The client lacks sufficient authorization :: Invalid response from

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:, specific subdomain:

I ran this command:
/usr/bin/certbot renew

It produced this output:
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: "\n<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” >\n\t<head data-requesttoken=“KEt1A2YSFAg8ChUQTU5CEQ”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)

My web server is (include version):
nginx 1.14.1

The operating system my web server runs on is (include version):
linux Raspbian GNU/Linux buster/sid

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

This looks like certbot has followed a “bad” redirection.
http requests for authentication should be excluded from the default redirection statement.


Hi @UltraSitesMedia

yep, as @rg305 wrote: A wrong redirect:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| | 301 | | 0.126 | A |
| | 302 | | 2.803 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| | 200 | | 2.067 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| | 301 | | 0.114 | A |
| Visible Content: 301 Moved Permanently nginx/1.14.1 | | | | |
| | 302 | | 1.920 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| Visible Content: | | | | |

The redirect http -> https is ok. But /.well-known/acme-challenge shouldn’t redirect to a login, that can’t work.

So you have two options: Find the login redirect and add a statement. Or check your port 80 vHost to add the statement there, so there is no redirect of /.well-known/acme-challenge to https.

Thank you!

It was my mistake!

The part of:

	location ~ /.well-known { ... }

was missing in my nginx config!
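
The fix discussed in this thread, as an added example that is not the poster's actual configuration: a port 80 server block that answers the http-01 challenge itself and redirects everything else. It assumes certbot's webroot authenticator; `example.com` and `/var/www/letsencrypt` are placeholders.

```nginx
# Constructed example: example.com and /var/www/letsencrypt are placeholders.

# Before: every port 80 request, including the ACME challenge, is redirected
# to HTTPS, where the application answers with its login page.
# server {
#     listen 80;
#     server_name example.com;
#     return 301 https://$host$request_uri;
# }

# After: serve the http-01 challenge directly on port 80, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # ^~ makes this prefix match win over any regex location, so a later
    # rewrite or auth rule cannot capture the challenge request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # same directory given to certbot --webroot -w
        default_type "text/plain";
        try_files $uri =404;         # never fall through to the application
    }

    # Everything else still goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Scoping the location to `/.well-known/acme-challenge/` rather than all of `/.well-known` keeps the unauthenticated exception as narrow as the validation needs. After `nginx -t` and a reload, `certbot renew --dry-run` confirms the challenge is reachable without touching the live certificate.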

