The client lacks sufficient authorization problem

#1

My domain is: aya.nl

I ran this command:

sudo certbot --nginx -d aya.nl -d www.aya.nl --test-cert

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aya.nl
http-01 challenge for www.aya.nl
nginx: [warn] conflicting server name "www.aya.nl" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "aya.nl" on 0.0.0.0:80, ignored
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. aya.nl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://aya.nl/.well-known/acme-challenge/v6G3wwa_cS1_KztmIXfHCAPDsXIJv1QO5mW32Xr_5Qg: "<!doctype html>\n <html lang="nl">\n \n <meta charset="utf-8">\n <meta name="viewport" content="width=devi", www.aya.nl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.aya.nl/.well-known/acme-challenge/Q8KN6WK82Hze7XHKlIsFiPhAl9K9ZL5w8XgcDrYwkF0: "<!doctype html>\n <html lang="nl">\n \n <meta charset="utf-8">\n <meta name="viewport" content="width=devi"

IMPORTANT NOTES:

My web server is (include version):
nginx 1.10.3

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
digitaloceaan

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0

The weird thing is that other domains on the same server, with the same virtual host configuration, are working fine. I can make certificates for those domains, but only aya.nl doesn't work.

I must say I changed the DNS yesterday, is there some DNS cache? Do I need to wait more than 24 hours?

I tried to make the directory: http://www.aya.nl/.well-known/acme-challenge/test.txt.

I tried this in the virtual host conf:

location ~ /.well-known/acme-challenge {
    allow all;
}

But these actions are not working, and with other domains I have never had problems with things like acme.

#2

Hi @matthijs-neijenhuijs

this isn't relevant. Letsencrypt uses the authoritative nameservers, so the current entries are used.

Your main configuration ( https://check-your-website.server-daten.de/?q=aya.nl ) is ok:

| Domainname | IP | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|---|
| http://aya.nl/ | 178.62.195.34 | 200 | | 0.313 | H | |
| http://www.aya.nl/ | 178.62.195.34 | 200 | | 0.093 | H | |
| https://aya.nl/ | 178.62.195.34 | -4 | | 0.064 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream. |
| https://www.aya.nl/ | 178.62.195.34 | -4 | | 0.063 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream. |
| http://aya.nl:443/ | 178.62.195.34 | -3 | | 0.060 | A | ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. |
| http://www.aya.nl:443/ | 178.62.195.34 | -3 | | 0.050 | A | ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. |
| http://aya.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 178.62.195.34 | 404 | | 0.077 | A | Not Found |
| http://www.aya.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 178.62.195.34 | 404 | | 0.080 | A | Not Found |

Port 80 is open, there is the expected answer http status 404 when fetching a file in /.well-known/acme-challenge.

But this

isn’t good. You have different definitions with the same server name, so Certbot doesn’t know which vHost is used. So maybe your first step: Fix this configuration.

And / or directly use the root definition from your vHost:

sudo certbot --webroot -w YourWebroot -d aya.nl -d www.aya.nl --test-cert

To check you have found your correct webroot, create the two directories

yourwebroot/.well-known/acme-challenge

put a file there (file name 1234), then try to load this file with your browser

http://aya.nl/.well-known/acme-challenge/1234
http://www.aya.nl/.well-known/acme-challenge/1234

Then the webroot version should work.
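The "conflicting server name ... ignored" warnings in the first post mean two server blocks claim the same name on the same port, and nginx silently keeps only the first one, which is why the nginx authenticator cannot tell where to place the challenge. The following script is an added example (not from this thread or from Certbot) that reads the effective configuration, as `nginx -T` prints it, and lists every server name declared more than once. The sample configuration at the bottom is constructed for the demonstration; the check counts names across all ports, so a name legitimately used on both :80 and :443 in separate blocks will also be reported and must be judged by hand.

```shell
#!/bin/sh
# Added example: report server names that appear in more than one server_name
# directive. Feed it the effective config: sudo nginx -T | find_duplicate_server_names
# Caveat: it does not distinguish listen ports; review each reported name.

find_duplicate_server_names() {
  # Reads nginx configuration text on stdin, prints duplicated names, one per line, sorted.
  awk '
    /^[[:space:]]*#/ { next }                  # skip comment lines
    /^[[:space:]]*server_name[[:space:]]/ {
      sub(/;.*$/, "")                          # drop the ";" and any trailing comment
      for (i = 2; i <= NF; i++) count[$i]++    # every token after "server_name" is a name
    }
    END { for (n in count) if (count[n] > 1) print n }
  ' | sort
}

# Constructed sample: two sites-available files both claiming aya.nl, plus a healthy vhost.
SAMPLE_CONFIG='
server {
    listen 80;
    server_name aya.nl www.aya.nl;
    root /var/www/aya.nl;
}
server {
    listen 80;
    server_name foodelicious.nl www.foodelicious.nl;
    root /var/www/foodelicious.nl;
}
server {
    listen 80;
    server_name aya.nl www.aya.nl; # stale copy of the same vhost
    root /var/www/old-aya;
}
'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | find_duplicate_server_names
```

Once the duplicate block is removed and `nginx -t` passes cleanly, the `--nginx` authenticator can locate a single vhost for the name again; until then the webroot workaround from the post above sidesteps the ambiguity.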

#3

I did what you told me and it works. But why are these actions not required for the other domains on the server? There it just works without --webroot.

I just have in my sites-available directory a file aya.nl with this:

server_name aya.nl www.aya.nl;

I have also for example a conf called foodelicious.nl and there certbot is working without making directories like well-known.

1 Like
#4

Happy to read that it has worked.

That

is a problem.

1 Like
closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.