Issue with Error creating new authz :: Name is not whitelisted for my domain


#1

Hi folks,

I am facing the following issue while trying to generate my certificate for my domain akrambenaissi.com
Error creating new authz :: Name is not whitelisted

And the full log is:

Wadez-Wood:letsencrypt Akram$ ./letsencrypt-auto --agree-dev-preview --server   https://acme-v01.api.letsencrypt.org/directory certonly --debug
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /Users/Akram/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly --debug

Traceback (most recent call last):
  File "/Users/Akram/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1206, in main
    return args.func(args, config, plugins)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 500, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 325, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 215, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 195, in request_challenges
    response = self.net.post(new_authzr_uri, new_authz)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 628, in post
    return self._check_response(response, content_type=content_type)
  File "/Users/Akram/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 544, in _check_response
    raise messages.Error.from_json(jobj)
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted

I was thinking that this was related to this issue: https://github.com/letsencrypt/letsencrypt/issues/1283#issuecomment-159192068

But it seems that the issue may have a lot of causes.
Can you help?


#2

The usual question: Did you apply for the private beta and receive the invite email? Let’s Encrypt is in private beta until December 3rd, and domains are whitelisted manually.

Note that subdomains are not included automatically, you have to request every subdomain explicitly. If you forgot one, you will need to reapply using the same form.


#3

Hi @pfg,
Yes, I did enroll for the beta and received the email on Nov the 4th.
And, yes, I added all my domains, and even tried with my TLD only, because my CNAME points to it and it is sufficient.
But none works and returns the same error.


#4

I have two domains that I recently received the whitelist email for (andrewkendall.com & krisatomic.com). I’m also seeing the same errors. I’m trying to track down the cause at the moment. @akram if you find a solution I’d love to know what it was.


#5

Do CNAMEs work? I thought only DNS A records work right now?


#6

I’m using A records and still seeing this issue.


#7

I see.

Guess it's some issue on LE's end?


#8

Is it possible to see what the Let’s Encrypt servers think a domain is resolving to?

If I ping my domain I’m seeing the IP I expect, would be useful for debugging to make sure that the Let’s Encrypt servers are seeing the same thing.


#9

Hi Akram,

Sorry for the trouble. I checked things out and these domains are whitelisted, as you said:

When you were doing your certificate, those domains validated fine - including the HTTP-01 validation - but you included one or more other names that weren’t on the whitelist. I’m afraid that during the closed beta you’re limited to just what was explicitly requested in the signup.

While you can re-submit to add the additional domains you’re looking for, since there’s only a few days left until the 3rd of December, it’s up to you whether it’s worth the trouble.

Sorry!


#10

@jcjones can you see what I might be doing wrong with andrewkendall.com and www.andrewkendall.com?


#11

Odd. Looks like the authorizations didn’t complete, maybe your client skipped a step?
unable to create new cert: Authorizations for these names not found or expired: andrewkendall.com, www.andrewkendall.com, andrewkendall.com

I checked the auth logs and they are all listed as still pending. I think we’d need to look at the client logs, and probably take this to its own thread since it’s not a whitelist issue.
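
An added example, not part of the original posts and not code from Let's Encrypt or any ACME client: a pre-flight check for the behaviour described in this thread, where every requested name must match the beta whitelist exactly, plus a classifier that tells the two server errors quoted above apart. The function names and the example.com sample names are assumptions made for illustration.

```python
def normalize(name):
    # DNS names are case-insensitive, and a trailing dot denotes the same name.
    return name.strip().rstrip(".").lower()


def names_not_whitelisted(requested, whitelisted):
    """Return the requested names that are not on the whitelist, in order.

    Matching is exact: 'www.example.com' is NOT covered by 'example.com'.
    A single missing name is enough for the whole request to be refused.
    """
    allowed = {normalize(n) for n in whitelisted}
    rejected = []
    for name in requested:
        n = normalize(name)
        if n not in allowed and n not in rejected:
            rejected.append(n)
    return rejected


def triage(error_line):
    """Classify the two server errors quoted in this thread."""
    if "Name is not whitelisted" in error_line:
        # Whitelist problem: compare the requested names with the signup list.
        return ("whitelist", [])
    marker = "Authorizations for these names not found or expired:"
    if marker in error_line:
        # Not a whitelist problem: the challenges for these names never
        # completed, so the client-side logs are the place to look.
        names = []
        for raw in error_line.split(marker, 1)[1].split(","):
            n = normalize(raw)
            if n and n not in names:  # the quoted error repeats a name
                names.append(n)
        return ("authorization-pending", names)
    return ("unknown", [])


if __name__ == "__main__":
    # Constructed sample: two names were signed up, three are requested.
    signed_up = ["example.com", "www.example.com"]
    wanted = ["example.com", "WWW.example.com.", "blog.example.com"]
    print(names_not_whitelisted(wanted, signed_up))
```
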


#12

@jcjones thank you for taking a look. Just knowing it’s not a whitelist issue is a good start! I’m using this code https://gist.github.com/technion/f299433f42dd3ae5dd96#file-acme-client-runner-rb around the acme-client gem. First thing I’ll do is start fresh with the acme-client gem and write my own version of the acme-client-runner.rb rather than just copying and pasting from GitHub. Hopefully that will help me track down the issue. If I’m still having problems I’ll start a new thread.