Urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
sudo certbot --authenticator webroot -w / --installer nginx --no-redirect --agree-tos --no-eff-email -d switchmagic.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for switchmagic.com
Using the webroot path / for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. switchmagic.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://switchmagic.com/.well-known/acme-challenge/3b-AqGypG8WkGLQPbO5bEPKHK2o--zxMQAfQYYm-uZQ []: "\r\n<html lang=“en”>\r\n\r\n\r\n <meta charset=“UTF-8”>\r\n <meta name=“viewport” content="width=device-width, "


My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.4
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.17.0

unless your webserver’s files are in / , you need more specific location.
maybe you could try --authenticator nginx?

Hi @beyondJohn

I hope, your webroot isn’t the root of your server, that would be terrible.

A typical nginx server block may look like

server {
    listen         80 default_server;
    listen         [::]:80 default_server;
    server_name    example.com www.example.com;
    root           /var/www/example.com;
    index          index.html;
    try_files $uri /index.html;

Then /var/www/example.com is your webroot you have to use with your -w parameter. It’s the path in your file system to your logical path “/” of your webserver.

Hi @JuergenAuer
Thanks for your reply!
You are of course correct, the webroot was not actually pointing to the server root “/”. I suspected pointing to the wrong webroot was my issue and after reading your reply that confirmed my suspicions. However…
The following is my server config block (omitting ssl_ciphers line just in case),

HTTP - redirect all requests to HTTPS:

server {
listen 80;
listen [::]:80 default_server ipv6only=on;
location /{
return 301 https://$host$request_uri;

HTTPS - proxy requests on to local Node.js app:

server {
listen 443;
server_name switchmagic.com;

    ssl on;
    # Use certificate and key provided by Let's Encrypt:
    ssl_certificate /etc/letsencrypt/live/switchmagic.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/switchmagic.com/privkey.pem; # managed by Certbot
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Pass requests for / to localhost:8080:
    location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            #proxy_pass http://localhost:5000/;
            proxy_ssl_session_reuse off;
            proxy_set_header Host $http_host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;


Please note “#proxy_pass http://localhost:5000/;” has been commented out. I did that in order to get the LetsEncrypt cert to successfully install. Here is the command used to successfully install the LetsEncrypt cert,

sudo certbot --authenticator webroot -w /usr/share/nginx/html --installer nginx --no-redirect --agree-tos --no-eff-email -d switchmagic.com

Prior to successfully installing the latest LetsEncrypt cert I was able to use the LetsEncrypt cert to navigate to ports and the ports would also be encrypted. For example https://switchmagic.com:5554/ . But after installing the new cert the ports are no longer encrypted though the ports are using the same cert just like before installing the new LetsEncrypt cert,
const options = {
hostname: ‘switchmagic.com’,
key: fs.readFileSync(’/etc/letsencrypt/live/switchmagic.com/privkey.pem’),
cert: fs.readFileSync(’/etc/letsencrypt/live/switchmagic.com/cert.pem’),
ca: fs.readFileSync(’/etc/letsencrypt/live/switchmagic.com/chain.pem’)

How can the ports become encrypted like they were prior to installing the new LetsEncrypt cert?

Thank you!


You have created a new Letsencrypt certificate (2019-04-28). So update your non-standard installation.

The last part - you have to do every time you create a new certificate.


Excellent, you are correct again, sorry, I should have thought of that. I restarted the apps that were being served on different ports which updated the LetsEncrypt certs for the apps on each port. All seems well and the ports are now appearing online with valid https certs. Kudos and thanks for the quick help, I spent the better part of the day yesterday trying to figure this out on my own, your assistance was invaluable!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.