The client lacks sufficient authorization :: Invalid response from

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ultra-sites.de, specific subdomain: cloud.ultra-sites.de

I ran this command:
/usr/bin/certbot renew

It produced this output:
Attempting to renew cert (ultra-sites.de) from /etc/letsencrypt/renewal/ultra-sites.de.conf produced an unexpected error: Failed authorization procedure. cloud.ultra-sites.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://cloud.ultra-sites.de/index.php/login [185.54.118.88]: "\n<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” >\n\t<head data-requesttoken=“KEt1A2YSFAg8ChUQTU5CEQ”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
** /etc/letsencrypt/live/ultra-sites.de/fullchain.pem (failure)**

My web server is (include version):
nginx 1.14.1

The operating system my web server runs on is (include version):
linux Raspbian GNU/Linux buster/sid

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

This looks like certbot has followed a “bad” redirection.
http requests for authentication should be excluded from the default redirection statement.

1 Like

Hi @UltraSitesMedia

yep, as @rg305 wrote: A wrong redirect:

Domainname Http-Status redirect Sec. G
http://cloud.ultra-sites.de/
185.54.118.88 301 https://cloud.ultra-sites.de/ 0.126 A
https://cloud.ultra-sites.de/
185.54.118.88 302 https://cloud.ultra-sites.de/index.php/login 2.803 N
Certificate error: RemoteCertificateChainErrors
https://cloud.ultra-sites.de/index.php/login 200 2.067 N
Certificate error: RemoteCertificateChainErrors
http://cloud.ultra-sites.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
185.54.118.88 301 https://cloud.ultra-sites.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.114 A
Visible Content: 301 Moved Permanently nginx/1.14.1
https://cloud.ultra-sites.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 302 https://cloud.ultra-sites.de/index.php/login 1.920 N
Certificate error: RemoteCertificateChainErrors
Visible Content:

The redirect http -> https is ok. But /.well-known/acme-challenge shouldn’t redirect to a login, that can’t work.

So you have two options: Find the login redirect and add a statement. Or check your port 80 vHost to add the statement there, so there is no redirect of /.well-known/acme-challenge to https.

Thank you!

It was my mistake!

The part of:

	location ~ /.well-known { ... }

was missing in my nginx config!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.