I know there are a couple of threads on "The client lacks sufficient authorization" already. I think, however, my problem is a bit different, and I did not want to hijack any of the other threads.
So I have a webserver (apache2) serving a couple of subdomains with a self-signed wildcard certificate. I would like to replace that with letsencrypt certificates. So instead of using a wildcard certificate, I try to create one certificate for all subdomains:
/usr/local/src/letsencrypt/letsencrypt-auto --apache --debug -d example.com -d www.example.com -d mail.example.com -d calendar.example.com -d mailgate.example.com -d example.dyndns.com
That works - for all but mailgate.example.com, which throws the well-known error:
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
sys.exit(main())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1396, in main
return args.func(args, config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 557, in run
lineage = _auth_from_domains(le_client, config, domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 389, in _auth_from_domains
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
return self._obtain_certificate(domains, csr) + (key, csr)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
authzr = self.auth_handler.get_authorizations(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
self._respond(cont_resp, dv_resp, best_effort)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
self._poll_challenges(chall_update, best_effort)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. mailgate.example.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found example.com, *.example.com, example2.com, *.example2.com
IMPORTANT NOTES:
- The following 'urn:acme:error:unauthorized' errors were reported by
the server:
Domains: mailgate.example.com
Error: The client lacks sufficient authorization
So what's special about mailgate.example.com: That's a different IP address which does not really do anything but route requests through a VPN tunnel to my server (apache, etc.). Replies are routed back to that IP, and from there - with the sender IP modified back into mailgate's public IP - to the client. The reason for this is very simple: I am typically on a dial-up IP with quite some restrictions. The mailgate machine is a virtual host with a "real, fixed IP".
This setup works well for my regular mail traffic, and also for serving ports 80 and 443 on the mailgate IP. But it appears to cause trouble with letsencrypt's verification.
Any hint on how I can work around this? If ACME needs a port other than 80 or 443 to be routed through the tunnel to work properly, I could surely add that.
Thanks!
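The error quoted in the post is the validation server reporting which names it found in the certificate that answered its SNI probe. The following is an added example (not code from the original post or from the letsencrypt client) that reproduces that check locally, so the tunnel setup can be tested before re-running the client. It assumes the tls-sni-01 draft as deployed at the time: the client serves a self-signed certificate whose SAN is `Z[0:32].Z[32:64].acme.invalid` with `Z = hex(SHA-256(keyAuthorization))`, and the CA connects to the domain on port 443 with that name in SNI and expects exactly that dNSName. The key authorization, the host names and the openssl text used for the offline demo are constructed.

```python
"""Reproduce the tls-sni-01 SNI probe that the CA runs against a domain.

Added example, not part of the original post or of the letsencrypt client.
Assumption: tls-sni-01 as drafted in early 2016 (zName = Z[0:32].Z[32:64]
.acme.invalid, Z = hex(SHA-256(keyAuthorization)), one iteration).
"""
import hashlib
import re
import subprocess
import sys

ACME_SUFFIX = ".acme.invalid"

# Constructed from the error message in the post: the names the CA found
# on mailgate.example.com:443 instead of the challenge name.
FOUND_IN_ERROR = ["example.com", "*.example.com", "example2.com", "*.example2.com"]

# Constructed sample of `openssl x509 -noout -text` output for offline use.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example2.com, DNS:*.example2.com
"""


def zname_from_key_authorization(key_authorization: str) -> str:
    """Derive the SAN/SNI name the validation server asks for (tls-sni-01)."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"


def is_valid_zname(name: str) -> bool:
    """Shape check: 32 hex chars, dot, 32 hex chars, '.acme.invalid'."""
    return re.fullmatch(r"[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid", name) is not None


def sans_satisfy_challenge(served_sans, zname: str) -> bool:
    """True only if the served certificate carries the exact zName.

    Wildcards never help: *.example.com cannot cover x.y.acme.invalid, and
    the CA does not accept *.acme.invalid either, so the list in the error
    message can never satisfy the probe.
    """
    return zname.lower() in (s.strip().lower() for s in served_sans)


def parse_sans_from_x509_text(x509_text: str):
    """Pull dNSName entries out of `openssl x509 -noout -text` output."""
    return re.findall(r"DNS:([^,\s]+)", x509_text)


def fetch_served_sans(host: str, sni_name: str, port: int = 443, timeout: int = 10):
    """Do what the CA does: TLS handshake to host:port with SNI=sni_name.

    Uses the openssl CLI (present on the server) so no extra Python packages
    are needed; stdin is closed so s_client exits after the handshake.
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni_name],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=s_client.stdout, capture_output=True, timeout=timeout, check=False,
    )
    return parse_sans_from_x509_text(x509.stdout.decode("utf-8", "replace"))


def diagnose(served_sans, zname: str):
    """Return (ok, message) in the same spirit as the CA's error text."""
    if sans_satisfy_challenge(served_sans, zname):
        return True, f"OK: correct zName {zname} served"
    return False, (
        "FAIL: Correct zName not found for TLS SNI challenge. "
        f"Expected {zname}, found {', '.join(served_sans) or '(no SANs)'}"
    )


if __name__ == "__main__":
    # Usage: python tls_sni_probe.py <host> <keyAuthorization>
    # With no arguments, run the offline demo on the constructed data.
    if len(sys.argv) == 3:
        zn = zname_from_key_authorization(sys.argv[2])
        print(diagnose(fetch_served_sans(sys.argv[1], zn), zn)[1])
    else:
        zn = zname_from_key_authorization("constructed-token.constructed-thumbprint")
        print(diagnose(parse_sans_from_x509_text(SAMPLE_X509_TEXT), zn)[1])
```

Run it against the tunnelled host with the key authorization the client is using and compare the SAN list it prints with the one in the error: if the names served through the tunnel are the ones of the default wildcard vhost rather than the challenge name, the SNI-selected vhost is not being reached on the mailgate path, which is what the CA's message indicates.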