The client lacks sufficient authorization :: Invalid response

Please help – thank you!

Interestingly enough, I have another domain on this server which renews just fine, so I’m obviously doing something wrong on this particular one. I’ve read lots and tried lots but have so far been unable to see what I’m doing wrong.

I can view files at the location specified.


Thank you!

My domain is:

I ran this command: certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

My web server is (include version): nginx/1.13.12

The operating system my web server runs on is (include version): Ubuntu 16.04.1, 4.13.0-43-generic

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Resolving (…, 2a03:b0c0:3:d0::54:f001

LE prefers IPv6 over IPv4 and I don’t think it falls back on IPv6 failures.
Is your site (and the challenge directory) available by IPv6?


Please show:
and the vhost config that covers this domain name.


It looks like you are using the webroot authenticator, which tries to put the response file in a specific location on your filesystem so the webserver will serve it in response to the challenge. Is it possible you've moved directories around since you first issued the certificate? As @rg305 mentioned, you should check in /etc/letsencrypt/renewal/ and make sure the the configured webroot directory matches the directory where you just put .well-known-acme-challenge/test.txt.

You may also want to try switching to the Nginx plugin, which can manage things for you more automatically, like figuring out where to put the file, and reloading your webserver once the new certificate is available.

1 Like

@rg305's diagnosis seems exactly right to me. In IPv4 the test file returns a redirect to the HTTPS version of the site, which then returns "ugh". In IPv6, the test file returns a 404 error. So, the problem seems to be the discrepancy between the IPv4 and IPv6 versions of the site.


To add a little detail: If @rg305’s and @schoen’s theory is correct, the fix will be to add [::]:443 to the listen directives of each of your virtual hosts that serves SSL/TLS. Or to remove the AAAA (IPv6) record from your DNS.


Since the site returns an nginx default page in IPv6, it seems like the server is already fully IPv6-capable and the [::]:443 solution should work fine.

1 Like

I’m bowled over by the speed and quality of these responses. I’m travelling for the next couple of hours, but I’ll try this change as soon as I can. Thank you to everyone!

1 Like

Okay, I tried the above options and there's no change.

I've replaced the webroot plugin with the nginx plugin and I have a functioning Let's Encrypt certificate again! However, I run into the same error when trying to renew that (the permissions error).

Here are some more details that were requested in the thread so far.

version = 0.17.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = webroot
installer = None
account = 20bfe4dd01f2ae0b164f302d3af6cbf3
renew_hook = /usr/sbin/service nginx reload
[[webroot_map]] = /var/www/ = /var/www/

You know what, I think there are enough reasons to completely rebuild this server, so I'm not going to take this any further. Thank you for your help so far everyone, I'm going to do a clean Ubuntu 18.04 LTS build on a fresh DO server and follow some best practices.

Any better guides than the slightly old Set Up a DigitalOcean Virtual Server for WordPress on Ubuntu 22.04 that you can recommend?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.