The client lacks sufficient authorization - 404


#13

Thank you. I didn’t understand that http was needed and I must have missed that in the documentation.


#14

Good morning,

thanks serverco for getting back to me. Here are my answers to your initial questions:

Yes — I just masked the real domain for posting here and replaced it with mydomain.net

No, I cannot reach the link in the browser. If I am not misinterpreting the error message I have posted, it throws a 404 not found error. I have manually created the /.well-known/acme-challenge folder in the nginx docroot, and it turned out my nginx conf was blocking requests that start with a dot (to prevent access to .ht[access|passwd] files).
Now it is just working as expected. Thanks.

There’s one last question: How can I generate a certificate that includes both the mydomain.net and www.mydomain.net — if even possible.

Thanks so much again for putting all this effort into a better and easier encryption!


#15

Add all the domains you want for that certificate on the command line;

./letsencrypt-auto certonly --webroot -w /var/www/default -d mydomain.net -d www.mydomain.net


#16

Hello,
Thanks for this great project!

Like mmaedler, I get the same 404 message, but the solution given here doesn’t work for me.

My server “MyServer” is accessible from the Internet (http, port 80) and a manual test page I put into ~.well-known/acme-challenge is also visible.

But when I try to get a cert using the command "./letsencrypt-auto certonly --manual -w /var/www/html -d MyServer" (I tried --manual and --webroot with no more success), I get these messages:
Failed authorization procedure. MyServer (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://MyServer/.well-known/acme-challenge/-cpx90pHqUIY7sRCVZ6Hqdtku9V3KmvY9ld3HnaTcSQ [5.56.47.138]: 404

IMPORTANT NOTES:

  • The following ‘urn:acme:error:unauthorized’ errors were reported by
    the server:

    Domains: MyServer
    Error: The client lacks sufficient authorization

Here are my httpd’s logs:
error.log:
192.168.255.149 - - [17/Dec/2015:17:54:36 +0100] "GET /favicon.ico HTTP/1.1" 200 1232 "http://MyServer/.well-known/acme-challenge/toto" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
192.168.255.175 - - [17/Dec/2015:17:54:52 +0100] “GET / HTTP/1.1” 200 16852 “-” "check_http/v1.4.16 (nagios-plugins 1.4.16)"
access.log:
[Thu Dec 17 17:56:02 2015] [error] [client 192.168.255.149] File does not exist: /home/www/amicare/.well-known/acme-challenge/-cpx90pHqUIY7sRCVZ6Hqdtku9V3KmvY9ld3HnaTcSQ

MyServer runs Red Hat Enterprise Linux 6.3, so the packages are not sufficient (version of python, …).
So I generate the cert on a Red Hat Enterprise Linux 7.2.

I don’t really know where to search now.
Do you have an idea of what I missed?

Thanks a lot again


#17

You get an error that
/home/www/amicare/.well-known/acme-challenge/-cpx90pHqUIY7sRCVZ6Hqdtku9V3KmvY9ld3HnaTcSQ
does not exist.

With your apache (I assume) config, is that the location it should be in for

http://MyServer/.well-known/acme-challenge/-cpx90pHqUIY7sRCVZ6Hqdtku9V3KmvY9ld3HnaTcSQ ?

You say the manual test page in .well-known/acme-challenge/ was visible … was that the internal ?

do you have any redirects (.htaccess ) that could be affecting it ?


#18

Hi!,
Thanks for your response.

Yes, this URL is the one where it should be.
My project is under “/home/www/amicare” and DocumentRoot has been defined as “/home/www/amicare” in my /etc/httpd/conf/httpd.conf
I’ve got a .htaccess where I defined: Options +FollowSymlinks +Indexes.
And I made a "chmod -R 777 /home/www/amicare/.well-known"
When I am surfing from the Internet to http://MyServer/.well-known/acme-challenge, I get:

    Index of /.well-known/acme-challenge

    Name                Last modified    Size    Description
    Parent Directory                     -

    Apache/2.2.15 (Red Hat) Server at MyServer Port 80

But I can’t get a cert from LE.

Thanks for your help


#19

Hello @aegle,

Please, perform the following actions:

1.- Create a dummy file in acme-challenge dir in your Red Hat 6.3 Server.
printf "%s" thisisthecontentoffile > /home/www/amicare/.well-known/acme-challenge/dummychallengefile

2.- Launch below command from your Red Hat 7.2 and from internet and show us the complete output (change yourdomain.tld for your actual domain):
curl -i http://yourdomain.tld/.well-known/acme-challenge/dummychallengefile | cat -A

With this data we can check whether there is any issue with your apache conf, dns, etc. (keep in mind that it would be better if you could show your real domain).

Cheers,
sahsanu


#20

Hello sahsanu,

Thanks for your reply.
Here is the result of the command launched from my RH7.2 server.
I used one of my real testing servers / domains as asked.

[root@integ4 letsencrypt]# curl -i http://integ-amicare.aegle.fr/.well-known/acme-challenge/dummychallengefile | cat -A
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    22  100    22    0     0    678      0 --:--:-- --:--:-- --:--:--   709
HTTP/1.1 200 OK^M$
Date: Mon, 21 Dec 2015 10:08:01 GMT^M$
Server: Apache/2.2.15 (Red Hat)^M$
Last-Modified: Mon, 21 Dec 2015 10:07:26 GMT^M$
ETag: "203d5f-16-52765a7f83b7f"^M$
Accept-Ranges: bytes^M$
Content-Length: 22^M$
Content-Type: text/plain; charset=UTF-8^M$
Connection: close^M$
^M$
thisisthecontentoffile[root@integ4 letsencrypt]#

From another server on Internet, I get same successful response.

Regards.


#21

Hello @aegle,

The output seems correct to me; the only thing that could cause your problems is the Content-Type. It seems letsencrypt doesn’t like it if the charset is added.

As you are using Apache, put a .htaccess file inside .well-known dir with this content:

ForceType 'text/plain'
AddDefaultCharset Off

And try again the test using curl, in Content-type you should only see:

Content-Type: text/plain

If the test is ok, try letsencrypt again but using the --staging flag to create a non-valid certificate. Once you get the certificate created you can remove --staging from your command, and this time it will create a valid certificate. I’m saying to use staging just in case you hit the rate limit.

Note: Keep in mind that you should only use -d integ-amicare.aegle.fr I’m saying it because www.integ-amicare.aegle.fr is not resolving by DNS so you can’t validate it.

Cheers,
sahsanu


#22

Dear sahsanu,

I created the .htaccess with the instructions mentioned inside the .well-known directory, with no more success. I will investigate later why UTF-8 is still present in Content-type. Perhaps my http.conf?
Then I tried the same .htaccess in another server/domain and the result is now ok for Content-type. But no more success with letsencrypt :sob:

Here are my new tries with this server:
[root@integ4 letsencrypt]# curl -i http://amicare-france.com/.well-known/acme-challenge/dummychallengefile | cat -A
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    22  100    22    0     0   1837      0 --:--:-- --:--:-- --:--:--  2000
HTTP/1.1 200 OK^M$
Date: Mon, 21 Dec 2015 11:43:31 GMT^M$
Server: Apache/2.2.15 (Red Hat)^M$
Last-Modified: Sat, 19 Dec 2015 14:10:47 GMT^M$
ETag: "61c-16-52740d28b7b84"^M$
Accept-Ranges: bytes^M$
Content-Length: 22^M$
Connection: close^M$
Content-Type: text/plain^M$
^M$

[root@integ4 letsencrypt]# ./letsencrypt-auto certonly --manual --staging -w /var/www/html -d amicare-france.com
Updating letsencrypt and virtual environment dependencies…
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --manual --staging -w /var/www/html -d amicare-france.com

Make sure your web server displays the following content at

If you don’t have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" 0IaVLH5tvo0X4OHJ7iUk8AKoGQUs3tzXOzARu_uv_cQ.1DYE223Nhwxf-0MUzbF313jl3QZ0-37zgVyL3IJYiak > .well-known/acme-challenge/0IaVLH5tvo0X4OHJ7iUk8AKoGQUs3tzXOzARu_uv_cQ

run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
Press ENTER to continue

Self-verify of challenge failed.

Failed authorization procedure. amicare-france.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://amicare-france.com/.well-known/acme-challenge/Am9Sy7cvHKe0KZqEyHbOPWXCJ1eJ9A_EtLSEJ8ydPVY [5.56.47.140]: 404

IMPORTANT NOTES:

  • The following ‘urn:acme:error:unauthorized’ errors were reported by
    the server:

    Domains: amicare-france.com
    Error: The client lacks sufficient authorization
[root@integ4 letsencrypt]#

Thanks for help.


#23

Maybe you are not allowing AllowOverride for .htaccess files in that dir.

That’s the message that you receive using manual mode, but what did you do? I mean, exactly, what is the command that you used and on which machine?

Because these are the steps you should perform:

Server 1… where you are running the letsencrypt command in manual mode:
./letsencrypt-auto certonly -d amicare-france.com --staging --text --email youruser@yourdomain.tld --agree-tos --manual --manual-public-ip-logging-ok
Then you should see on your screen the procedure to create the challenge file; don’t press enter yet. Copy the printf "%s" … line, and now you should open a new ssh session to your server 2.

Server 2:
With the new session open, cd to the document root of your web server (the one used by amicare-france.com; I think it is /var/www/html/). Once in that dir, paste the line that you copied previously (printf …).
Now, check that you can connect to that new file created.

curl -i http://amicare-france.com/.well-known/acme-challenge/herethenameofthenewchallengefilethatyouhavecreatedwithprintf

If you get no error and you can see the content of the file, then go back to the session opened on Server 1.

Server 1, press Enter to continue the validation of the challenge.

If you follow these steps should work pretty fine… maybe :wink:

Good luck,
sahsanu
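The two-server procedure above ends with the CA fetching http://amicare-france.com/.well-known/acme-challenge/TOKEN and comparing what comes back with the key authorization the printf line wrote. The script below is an added example, not code from this thread or from the letsencrypt client: it derives the key authorization from the token and the account key the way RFC 8555 and RFC 7638 specify, and judges a fetched response the way the CA does, mapping the 404, 403 and "redirected to the homepage" cases seen in this thread to their usual cause. The token is the one quoted in post #22; the RSA JWK and the HTTP responses are constructed for the demonstration and are not a real account key or real server output.

```python
"""Local replay of the http-01 check a CA performs (RFC 8555, section 8.3).

Added example: not code from this thread or from the letsencrypt client.
The account key and HTTP responses below are constructed for the
demonstration; the token is the one quoted in the thread, the key is not a
real account key.
"""
import base64
import hashlib
import json

SAMPLE_TOKEN = "Am9Sy7cvHKe0KZqEyHbOPWXCJ1eJ9A_EtLSEJ8ydPVY"

# Constructed RSA public JWK standing in for the ACME account key.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xGkZ3p7dX0w9r2fG_7lQq3vM8nZb5yH1kTjLcRsUoPe4aWiB2dNfVyKmZ6tC9sXq",
    "alg": "RS256",   # present in many JWKs but NOT part of the thumbprint input
}


def b64url(data):
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """Exact content of .well-known/acme-challenge/<token>: token '.' thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def check_http01(status, headers, body, expected):
    """Judge the final HTTP response for the challenge URL as the CA would.

    Only the status and the body matter: the body is compared after trailing
    whitespace is stripped, and Content-Type is ignored (RFC 8555 says the CA
    SHOULD ignore it), so 'text/plain; charset=UTF-8' is not a problem.
    Returns (ok, reason), the reason naming the usual cause seen in this thread.
    """
    if status == 404:
        return False, ("404: no file at <DocumentRoot>/.well-known/acme-challenge/<token>; "
                       "the -w webroot must be the DocumentRoot of the vhost that answers "
                       "for this name")
    if status == 403:
        return False, "403: a RewriteRule ... [F] or Deny directive blocks paths starting with a dot"
    if status != 200:
        return False, "unexpected status %d" % status
    text = body.decode("utf-8", "replace").rstrip()
    if text == expected:
        return True, "ok (Content-Type %r was ignored)" % headers.get("Content-Type")
    if text.lstrip().startswith("<"):
        return False, "200 but the body is HTML: a redirect or rewrite sent the request to another page"
    return False, "200 but the body is not the key authorization"


def run_demo():
    """Constructed responses for the cases discussed in the thread."""
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    cases = {
        "missing_file": (404, {}, b"<html><title>404 Not Found</title></html>"),
        "dotfile_blocked": (403, {}, b"Forbidden"),
        "utf8_charset": (200, {"Content-Type": "text/plain; charset=UTF-8"}, (expected + "\n").encode()),
        "redirect_to_homepage": (200, {"Content-Type": "text/html"}, b"<!DOCTYPE html><html>...</html>"),
        "wrong_content": (200, {"Content-Type": "text/plain"}, b"thisisthecontentoffile"),
    }
    return {name: check_http01(s, h, b, expected) for name, (s, h, b) in cases.items()}


if __name__ == "__main__":
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    for name, (ok, reason) in run_demo().items():
        print("%-22s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

To test a live server, feed the status, headers and body of `curl -i http://yourdomain.tld/.well-known/acme-challenge/<token>` (run from outside your network, since the CA connects over plain HTTP on port 80 and follows redirects) into `check_http01`. The challenge file only needs to be readable by the web server user, so 0644 on the file and 0755 on the directories is enough; `chmod -R 777` is not required for the check to pass.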


#24

Hello @sahsanu,

Thanks a lot for your precious help as the manual mode works like a charm!
I won’t use the --webroot option which doesn’t work for me, but never mind as I get a solution with the manual mode.

Thanks again, good luck for your super project … and Merry Christmas.
Cheers


#25

Glad you finally got your certificates :wink:

Merry Christmas and Happy New Year
sahsanu


#26

I had the same problem with the ‘client lacks the sufficient authorization’ error today. It turned out that I created the .well-known/acme-challenge/ folders into the wrong directory. LE wanted the challenge folders to be above my domain directories which are:

~/home/www/
    mydomain.tld
    mydomain2.tld
    .well-known

:slightly_smiling:


#27

I was getting this issue only on certain sites on my server when using certonly and webroot.

It turned out to be the htaccess file from the cms’s on those domains (grav) which was blocking files and folders starting with a dot.

# Block all direct access to files and folders beginning with a dot
RewriteRule (^\.|/\.) - [F]

Commenting out that line fixed the issue and the certs then installed.

I had also been checking in the .well-known folder and didn’t see any files in there before or after it was working, so I’m not sure if that’s anything to do with ftp configuration but having no files in that folder doesn’t seem to be an issue.


#28

My issue was also a CMS .htaccess file that blocked the LE cert generation. I’m using Ghost and commenting out this line resolved the issue:

RewriteRule ^(.*)$ http://labs.meandyouis.us:61924/$1 [P]

I also temporarily commented out the root .htaccess file while I was generating the cert. Thanks, @robwent!


#29

Glad it worked!

I changed my rule to allow that folder so I could keep the rule and update the certs without any issues.

RewriteRule (^|/)\.(?!well-known) - [F]

#30

Another reason this can happen is if you’re redirecting all http traffic to https, but forget to append the rest of the URL on the end.

For instance, if you’re redirecting all http traffic to the homepage / root like this
RewriteCond %{HTTP_HOST} =example.com
RewriteRule ^(.*) https://www.example.com [L,R=301]
then the challenge will fail with

FailedChallenges: Failed authorization procedure. askdirections.org (http-01): urn:acme:error:unauthorized

Use this instead
RewriteCond %{HTTP_HOST} =example.com
RewriteRule ^(.*) https://www.example.com/$1 [L,R=301]
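The dotfile rules in posts #27 and #29 and the redirect rules in post #30 can be checked without touching a live server. The script below is an added example, not code from this thread or from Apache; it models just enough of mod_rewrite (per-directory matching against the path with its leading slash removed, the `-` substitution, the F and R flags, `$1` expansion and a RewriteCond on HTTP_HOST) to show which rule blocks the challenge path and which redirect drops it. The host names and the token path are constructed.

```python
"""Replay of the .htaccess rules from the thread against the ACME challenge path.

Added example, not code from the page or from Apache.  Only the small subset
of mod_rewrite semantics needed for these rules is modelled; the host names
and token path are constructed.
"""
import re

TOKEN_PATH = "/.well-known/acme-challenge/0IaVLH5tvo0X4OHJ7iUk8AKoGQUs3tzXOzARu_uv_cQ"

# Rules as (RewriteCond %{HTTP_HOST} value or None, pattern, substitution, flags).
GRAV_BLOCK = (None, r"(^\.|/\.)", "-", {"F"})                               # post #27
GRAV_FIXED = (None, r"(^|/)\.(?!well-known)", "-", {"F"})                   # post #29
REDIRECT_BAD = ("example.com", r"^(.*)", "https://www.example.com", {"L", "R=301"})      # post #30, broken
REDIRECT_GOOD = ("example.com", r"^(.*)", "https://www.example.com/$1", {"L", "R=301"})  # post #30, fixed


def apply_rule(host, path, rule):
    """Return (status, path_or_location) after one per-directory RewriteRule.

    In an .htaccess in the DocumentRoot, Apache matches the pattern against
    the request path with the leading '/' stripped, which is why '^\\.' can
    match '/.well-known/...'.
    """
    cond_host, pattern, subst, flags = rule
    if cond_host is not None and host != cond_host:
        return 200, path                        # RewriteCond not met: rule skipped
    rel = path.lstrip("/")
    m = re.search(pattern, rel)
    if not m:
        return 200, path                        # pattern did not match: request untouched
    if "F" in flags:
        return 403, path                        # [F]: Forbidden, challenge fetch fails
    # Expand $1, $2, ... from the pattern's capture groups (the '-' substitution never gets here).
    target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)
    for flag in flags:
        if flag == "R":
            return 302, target
        if flag.startswith("R="):
            return int(flag[2:]), target        # [R=301]: Location the CA will follow
    return 200, target


def run_cases():
    """Exercise each rule against the challenge path and against real dotfiles."""
    return {
        "grav_block_acme": apply_rule("example.com", TOKEN_PATH, GRAV_BLOCK),
        "grav_block_htaccess": apply_rule("example.com", "/.htaccess", GRAV_BLOCK),
        "grav_fixed_acme": apply_rule("example.com", TOKEN_PATH, GRAV_FIXED),
        "grav_fixed_htaccess": apply_rule("example.com", "/.htaccess", GRAV_FIXED),
        "grav_fixed_git": apply_rule("example.com", "/.git/config", GRAV_FIXED),
        "redirect_bad": apply_rule("example.com", TOKEN_PATH, REDIRECT_BAD),
        "redirect_good": apply_rule("example.com", TOKEN_PATH, REDIRECT_GOOD),
        "redirect_other_host": apply_rule("www.example.com", TOKEN_PATH, REDIRECT_GOOD),
    }


if __name__ == "__main__":
    for name, (status, where) in run_cases().items():
        print("%-22s %d  %s" % (name, status, where))
```

With the original grav rule the challenge path comes back 403, with the rule from post #29 it passes while `.htaccess` and `.git/config` stay blocked, and the redirect without `$1` sends the CA to `https://www.example.com` with the challenge path gone. One caveat on the fixed rule: `(?!well-known)` also lets any other name that merely starts with `.well-known` through; `(?!well-known(/|$))` limits the exception to that directory.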


#31

Can you help me with this error?

Failed authorization procedure. streamupbox.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for streamupbox.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: streamupbox.com
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for streamupbox.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
admin@StreamupBox:/opt/letsencrypt$ sudo ./letsencrypt-auto certonly --webroot -w /var/www/streamupbox.com/streamupbox -d streamupbox.com
Checking for new version…
Requesting root privileges to run letsencrypt…
/home/admin/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/streamupbox.com/streamupbox -d streamupbox.com
Failed authorization procedure. streamupbox.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for streamupbox.com



#32

@richard457 you would be better off opening a new topic than commenting on one that is over a month old.

Looking at your domain ( streamupbox.com ) with whois it gives the primary DNS servers as;
Name Server: NS1.DIGITALOCEAN.COM
Name Server: NS2.DIGITALOCEAN.COM
Name Server: NS3.DIGITALOCEAN.COM

Yet NS1 and NS2 are not (for me) returning any response. You need to sort out your DNS so that the nameservers specified at your domain name registrar respond correctly for your domain name.

