The client lacks sufficient authorization

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: laragate.com

I ran this command:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.laragate.com -d laragate.com

It produced this output:
The client lacks sufficient authorization
My web server is (include version):
apache2
The operating system my web server runs on is (include version):
linuxmint 19
My hosting provider, if applicable, is:
self
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I am running a web server for multiple virtual domains using drupal7. I have a separate server which is the primary DNS server with a number of secondaries from a third party.

I have full access to both servers.

Please provide the entire output.

Also:

Where did you get this ancient version of Certbot? It's currently at 2.9.0!

2 Likes

I followed the manual and downloaded it today from the certbot repository

repository in apt added today: certbot-certbot-bionic.list

tail of letsencrypt.log:

tail letsencrypt.log
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. laragate.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "qw9EM2CYri-nMEA7PighPBk2c03fYRPYBjkUPw1hVD4" (and 1 more) found at _acme-challenge.laragate.com, laragate.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "hI2cB8q7mugcugdBLhA48ZX254u-kmIx2e90bD5Xq1I" (and 1 more) found at _acme-challenge.laragate.com

I suspect this could be due to the server running multiple virtual websites via drupal7. There are no well-known files in any of the virtual server folders. laragate.com is one of the virtual websites/servers.

Try to run Certbot with --debug-challenges and check if all TXT records are being added. It might be a little bit slow, because currently I'm seeing eh75mrCM4wq7YP4TGwTqPPr0vDW2i57lGXOG5fmG9RQ and mQ0lV5n-wo69uyUD584QAlhPsx-7p2AfFn-uU9iuols at 2927124e-8203-4977-8f14-fa0a0d97bf6c.auth.acme-dns.io (which is where your _acme-challenge label redirects to using a CNAME), and not the qw9EM2CYri-nMEA7PighPBk2c03fYRPYBjkUPw1hVD4 from the error message.

2 Likes
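The check described in the reply above (follow the _acme-challenge CNAME to the acme-dns name, then compare the TXT values published there with the ones in Certbot's error message), as an added example that is not code from any poster or from Certbot/acme-dns. The resolver is injected so the demo runs offline against a constructed zone built from the values quoted in this thread; `dnspython_resolver` is an optional adapter for live lookups and assumes the dnspython package.

```python
"""DNS-01 sanity check: follow the _acme-challenge CNAME and compare published TXT values with expected ones."""
from typing import Callable, Dict, List, Set

# A resolver is any callable (name, rrtype) -> list of rdata strings, so the check runs
# against the constructed zone below or, via dnspython_resolver(), against real DNS.
Resolver = Callable[[str, str], List[str]]

def _fqdn(name: str) -> str:
    return name.rstrip(".").lower() + "."

def resolve_challenge_owner(domain: str, resolver: Resolver, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<domain> to the name that must hold the TXT records."""
    name = _fqdn(f"_acme-challenge.{domain}")
    for _ in range(max_hops):
        targets = resolver(name, "CNAME")
        if not targets:
            return name
        name = _fqdn(targets[0])
    raise RuntimeError(f"CNAME chain from _acme-challenge.{domain} exceeds {max_hops} hops")

def check_dns01(domain: str, expected: Set[str], resolver: Resolver) -> Dict[str, object]:
    """'missing' = values the CA wants but cannot see; 'stale' = published values it did not ask for."""
    owner = resolve_challenge_owner(domain, resolver)
    found = {v.strip('"') for v in resolver(owner, "TXT")}
    return {"owner": owner, "found": found, "missing": expected - found,
            "stale": found - expected, "ok": expected <= found}

def dnspython_resolver(name: str, rrtype: str) -> List[str]:
    """Live-lookup adapter (needs dnspython, imported lazily so the offline demo runs without it)."""
    import dns.resolver  # type: ignore
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rrtype)]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []

# Constructed zone mirroring the thread: the CNAME points at acme-dns, but the TXT values
# there are the two the replying poster saw, not the ones in Certbot's error message.
ACME_DNS_NAME = "2927124e-8203-4977-8f14-fa0a0d97bf6c.auth.acme-dns.io."
SAMPLE_ZONE = {
    ("_acme-challenge.laragate.com.", "CNAME"): [ACME_DNS_NAME],
    (ACME_DNS_NAME, "TXT"): ['"eh75mrCM4wq7YP4TGwTqPPr0vDW2i57lGXOG5fmG9RQ"',
                             '"mQ0lV5n-wo69uyUD584QAlhPsx-7p2AfFn-uU9iuols"'],
}
EXPECTED = {"qw9EM2CYri-nMEA7PighPBk2c03fYRPYBjkUPw1hVD4", "hI2cB8q7mugcugdBLhA48ZX254u-kmIx2e90bD5Xq1I"}

def sample_resolver(name: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((_fqdn(name), rrtype), [])

if __name__ == "__main__":
    print(check_dns01("laragate.com", EXPECTED, sample_resolver))
```

Running it against the constructed zone reports both expected values as missing and both published ones as stale, which is exactly the "Incorrect TXT record ... (and 1 more)" situation; swap in `dnspython_resolver` to run the same check against live DNS.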

I have the correct CNAME installed in the domain.

I have spent a bunch of time and even installed a snap package to hopefully get a recent version.

From what I see, the problem is that I am running an Apache2 server and have multiple virtual domains under the drupal7 /sites folder. The sites run fine, but they are all HTTP because I don't have certificates and have not modified the Apache config files for encryption.

The certbot processing wants a /well-known folder with the sub-directory. Certbot can't find the well-known location, so it fails.

What I need is specific instructions on how to work with a drupal7 installation with multiple virtual domains. If that's not available, I am not going to play trial & error to reverse engineer this. I will just have to generate self-signed certificates for each virtual domain and live with browser complaints about the certificates.

Any help is appreciated, but I have tried many things so far and tried to understand the diagnostics.

Please show:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

root@sylvester:/etc# apachectl -t -D DUMP_VHOSTS
[Sun Feb 25 07:15:08.382408 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name springsdanceclub.org -- ignoring!
[Sun Feb 25 07:15:08.424940 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name springsdanceclub.com -- ignoring!
[Sun Feb 25 07:15:08.473272 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name douglas-bruce.com -- ignoring!
[Sun Feb 25 07:15:08.608057 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name microsmartdigi.com -- ignoring!
AH00112: Warning: DocumentRoot [/var/www/html/usd/] does not exist
AH00112: Warning: DocumentRoot [/var/www/html/usd/] does not exist
AH00112: Warning: DocumentRoot [/var/www/html/pei/] does not exist
[Sun Feb 25 07:15:08.765063 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name ReformCityHall.com -- ignoring!
[Sun Feb 25 07:15:08.806474 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name 719Painter.com -- ignoring!
[Sun Feb 25 07:15:08.847537 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name noraintax.net -- ignoring!
[Sun Feb 25 07:15:09.839632 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name pra2022.com -- ignoring!
[Sun Feb 25 07:15:09.883705 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name 603knick.com -- ignoring!
[Sun Feb 25 07:15:09.921965 2024] [core:error] [pid 6201] (EAI 2)Name or service not known: AH00547: Could not resolve host name VoteNoCC.com -- ignoring!
VirtualHost configuration:
65.124.153.166:80 is a NameVirtualHost
default server www.thecfbc.com (/etc/apache2/conf-enabled/httpd.conf:3)
port 80 namevhost www.thecfbc.com (/etc/apache2/conf-enabled/httpd.conf:3)
port 80 namevhost www.finaq.com (/etc/apache2/conf-enabled/httpd.conf:21)
port 80 namevhost www.307re.com (/etc/apache2/conf-enabled/httpd.conf:40)
port 80 namevhost www.northgateresources.com (/etc/apache2/conf-enabled/httpd.conf:57)
port 80 namevhost www.TheDailyEagle.com (/etc/apache2/conf-enabled/httpd.conf:92)
port 80 namevhost www.thecfbc.com (/etc/apache2/conf-enabled/httpd.conf:231)
port 80 namevhost www.petitionrights.com.com (/etc/apache2/conf-enabled/httpd.conf:285)
port 80 namevhost www.pra2024.com (/etc/apache2/conf-enabled/httpd.conf:340)
port 80 namevhost www.juneheimsoth.com (/etc/apache2/conf-enabled/httpd.conf:370)
port 80 namevhost www.thedailyeagle.com (/etc/apache2/conf-enabled/httpd.conf:391)
port 80 namevhost www.inferential.com (/etc/apache2/conf-enabled/httpd.conf:411)
port 80 namevhost www.hh-no.com (/etc/apache2/conf-enabled/httpd.conf:465)
port 80 namevhost www.zefcatt.com (/etc/apache2/conf-enabled/httpd.conf:483)
port 80 namevhost www.jsigrill.com (/etc/apache2/conf-enabled/httpd.conf:501)
port 80 namevhost www.acwcp.com (/etc/apache2/conf-enabled/httpd.conf:519)
port 80 namevhost www.laragate.com (/etc/apache2/conf-enabled/httpd.conf:537)
port 80 namevhost forcongress.douglasbruce.com (/etc/apache2/conf-enabled/httpd.conf:555)

Had a few dead virtual hosts

I'd fix each one of those problems before continuing.

2 Likes

The dead virtual hosts are not the problem. I was only trying to use the tool for a single virtual host. I have in fact removed a few of the dead hosts, but will leave the others in the HTTP config for the time being.

The problem is in the verification process because the tool can't handle a drupal7 installation. Unless there is some documentation about how to use the tool in my server, I will have to abandon the tool and just generate self-signed individual certificates.

Thanks anyway.
Fred

1 Like

If you can specify the document root path, you may be able to use --webroot.
See: User Guide — Certbot 2.10.0.dev0 documentation (eff-certbot.readthedocs.io)

You should do all your testing against the LE staging environment [not LE production].
You can also test access with a couple of simple steps:

  1. place a test text file in the expected challenge location:
    <domain document root path>/.well-known/acme-challenge/<test file name>

  2. browse to that file location from elsewhere [via the Internet]
    http://your-domain-name/.well-known/acme-challenge/test-file-name

1 Like

Why are you worried about the acme challenge files on the web server anyway? The first post showed trying to use a DNS challenge.

Have I missed something?

2 Likes

You may have missed this post:

1 Like

I didn't miss it. I just thought they misinterpreted the reason for the failure. I never saw any example of them using an http challenge.

2 Likes

Lack of information will create these divergences :(

1 Like

Yeah, it is confusing. Post number one showed a DNS challenge. Post number 6 showed part of a log from a DNS challenge failing. And then in post number seven they guessed there was a problem with their web server and the ACME challenge folder.

2 Likes