"The client lacks sufficient authorization" in standalone mode


#1

Hey, guys!

My domain is: treinamento.branetlogistica.com.br

I ran this command: /etc/certbot-auto certonly --staging

It produced this output: I chose “1” for standalone mode and it returned this:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): treinamento.branetlogistica.com.br
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for treinamento.branetlogistica.com.br
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. treinamento.branetlogistica.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://treinamento.branetlogistica.com.br/.well-known/acme-challenge/oJAfjxqQb9BwnweSfIe9dmY8wm_yWcN9ldKByQ1wfhQ: "<!doctype html>\r\n<html>\r\n\t<head>\r\n\t\t<meta charset=\"utf-8\"/>\r\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/>\r\n\t\t<meta n"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: treinamento.branetlogistica.com.br
   Type:   unauthorized
   Detail: Invalid response from
   http://treinamento.branetlogistica.com.br/.well-known/acme-challenge/oJAfjxqQb9BwnweSfIe9dmY8wm_yWcN9ldKByQ1wfhQ:
   "<!doctype html>\r\n<html>\r\n\t<head>\r\n\t\t<meta
   charset=\"utf-8\"/>\r\n\t\t<meta http-equiv=\"X-UA-Compatible\"
   content=\"IE=edge\"/>\r\n\t\t<meta n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Tomcat 7

The operating system my web server runs on is (include version): CentOS 6

I am root and port 80 is open.

What am I doing wrong?
Thank you already!


#2

Hi @mateusscheper

Checking your port 80:

D:\temp>download http://treinamento.branetlogistica.com.br/ -h
Content-Length: 0
Location: http://treinamento.branetlogistica.com.br/hub/

Status: 301 MovedPermanently

530,65 milliseconds
0,53 seconds

A first redirect. Then

D:\temp>download http://treinamento.branetlogistica.com.br/hub/ -h
Content-Length: 0
Location: http://treinamento.branetlogistica.com.br:4248/form/?targetId=6172707e-1657-477b-af66-831e419d3156

Status: 302 Redirect

545,07 milliseconds
0,55 seconds

A second to another port. Then:

D:\temp>download http://treinamento.branetlogistica.com.br:4248/form/ -h
X-Frame-Options: DENY
Content-Length: 95866
Cache-Control: no-cache, no-store
Date: Wed, 24 Oct 2018 21:36:49 GMT
Server: Microsoft-HTTPAPI/2.0

Status: 200 OK

559,58 milliseconds
0,56 seconds

A Microsoft server.

The first and second don’t have additional headers. Is this a proxy configuration? So perhaps Certbot is running somewhere else, doesn’t see port 80 in use, creates its own instance, but the proxy catches the traffic.
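
Added example, not part of the thread or of Certbot: a small offline checker that applies two HTTP-01 rules to the data quoted above. The rules are Let's Encrypt's documented redirect policy (at most 10 redirects, only http/https, only ports 80 and 443) and the RFC 8555 key-authorization body format. The function names and the sample constants are assumptions, constructed from the output in posts #1 and #2.

```python
import re
from urllib.parse import urlsplit

# Key authorization (RFC 8555 section 8.3): "<token>.<base64url SHA-256 JWK thumbprint>"
KEY_AUTH = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}$")
MAX_REDIRECTS = 10          # Let's Encrypt's documented redirect limit
ALLOWED_PORTS = {80, 443}   # the only redirect target ports it follows

def check_redirects(locations):
    """Return the problems found in a list of Location header values."""
    problems = []
    if len(locations) > MAX_REDIRECTS:
        problems.append("more than %d redirects" % MAX_REDIRECTS)
    for loc in locations:
        u = urlsplit(loc)
        if u.scheme not in ("http", "https"):
            problems.append("redirect to unsupported scheme: " + loc)
            continue
        port = u.port or (443 if u.scheme == "https" else 80)
        if port not in ALLOWED_PORTS:
            problems.append("redirect to port %d is not followed: %s" % (port, loc))
    return problems

def check_body(token, body):
    """Classify the body returned for /.well-known/acme-challenge/<token>."""
    text = body.strip()
    if text.lower().startswith(("<!doctype", "<html")):
        return "html-page"              # another web server or device answered
    if not KEY_AUTH.match(text):
        return "not-key-authorization"
    if text.split(".", 1)[0] != token:
        return "wrong-token"
    return "ok"

# Constructed sample input, modelled on the output quoted in this thread.
TOKEN = "oJAfjxqQb9BwnweSfIe9dmY8wm_yWcN9ldKByQ1wfhQ"
SAMPLE_LOCATIONS = [
    "http://treinamento.branetlogistica.com.br/hub/",
    "http://treinamento.branetlogistica.com.br:4248/form/",
]
SAMPLE_BODY = "<!doctype html>\r\n<html>\r\n\t<head>\r\n"

if __name__ == "__main__":
    print(check_redirects(SAMPLE_LOCATIONS))
    print(check_body(TOKEN, SAMPLE_BODY))
```

An "html-page" result for the challenge path means something other than Certbot's temporary standalone server answered on port 80.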


#3

Hi!
Thank you for your reply.

The actual admin didn’t tell me at the time, but later I found that the server is behind another device.
I made the certificate on my own server, then copied the files to the web server, and it worked.

Thank you very much for your time!


#4

This works. But Let's Encrypt certificates are only valid for 90 days, so you have to repeat these steps every 60 - 85 days.

Is this really a solution?