The client lacks sufficient authorization :: Invalid response from [Again]

Yeah, I know there are a lot of topics with this issue, but I can't solved it...

My domain is: cytconectar.com

I ran this command: certbot certonly --webroot --agree-tos --no-eff-email --email rojo.fede@gmail.com -w /var/www/letsencrypt -d www.cytconectar.com -d cytconectar.com

It produced this output:

Failed authorization procedure. cytconectar.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cytconectar.com/.well-known/acme-challenge/PJWkP102EQXII81MMVu-hwTxNv8J8dACQdxee17O23A [ip]: "\n\n\n <link rel="stylesheet" type="text/css" class="meteor-css" href="/200d8026b7770a1baa08dde3ab4", www.cytconectar.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.cytconectar.com/.well-known/acme-challenge/Ww9TazO-7Xw515QQkskg3flfweSvYXZe2nOnEQXFW28 [ip]: "\n\n\n <link rel="stylesheet" type="text/css" class="meteor-css" href="/200d8026b7770a1baa08dde3ab4"

IMPORTANT NOTES:

I'm usin
nginx version: nginx/1.14.0 (Ubuntu)
Ubuntu 18.04.4 LTS
Digital Ocean
certbot 0.31.0

My conf is

server{
listen 80;

server_name cytconectar.com;

access_log /var/log/nginx/app.dev.access.log;
error_log /var/log/nginx/app.dev.error.log;

location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
}

}

I can acces to my site with http

Thanks for any helps!!

2 Likes

Welcome to the Let's Encrypt Community, Fede :slightly_smiling_face:

Let's take a look here... :thinking:

From what I can tell, it appears that you have a problem with your IPv6 address. Either fix or remove the AAAA record in your DNS zone then try again.

You may run into trouble with http://cytconectar.com/.well-known/acme-challenge/test redirecting back to http://cytconectar.com/

3 Likes

That is very unlikely to be your actual web root.
and Your FQDN has two IPs:

Name:    cytconectar.com
Addresses:  2604:a880:2:d0::5363:4001
          165.22.174.73

curl -6Iki cytconectar.com
curl: (7) Failed to connect to cytconectar.com port 80: Connection refused

4 Likes

Your IPv4 listen statement:

May not cover the IPv6 address in DNS:

Name:    cytconectar.com
Addresses:  2604:a880:2:d0::5363:4001
          165.22.174.73

And when available LE will prefer IPv6 over IPv4 [without fallback].

So either:

  • also listen on [::]:80
  • remove the AAAA record from DNS
3 Likes

I have removed AAAA from Digital Ocean, but the error is the same. Maybe I have to wait some time?

1 Like

Hi @fede18_lfc

no, that's not required.

Letsencrypt checks the authoritative name servers, so there is no caching.

Checking your domain there is an answer.

But the answer looks wrong:

D:\temp>download http://cytconectar.com/.well-known/acme-challenge/1234 -h
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Sun, 04 Oct 2020 17:14:23 GMT
Server: nginx

Status: 200 OK

Normally, a http status 404 - Not Found is expected.

PS: Yep, checked your domain - https://check-your-website.server-daten.de/?q=cytconectar.com - there is a wrong answer:

Visible Content: . . . </cyt-conectar>

Doesn't look like the required validation file.

2 Likes

The reason that @JuergenAuer's test failed is:

You might have a rewrite rule happening somewhere that is stripping the request uri off the end.

Per @JuergenAuer's wisdom, that looks like something happening in your website's application. Please read the end of my next long response for further details:

1 Like

You are wrong. You didn't read the output. A http status 200 isn't a redirect (301, 302 etc).

2 Likes

It's not technically a "redirect", it's a rewrite. You are correct there. Click on the test url I provided then look at your address bar.

1 Like

Please learn the basics. You can't check that with a browser.

You have to use raw tools like curl / download.exe or online tools.

2 Likes

If the server rewrites http://cytconectar.com/.well-known/acme-challenge/test to http://cytconectar.com/ for my browser, are you saying the server will treat a curl request differently?

And there

is no rewrite, that's an application redirect which is invisible using online tools. But that's not a http redirect.

2 Likes

Thanks for your patience with me @JuergenAuer. I know I still have much to learn.

Your evaluation explains a lot. :slightly_smiling_face: I was wondering why it only seemed to be happening from the client side. It might explain why there's a 200 for absolutely every address I've tested too, including yours: http://cytconectar.com/.well-known/acme-challenge/1234

Even the online redirect checker I use says 200:

Will this "application redirect" really not affect the certification process?


Upon further inspection, it appears that the same page is returned regardless of what request uri is specified. This is some type of override on the server. There needs to be an exception to allow the real content of anything requested in the http://cytconectar.com/.well-known/acme-challenge/ directory to be returned without override.

This could very well be a rewrite rule WITHOUT a redirect on the server. Perhaps the server passes the request uri to the serverside application file, which then returns whatever content it deems appropriate from that point?

@fede18_lfc

Please check to see how your server is handling requests for specific URIs. I have a feeling that's where the snag is.

1 Like

Sorry, where do I look it?

I setup https 6 month ago. It was ok.. but a month ago the domain expired (godaddy). I bought the domain again.

The code is the same and de configuration is the same. I only changed cytconectar.com.conf

1 Like

I don't know.

There answers your application, not a raw file.

Please read some basics.

Then the basics about http validation.

So Letsencrypt has the wrong content. But it's a problem of your - unknown - application.

PS: Your config shows a proxy. So create an exception of /.well-known/acme-challenge, so you can use that with webroot. And why do you use webroot? Is /var/www/letsencrypt defined? If not, your command can't work.

PPS: Disclaimer: It's not my job to check answers of other users. One other answer is wrong again.

What are the contents of cytconectar.com.conf? Perhaps the answer lies there. You may have already completely posted it above, but I just want to make sure. Let's take a look. Please put three backticks (`) on lines above and below the contents so they're easy to read here. How did the changes you make here differ from the other? This might help us understand. Your situation is different than what we typically encounter here, but I for one am willing to learn something from this.

1 Like

@JuergenAuer

Please read here:

Being empathic is the right thing to do in its own right, but it’s especially valuable in encrypting the web. One of the many reasons we don’t have more encryption on the web today is that the skills required are too arcane. If we can help people learn those skills, or if we can get feedback from people that helps us make things clearer, we further the mission of encrypting the web.

And here:
https://community.letsencrypt.org/guidelines

3 Likes

This is my actual conf

server{
 listen 80 default_server;

 # this could be your IP address, a subdomain or a full domain
 server_name cytconectar.com;

 access_log /var/log/nginx/app.dev.access.log;
 error_log /var/log/nginx/app.dev.error.log;

 location / {
   proxy_pass http://127.0.0.1:3000;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection 'upgrade';
   proxy_set_header X-Forwarded-For $remote_addr;
 }

}

Before this I have

proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:10m inactive=60m;
proxy_cache_key "$scheme$request_method$host$request_uri";

#server_tokens off;

upstream backend {
  server 127.0.0.1:3000;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    if ($host = www.cytconectar.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = cytconectar.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80 ipv6only=on;

    server_name   cytconectar.com www.cytconectar.com;
    return 301 https://cytconectar.com$request_uri;




}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/cytconectar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cytconectar.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/cytconectar.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;

    server_name    www.cytconectar.com;
    return         301 https://cytconectar.com$request_uri;

}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /etc/letsencrypt/live/cytconectar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cytconectar.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/cytconectar.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;

    root /var/www/cytconectar.com;
    index index.html index.htm;

    server_name cytconectar.com;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Language $http_accept_language;

        proxy_redirect off;

        proxy_http_version 1.1;

        proxy_pass http://backend;
    }

    location ~ ^/(ufs/) {
        proxy_cache my_zone;


        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Language $http_accept_language;

        proxy_redirect off;

        proxy_http_version 1.1;

        proxy_pass http://backend;
    }

    location ~ \.(css) {

        root /opt/cyt/tmp/bundle/programs/web.browser;
        access_log off;
        expires 30d;

        add_header Pragma public;
        add_header Cache-Control "public";
        add_header X-Proxy-Cache $upstream_cache_status;
    }

    location ~ \.(js) {

        root /opt/cyt/tmp/bundle/programs/web.browser/app;
        access_log off;

        expires 30d;

        add_header Pragma public;
        add_header Cache-Control "public";
        add_header X-Proxy-Cache $upstream_cache_status;
    }
    location ~ \.(jpg|jpeg|png|gif|mp3|ico|pdf) {

        root /opt/cyt/tmp/bundle/programs/web.browser/app;
        access_log off;

        expires 30d;

        add_header Pragma public;
        add_header Cache-Control "public";
        add_header Pragma public;
        add_header Cache-Control "public";
        add_header X-Proxy-Cache $upstream_cache_status;
    }

    location ^~ /packages {
        proxy_cache my_zone;
        add_header X-Proxy-Cache $upstream_cache_status;

        root /opt/cyt/tmp/bundle/programs/web.browser;
        access_log off;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }


}
1 Like

I run

sudo certbot --nginx -d cytconectar.com -d www.cytconectar.com

And it work! Maybe I have something wrong with my previous command

certbot certonly --webroot --agree-tos --no-eff-email --email rojo.fede@gmail.com -w /var/www/letsencrypt -d www.cytconectar.com -d cytconectar.com

Thanks to all!!

3 Likes

Glad to see you got your cert and you've installed it. Nice website! :wink:

3 Likes