Renew: The client lacks sufficient authorization


#1

My domain is: lms-edxplatform-tm.trafficmanager.cn

I ran this command: sudo certbot renew

It produced this output:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lms-edxplatform-tm.trafficmanager.cn
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (lms-edxplatform-tm.trafficmanager.cn) from /etc/letsencrypt/renewal/lms-edxplatform-tm.trafficmanager.cn.conf produced an unexpected error: Failed authorization procedure. lms-edxplatform-tm.trafficmanager.cn (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/Fy3ZUlvbKXeJi-xPOxTcmk3N9AvIl2ZZS12q-tpAhwQ: "\r\n<html xmlns=“http”. Skipping.

I use Nginx on Ubuntu.
The version of my client is certbot 0.22.2.
I have a file located at http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/test
but it returns 502.

Can anyone help? Thanks.


#2

This seems a bit outdated but should not be the reason for this http request to fail:

You will need to ensure that certbot can correctly detect the document root used for that domain.
[so it can place the challenge file in the correct folder]

http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/{whatever file name}
should be served by:
{site root}/.well-known/acme-challenge/{that same file name}

You should test this by placing a test text file in that folder and seeing whether it can be reached from the Internet.
[you will most likely need to create the /.well-known/acme-challenge/ subfolders first]


#3

Hi, I have set the root location; here is my nginx config:

    listen 80 default_server;
    listen 443 default_server ssl;
    location ~ ^/.well-known {
        allow all;
        root /edx/app/edxapp/edx-platform/lms;
    }

And my .well-known directory is under that location.
Thanks.


#4

The location used for /.well-known is good.
But using listen 80 and 443 in the same block is NOT good:

port 80 is http (not encrypted)
port 443 is https (encrypted).
The web server can’t do both (encrypt and not encrypt) in the same block.
Those should be either two very similar but separate blocks,
or the http block can just redirect everything to https.
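As an added illustration of the two points made in #2 and #4 (the challenge URL path is appended to the configured root, and port 80 and port 443 belong in separate server blocks, with the http block redirecting everything but the challenge to https), here is a minimal pair of server blocks. This is example config written for this thread, not config from the original poster or from certbot; it reuses the domain and the root path shown in #3 and assumes certbot's default /etc/letsencrypt/live/<domain>/ layout for the certificate files.

```nginx
# Added example config, not the thread's own. Domain and root are taken from #3;
# certificate paths assume certbot's default /etc/letsencrypt/live/<domain>/ layout.

# Plain-HTTP block: answers the ACME http-01 challenge and redirects everything else.
server {
    listen 80 default_server;
    server_name lms-edxplatform-tm.trafficmanager.cn;

    # nginx appends the request path to "root", so
    #   http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/<token>
    # is read from
    #   /edx/app/edxapp/edx-platform/lms/.well-known/acme-challenge/<token>
    # "^~" makes this prefix location take precedence over any regex locations
    # in the same block, so the token is always served from this directory.
    location ^~ /.well-known/acme-challenge/ {
        root /edx/app/edxapp/edx-platform/lms;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS block: same site, separate block; TLS is enabled on the listen directive,
# so no "ssl on;" directive is needed.
server {
    listen 443 ssl default_server;
    server_name lms-edxplatform-tm.trafficmanager.cn;

    ssl_certificate     /etc/letsencrypt/live/lms-edxplatform-tm.trafficmanager.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lms-edxplatform-tm.trafficmanager.cn/privkey.pem;

    # The site's real application locations go here; this placeholder just
    # keeps the example loadable on its own.
    location / {
        return 404;
    }
}
```

To check the mapping the way #2 describes, create /edx/app/edxapp/edx-platform/lms/.well-known/acme-challenge/test containing a known string, run nginx -t and reload, then fetch http://lms-edxplatform-tm.trafficmanager.cn/.well-known/acme-challenge/test from outside: the expected answer is HTTP 200 with that string. A static file served from a root never produces a 502, so a 502 on that URL means the request was handled by a different location than the one above; Nginx's error.log, as #5 suggests, shows which one.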


#5

@Abel-Liu

Can you check the /etc/letsencrypt/renewal/ file Certbot was using and Nginx’s error.log to try to make sure it was using the right server block and right root?

As @rg305 said, it doesn’t affect this, but if you installed Certbot using the PPA, it has version 0.28.0 right now. You should run sudo apt-get update and sudo apt-get upgrade.

It can as long as you don’t use “ssl on;”.


#6

Thank you, guys, I’ll check it later.