Trying renew after installation fails with 'lacks sufficient authorization'

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.gratwifi.eu
I ran this command:
certbot --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/gratwifi.eu.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beta.gratwifi.eu
http-01 challenge for dashboard.gratwifi.eu
http-01 challenge for portal.gratwifi.eu
http-01 challenge for gratwifi.eu
http-01 challenge for www.gratwifi.eu
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (gratwifi.eu) from /etc/letsencrypt/renewal/gratwifi.eu.conf produced an unexpected error: Failed authorization procedure. www.gratwifi.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.gratwifi.eu/.well-known/acme-challenge/DEZ3c4CFlNSPYBgQsKlbppaBN1kHkjN9Cg3nXdO3BE0: “”, gratwifi.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gratwifi.eu/.well-known/acme-challenge/0a3TW6nD9G0YCRY-AvoLPq4LB61PKJejvfqUyLN4gjw: “”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gratwifi.eu/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gratwifi.eu/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.gratwifi.eu
    Type: unauthorized
    Detail: Invalid response from
    http://www.gratwifi.eu/.well-known/acme-challenge/DEZ3c4CFlNSPYBgQsKlbppaBN1kHkjN9Cg3nXdO3BE0:
    “”

    Domain: gratwifi.eu
    Type: unauthorized
    Detail: Invalid response from
    http://gratwifi.eu/.well-known/acme-challenge/0a3TW6nD9G0YCRY-AvoLPq4LB61PKJejvfqUyLN4gjw:
    “”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
nginx version: nginx/1.12.2
The operating system my web server runs on is (include version):
Ubuntu 14.04.5 LTS
My hosting provider, if applicable, is:
own server
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

From the output of your server you have configured nginx with proxy_pass to a Ruby application, yes?

You might need to add an exclusion for /.well-known/acme-challenge to prevent the Ruby application from intercepting those requests, but I am surprised that the Certbot nginx plugin is not doing it for you:

location /.well-known/acme-challenge/ {
  # No contents needed, just need to override proxy_pass
}

Yes, it is a proxy_pass to a ruby (and elixir) app.
I see in the log a couple of times this:

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

I don't know if that is what you mean.

I added the rules and now I get this:


Processing /etc/letsencrypt/renewal/gratwifi.eu.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beta.gratwifi.eu
http-01 challenge for dashboard.gratwifi.eu
http-01 challenge for portal.gratwifi.eu
http-01 challenge for gratwifi.eu
http-01 challenge for www.gratwifi.eu
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (gratwifi.eu) from /etc/letsencrypt/renewal/gratwifi.eu.conf produced an unexpected error: Failed authorization procedure. www.gratwifi.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.gratwifi.eu/.well-known/acme-challenge/ddvP8_x4z3sWpnu2ASjv5e07R2LppmY-lx72H2HDo3I: "

404 Not Found

404 Not Found


", gratwifi.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gratwifi.eu/.well-known/acme-challenge/hYE4ct-K0_cXhfpCGuCtwxGXfpRsY4TCLofQwakIDgc: " 404 Not Found

404 Not Found


". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/gratwifi.eu/fullchain.pem (failure)

I just checked the code of the Certbot nginx plugin and it appears I have misunderstood how it works. My advice isn’t helpful, you can get rid of that location block.

The plugin works by temporarily adding something like

location = /.well-known/acme-challenge/xyxyxyxyxy {
  default_type text/plain;
  return 200 'abababababababab';
}

(except with the real validation values) and reloading nginx.

So the problem in your case would be that for some reason, that change isn’t being applied by/loaded by nginx.

It might help to try with --dry-run --debug and upload the full /var/log/letsencrypt/letsencrypt.log somewhere so it can be checked for issues.

can we do this somewhere private?

Sure, you can PM someone for help, however I am off to bed so it may be worth waiting to see if someone like schoen or bmw have any ideas.

Not really—I’d like to see the logs and also to check what version of Certbot it is (although it must be reasonably recent because it’s doing HTTP-01 with --nginx).

How can I PM you with the link?

I just edited your forum account so that you should now be able to send PMs.

Hi @Hermanverschooten, I tried looking at your log briefly.

One thing that seems important to double-check: Some of your hostnames have both the IPv6 address 2a03:a800:12:1::4728:9434 and the IPv4 address 77.73.99.74, while some have only the IPv4 address. While it does appear that both the IPv4 and IPv6 versions of http://gratwifi.eu/ are operating and serving the same web content, can you confirm that this server is meant to have both IP addresses and that the IPv6 address does, in fact, point directly at the machine where you ran the Certbot command?
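
A pre-flight probe covering both points raised above (the plugin serving each token from its own location block, and hosts that are reachable over IPv6 as well as IPv4), as an added example that is not from this thread or from Certbot; the token and body are constructed placeholders, the hostnames are given on the command line, and the probe must be run after the placeholder is actually served by nginx:

```python
# Added example, not from the thread or from Certbot: fetch the HTTP-01 path
# over every A/AAAA address of each hostname, as the validator would, so a
# catch-all proxy_pass, an empty reply or a stray IPv6 record shows up first.
import http.client
import socket
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed placeholders: serve PROBE_BODY at PROBE_TOKEN before probing.
PROBE_TOKEN = "probe-token-CONSTRUCTED"
PROBE_BODY = "probe-body-CONSTRUCTED"


def classify(status, body, expected):
    # Map one response to the failure classes seen in the thread.
    if status == 200 and body.strip() == expected:
        return "ok"
    if 300 <= status < 400:
        return "redirect: the validator follows it, probe the target too"
    if status == 404:
        return "404: nginx answered, but no location served the token"
    if not body.strip():
        return "empty body: a catch-all (e.g. proxy_pass) answered instead"
    return "unexpected %d: %r" % (status, body[:60])


def addresses(host):
    # Every distinct A and AAAA record, tagged with its address family.
    found = []
    for fam, _, _, _, sa in socket.getaddrinfo(host, 80, 0, socket.SOCK_STREAM):
        if sa[0] not in [ip for _, ip in found]:
            found.append((fam, sa[0]))
    return found


def probe(host, family, ip, token=PROBE_TOKEN):
    # GET the challenge URL from one specific address, with the Host header set.
    target = "[%s]" % ip if family == socket.AF_INET6 else ip
    conn = http.client.HTTPConnection(target, 80, timeout=10)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.read().decode("utf-8", "replace"), PROBE_BODY)
    except OSError as exc:
        return "connect failed: %s" % exc
    finally:
        conn.close()


if __name__ == "__main__":
    for host in sys.argv[1:]:
        for fam, ip in addresses(host):
            print("%-22s %-40s %s" % (host, ip, probe(host, fam, ip)))
```

Any address that does not report "ok" is one the ACME validator can also pick, which is why the IPv4-only and dual-stack hostnames need to be checked separately.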

Hi @schoen,
Yes they both point to the same machine, and I need to change it so all sites use the IPv6.

I don’t know exactly why, but I split the file that contained both www.gratwifi.eu and portal.gratwifi.eu, and now it is working.
