The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/txJ.. [X]: 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: flow-robotics.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/flow-robotics.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for flow-robotics.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (flow-robotics.com) from /etc/letsencrypt/renewal/flow-robotics.com.conf produced an unexpected error: Failed authorization procedure. flow-robotics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://flow-robotics.com/.well-known/acme-challenge/SQMleaOsOpjDloO-TMCAIJAYyuXqI7tBIvmmOKTwvLA [2a02:2350:5:104:640:0:db23:2909]: 403. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/flow-robotics.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/flow-robotics.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

So I’m wondering what is throwing the 403 Unauthorized. The request URL seems to be a http:// one, so is it perhaps some HTTP->HTTPS redirection that causes this problem?
I renewed similarly on a staging subdomain, that has the same configuration, and it worked without a problem there. Thanks in advance!

1 Like

Your server responds differently for IPv4 and IPv6. With IPv4 I’m getting the expected HTTP -> HTTPS redirect, but with IPv6 I’m getting a 403 Forbidden error like Let’s Encrypt.

1 Like

Hi @jeppe

see your ip addresses - https://check-your-website.server-daten.de/?q=flow-robotics.com

Host T IP-Address is auth. ∑ Queries ∑ Timeout
flow-robotics.com A 52.47.137.87 Paris/Île-de-France/France (FR) - Amazon Technologies Inc. Hostname: ec2-52-47-137-87.eu-west-3.compute.amazonaws.com yes 1 0
AAAA 2a02:2350:5:104:640:0:db23:2909 Copenhagen/Capital Region/Denmark (DK) - One.com A/S yes

Your ipv4 is from Amazon. Your ipv6 is in Copenhagen.

Checking your domain Letsencrypt prefers ipv6, so that’s critical.

If your AmazonAWS doesn’t have an ipv6, remove your ipv6 entry.

1 Like

Thank you for your reply Juergen, this solved the issue. :slight_smile: