TL;DR
I just want to know what this output from certbot means:
The request message was malformed :: No such authorization
Furthermore, if an individual domain being requested is to blame, how might I learn that? Can LE’s error handling for this case be improved to include domain/hostname?
Full Explanation
The following command has been working without incident for ~8 months and began failing on July 4th (4 days ago).
letsencrypt certonly --webroot --staging --csr /path/to/my.csr -w /path/to/html -d www.somedoman1.com -d www.somedomain2.com
The domains above are just examples. However, it only seems to fail when certain domains are used; the problem appears to be with the domains and we still succeed with most domains. However, when there has been a failure with a domain in the past, that has always been evident from the log message we get from certbot. For example:
Failed authorization procedure. www.bsd100.org (http-01): urn:acme:error:unauthorized
^^ That is an example of 1 of many errors we get which contains the causal domain and allows our automated scripts to parse out the problem domain and retry w/o it. Those scripts recover from any error like this reliably.
However, the failure output we’re now getting is:
The request message was malformed :: No such authorization
Which puts us in a difficult position for diagnosing. Our recovery scripts are unable to recover. I believe my next step is to determine a causal domain by manual process of elimination.
Here is the actual command with full list of domains…
letsencrypt certonly --webroot --staging --csr /path/to/my.csr -w /path/to/html -d pleasanthillschools.com -d admin.alhs.nyc -d admin.ardmore.lakeviewpublicschools.org -d admin.avalongardenselementary.com -d admin.chowchillahigh.k12.ca.us -d admin.cpdlf.org -d admin.dcsedu.com -d admin.dhs.dcsedu.com -d admin.dms.dcsedu.com -d admin.elcaonline.org -d admin.es.pleasanthillschools.com -d admin.greenwood.lakeviewpublicschools.org -d admin.greenwoodscharter.org -d admin.harmon.lakeviewpublicschools.org -d admin.is.pleasanthillschools.com -d admin.jefferson.lakeviewpublicschools.org -d admin.lakeviewhs.lakeviewpublicschools.org -d admin.lakeviewpublicschools.org -d admin.midwoodhighschool.org -d admin.ms.pleasanthillschools.com -d admin.onwardleaders.org -d admin.princeton.lakeviewpublicschools.org -d admin.ps.pleasanthillschools.com -d admin.refugiohs.org -d admin.st-augustine.org -d admin.stdominicschool.org -d admin.sunriseacademy.net -d admin.syvpirates.org -d admin.syvuhsd.org -d admin.usj.dcsedu.com -d admin.wes.dcsedu.com -d admin.wheat.lakeviewpublicschools.org -d alhs.nyc -d ardmore.lakeviewpublicschools.org -d avalongardenselementary.com -d chowchillahigh.k12.ca.us -d coretca.org -d dcsedu.com -d dhs.dcsedu.com -d dms.dcsedu.com -d edisonchargers.com -d elcaonline.org -d es.pleasanthillschools.com -d greenwood.lakeviewpublicschools.org -d harmon.lakeviewpublicschools.org -d is.pleasanthillschools.com -d jefferson.lakeviewpublicschools.org -d lakeviewhs.lakeviewpublicschools.org -d lakeviewpublicschools.org -d losarbolesmiddle.org -d midwoodhighschool.org -d onwardleaders.org -d panolacharterschool.net -d princeton.lakeviewpublicschools.org -d ps.pleasanthillschools.com -d refugiohs.org -d school.stpaulannarbor.org -d st-augustine.org -d staugschool.org -d stdominicschool.org -d sunriseacademy.net -d syvpirates.org -d syvuhsd.org -d torahdayschoolofphoenix.com -d usj.dcsedu.com -d wes.dcsedu.com -d wheat.lakeviewpublicschools.org -d www.alhs.nyc -d 
www.avalongardenselementary.com -d www.chowchillahigh.k12.ca.us -d www.coretca.org -d www.dcsedu.com -d www.edisonchargers.com -d www.elcaonline.org -d www.greenwoodscharter.org -d www.lakeviewpublicschools.org -d www.losarbolesmiddle.org -d www.midwoodhighschool.org -d www.onwardleaders.org -d www.panolacharterschool.net -d www.pleasanthillschools.com -d www.refugiohs.org -d www.st-augustine.org -d www.stdominicschool.org -d www.sunriseacademy.net -d www.syvpirates.org -d www.syvuhsd.org
Further mandatory diagnostic info…
My web server is (include version):
Apache 2
The operating system my web server runs on is (include version):
Ubuntu
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Very old certbot: letsencrypt 0.4.1
CLI, but with the webroot plugin
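
The recovery approach described in the post (parse the blamed domain out of the failure line, and fall back to process of elimination when the error names none), as an added example that is not part of the original post or of certbot. `try_issue` is a hypothetical caller-supplied wrapper around one issuance attempt, and `fake_issue` with its `.example` domains is constructed sample input.

```python
import re

# Per-domain failure line, in the format quoted in the post.
FAILED_AUTHZ = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): (?P<error>\S+)"
)

def blamed_domain(output):
    """Return the domain named in a certbot failure line, or None."""
    match = FAILED_AUTHZ.search(output)
    return match.group("domain") if match else None

def find_failing(domains, try_issue):
    """Return the domains that make a request fail.

    try_issue(subset) -> (ok, output) is a hypothetical wrapper, supplied by
    the caller, around one issuance attempt for exactly `subset`.
    """
    domains = list(domains)
    if not domains:
        return []
    ok, output = try_issue(domains)
    if ok:
        return []
    named = blamed_domain(output)
    if named in domains:
        # The error names its domain: drop it and retry the rest.
        rest = [d for d in domains if d != named]
        return [named] + find_failing(rest, try_issue)
    if len(domains) == 1:
        return domains
    # Opaque error: split the list and test each half on its own.
    mid = len(domains) // 2
    return find_failing(domains[:mid], try_issue) + find_failing(domains[mid:], try_issue)

def fake_issue(subset):
    """Constructed stand-in for a real run: one named and one opaque failure."""
    if "b.example" in subset:
        return False, "Failed authorization procedure. b.example (http-01): urn:acme:error:unauthorized"
    if "d.example" in subset:
        return False, "The request message was malformed :: No such authorization"
    return True, ""

if __name__ == "__main__":
    names = ["a.example", "b.example", "c.example", "d.example", "e.example"]
    print(find_failing(names, fake_issue))
```

If the full list fails but the result is empty, both halves succeeded on their own, so the failure depends on the combined request rather than on one domain.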