The client lacks sufficient authorization

My domain is: kidscreativeworld.com

I ran this command: sudo certbot --nginx -d kidscreativeworld.com -d www.kidscreativeworld.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kidscreativeworld.com
http-01 challenge for www.kidscreativeworld.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.kidscreativeworld.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.kidscreativeworld.com/.well-known/acme-challenge/u4DsyteXPIv_WCk7OQ3MjsfDiB_b2zzj-DKbq2l1P3A [2604:a880:400:d1::9b9:e001]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
", kidscreativeworld.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kidscreativeworld.com/.well-known/acme-challenge/hsiJ2fr6k_XqdS3twjbaIAWGCNPYgzOD37N1yq8S3Zk [2604:a880:400:d1::9b9:e001]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n

IMPORTANT NOTES:

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

This is a brand new droplet with only LEMP and phpmyadmin installed, and I’ve read a lot of examples to see if I can figure out why this isn’t working, but I ran out of ideas. I have set A, AAAA and CNAME records for the site, and I have the same configuration in the server block as on other domains in different droplets where adding a certificate works.

I’ve checked https://check-your-website.server-daten.de/?q=kidscreativeworld.com to see if I can find any information, and what caught my attention is that I have a “connection failure”. I have no idea why, since my ufw has Nginx Full enabled.

On the other hand, I have a similar response on another domain which is on a different droplet, but there I don’t have a connection failure.

So, with a huge lack of ideas on how to proceed, I’m asking for some help here.


Hi @Hrenky

The "connection failure" isn't relevant; that's the https check. If you don't have a working certificate, that's expected.

The test shows a critical problem:

http://kidscreativeworld.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
142.93.243.191, Status 301

http://kidscreativeworld.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2604:a880:400:d1::9b9:e001, Status 404

configuration problem - different ip addresses with different status

Looks like your ipv6 isn't configured, so another server or vHost / server block answers.

  • Remove your ipv6 entry (or)
  • add a file in /.well-known/acme-challenge with a random filename, then try to check that file directly with the online tool to see if ipv4 and ipv6 have the same content

Yep, removing the ipv6 entry did the trick, but I do have to ask why?

This droplet is based in NYC, so there’s a possibility of something being different, but the rest of my droplets are based in Frankfurt, and on 3 domains setting ipv6 didn’t cause any problems, but on 1 it did, so I gotta say that I’m confused at this point.


Read your new check with the test file - https://check-your-website.server-daten.de/?q=kidscreativeworld.com%2F.well-known%2Facme-challenge%2Ftest.txt

http + ipv4 + non-www has a redirect -> http + www
http + ipv6 + non-www has an http status 404 - Not Found.

So there are two options:

  • ipv4 and ipv6 -> different machines, another nginx answers (or)
  • ipv4 + ipv6 -> same machine, your server block doesn't work with ipv6 or another server block answers.

Check

nginx -T

to see if there is a Listen [::] directive.

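As an added example (not code from this thread, from Certbot or from nginx), here is a small POSIX shell script that does the two checks this post describes: it fetches a challenge-path file over ipv4 only and ipv6 only and compares the status codes, and it reads nginx -T output and reports, per server block, whether the block has an ipv4 listen and a listen [::] directive. It assumes curl and awk are installed; the host and token arguments are placeholders, and SAMPLE_CONFIG is a constructed config that reproduces the mismatch above, not the poster's real configuration.

```shell
#!/bin/sh
# Added example, not from this thread. Two checks for the ipv4/ipv6 mismatch discussed above:
#  1. fetch a challenge-path URL over ipv4 only and ipv6 only and compare the status codes
#  2. read nginx config text (e.g. piped from `nginx -T`) and report, per server block,
#     whether it has an ipv4 listen and a `listen [::]` (ipv6) directive.
# Assumes curl and awk are installed. SAMPLE_CONFIG is constructed, not the poster's config.

# HTTP status for URL when curl is forced to one IP family (4 or 6); "000" when it cannot connect.
status_for_family() {
  curl -"$1" -s -o /dev/null -w '%{http_code}' --max-time 10 "$2" 2>/dev/null || true
}

# Classify a pair of ipv4/ipv6 status codes the way the online check in the thread does.
classify() {
  if [ "$1" = "$2" ]; then
    echo "consistent: both families answer $1"
  elif [ "$2" = "000" ]; then
    echo "ipv6 unreachable: drop the AAAA record or fix the ipv6 interface/firewall"
  else
    echo "configuration problem: ipv4=$1 ipv6=$2 (another server block answers on ipv6)"
  fi
}

# Fetch http://HOST/.well-known/acme-challenge/TOKEN over each family and classify the result.
check_challenge_path() {
  url="http://$1/.well-known/acme-challenge/${2:-test.txt}"
  v4=$(status_for_family 4 "$url")
  v6=$(status_for_family 6 "$url")
  echo "ipv4=$v4 ipv6=$v6"
  classify "$v4" "$v6"
}

# Read nginx config on stdin; print "<server_name> ipv4=y|n ipv6=y|n" for each server block.
# Brace depth is tracked so nested location blocks do not end the server block early.
audit_ipv6_listen() {
  awk '
    {
      line = $0
      if (!in_server && line ~ /^[ \t]*server[ \t]*[{]/) {
        in_server = 1; depth = 0; name = "(no server_name)"; v4 = "n"; v6 = "n"
      }
      if (in_server) {
        if (line ~ /^[ \t]*server_name[ \t]/) {
          n = line
          sub(/^[ \t]*server_name[ \t]+/, "", n); sub(/[ \t]*;.*/, "", n)
          name = n
        }
        if (line ~ /^[ \t]*listen[ \t]/) { if (line ~ /\[::\]/) v6 = "y"; else v4 = "y" }
        depth += gsub(/[{]/, "{", line)
        depth -= gsub(/[}]/, "}", line)
        if (depth == 0) { print name " ipv4=" v4 " ipv6=" v6; in_server = 0 }
      }
    }'
}

# Constructed sample: the default block listens on both families, the site block on ipv4 only,
# so an ipv6 request for the site falls through to the default block and gets its 404.
SAMPLE_CONFIG='server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/www/html;
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 80;
    server_name kidscreativeworld.com www.kidscreativeworld.com;
    root /var/www/kidscreativeworld;
    location /.well-known/acme-challenge/ { root /var/www/kidscreativeworld; }
}'

# Usage:  sh check.sh                          -> audit the constructed sample config
#         nginx -T 2>/dev/null | sh check.sh - -> audit the live config
#         sh check.sh example.com test.txt     -> live ipv4/ipv6 fetch of a challenge file
case "${1:-}" in
  "") printf '%s\n' "$SAMPLE_CONFIG" | audit_ipv6_listen ;;
  -)  audit_ipv6_listen ;;
  *)  check_challenge_path "$@" ;;
esac
```

A server block reported as ipv4=y ipv6=n is exactly the situation in the thread: nginx on Linux binds listen [::]:80 as ipv6-only by default, so a block needs both a listen 80; and a listen [::]:80; line to answer the same name on both families, and if only the default block has the [::] line, every ipv6 request for the site lands there instead.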

I'm guessing that if it's the 1st choice then there's nothing much I can do.

Considering the possibility of the 2nd choice, I checked nginx -T and the only listen directives I found were in the default server block. I never assumed that it could be linked to another block.

