Not actually whitelisted yet?


#1

Hi,

I’ve received the invite to the beta confirming that my domain (granivo.re) was whitelisted.

However, when I run the client with:

./letsencrypt-auto --agree-dev-preview -d granivo.re --server https://acme-v01.api.letsencrypt.org/directory -vvvvvvv auth

I get the error:

Failed authorization procedure. granivo.re (simpleHttp): unauthorized :: The client lacks sufficient authorization :: Validation payload has improper value for field token

IMPORTANT NOTES:

  • The following ‘unauthorized’ errors were reported by the server:

    Domains: granivo.re
    Error: The client lacks sufficient authorization

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contains the right IP address.

I’m running the python http server serving the challenge response in another term, as instructed.

Relevant parts of the log:

2015-10-27 13:38:26,948:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo. args: (), kwargs: {}
2015-10-27 13:38:26,957:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-10-27 13:38:27,223:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo HTTP/1.1" 200 1314
2015-10-27 13:38:27,235:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1314', 'Expires': 'Tue, 27 Oct 2015 13:38:27 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<EDITED BECAUSE PIECE OF SHIT FORUM WANTS NO MORE THAN 2 LINKS>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 27 Oct 2015 13:38:27 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '', 'Replay-Nonce': 'bzs9DazPWcwMT_8oD6GTMkZ7_Ef46CNbFDPuu4cCtoE'}. Content: '{"identifier":{"type":"dns","value":"granivo.re"},"status":"invalid","expires":"2015-11-03T13:37:51Z","challenges":[{"type":"simpleHttp","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Validation payload has improper value for field token"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19980","token":"p8BhiFn1J9XlwUG2m3Wkd4d1TKUaSyXeHlIqdNM3UJw","tls":false,"validationRecord":[{"url":"http://granivo.re/.well-known/acme-challenge/p8BhiFn1J9XlwUG2m3Wkd4d1TKUaSyXeHlIqdNM3UJw","hostname":"granivo.re","port":"80","addressesResolved":["195.154.235.104"],"addressUsed":"195.154.235.104"}]},{"type":"dvsni","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19981","token":"10c9eG85fXIci51xTCFN7bDamOsOQMyi9CtL4yMcOJ0"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19982","token":"vXE9OGFHtcw8XHQhfzrQ4c1BWr8XQY9sDVqCG-9o23M"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19983","token":"Q2iEJsP7sW4VLRqbJAHG7WRIPAe9YiacmlGp2_cowIc"}],"combinations":[[0],[1],[2],[3]]}'
2015-10-27 13:38:27,244:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1314', 'Expires': 'Tue, 27 Oct 2015 13:38:27 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': 'EDITED BECAUSE PIECE OF SHIT FORUM WANTS NO MORE THAN 2 LINKS;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 27 Oct 2015 13:38:27 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '', 'Replay-Nonce': 'bzs9DazPWcwMT_8oD6GTMkZ7_Ef46CNbFDPuu4cCtoE'}): '{"identifier":{"type":"dns","value":"granivo.re"},"status":"invalid","expires":"2015-11-03T13:37:51Z","challenges":[{"type":"simpleHttp","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Validation payload has improper value for field token"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19980","token":"p8BhiFn1J9XlwUG2m3Wkd4d1TKUaSyXeHlIqdNM3UJw","tls":false,"validationRecord":[{"url":"http://granivo.re/.well-known/acme-challenge/p8BhiFn1J9XlwUG2m3Wkd4d1TKUaSyXeHlIqdNM3UJw","hostname":"granivo.re","port":"80","addressesResolved":["195.154.235.104"],"addressUsed":"195.154.235.104"}]},{"type":"dvsni","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19981","token":"10c9eG85fXIci51xTCFN7bDamOsOQMyi9CtL4yMcOJ0"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19982","token":"vXE9OGFHtcw8XHQhfzrQ4c1BWr8XQY9sDVqCG-9o23M"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/SFfLT0zABTK_hkEvFvsGMYuc5TLA_LSseXBs8KzxaAo/19983","token":"Q2iEJsP7sW4VLRqbJAHG7WRIPAe9YiacmlGp2_cowIc"}],"combinations":[[0],[1],[2],[3]]}'

The IP address in these log entries does match the domain, so I’m not sure what is going wrong. Hence I’m wondering if maybe there was a problem with the whitelisting.


#2

It’s not the whitelist, it’s an error somewhere else in the client validation.


#3

Yeah, I had seen that error, but it didn’t help much in understanding the problem.
I had started following the stack trace, but Python is yucky, so I was hoping for a whitelisting problem, or for someone noticing something else interesting in those logs. I guess I’ll start sprinkling more prints in that code.

Thanks.


#4

Same issue, different error messages.

Whitelisted domains: www.blmarket.net, blmarket.net (I double-checked the domains from the email)
DNS setting: blmarket.net has an A record with the IP address; www.blmarket.net is a CNAME to blmarket.net
Requested domains: every combination possible (single ones and both of them)

Relevant parts of /var/log/letsencrypt/letsencrypt.log:

2015-11-02 10:40:25,398:DEBUG:acme.client:Received response <Response [403]> (headers: {'Content-Length': '101', 'Expires': 'Mon, 02 Nov 2015 10:40:25 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 02 Nov 2015 10:40:25 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'z1gyg4LqJsh9zzpTFWWSzfyhjVaQ20MaPPYGAqPbEYs'}): '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is not whitelisted"}'
2015-11-02 10:40:25,399:DEBUG:letsencrypt.cli:Exiting abnormally:
**stacktrace**

#5

Same problem here. Relevant bits from the log file:

2015-11-02 10:58:43,041:DEBUG:acme.client:Received response <Response [403]> (headers: {'Content-Length': '101', 'Expires': 'Mon, 02 Nov 2015 10:58:42 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 02 Nov 2015 10:58:42 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': '1EmU2DTM8Y04QQWtqJN3TcjunLfzbeDqj8yLKriN9u4'}): '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is not whitelisted"}'
2015-11-02 10:58:43,070:DEBUG:letsencrypt.cli:Exiting abnormally:

Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted

#6

That’s some issue with the CNAME; try removing it and retry, it should work then. We had that here some days ago, but it’s not yet fixed in the client / server. I don’t know what the exact problem is, but I think it works without the CNAME record.

See also [SOLVED] The server could not resolve a domain name.


#7

I changed my DNS record to a CNAME, but I’m still getting the same error.


#8

OP here. I just wanted to point out that my particular problem was not whitelisting (as @jcjones also pointed out). That post was originally just to make sure of it.

My actual problem was described and “solved” (afaic) here: https://github.com/letsencrypt/letsencrypt/issues/1280


#9

@kelunik, it seems you were right. Changing the CNAME record to the respective A record (with enough time waiting for DNS propagation :smile:) makes it work. Thanks for solving my problem!


#10

Hi all,

We had a problem where the most recent batch of domain names was whitelisted, and then reverted by one of our automated systems. It’s now fixed. If you got the “name is not whitelisted” error, please try again.

Some people have also been getting the less-common “The server experienced an internal error :: Error creating new authz” error. This is a generic 500, but one common cause is https://github.com/letsencrypt/letsencrypt/issues/1138 / https://github.com/letsencrypt/boulder/issues/1048. In short: if you have a CNAME at the root of your domain pointing at a subdomain, you’ll get this error. It’s fixed in our codebase, and will be fixed in prod with our next deploy.

Thanks,
Jacob
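An added triage helper for the two failure modes this thread discusses: it parses an authz response like the one quoted in #1 to report which challenge failed and whether the CA fetched the expected /.well-known/acme-challenge/ URL, and it flags the apex-CNAME-to-subdomain setup that #10 names as a cause of the 500. This is example code, not part of the thread or the Let's Encrypt client; the authz sample, domain and zone records are constructed.

```python
import json
from typing import Optional

# Constructed sample modelled on the authz response in post #1
# (domain, token and addresses are placeholders, not the real values).
AUTHZ_JSON = json.dumps({
    "identifier": {"type": "dns", "value": "example.test"},
    "status": "invalid",
    "challenges": [
        {"type": "simpleHttp", "status": "invalid",
         "error": {"type": "urn:acme:error:unauthorized",
                   "detail": "Validation payload has improper value for field token"},
         "token": "tok123",
         "validationRecord": [{"url": "http://example.test/.well-known/acme-challenge/tok123",
                               "hostname": "example.test", "port": "80",
                               "addressesResolved": ["192.0.2.10"],
                               "addressUsed": "192.0.2.10"}]},
        {"type": "http-01", "status": "pending", "token": "tok456"},
    ],
})

def failed_challenges(authz_json: str) -> list:
    """Return (type, error detail, url_ok, address used) for each invalid challenge.

    url_ok is True when the CA's validationRecord URL is exactly the
    http://<domain>/.well-known/acme-challenge/<token> path the client must serve.
    """
    authz = json.loads(authz_json)
    domain = authz["identifier"]["value"]
    out = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        expected = f"http://{domain}/.well-known/acme-challenge/{ch.get('token')}"
        rec = (ch.get("validationRecord") or [{}])[-1]   # last attempt wins
        out.append((ch["type"], ch.get("error", {}).get("detail", ""),
                    rec.get("url") == expected, rec.get("addressUsed")))
    return out

def apex_cname_to_subdomain(records: dict, domain: str) -> Optional[str]:
    """Return the CNAME target if the apex has a CNAME pointing at its own subdomain.

    records maps (name, rrtype) -> value. A CNAME at the apex also conflicts with
    the SOA/NS records every zone must carry there, so it is wrong independently of ACME.
    """
    target = records.get((domain, "CNAME"))
    return target if target and target.endswith("." + domain) else None

# Constructed zone snapshots: the first reproduces the #10 failure mode,
# the second is the conventional apex A + www CNAME layout.
ZONE_BAD = {("example.test", "CNAME"): "www.example.test", ("www.example.test", "A"): "192.0.2.10"}
ZONE_OK = {("example.test", "A"): "192.0.2.10", ("www.example.test", "CNAME"): "example.test"}
```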


#11

Now I still can’t work normally. It shows xiaoyu.net is not whitelisted. Why is that?


#12

Whitelisting shouldn’t matter anymore because we are now in public beta – there are no more restrictions on the ability to participate and request certs. What sort of error message are you getting now?