Unable to renew certificate - urn:acme:error:unauthorized :: The client lacks sufficient authorization

As per every 3 months, running command to renew certificate:

sudo letsencrypt renew --standalone --rsa-key-size 4096

today returned the following error. No configuration has been changed since last renewal which finished fine.

If anyone has any idea, please help.

Processing /etc/letsencrypt/renewal/gitlab.spartagency.com.conf
2018-01-12 09:59:07,085:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/gitlab.spartagency.com.conf produced an unexpected error: Failed authorization procedure. office.spartagency.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.spartagency.com/.well-known/acme-challenge/BRWn7u_NTbF3r7Gx3W12YJ4vD_9rg-DyL7LBwg0m_BQ: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", gitlab.spartagency.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gitlab.spartagency.com/.well-known/acme-challenge/PG8vw-k_w2Mgo9BkEzxAXGbwMIRYhZv5d4Fcq3mj9rI: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gitlab.spartagency.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: office.spartagency.com
   Type:   unauthorized
   Detail: Invalid response from http://office.spartagency.com/.well-
   known/acme-challenge/BRWn7u_NTbF3r7Gx3W12YJ4vD_9rg-DyL7LBwg0m_BQ:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: gitlab.spartagency.com
   Type:   unauthorized
   Detail: Invalid response from http://gitlab.spartagency.com/.well-
   known/acme-challenge/PG8vw-k_w2Mgo9BkEzxAXGbwMIRYhZv5d4Fcq3mj9rI:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Server: Federal Security Service of the Russian Federation

lol

Anyway, could you show the contents of /etc/letsencrypt/renewal/gitlab.spartagency.com.conf ?

Could it have to do with https://acme-v01.api.letsencrypt.org Security issue?

cert = /etc/letsencrypt/live/gitlab.spartagency.com/cert.pem
privkey = /etc/letsencrypt/live/gitlab.spartagency.com/privkey.pem
chain = /etc/letsencrypt/live/gitlab.spartagency.com/chain.pem
fullchain = /etc/letsencrypt/live/gitlab.spartagency.com/fullchain.pem

# Options and defaults used in the renewal process
[renewalparams]
no_self_upgrade = False
no_verify_ssl = False
ifaces = None
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = False
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
tos = False
duplicate = False
http01_port = 80
init = False
noninteractive_mode = False
key_path = None
fullchain_path = None
email = None
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
authenticator = standalone
nginx = False
rsa_key_size = 4096
verb = renew
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = None
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
account = 5535114a2243b20b57f8687f61c7f834
prepare = False
manual_public_ip_logging_ok = False
chain_path = None
break_my_certs = False
domains = gitlab.spartagency.com, office.spartagency.com
standalone = True
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "tls-sni-01,http-01"
webroot = False
os_packages_only = False
func = <function renew at 0x7f7eea1b6140>
user_agent = None
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]

It's possible that it has to do with the tls-sni issue, if you were previously reliant on it:

standalone_supported_challenges = "tls-sni-01,http-01"

You should be able to use one of two suggested workarounds documented here, both of which will avoid the (currently disabled) tls-sni-01 challenge.

1 Like

Changing configuration to only use http (standalone_supported_challenges = “http-01”) doesnt help, still getting the same error.

And I think it was trying to use http from start, judging from:
gitlab.spartagency.com (http-01): urn:acme:error:unauthorized

Did you try the linked workarounds?

If not already done, configuring nginx to serve /.well-known/acme-challenge from a known location and then passing the document root to Certbot via --authenticator webroot --webroot-path should take care of the 404 issue.

e.g.

location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
}

--webroot-path /var/www/letsencrypt

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.