the other two servers from their access logs. It usually shows four requests from different IPs come in from let’s encrypt:

- - [19/Jul/2018:13:44:07 -0400] “GET /.well-known/acme-challenge/UkM95S9DWZhPxp3OeQGvR2dSoLOVUAEzBOTb_VtOv4Y HTTP/1.1” 404 1140
- - [19/Jul/2018:13:44:07 -0400] “GET /.well-known/acme-challenge/UkM95S9DWZhPxp3OeQGvR2dSoLOVUAEzBOTb_VtOv4Y HTTP/1.1” 404 1140
- - [19/Jul/2018:13:44:07 -0400] “GET /.well-known/acme-challenge/UkM95S9DWZhPxp3OeQGvR2dSoLOVUAEzBOTb_VtOv4Y HTTP/1.1” 404 1140
- - [19/Jul/2018:13:44:07 -0400] “GET /.well-known/acme-challenge/UkM95S9DWZhPxp3OeQGvR2dSoLOVUAEzBOTb_VtOv4Y HTTP/1.1” 404 1140


Also, if I put a test page in the acme-challenge folder of any of these servers I can reach them from the server issuing the certbot command, or from a browser with no issues.

Is there one server with three ip-addresses? If yes, that may work.

If you have three different servers, then run certbot on every server, only with

-d domainofthisserver

Actually, you want to create one certificate with three names. But that requires that certbot can copy the test files correctly.

Instead: Create per website / ip-address one certificate with one name -> run certbot on every website.

That was it. Thank you so much JuergenAuer… I am new to let’s encrypt / certbot and wasn’t thinking that certbot generates the file in acme-challenge locally that let’s encrypt then reaches in to get for verification - so of course it wouldn’t be able to create on the other servers. Temporarily pointing the other dns records to the same server allowed me to get the cert with all the subject alternative names.

Thank you again.

A problem with this is that you'll have to repeat this at every subsequent renewal time. If you can't do that, maybe you could make the web servers on the other machines redirect to with an HTTP 301 redirect, where is the machine where you're running Certbot. (Or else run Certbot separately on each machine, as @JuergenAuer suggested.)
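
Why the multi-name request fails from one machine, and how the 301 redirect suggested above changes the result, as an added example that is not part of the original thread. Three local HTTP servers stand in for the three hosts; the token, file content and function names are constructed for illustration, and the fetch follows redirects the way the http-01 validation request does.

```python
import http.server, threading, urllib.error, urllib.request

PATH = "/.well-known/acme-challenge/"
TOKEN = "constructed-token"             # constructed sample value
KEY_AUTH = b"constructed-token.thumb"   # constructed challenge file content

def make_handler(files, redirect_to=None):
    # files: path -> body served by this host (its "webroot").
    # redirect_to: base URL of the host where the challenge file really is.
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if redirect_to and self.path.startswith(PATH):
                self.send_response(301)
                self.send_header("Location", redirect_to + self.path)
                self.end_headers()
            elif self.path in files:
                self.send_response(200)
                self.send_header("Content-Length", str(len(files[self.path])))
                self.end_headers()
                self.wfile.write(files[self.path])
            else:
                self.send_error(404)    # what the other two servers returned
        def log_message(self, *args):   # keep the demo output quiet
            pass
    return Handler

def start(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def validate(base):
    """Fetch the token as the CA would; pass only if the body matches."""
    try:
        with urllib.request.urlopen(base + PATH + TOKEN, timeout=5) as resp:
            return resp.read() == KEY_AUTH
    except urllib.error.HTTPError:
        return False

def simulate(redirect_others):
    # Host A runs the client, so only its webroot holds the challenge file.
    srv_a, a = start(make_handler({PATH + TOKEN: KEY_AUTH}))
    others = [start(make_handler({}, a if redirect_others else None)) for _ in range(2)]
    results = [validate(a)] + [validate(url) for _, url in others]
    for srv in [srv_a] + [s for s, _ in others]:
        srv.shutdown(); srv.server_close()
    return results

if __name__ == "__main__":
    print("no redirect:", simulate(False), "| with 301:", simulate(True))
```

Without the redirect only the host that holds the file validates; with it, all three names pass because every challenge request ends up at the one webroot the client writes to.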

Hello Schoen,

That is a great suggestion. What I did today is definitely untenable; it was just a workaround to see if the SANS resolved another issue of mine. I will try to implement what you suggested.

Thanks again.
