Renew:The client lacks sufficient authorization

Abel-Liu · January 28, 2019, 4:11am

My domain is: lms-edxplatform-tm.trafficmanager.cn

I ran this command: sudo certbot renew

It produced this output:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lms-edxplatform-tm.trafficmanager.cn
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (lms-edxplatform-tm.trafficmanager.cn) from /etc/letsencrypt/renewal/lms-edxplatform-tm.trafficmanager.cn.conf produced an unexpected error: Failed authorization procedure. lms-edxplatform-tm.trafficmanager.cn (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/Fy3ZUlvbKXeJi-xPOxTcmk3N9AvIl2ZZS12q-tpAhwQ: "\r\n<html xmlns=“http”. Skipping.

I use Nginx on Ubuntu.
The version of my client is certbot 0.22.2
I have a file located at http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/test
but it return 502

Anyone can help , thanks.

rg305 · January 28, 2019, 5:08am

This seems a bit outdated but should not be the reason for this http request to fail:

You will need to ensure that certbot can correctly detect the document root used for that domain.
[so it can place the challenge file in the correct folder]

http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/{whatever file name}
should be served by:
{site root}/.well-known/acme-challenge/{that same file name}

You should test this by placing a test text file in that folder and see if it can be reached from the Internet.
[you will most likely need to create the /.well-known/acme-challenge/ subfolders first]

Abel-Liu · January 28, 2019, 5:15am

Hi, I have set root location, here is my nginx config

listen 80 default_server;
    listen 443 default_server ssl;
  location ~ ^/.well-known {
    allow all;
    root /edx/app/edxapp/edx-platform/lms;
  }

And my .well-known directory is under that location.
Thanks.

rg305 · January 28, 2019, 8:39pm

The location use for /.well-known is good.
But using listen 80 and 443 in the same block is NOT good:

port 80 is http (not encrypted)
port 443 is https (encrypted).
The web server can't do both (encrypt and not encrypt) in the same block.
Those should be either very similar but separate blocks.
Or the http block can just redirect everything to https.

mnordhoff · January 28, 2019, 8:56pm

@Abel-Liu

Can you check the /etc/letsencrypt/renewal/ file Certbot was using and Nginx's error.log to try to make sure it was using the right server block and right root?

As @rg305 said, it doesn't affect this, but if you installed Certbot using the PPA, it has version 0.28.0 right now. You should run sudo apt-get update and sudo apt-get upgrade.

It can as long as you don't use "ssl on;".

Abel-Liu · January 29, 2019, 5:02am

Thanks you guys, I’ll check it later.

system · February 28, 2019, 5:02am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to renew certificate - client lacks authorization Help	7	2598	August 5, 2017
Renew failed: The client lacks sufficient authorization Help	11	999	August 30, 2019
Certbot renewal fails with "The client lacks sufficient authorization" error Help	2	4698	July 30, 2017
Failed Authorisation Procedure. The client lacks sufficient authorization Help	6	577	July 9, 2022
Problem with certbot renewal Help	10	724	July 22, 2018

Renew:The client lacks sufficient authorization

Related topics