Unable to renew certificate - urn:acme:error:unauthorized :: The client lacks sufficient authorization

As per every 3 months, running command to renew certificate:

sudo letsencrypt renew --standalone --rsa-key-size 4096

today returned the following error. No configuration has been changed since last renewal which finished fine.

If anyone has any idea, please help.

Processing /etc/letsencrypt/renewal/gitlab.spartagency.com.conf
2019-06-05 14:37:50,126:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/gitlab.spartagency.com.conf produced an unexpected error: Failed authorization procedure. office.spartagency.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.spartagency.com/.well-known/acme-challenge/e9itqHxvw8ZcT2OF2oZWkEnPUaQrEpsrpKusYOkursM [89.216.22.59]: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n
”, gitlab.spartagency.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gitlab.spartagency.com/.well-known/acme-challenge/n5zsAuX9FNpH66kOVIbofGcHIRRonL2FITgwxs63yEQ [89.216.22.59]: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n
”. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gitlab.spartagency.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: office.spartagency.com
    Type: unauthorized
    Detail: Invalid response from http://office.spartagency.com/.well-
    known/acme-challenge/e9itqHxvw8ZcT2OF2oZWkEnPUaQrEpsrpKusYOkursM
    [89.216.22.59]: “\r\n404 Not
    Found\r\n<body bgcolor=“white”>\r\n

    404
    Not Found

    \r\n

    Domain: gitlab.spartagency.com
    Type: unauthorized
    Detail: Invalid response from http://gitlab.spartagency.com/.well-
    known/acme-challenge/n5zsAuX9FNpH66kOVIbofGcHIRRonL2FITgwxs63yEQ
    [89.216.22.59]: “\r\n404 Not
    Found\r\n<body bgcolor=“white”>\r\n

    404
    Not Found

    \r\n

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

:wave: Hi @stasas,

Using --standalone indicates that Certbot will be binding a small webserver to port 80 to respond to HTTP-01 challenges.

The HTML output you’re seeing in the urn:acme:error:unauthorized error from Let’s Encrypt seems to indicate there’s another webserver actually answering the HTTP-01 challenge verification requests, and serving page content instead of a challenge response.

My requests to office.spartagency.com are showing a Server: nginx header in the response. Did you previously have something in your Nginx config that would direct requests to /.well-known/acme-challenge/ to the Certbot standalone server? In general are you sure that nothing has changed in the way that HTTP requests to the failing domains are routed?

Hi @cpu,

No configuration has been changed since last 3 months, I’m stopping nginx server on the machine from which I’m running letsencrypt renew…

In /var/log/letsencrypt/letsencrypt.log I found maybe relevant errors:

2019-06-05 13:30:14,030:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {u’status’: u’invalid’, u’token’: u’TTwpiTHVRFUPuFsPfyrxqoB_vZ4lzKcGu0B6L609Dj4’, u’type’: u’tls-alpn-01’, u’uri’: u’https://acme-staging.api.letsencrypt.org/acme/challenge/8pwbT7qnm_pPvbdDh53yQQ80A38JRtkknXtZmp8ee58/319873858’}
2019-06-05 13:30:14,031:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u’status’: u’invalid’, u’token’: u’nXD5rhpHxnFn5tAhBswVS6Z5Fmj8I9nTDLqNdBIsdc8’, u’type’: u’dns-01’, u’uri’: u’https://acme-staging.api.letsencrypt.org/acme/challenge/8pwbT7qnm_pPvbdDh53yQQ80A38JRtkknXtZmp8ee58/319873860’}

Have you considered using the Certbot nginx plugin instead? It would let you renew this certificate without having to take down the Nginx instance by having Certbot write the HTTP-01 challenge response into the Nginx webroot.

It’s difficult to diagnose your problem since I assume you’ve started the Nginx instance again. To be able to help we would likely need to see what is happening when Nginx is stopped and Certbot --standalone is running. Using Certbot’s native nginx plugin is likely a better path forward unless there’s a reason it can’t be used in your environment.

In the end it was the router configuration which forwarded port 80 to different virtual machine and what differed from other times is this time cert actually expired so it didnt use tls-sni for renewal, but http and it ended up on different server :flushed:

Thank you for your help!

2 Likes

Happy to hear you got things sorted out! Thanks for reporting back :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.