"The client lacks sufficient authorization" in standalone mode

Hey, guys!

My domain is: treinamento.branetlogistica.com.br

I ran this command: /etc/certbot-auto certonly --staging

It produced this output: I chose “1” for standalone mode and it returned this:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): treinamento.branetlogistica.com.br
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for treinamento.branetlogistica.com.br
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. treinamento.branetlogistica.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://treinamento.branetlogistica.com.br/.well-known/acme-challenge/oJAfjxqQb9BwnweSfIe9dmY8wm_yWcN9ldKByQ1wfhQ: "<!doctype html>\r\n<html>\r\n\t<head>\r\n\t\t<meta charset=\"utf-8\"/>\r\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/>\r\n\t\t<meta n"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: treinamento.branetlogistica.com.br
   Type:   unauthorized
   Detail: Invalid response from
   http://treinamento.branetlogistica.com.br/.well-known/acme-challenge/oJAfjxqQb9BwnweSfIe9dmY8wm_yWcN9ldKByQ1wfhQ:
   "<!doctype html>\r\n<html>\r\n\t<head>\r\n\t\t<meta
   charset=\"utf-8\"/>\r\n\t\t<meta http-equiv=\"X-UA-Compatible\"
   content=\"IE=edge\"/>\r\n\t\t<meta n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Tomcat 7

The operating system my web server runs on is (include version): CentOS 6

I am root and port 80 is open.

What am I doing wrong?
Thank you already!

Hi @mateusscheper

Checking your port 80:

D:\temp>download http://treinamento.branetlogistica.com.br/ -h
Content-Length: 0
Location: http://treinamento.branetlogistica.com.br/hub/

Status: 301 MovedPermanently

530,65 milliseconds
0,53 seconds

A first redirect. Then

D:\temp>download http://treinamento.branetlogistica.com.br/hub/ -h
Content-Length: 0
Location: http://treinamento.branetlogistica.com.br:4248/form/?targetId=6172707e-1657-477b-af66-831e419d3156

Status: 302 Redirect

545,07 milliseconds
0,55 seconds

A second to another port. Then:

D:\temp>download http://treinamento.branetlogistica.com.br:4248/form/ -h
X-Frame-Options: DENY
Content-Length: 95866
Cache-Control: no-cache, no-store
Date: Wed, 24 Oct 2018 21:36:49 GMT
Server: Microsoft-HTTPAPI/2.0

Status: 200 OK

559,58 milliseconds
0,56 seconds

A Microsoft server.

The first and second don't have additional headers. Is this a proxy configuration? So perhaps Certbot is running somewhere else, doesn't see a used port 80, creates its own instance - but the proxy catches the traffic.
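
Added example, not part of the original posts: a pre-flight check for the situation diagnosed above, where something in front of the host answers port 80 instead of Certbot's temporary server. It serves a random token under the ACME challenge path and fetches it back through the public hostname without following redirects; `probe` and its parameters are names assumed for this sketch, and binding port 80 needs root and a free port.

```python
# Added example; probe() and its parameters are illustrative names, not Certbot's.
import http.server
import secrets
import sys
import threading
import urllib.error
import urllib.request

PREFIX = "/.well-known/acme-challenge/"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 301/302 as-is instead of following it

def probe(hostname, listen_port=80, public_port=80, timeout=10):
    """Serve a random token locally, fetch it via hostname, compare the bodies."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32).encode()

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.path == PREFIX + token
            self.send_response(200 if ok else 404)
            self.end_headers()
            if ok:
                self.wfile.write(body)
        def log_message(self, *args):
            pass  # keep the console quiet

    server = http.server.HTTPServer(("", listen_port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://{hostname}:{public_port}{PREFIX}{token}"
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            status, headers, got = r.status, r.headers, r.read(1024)
    except urllib.error.HTTPError as err:   # redirects and 4xx/5xx land here
        status, headers, got = err.code, err.headers, err.read(1024)
    except OSError as err:                  # refused, timed out, DNS failure
        status, headers, got = None, {}, str(err).encode()
    finally:
        server.shutdown()
        server.server_close()
    # True only if the bytes served here came back through the public name.
    return {"reached_this_host": status == 200 and got == body, "status": status,
            "location": headers.get("Location"), "server": headers.get("Server"),
            "snippet": got[:80]}

if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it on the machine where Certbot would run, with the domain as the only argument. If the network does not route the public address back in from inside, do the fetch from an outside host instead.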

Hi!
Thank you for your reply.

The actual admin didn’t tell me at the time, but later I found that the server is behind another device.
I made the certificate on my own server, then copied the files to the web server, and it worked.

Thank you very much for your time!

This works. But Let's Encrypt certificates are only valid for 90 days, so you have to repeat these steps every 60 - 85 days.

Is this really a solution?
