[Resolved] The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge



Massive edit.

Long story short, I had the “The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge” error message. Seems the trick is, the client also spawns its own HTTPS server, which then gets asked by the Let’s Encrypt servers to validate the info you just sent them. This is not different from the old behavior; however, most likely you have a running HTTPS server on your system!

Having said that, you then have two options to get your certificate. Both solutions worked for me and for my personal devices, which only I care about, but if you are using a Let’s Encrypt certificate on a busier server, it might be a little bit of trouble – however, in reality, you should have been using a 1 or 2 year certificate MINIMUM, not a 90 day one, but that is not for me to argue your choices.

  1. Ensure your letsencrypt-auto client has a way to serve HTTP and HTTPS requests for the hostname/domain name you are going to generate the certificate for - which might then mean stopping your real production web server whenever the client is to be run, and then resuming it afterwards, plus disabling any reverse proxy, should it intercept your HTTP/HTTPS sessions and decide to answer with its cached data or its own certificates;

  2. Forget about the renewal and issue a new certificate via manual mode, by using the Let’s Encrypt client as “certonly --standalone --standalone-supported-challenges http-01”. The http-01 challenge is the original behavior, way less secure and with fewer checks, hence still left as a last resort.

So there you have it. There may be other options to get the official Let’s Encrypt client to issue or renew certificates (actually, there are, but I won’t be discussing them at this time), but these two choices might give you some hints on the process and how to get your certs running in no time.

Have fun.

Last but not least, thanks to the Let’s Encrypt team for their awesome work, providing the Internet community with a little more security.
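The stop/issue/restart sequence from option 1 combined with the standalone http-01 invocation from option 2, as an added shell wrapper that is not part of the original post or of the Let’s Encrypt client. It assumes an nginx managed by systemd and the old letsencrypt-auto client on PATH; both commands are overridable through the environment, and the port check is a helper of mine that needs ss or netstat.

```shell
#!/bin/sh
# Added example, not the original post's code: stop the production web server only for
# the duration of the client run, then always restart it, even when issuance fails.
# Assumptions: nginx managed by systemd and the old letsencrypt-auto client on PATH;
# both can be overridden through the environment (stubs are used when self-testing).
LE_CLIENT="${LE_CLIENT:-letsencrypt-auto}"
WEB_STOP="${WEB_STOP:-systemctl stop nginx}"
WEB_START="${WEB_START:-systemctl start nginx}"

# Succeeds when something is already listening on TCP port $1 (needs ss or netstat).
port_busy() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hltn "sport = :$1" | grep -q .
    else
        netstat -ltn 2>/dev/null | grep -q "[:.]$1 "
    fi
}

# Bring the web server back and drop the safety-net trap.
restore_web() { $WEB_START; trap - EXIT; }

# issue_standalone DOMAIN... : obtain a certificate with the http-01 standalone mode
# the post describes. Returns the client's exit status, or 1 if port 80 is still taken.
issue_standalone() {
    [ $# -gt 0 ] || { echo "usage: issue_standalone DOMAIN..." >&2; return 2; }
    domain_args=""
    for d in "$@"; do domain_args="$domain_args -d $d"; done
    $WEB_STOP || return 1
    trap 'restore_web' EXIT            # restart even if this shell dies mid-run
    if port_busy 80; then
        echo "port 80 is still in use; the standalone listener cannot bind" >&2
        restore_web
        return 1
    fi
    rc=0
    $LE_CLIENT certonly --standalone --standalone-supported-challenges http-01 $domain_args || rc=$?
    restore_web
    return $rc
}
```

Run it as `issue_standalone example.com www.example.com` from a root shell; a non-zero status means the web server was restarted but no certificate was obtained.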