The client lacks sufficient authorization

#1

I’m aware that this has appeared many times, but no solution seems to work for me. I’m using the standalone plugin, no nginx or apache. The renewal worked for previous versions; now suddenly it doesn’t. It’s on an Alibaba server, and I think there are some problems with its configuration, because on other AWS servers it just works.

My domain is: cn.api.metamusic.ai

I ran this command: sudo certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/cn.api.metamusic.ai.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cn.api.metamusic.ai
Waiting for verification…

Exception happened during processing of request from ('::ffff:66.133.109.36', 46004, 0, 0)
Traceback (most recent call last):
File "/usr/lib/python3.5/socketserver.py", line 313, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib/python3.5/socketserver.py", line 341, in process_request
self.finish_request(request, client_address)
File "/usr/lib/python3.5/socketserver.py", line 354, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 206, in __init__
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)
File "/usr/lib/python3.5/socketserver.py", line 681, in __init__
self.handle()
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 215, in handle
BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
File "/usr/lib/python3.5/http/server.py", line 422, in handle
self.handle_one_request()
File "/usr/lib/python3.5/http/server.py", line 410, in handle_one_request
method()
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 221, in do_GET
self.handle_simple_http_resource()
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 246, in handle_simple_http_resource
self.end_headers()
File "/usr/lib/python3.5/http/server.py", line 524, in end_headers
self.flush_headers()
File "/usr/lib/python3.5/http/server.py", line 528, in flush_headers
self.wfile.write(b"".join(self._headers_buffer))
File "/usr/lib/python3.5/socket.py", line 593, in write
return self._sock.send(b)
ConnectionResetError: [Errno 104] Connection reset by peer

Cleaning up challenges
Attempting to renew cert (cn.api.metamusic.ai) from /etc/letsencrypt/renewal/cn.api.metamusic.ai.conf produced an unexpected error: Failed authorization procedure. cn.api.metamusic.ai (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cn.api.metamusic.ai/.well-known/acme-challenge/7aBEwd8iq_uRKuxtkXlvtxYScq_M17y7kVIDhRCXTR8 [120.26.102.220]: "\n\n<meta http-equiv="Content-Type" content="textml;charset=UTF-8" />\n body{background-color:#FFFFFF}". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cn.api.metamusic.ai/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cn.api.metamusic.ai/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cn.api.metamusic.ai
    Type: unauthorized
    Detail: Invalid response from
    http://cn.api.metamusic.ai/.well-known/acme-challenge/7aBEwd8iq_uRKuxtkXlvtxYScq_M17y7kVIDhRCXTR8
    [120.26.102.220]: "\n\n<meta
    http-equiv="Content-Type" content="textml;charset=UTF-8" />\n
    body{background-color:#FFFFFF}"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): none? did not need until now

The operating system my web server runs on is (include version): ubuntu 16

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

#2

Hi @MeerKatDev

there are two problems ( https://check-your-website.server-daten.de/?q=cn.api.metamusic.ai ): Your ipv6

Host                     T     IP-Address                is auth.  ∑ Queries  ∑ Timeout
cn.api.metamusic.ai      A     120.26.102.220            yes       1          0
                         AAAA  fe80::216:3eff:fe11:8cb1  yes
www.cn.api.metamusic.ai        Name Error                yes       1          0

is a link local address, not a public, worldwide unique ip address. Letsencrypt may ignore that error.

Critical:

Domainname                                                   IP               Http-Status  redirect  Sec.   G
http://cn.api.metamusic.ai/                                  120.26.102.220   -2                     1.677  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 120.26.102.220:80
https://cn.api.metamusic.ai/                                 120.26.102.220   200                    3.530  B
http://cn.api.metamusic.ai/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                                             120.26.102.220   -2                     1.640  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 120.26.102.220:80
Visible Content:

Your port 80 is blocked. Port 80 must be open if you want to use http-01 validation.

Perhaps you have used tls-sni-01 validation (port 443); that’s deprecated, no longer supported.

#3

Hi, thank you very much. And is it possible to verify through some other port other than 80?

#4

You can use tls-alpn-01 - validation. But Certbot doesn’t support that.

Or dns-01 - validation, then a dns entry is required.

Check

and

A closed port 80 isn’t a “more secure system”. You can add redirects http -> https.

#5

Unluckily it’s not me deciding for that port. It’s blocked due to external reasons (Chinese law).
What do I run for renewal with dns? I searched by and large but all I’ve found is about only creation with dns-01.
And how do I get the token to put in the TXT record? I understand that it should be called _acme-challenge.cn.api (?), right?

#6

That’s the same.

Start

certbot -d cn.api.metamusic.ai --preferred-challenges dns --manual

then Certbot shows the txt entry you have to use.
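The checks from the diagnosis in post #2 and the dns-01 switch in post #6, as an added example that is not part of this thread or of Certbot: the script classifies each A/AAAA record (a fe80::/10 address is link-local and can never be reached by the CA), probes port 80 on the public A record, and, when port 80 is refused, names the `_acme-challenge` TXT record the dns-01 path needs. The DNS records are passed in as a constructed dict so the script runs offline; the sample values are the ones reported in the thread. `dns01_txt_value` is the RFC 8555 §8.4 derivation of the TXT value from the challenge token and the account key thumbprint (both hypothetical inputs here); in `--manual` mode Certbot prints that value for you, so it is shown only to explain what the "token" in post #5 is.

```python
import base64
import hashlib
import ipaddress
import socket
from typing import Callable, Dict, List


def classify_address(addr: str) -> str:
    """Say whether an A/AAAA record value can be reached by an external validator."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"      # fe80::/10 (or 169.254/16): never routed on the internet
    if ip.is_loopback or ip.is_private:
        return "non-routable"
    return "global"


def port_open(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Live TCP connect test, the same thing the CA's validator must be able to do."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http01_url(domain: str, token: str) -> str:
    """URL the CA fetches for http-01; it must answer on plain port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def acme_txt_name(domain: str) -> str:
    """Owner name of the dns-01 TXT record for a domain (full name, not just _acme-challenge.cn.api)."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token '.' thumbprint)) without padding.
    Certbot computes and prints this in --manual mode; token/thumbprint here are hypothetical."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def precheck(domain: str, records: Dict[str, List[str]],
             probe: Callable[[str, int], bool] = port_open) -> List[str]:
    """Return human-readable findings; an empty list means http-01 should be able to succeed."""
    findings: List[str] = []
    for rtype in ("A", "AAAA"):
        for addr in records.get(rtype, []):
            verdict = classify_address(addr)
            if verdict != "global":
                findings.append(f"{rtype} record {addr} is {verdict}; the CA cannot reach it")
    for addr in records.get("A", []):
        if classify_address(addr) == "global" and not probe(addr, 80):
            findings.append(
                f"port 80 on {addr} refused the connection: http-01 will fail, "
                f"use dns-01 (TXT record at {acme_txt_name(domain)}) instead")
    return findings


if __name__ == "__main__":
    # Constructed sample: the records reported by check-your-website in post #2.
    sample_records = {"A": ["120.26.102.220"], "AAAA": ["fe80::216:3eff:fe11:8cb1"]}
    for line in precheck("cn.api.metamusic.ai", sample_records):
        print("-", line)
    print("http-01 URL would be:", http01_url("cn.api.metamusic.ai", "<token>"))
    print("dns-01 record name:", acme_txt_name("cn.api.metamusic.ai"))
```

Running it with the real `port_open` probe reproduces the ConnectFailure seen in post #2 as a finding; passing `probe=lambda h, p: False` lets you exercise the same logic without network access.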
