The client lacks sufficient authorization

My domain is: eh-uat.mdtlabs.org

I ran this command:

letsencrypt certonly --webroot -w /home/ubuntu/mdtlabs -d eh-uat.mdtlabs.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): rajkumar@gmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eh-uat.labsplatform.com
Using the webroot path /home/platform/letsencrypt_certificate/labsplatform for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. eh-uat.labsplatform.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://eh-uat.labsplatform.com/.well-known/acme-challenge/lTkZTrzHDu4IwThy4xJjRQggJcxUlRm6CfETTDsxkZM [35.154.246.116]: "<!doctype html><html lang="en"><meta charset="utf-8"/><link rel="shortcut icon" href="/favicon.ico"/><meta name="viewport""

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: eh-uat.labsplatform.com
    Type: unauthorized
    Detail: Invalid response from
    http://eh-uat.labsplatform.com/.well-known/acme-challenge/lTkZTrzHDu4IwThy4xJjRQggJcxUlRm6CfETTDsxkZM
    [35.154.246.116]: "<!doctype html><html lang="en"><meta
    charset="utf-8"/><link rel="shortcut icon"
    href="/favicon.ico"/><meta name="viewport""

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): Using AWS ELB

The operating system my web server runs on is (include version): Operating System is ubuntu 18.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, Google Domain

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0


Hi,

If you are using AWS Elastic Load Balancing and are trying to request a Let's Encrypt certificate for your machines behind ELB, you'll need to make sure each server has a copy of the challenge file, because ELB doesn't guarantee which server will be selected to serve the request.

I'm not sure what your exact usage is here, but if you want to use that Let's Encrypt certificate on the ELB, you might want to take a look at AWS's ACM feature, which allows you to request certificates for use on ELB or CloudFront (and other instances).

Thank you


Hi,
Currently I am pointing only one server to the ELB.

And do we need to put a challenge file in the server manually, or will it be generated automatically? It will be generated automatically, right?

That's the issue.
If you have only one server under the ELB and use Let's Encrypt, there'll probably be no issue (if you run the client on that server and it's configured correctly to serve those requests).
However, an ACME client generally won't copy the files to other servers, which means the challenge file will only be created on the server where you run that script. Thus, if the ELB serves that content through another server on any of the validations (Let's Encrypt performs multiple attempts to validate that file), the whole process will fail.

However, i don't have that much experiences with ELB, and there might be some other ways to resolve this issue and still use Let's Encrypt... I just stopped there and choose not to bother myself with renewals and use ACM. (Since ACM asks you to use a CNAME record to point a specific record to a aws domain, and as long as that record exists, ACM will renew that certificate)

This is why I think it will make your life easier if you use AWS's own certificate manager (ACM) with ELB.
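The two replies above describe the failure mode: the webroot file exists on one backend only, while another backend (or a catch-all route that returns the site's HTML, as in the original post's error) answers the validation request. The following POSIX shell pre-check is an added example, not code from this thread or from Certbot: it writes a throwaway file into the challenge path, fetches it through the public hostname several times so that each ELB backend is likely to be hit, and classifies each response. DOMAIN, WEBROOT, PROBES and the function names are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Added example, not from this thread: before running certbot --webroot behind an ELB,
# place a throwaway file in the challenge path and fetch it via the public hostname
# several times. If any fetch returns HTML instead of the file, at least one backend
# (or a catch-all route such as a SPA index.html) is not serving the webroot.
# DOMAIN, WEBROOT and PROBES are placeholders; set them for your environment.
DOMAIN="${DOMAIN:-eh-uat.example.invalid}"
WEBROOT="${WEBROOT:-/var/www/html}"
PROBES="${PROBES:-10}"

# 0 = exact token came back, 1 = an HTML document came back, 2 = anything else.
classify_body() {
    expected="$1"; body="$2"
    [ "$body" = "$expected" ] && return 0
    case "$body" in
        *'<!doctype html'*|*'<!DOCTYPE html'*|*'<html'*) return 1 ;;
        *) return 2 ;;
    esac
}

# Write a probe file under the directory certbot's webroot plugin uses; echo its name.
place_probe_token() {
    dir="$WEBROOT/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" && printf '%s' "$token"
}

# Fetch the probe PROBES times; succeed only if every response was the token itself.
probe_elb() {
    token="$(place_probe_token)" || { echo "cannot write under $WEBROOT" >&2; return 2; }
    i=0; ok=0; html=0; other=0
    while [ "$i" -lt "$PROBES" ]; do
        body="$(curl -fsS --max-time 10 "http://$DOMAIN/.well-known/acme-challenge/$token" || true)"
        rc=0; classify_body "$token" "$body" || rc=$?
        case "$rc" in 0) ok=$((ok+1)) ;; 1) html=$((html+1)) ;; *) other=$((other+1)) ;; esac
        i=$((i+1))
    done
    rm -f "$WEBROOT/.well-known/acme-challenge/$token"
    echo "token served: $ok, HTML page served: $html, other: $other (of $PROBES)"
    [ "$ok" -eq "$PROBES" ]
}

# Only touch the network when asked: RUN_PROBE=1 DOMAIN=... WEBROOT=... sh probe.sh
if [ "${RUN_PROBE:-0}" = 1 ]; then probe_elb; fi
```

A non-zero exit from probe_elb means the validation would be served from a backend without the file (or by a route that swallows the path), so fix the webroot on every instance behind the ELB before retrying certbot.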

Hi stevenzhu,

Thanks for the feedback. Let me try to use one machine with the ELB. If the certificate is generated successfully, then I will attach one more machine to my ELB. In that case it will work, I guess.
