The client lacks sufficient authorization: Invalid response

My domain is: maurodelossantos.ga

I ran this command: sudo certbot certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): maurodelossantos.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for maurodelossantos.ga
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. maurodelossantos.ga (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maurodelossantos.ga/.well-known/acme-challenge/A5p9rBdQi5kbaiRpY9bJMWnQIYWCatkMB6LXmdCHn5A [195.20.53.246]: "\n\n\n \n <titl"

IMPORTANT NOTES:

My web server is (include version): A nginx 1.14.2

The operating system my web server runs on is (include version): Raspbian

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I've just tested all the solutions that I found on the internet and none have worked.

  • Creating a static local file in .well-known/acme-challenge/test and accessing it from a browser -> DONE
  • Creating static local redirections in /etc/hosts file for IPv4 and IPv6 (maurodelossantos.ga - localhost/::1) -> DONE

What more should I test?

Thanks.

Hi @mauro_983

that

doesn't work, there is no test file visible. And if that works, you should switch to --webroot and use the correct root directory.

But if --nginx doesn't work, Certbot doesn't understand your config.

What says

nginx -T

PS: Your setup can't work. There

http://maurodelossantos.ga/.well-known/acme-challenge/A5p9rBdQi5kbaiRpY9bJMWnQIYWCatkMB6LXmdCHn5A

is a frame

 <frame frameborder=0 src="http://mauropi.ddns.net" name="dot_tk_frame_content" scrolling="auto" noresize>

You must use the ip of mauropi.ddns.net directly as A record. But that may be impossible.

Or you use dns validation + --manual.

Please read the basics to understand why your setup can't work.

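The failure described in the reply above (a forwarder page where the token should be) can be checked before running Certbot. The script below is an added example, not Certbot's or the poster's code: `classify()` explains what a validator would see at the challenge URL, `probe_url()` fetches it without following redirects, and the frame page in `FRAME_BODY` is a constructed sample modelled on the one quoted in the thread; the domain and token arguments are assumed placeholders.

```python
"""Pre-flight check for the http-01 failure in this thread: classify what an
ACME validator sees at http://<domain>/.well-known/acme-challenge/<token>.
Added example, not Certbot's code; the sample body below is constructed."""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    status: int
    location: Optional[str]  # Location header, if any
    body: str


def classify(probe: Probe, token: str) -> str:
    """Explain why a validator would accept or reject this response."""
    body = probe.body.strip()
    if 300 <= probe.status < 400:
        # The CA follows redirects, so the target host must serve the token.
        return f"redirect to {probe.location}: that host must serve the token"
    if re.search(r"<i?frame\b", body, re.IGNORECASE):
        return "frame-forwarding page: DNS points at a forwarder, not your server"
    if body.startswith(token):
        return "ok: token served"
    if probe.status == 200 and "<" in body:
        return "html page: this server does not serve the challenge directory"
    return f"unexpected {probe.status} response"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it


def probe_url(domain: str, token: str, timeout: float = 10) -> Probe:
    """Fetch the challenge URL without following redirects (needs network)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return Probe(r.status, r.headers.get("Location"), r.read(512).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # raised for any 3xx/4xx/5xx
        return Probe(err.code, err.headers.get("Location"), err.read(512).decode("utf-8", "replace"))


# Constructed sample matching the forwarder page quoted in the thread.
FRAME_BODY = '<html><frameset><frame frameborder=0 src="http://mauropi.ddns.net" name="dot_tk_frame_content"></frameset></html>'

if __name__ == "__main__":
    print(classify(Probe(200, None, FRAME_BODY), "sometoken"))
    if len(sys.argv) == 3:  # usage: probe.py <domain> <token>
        print(classify(probe_url(sys.argv[1], sys.argv[2]), sys.argv[2]))
```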

Well, first of all, thanks for your reply.

Now:

Reading the way that LetsEncrypt works, I continue without understanding why this is not working and what the solution is. The second challenge that the documentation mentions, which LetsEncrypt uses to authenticate the agent (creating and signing an HTTP resource), I'm able to do. And now I'm correcting what I said before:

  • I've created a file called test.txt in the .well-known/acme-challenge/test directory, and I'm able to access and read it with curl:

curl maurodelossantos.ga/.well-known/acme-challenge/test/test.txt
ACCESS GRANTED

So, if this works, it should mean that LetsEncrypt is able to authenticate the agent, no?

By the way, using the second approach (the webroot one) also fails at the same step.

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): maurodelossantos.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for maurodelossantos.ga
Input the webroot for maurodelossantos.ga: (Enter 'c' to cancel): /var/www/html/public
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. maurodelossantos.ga (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maurodelossantos.ga/.well-known/acme-challenge/n3E9aIoF_FtUC2k01PjqfpmAW_PxKw724TbH7OvVEhM [195.20.53.246]: "\n\n\n \n <titl"

IMPORTANT NOTES:

So, if both of those solutions do not work and using mauropi.ddns.net directly as the A record is impossible, what could I do to migrate maurodelossantos.ga correctly to HTTPS with certbot?

Thanks a lot, and sorry about my little knowledge of the topic (and about my English too :sweat_smile:).

As written: I can't, Letsencrypt can't.

There is a frame, no file.

See your check - ~50 minutes old - https://check-your-website.server-daten.de/?q=maurodelossantos.ga

Host                     Type   IP-Address                                                                                       is auth.  ∑ Queries  ∑ Timeout
maurodelossantos.ga      A      195.20.53.246 Amsterdam/North Holland/Netherlands (NL) - OpenTLD Web Network No Hostname found   yes       1          0
                         AAAA                                                                                                    yes
www.maurodelossantos.ga  CNAME  maurodelossantos.ga                                                                              yes       1          0
                         A      195.20.53.246 Amsterdam/North Holland/Netherlands (NL) - OpenTLD Web Network No Hostname found   yes

That's your IP; that's where you must run Certbot.

But you can't, because that's a frame of your domain provider (or someone else).

Maybe it's impossible if you use such a DDNS service. You can create a certificate with your DDNS name.


Why would anyone register a domain name and then forward that to a free DDNS name?
[that seems to be going in the wrong direction]

curl -Iki http://maurodelossantos.ga/.well-known/acme-challenge/test/test.txt
HTTP/1.1 301
Server: nginx
Date: Thu, 29 Oct 2020 00:20:42 GMT
Connection: keep-alive
Location: https://mauropi.ddns.net
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT

And the authentication may be further broken by the DNS IP mismatch:

Name:    maurodelossantos.ga
Address:  195.20.53.246

Name:    mauropi.ddns.net
Address:  188.86.113.36

READERS: Get involved and participate: If you read something you like, then click to like it :heart:

Creating the certificate with my DDNS name is the solution.

Thanks.

That may be a solution...
But what happens to the domain "maurodelossantos.ga"?
Will https://maurodelossantos.ga/ ever get used?

Well, yes, I had to pay a small price to "arrange" the problem, and that price was not using the maurodelossantos.ga domain... I mean:

At this moment, I have a DDNS domain, mauropi.ddns.net, and a normal domain, maurodelossantos.ga. This is because my internet provider gives me a dynamic public IP, and I had to choose between paying a fee for a static public IP or configuring a DDNS with No-IP in my router, so I chose the latter. (I could also have configured a script that would send me an email or similar warning me of the IP change, and I would then have to change it manually in the domain configuration, but I discarded this option.)

So, the second one, http://maurodelossantos.ga, is configured with a 301 redirection to https://mauropi.ddns.net on the No-IP web page.

And the first one, http://mauropi.ddns.net, has the certificates and a 301 redirection in the nginx conf to https://mauropi.ddns.net.

So, in summary, I have:

Proxy the ACME challenges from maurodelossantos.ga to mauropi.ddns.net (via CNAME), perhaps?


Three out of four is not bad.
But I think you could have reached four out of four (or, at least, three and a half out of four).
With a CNAME from www.maurodelossantos.ga to mauropi.ddns.net.
And the base name could be switched manually with an A record (each time you get an email that your IP has changed).
OR

  • look for a DNS provider that could "redirect" the base name to an IP of the other FQDN (functioning like CNAME).
  • look for a DNS provider that allows updates via API and script an update to the base name yourself (each time the IP changes or sync it every hour if you like).

My point is there are solutions to the problem and you could use both domains securely (if you can put more effort into it - no more money is required).

In any case, I'm glad you can now serve your content securely and the IP will follow you on reboots :slight_smile:

Cheers from Miami :beers:



The names resolved to different IPs...


Still possible. Just means to run certbot on the other device. Porting the keys and such might not be ideal. Probably better to add an exception if using http-01.


(re)design it better.

