The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. OpenShift


#1

Hey,
today I wanted to renew SSL certificates for the domain digrin.com. However, I ran into problems:

Failed authorization procedure. www.digrin.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found '*.rhcloud.com, rhcloud.com'

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.digrin.com
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   '*.rhcloud.com, rhcloud.com'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Domain is hosted in the cloud - OpenShift Online - Amazon AWS. That means the IP can change and I use a CNAME instead of an A tag. How do I renew the certificate in this case? I tried to add an A tag for the domain, but it's not a very good approach since it can change. It does not work anyway (maybe DNS was not updated yet?)

Command that gave me above mentioned output is this: ./letsencrypt-auto certonly --email my@gmail.com --agree-tos --manual-public-ip-logging-ok -d www.digrin.com.

I want to create certificates on my laptop and upload them to server afterwards.


#2

It looks like your site is hosted behind some kind of load balancer. The validation mechanism you’re using at the moment requires that you are able to change the SSL configuration on the fly.

I would recommend switching to the webroot plugin. It works by making your web server serve certain files under http://www.digrin.com/.well-known/acme-challenge/random_token. The command you would use (based on yours) would look something like this:

./letsencrypt-auto certonly --webroot -w /var/www/html -d www.digrin.com --email my@gmail.com --agree-tos --manual-public-ip-logging-ok

/var/www/html would be your web server’s DocumentRoot in this example.


#3

Hi, yes there is a HAProxy load balancer.
I tried running your code:
./letsencrypt-auto certonly --webroot -w /var/www/html -d www.digrin.com --email my@gmail.com --agree-tos --manual-public-ip-logging-ok
And this is what I got:

Failed authorization procedure. www.digrin.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 1 parts

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.digrin.com
   Type:   unauthorized
   Detail: Error parsing key authorization file: Invalid key
   authorization: 1 parts

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Again, I am running it on my laptop and I need to upload files to OpenShift Online later.


#4

Sorry, missed that! :blush:

In that case, you’ll want to use manual mode:

./letsencrypt-auto certonly --manual -d www.digrin.com --email my@gmail.com --agree-tos --manual-public-ip-logging-ok

The client will then print a list of paths under which you have to create certain files which then need to be hosted on your site so that the CA server can request them via HTTP.

If that’s not possible, you can verify your domain ownership with dns-01, using DNS TXT records. This, however, is currently not supported by the official client. You can use one of the three bash clients if you need dns-01.

Note that Let’s Encrypt issues certificates that are valid for 90 days, so you’ll have to repeat those steps manually at least once every 3 months (this applies to both solutions).
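Added example, not part of the original thread: for http-01 the file served under /.well-known/acme-challenge/ must contain `<token>.<account key thumbprint>`, two dot-separated parts, which is the format the "Invalid key authorization: 1 parts" error in post #3 refers to. The function name and the sample token and thumbprint below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): validate the body a server returns for
#   http://<domain>/.well-known/acme-challenge/<token>
# before asking the CA to check it.

# check_key_authz TOKEN BODY
# Prints a one-line verdict; returns 0 only if BODY is "<TOKEN>.<thumbprint>".
check_key_authz() {
    token=$1
    # Strip CRs; command substitution also drops trailing newlines.
    body=$(printf '%s' "$2" | tr -d '\r')
    dots=$(printf '%s' "$body" | tr -cd '.' | wc -c | tr -d ' ')
    parts=$((dots + 1))
    if [ "$parts" -ne 2 ]; then
        echo "invalid: $parts parts (expected token.thumbprint)"
        return 1
    fi
    got_token=${body%%.*}
    thumb=${body#*.}
    if [ "$got_token" != "$token" ]; then
        echo "invalid: token in body does not match token in URL"
        return 1
    fi
    case $thumb in
        *[!A-Za-z0-9_-]*)
            echo "invalid: thumbprint is not base64url"
            return 1 ;;
    esac
    # Unpadded base64url of a SHA-256 digest is always 43 characters.
    if [ "${#thumb}" -ne 43 ]; then
        echo "invalid: thumbprint length ${#thumb}, expected 43"
        return 1
    fi
    echo "ok"
}

# Constructed sample values, not real challenge data.
SAMPLE_TOKEN='sample-token_0123456789'
SAMPLE_THUMB='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ'

# Well-formed body, then two bodies a misrouted request can produce.
check_key_authz "$SAMPLE_TOKEN" "$SAMPLE_TOKEN.$SAMPLE_THUMB" || true
check_key_authz "$SAMPLE_TOKEN" "$SAMPLE_TOKEN" || true
check_key_authz "$SAMPLE_TOKEN" '<html><body>404 Not Found</body></html>' || true
```

To check a live site, pass the token from the path the client prints together with the output of `curl -s` on that URL as the second argument.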


#5

Thanks for your help. I know I need to renew certificates every 90 days and I am glad letsencrypt sends notifications. I had problems with some extra directories. I was trying to run

before, but it returned error. I had extra directories in /etc/letsencrypt folders:
$ ls archive
digrin.com www.digrin.com www.digrin.com-0001

After I deleted www.digrin.com-0001 from archive, live and renewal, it created a new certificate successfully. However, it created the new certificates in a new directory, www.digrin.com-0001. Why is this happening? Should I use the renew command? I believe the www.digrin.com directory should contain all certificates and www.digrin.com-0001 is not needed.


#6

If you run the client with -d www.example.com, and later add another domain, e.g. -d sub.example.com -d www.example.com, the client will treat this as a new “lineage”, creating a separate directory (-001).

To avoid this, you can add the --expand flag:

--expand            If an existing cert covers some subset of the
                    requested names, always expand and replace it with the
                    additional names. (default: False)

#7

thanx, that is what I wanted!


#8

As an alternative solution, or as extra information for those finding this later: I recently did a post on how to configure haproxy to forward both tls-sni-01 and http-01 challenges to a different server from the rest of the traffic, which for at least some use cases can be very helpful.

https://www.cloudoptimizedsmb.com/articles/20160409-00/using-haproxy-to-split-letsencrypt-acme-challenges-from-regular-traffic

