[SOLVED] Urn:acme:error:unauthorized :: The client lacks sufficient authorization

I run this command:

```
certbot certonly --agree-tos --expand --authenticator webroot --installer apache -d "hotelgalassia.ml,www.hotelgalassia.ml" --webroot-path /var/www/html/elpiro.ml/hotelgalassia.ml
```

but I get:

```
hotelgalassia.ml (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://hotelgalassia.ml/.well-known/acme-challenge/Nvaiyeh0Ems5JSFZLm4VjarpPKRVzd3sETTWn6Ux9L8:
```

I think I hit some limits:

```
"identifier": {
  "type": "dns",
  "value": "www.hotelgalassia.ml"
},
"status": "invalid",
"expires": "2018-02-22T23:38:24Z",
"challenges": [
  {
    "type": "tls-sni-01",
    "status": "pending",
    "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Z_2PGj-Hl6MmWLUdTT91GyZNDuUAcj0rKgI4b3xXxn0/3475145678",
    "token": "H_rhGBOPeW9-H2QdUXgo_WljWOJ7JpvZFvuDrMZsd44"
  },
  {
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:acme:error:unauthorized",
      "detail": "Invalid response from http://www.hotelgalassia.ml/.well-known/acme-challenge/oydwsReY8X3k0YxSFdMhYzwM2TboTL8lcCAUpnqrFu4: "\u003c!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u
      "status": 403
    },
    "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Z_2PGj-Hl6MmWLUdTT91GyZNDuUAcj0rKgI4b3xXxn0/3475145679",
    "token": "oydwsReY8X3k0YxSFdMhYzwM2TboTL8lcCAUpnqrFu4",
    "keyAuthorization": "oydwsReY8X3k0YxSFdMhYzwM2TboTL8lcCAUpnqrFu4.iZpd_Z4cKYtjUvkCaCNjxa_Ey67dNiLKJY1wS8Tc53g",
    "validationRecord": [
      {
        "url": "http://www.hotelgalassia.ml/.well-known/acme-challenge/oydwsReY8X3k0YxSFdMhYzwM2TboTL8lcCAUpnqrFu4",
        "hostname": "www.hotelgalassia.ml",
        "port": "80",
        "addressesResolved": [
          "94.130.141.157"
        ],
        "addressUsed": "94.130.141.157"
      }
    ]
  }
```

Does it mean I have to wait till 22.02.2018 to get a new cert?
With "--test-cert" it works.

Hi @maistoast,

This error isn’t a rate limit error. Rather, it suggests that your --webroot-path is wrong because the certificate authority can’t find the validation file at the expected URL on your site.

It’s strange that it worked with --test-cert, though. Did you use exactly the same command otherwise?

Do you have information in your web server logs showing the attempts by the certificate authority to connect to your server to download the validation file (in both the --test-cert and non---test-cert cases)?

Could you place a file test.txt in /var/www/html/elpiro.ml/hotelgalassia.ml/.well-known/acme-challenge/test.txt and see if it then becomes visible in a web browser at http://www.hotelgalassia.ml/.well-known/acme-challenge/test.txt?

By the way, certonly and --installer contradict each other (although that isn’t the reason for the error that you’ve encountered). certonly means “don’t use any installer at all (only obtain the certificate and don’t try to install it in a local web server)”. So the --installer will be ignored. If you do want to use --installer apache, you can use run instead of certonly, or simply omit certonly entirely.

According to https://crt.sh/?Identity=%hotelgalassia.ml&iCAID=16418, you did obtain a couple of certificates a little over a week ago (but not enough certificates to trigger the rate limits!). Do you know if you used the same command then, and whether anything has changed in your web server configuration in the meantime?


Thanks for the help. I noticed that when trying to reach the test.txt file I was redirected to /var/lib/dehydrated.
After uninstalling the packages dehydrated and dehydrated-apache2, certbot succeeded.
I’m sorry but I don’t have the time to investigate any further.
Thanks again for pointing me in the right direction.
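
The last post traces the failure to the web server serving `/.well-known/acme-challenge` from `/var/lib/dehydrated` instead of the `--webroot-path`. The script below is an added example, not part of the original posts or of certbot: it scans Apache `*.conf` files for `Alias` directives that do this. It assumes the override is a plain `Alias` (the thread does not show the actual directive); the function name and the sample config are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report Apache Alias directives that serve
# /.well-known/acme-challenge from a directory other than certbot's --webroot-path.

# find_challenge_overrides CONF_DIR WEBROOT
# Prints one "file:line: URL path -> directory" line per conflicting Alias and
# returns 1 if any were found, 0 otherwise. Only plain Alias directives in
# *.conf files are examined (AliasMatch, Redirect and mod_rewrite are not).
find_challenge_overrides() {
    conf_dir=$1
    want="${2%/}/.well-known/acme-challenge"
    out=$(find "$conf_dir" -type f -name '*.conf' -exec awk -v want="$want" '
        BEGIN { path = "/.well-known/acme-challenge" }
        /^[ \t]*#/ { next }                            # skip comment lines
        tolower($1) == "alias" && NF >= 3 {
            url = $2; dir = $3
            gsub(/"/, "", url); gsub(/"/, "", dir)     # drop optional quoting
            sub(/\/+$/, "", url); sub(/\/+$/, "", dir) # drop trailing slashes
            if (url == "" || index(path, url) != 1) next    # alias is for another path
            rest = substr(path, length(url) + 1)
            if (rest != "" && substr(rest, 1, 1) != "/") next
            served = dir rest                          # where challenge files are read from
            if (served != want)
                printf "%s:%d: %s -> %s\n", FILENAME, FNR, path, served
        }' {} +)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample config: one snippet aliasing the challenge path to the
# directory named in the thread; the webroot is the one passed to certbot.
tmp=$(mktemp -d)
printf 'Alias /.well-known/acme-challenge /var/lib/dehydrated\n' > "$tmp/dehydrated.conf"
find_challenge_overrides "$tmp" /var/www/html/elpiro.ml/hotelgalassia.ml ||
    echo "challenge path is not served from the webroot"
rm -rf "$tmp"
```

On a Debian-style Apache install the first argument would normally be `/etc/apache2`.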
