The client lacks sufficient authorization problem


#1

Hi,
I’ve just built up letsencrypt and just have a first step trying to use it,
but got stuck at this problem.

Failed authorization procedure. mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/mkRepxXg1tXmZrPoRlCQgMvecVvX4zFTmXE2DB2Z2BQ [211.72.193.169]: 404

Here’s the command I used:

./letsencrypt-auto --agree-dev-preview -d mydomain.com --server https://acme-v01.api.letsencrypt.org/directory certonly

Do I need to mail the server of my domain to be added to a whitelist at the server?
My environment is CentOS 7, thanks a lot!

Btw, I just realized something and am a little bit worried about it:

  1. Do I really need access to the web server of the domain I used,
    or can I use another server to get a CA for a different domain?
  2. Cuz it needs to log the IP as having requested this certificate, but I’m using an internal IP. Can I use an FQDN as a substitution?

#2

Just follow: Tutorial for OS X local certificates and Shared Hosting

Works for OSX, should have no issues in CentOS as long as you have sudo/root access. I did this on my laptop behind a VPN and honestly, it doesn’t matter. Worked fine for my domain on a shared web host. Move the certs to where you need them afterwards. :smile:

You have to create 2 validation files in /public_html/.well-known/acme-challenge else validation will fail, assuming public_html is your root directory. Both files need to have the naming it requires and contain the code it provides.

Example:
file 1
name and location: public_html/.well-known/acme-challenge/pMN4blqL5Nzvr4I59vSbpMN4blqL5Nzvr4I59vSb
contains: pMN4blqL5Nzvr4I59vSbpMN4blqL5Nzvr4I59vSb.iBdbhb2I-Yg-HHtsR7JJTHaiBdbhb2I-Yg-HHtsR7JJTHa

file 2
name and location: public_html/.well-known/acme-challenge/HtsR7JJTHa9q1mGPFtR8HtsR7JJTHa9q1mGPFtR8
contains: HtsR7JJTHa9q1mGPFtR8HtsR7JJTHa9q1mGPFtR8.5Nzvr4I59vSbSvbwV5Nzvr4I59vSbSvbwV

Let me know if this makes any sense.
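The layout described in this reply can be checked before asking the CA to validate. The following is an added example, not part of the original posts or of the letsencrypt client: it verifies that each challenge file exists under the webroot and holds exactly the `<token>.<thumbprint>` value, and `probe` repeats the check over HTTP the way the validation server fetches it. The function names and the token and thumbprint values are assumptions constructed for illustration.

```python
import re
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet, no padding

def body_problems(token, key_authorization, body):
    """Compare a served body with the expected '<token>.<thumbprint>' value."""
    problems = []
    if not TOKEN_RE.match(token):
        problems.append("token has characters outside the base64url alphabet")
    if not key_authorization.startswith(token + "."):
        problems.append("key authorization does not start with '<token>.'")
    # RFC 8555 lets the CA ignore trailing whitespace (an editor's final newline).
    if body.rstrip() != key_authorization:
        problems.append("file content differs from the key authorization")
    return problems

def check_webroot(webroot, challenges):
    """challenges maps token -> key authorization, one entry per domain name."""
    report = {}
    for token, key_authorization in challenges.items():
        path = Path(webroot) / CHALLENGE_DIR / token
        if path.is_file():
            report[token] = body_problems(token, key_authorization, path.read_text())
        else:
            report[token] = [f"missing file, the server would answer 404: {path}"]
    return report

def probe(base_url, token, key_authorization):
    """Fetch the challenge URL over plain HTTP, as the validation server does."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as response:
            return body_problems(token, key_authorization, response.read().decode())
    except urllib.error.HTTPError as err:
        return [f"HTTP {err.code} from {url}"]

if __name__ == "__main__":
    # Constructed sample values: two tokens (one per domain name), one thumbprint.
    wanted = {t: f"{t}.CONSTRUCTED-THUMBPRINT" for t in ("tokenForApex", "tokenForWww")}
    with tempfile.TemporaryDirectory() as root:
        folder = Path(root) / CHALLENGE_DIR
        folder.mkdir(parents=True)
        (folder / "tokenForApex").write_text(wanted["tokenForApex"] + "\n")
        print(check_webroot(root, wanted))  # second token is reported as missing
```

Run `check_webroot` against the real `public_html` directory with the tokens the client printed, then `probe("http://yourdomain.com", token, key_authorization)` from another machine to confirm the file is reachable from outside.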


#3

Thanks a lot for replying to my questions; it does work and successfully generates the pem file!
But there’s another question that I can’t get: is it 2 validations that I need to do?
When I was running letsencrypt-auto, it only generated one pair. Is that correct?
Or does it mean the domain and its sub-domain?

Really thanks!


#4

I figured it out from the article you posted and got the answer:

If you defined the domain with “yourdomain.com” and “www.yourdomain.com” (you should), Let’s Encrypt will ask for a second verification. Just repeat the step above with the second verification code. Now you can close your SSH Terminal window with: exit

So it needs two verifications indeed.