[Webroot] Error: The client lacks sufficient authorization


#1

Hi,

I did use the search but none of the results matched my case. If I overlooked something please point me to it. Thanks.

I did receive a certificate when LE entered public beta. On 23.12.2015 I renewed my cert to check if it works fine, which it did. On the 24th I tested an automation script and got a new cert as well, so I was happy to run this once a month.
Today I ran the script again and it failed. I have no clue why this is happening.

[code]Updating letsencrypt and virtual environment dependencies…
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos --renew-by-default --text --rsa-key-size 4096 --webroot --webroot-path /mnt/ftp.domain.de/domain.de/subdomain.domain.de --email letsencrypt@domain.de -d subdomain.domain.de
Failed authorization procedure. subdomain.domain.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 1 parts

IMPORTANT NOTES:

  • The following ‘urn:acme:error:unauthorized’ errors were reported by
    the server:

    Domains: subdomain.domain.de
    Error: The client lacks sufficient authorization

[/code]

The letsencrypt.log says:

2016-01-01 12:11:33,582:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-01-01 12:11:33,599:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-01-01 12:11:33,604:DEBUG:letsencrypt.cli:letsencrypt version: 0.1.1
2016-01-01 12:11:33,605:DEBUG:letsencrypt.cli:Arguments: ['--agree-tos', '--renew-by-default', '--text', '--rsa-key-size', '4096', '--webroot', '--webroot-path', '/mnt/ftp.domain.de/domain.de/subdomain.domain.de', '--email', 'letsencryp$
2016-01-01 12:11:33,610:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-01-01 12:11:33,612:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
2016-01-01 12:11:34,877:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /mnt/ftp.domain.de/domain.de/subdomain.domain.de/.well-known/acme-challenge
2016-01-01 12:11:36,339:DEBUG:letsencrypt.display.ops:Single candidate plugin: * webroot
Description: Webroot Authenticator
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = letsencrypt.plugins.webroot:Authenticator
Initialized: <letsencrypt.plugins.webroot.Authenticator object at 0x75692ed0>
Prep: True
2016-01-01 12:11:36,346:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.webroot.Authenticator object at 0x75692ed0> and installer None
2016-01-01 12:11:36,462:DEBUG:letsencrypt.cli:Picked account: <Account(ec233f47fc7c44913fc2014fa9e6e5d3)>
2016-01-01 12:11:36,472:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-01-01 12:11:36,503:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-01 12:11:37,211:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2016-01-01 12:11:37,231:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Fri, 01 Jan 2016 12:11:37 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', '$
2016-01-01 12:11:37,233:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Fri, 01 Jan 2016 12:11:37 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection':$
2016-01-01 12:11:37,248:INFO:letsencrypt.cli:Auto-renewal forced with --renew-by-default...
2016-01-01 12:12:27,007:INFO:letsencrypt.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0005_key-letsencrypt.pem
2016-01-01 12:12:27,419:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0005_csr-letsencrypt.pem
2016-01-01 12:12:27,425:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0005_csr-letsencrypt.pem', data='0\x82\x04\x940\x82\x02|\x02\x01\x000\x1e1\x1c0\x1a\x06\x03U\x04\x03\x0c\x13subdomain.domain.de0\x82\x02"0\r\x06\t*\x86$
2016-01-01 12:12:27,428:DEBUG:root:Requesting fresh nonce
2016-01-01 12:12:27,429:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-01-01 12:12:27,436:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-01 12:12:27,978:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-01-01 12:12:27,999:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '0', 'Pragma': 'no-cache', 'Expires': 'Fri, 01 Jan 2016 12:12:27 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Cont$
2016-01-01 12:12:28,001:DEBUG:acme.client:Storing nonce: 'S\xfbN$\xf1\x8aAJS\xfa0\x0c_~\x9b)6n\xce~a&(\xedy\xc6\x0c~\xb8\xcd\x0f\xe4'
2016-01-01 12:12:28,002:DEBUG:acme.jose.json_util:Omitted empty fields: combinations=None, expires=None, status=None, challenges=None
2016-01-01 12:12:28,003:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "subdomain.domain.de"}, "resource": "new-authz"}
2016-01-01 12:12:28,015:DEBUG:acme.jose.json_util:Omitted empty fields: x5u=None, x5c=(), crit=(), cty=None, x5tS256=None, jku=None, alg=None, jwk=None, kid=None, x5t=None, typ=None
2016-01-01 12:12:28,072:DEBUG:acme.jose.json_util:Omitted empty fields: x5u=None, x5c=(), crit=(), cty=None, x5tS256=None, jku=None, nonce=None, typ=None, kid=None, x5t=None
2016-01-01 12:12:28,074:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "lE469L8yHK2Gx1dP8wi9AeWGj0y$
2016-01-01 12:12:28,081:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-01 12:12:28,631:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 572
2016-01-01 12:12:28,651:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '572', 'Expires': 'Fri, 01 Jan 2016 12:12:28 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', '$
2016-01-01 12:12:28,652:DEBUG:acme.client:Storing nonce: '_\x89\xc9H\xd3}\x8c7\x91X\x86\x91dq\x13M\xc4\r\xd5\xa9/\xbdJ\x98\xd5\xfa6\xe8Ec\x03X'
2016-01-01 12:12:28,653:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '572', 'Expires': 'Fri, 01 Jan 2016 12:12:28 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection':$
2016-01-01 12:12:28,658:INFO:letsencrypt.auth_handler:Performing the following challenges:
2016-01-01 12:12:28,659:INFO:letsencrypt.auth_handler:http-01 challenge for subdomain.domain.de
2016-01-01 12:12:31,416:DEBUG:letsencrypt.plugins.webroot:Attempting to save validation to /mnt/ftp.domain.de/domain.de/subdomain.domain.de/.well-known/acme-challenge/Qus-fHRLLTuyl_vdk1PeT6ktNQUJbV55ClXoPdlkBwE
2016-01-01 12:12:34,998:INFO:letsencrypt.auth_handler:Waiting for verification...
2016-01-01 12:12:34,999:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "Qus-fHRLLTuyl_vdk1PeT6ktNQUJbV55ClXoPdlkBwE.OC4HQQOeW8crBPJsWOBktq2tOI7N0g_vJJPrvzBSbvA", "type": "http-01", "resource": "challenge"}
2016-01-01 12:12:35,011:DEBUG:acme.jose.json_util:Omitted empty fields: x5u=None, x5c=(), crit=(), cty=None, x5tS256=None, jku=None, alg=None, jwk=None, kid=None, x5t=None, typ=None
2016-01-01 12:12:35,068:DEBUG:acme.jose.json_util:Omitted empty fields: x5u=None, x5c=(), crit=(), cty=None, x5tS256=None, jku=None, nonce=None, typ=None, kid=None, x5t=None
2016-01-01 12:12:35,070:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/ZvPAz0lNbdGwEIwqsmr5qmuA8SSiofO7ScL--Z5_Qu0/3848895. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQ$
2016-01-01 12:12:35,077:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-01 12:12:35,619:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/ZvPAz0lNbdGwEIwqsmr5qmuA8SSiofO7ScL--Z5_Qu0/3848895 HTTP/1.1" 202 312
2016-01-01 12:12:35,636:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '312', 'Expires': 'Fri, 01 Jan 2016 12:12:35 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/a$
2016-01-01 12:12:35,641:DEBUG:acme.client:Storing nonce: "NB\xbf\x86 \x824q\x80\xaf\x8ex\xe1g\xad'\xfc\xfb\xc4q\xb1e\xff\x9b\xa5\x8b\x95L')\x89\xc7"
2016-01-01 12:12:35,642:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '312', 'Expires': 'Fri, 01 Jan 2016 12:12:35 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.l$
2016-01-01 12:12:38,648:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/ZvPAz0lNbdGwEIwqsmr5qmuA8SSiofO7ScL--Z5_Qu0. args: (), kwargs: {}
2016-01-01 12:12:38,655:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-01 12:12:39,161:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/ZvPAz0lNbdGwEIwqsmr5qmuA8SSiofO7ScL--Z5_Qu0 HTTP/1.1" 200 1044
2016-01-01 12:12:39,178:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1044', 'Expires': 'Fri, 01 Jan 2016 12:12:39 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', $
2016-01-01 12:12:39,183:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1044', 'Expires': 'Fri, 01 Jan 2016 12:12:39 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection'$
2016-01-01 12:12:39,190:INFO:letsencrypt.reporter:Reporting to user: The following 'urn:acme:error:unauthorized' errors were reported by the server:

Domains: subdomain.domain.de
Error: The client lacks sufficient authorization
2016-01-01 12:12:39,191:INFO:letsencrypt.auth_handler:Cleaning up challenges
2016-01-01 12:12:39,938:DEBUG:letsencrypt.plugins.webroot:Removing /mnt/ftp.domain.de/domain.de/subdomain.domain.de/.well-known/acme-challenge/Qus-fHRLLTuyl_vdk1PeT6ktNQUJbV55ClXoPdlkBwE
2016-01-01 12:12:40,283:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1396, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 598, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 389, in _auth_from_domains
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. subdomain.domain.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 1 parts

Any help is much appreciated.
Thanks and a happy new year.


#2

It’s always more difficult to tell on these when you replace the domain name and details in the logs.

Basically it’s saying that it couldn’t reach “http://subdomain.domain.de/.well-known/acme-challenge/Qus-fHRLLTuyl_vdk1PeT6ktNQUJbV55ClXoPdlkBwE” on your domain.


#3

Thanks for your reply.

Hmmm, how can I trace the issue then? On the 24th it was working fine.

I played a bit around using the --test-cert --break-my-certs commands, but none of the changes helped. I always get the same error.
I do see the challenge gets created in the correct folder and then deleted again.

I’m not sure what is wrong.

BTW, not sure how posting my domains would help here.


#4

Posting the domain name and logs with the correct domain helps for a number of reasons, because we can check that the domain (and the appropriate .well-known/acme-challenge) is reachable, check for typographical errors, etc. You may use Cloudflare or similar protection on your domain which will affect things … without your domain name though it’s impossible to say such things and help narrow down the probable problem area for you.

You can have a look at other topics related to the same “client lacks sufficient authorization” error, but I would start by doing basic checks: if you place a file (say test.txt) into the path /mnt/ftp.domain.de/domain.de/subdomain.domain.de/.well-known/acme-challenge/test.txt, can you reach it in your browser at http://subdomain.domain.de/.well-known/acme-challenge/test.txt?


#5

Thanks,

I did put a test file into the .well-known/acme-challenge/ path using FTP first and already saw that no matter what I put into the acme-challenge/ folder, my webserver always returns a blank page (even if I enter a URL which does not exist, the webserver returns a blank page, not a 404).
If I rename the acme-challenge folder it starts working. An acme-challenge folder somewhere else on my webserver also works fine. As soon as I create the acme-challenge folder inside the .well-known folder, the webserver returns a blank page.

Is this something my hosting company needs to look into?
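The basic check suggested in #4 and the blank-page symptom reported in #5, as an added example that is not part of the thread or of the letsencrypt client: the script writes a probe file into the webroot's challenge directory, fetches it back over HTTP, and classifies the response (reachable and unchanged, blank 200, other content, or an error status). A simulated fetcher, added here so the check runs offline, reproduces both a correctly serving host and the blank 200 described above; `parse_key_authorization()` shows why an empty body is reported as "1 parts" (its check is modelled on the error text quoted in #1, not taken from the CA's code). The domain and key-authorization values are the placeholders and the log line from #1.

```python
# Added example: pre-flight check for http-01 webroot validation.
# Not part of the thread or of the letsencrypt client.
import os
import secrets
import tempfile
import urllib.error
import urllib.request

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")
CHALLENGE_URL_PATH = "/.well-known/acme-challenge/"


def parse_key_authorization(body):
    """Split an http-01 response body into (token, thumbprint).

    The expected form is "<token>.<account-key-thumbprint>". This check is
    modelled on the CA's error text quoted in the thread, not on the CA's
    code: anything other than exactly two dot-separated parts is rejected.
    "".split(".") is [""], i.e. one part, which is exactly the
    "Invalid key authorization: 1 parts" that a blank page produces.
    """
    parts = body.strip().split(".")
    if len(parts) != 2:
        raise ValueError("Invalid key authorization: %d parts" % len(parts))
    return parts[0], parts[1]


def http_fetch(url, timeout=10.0):
    """Plain-HTTP GET returning (status, body); used for a real check."""
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def check_webroot(webroot, base_url, fetch=http_fetch):
    """Write a random probe into <webroot>/.well-known/acme-challenge/, fetch
    it back at <base_url>/.well-known/acme-challenge/<name>, and return a
    diagnosis dict. The probe is removed afterwards, like the client's own
    "Cleaning up challenges" step."""
    chall_dir = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(chall_dir, exist_ok=True)
    name = secrets.token_urlsafe(16)
    # Same shape as a real key authorization (token.thumbprint, no other dots).
    expected = secrets.token_urlsafe(32) + "." + secrets.token_urlsafe(32)
    path = os.path.join(chall_dir, name)
    with open(path, "w") as fh:
        fh.write(expected)
    try:
        status, body = fetch(base_url.rstrip("/") + CHALLENGE_URL_PATH + name)
    finally:
        os.remove(path)
    body = body.strip()
    if status != 200:
        diagnosis = "HTTP %d: probe not reachable at the challenge URL" % status
    elif body == expected:
        diagnosis = "ok: challenge directory is served unchanged"
    elif body == "":
        diagnosis = "blank 200: a rule on the server swallows /.well-known/acme-challenge/"
    else:
        diagnosis = "200 with other content: a different handler answers this path"
    return {"probe": name, "status": status, "matched": body == expected,
            "diagnosis": diagnosis}


def simulated_fetch(webroot, blank=False):
    """Assumed stand-in for http_fetch so the check runs offline: either serve
    the file straight from the webroot (a correctly configured host) or
    return an empty 200 (the symptom described in the thread)."""
    def fetch(url):
        if blank:
            return 200, ""
        name = url.rsplit("/", 1)[1]
        with open(os.path.join(webroot, CHALLENGE_SUBDIR, name)) as fh:
            return 200, fh.read()
    return fetch


def demo():
    """Run both simulated scenarios in a temporary webroot and parse the
    key authorization from the thread's log line; return the outcomes."""
    log_keyauth = ("Qus-fHRLLTuyl_vdk1PeT6ktNQUJbV55ClXoPdlkBwE."
                   "OC4HQQOeW8crBPJsWOBktq2tOI7N0g_vJJPrvzBSbvA")
    token, thumbprint = parse_key_authorization(log_keyauth)
    try:
        parse_key_authorization("")
        blank_error = None
    except ValueError as exc:
        blank_error = str(exc)
    with tempfile.TemporaryDirectory() as webroot:
        good = check_webroot(webroot, "http://subdomain.domain.de",
                             simulated_fetch(webroot))
        bad = check_webroot(webroot, "http://subdomain.domain.de",
                            simulated_fetch(webroot, blank=True))
    return {"token": token, "thumbprint": thumbprint, "blank_error": blank_error,
            "good": good["diagnosis"], "bad": bad["diagnosis"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

For a real host, call `check_webroot("/mnt/ftp.domain.de/domain.de/subdomain.domain.de", "http://subdomain.domain.de")` with the default fetcher before running the ACME client; a "blank 200" result points at server-side handling of the path rather than at the client or the mount.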


#6

That depends how comfortable you are with checking your nginx config for redirects etc.

I’m assuming that as you don’t want to post your domain name, you won’t want to post your config, so yes it may be best to talk to your hosting company.


#7

Something I should have said initially, sorry.

I’m using a shared webhost which is using Apache. I use my Raspberry to connect to the webspace and place the challenge into the webserver.

These are the commands I run:

[code]curlftpfs -o ssl,no_verify_hostname ftp://username:password@ftp.domain.de /mnt/ftp.domain.de
letsencrypt-auto certonly --agree-tos --renew-by-default --text --rsa-key-size 4096 --webroot --webroot-path /mnt/ftp.domain.de/domain.de/subdomain.domain.de --email letsencrypt@domain.de -d subdomain.domain.de
fusermount -u /mnt/ftp.domain.de
[/code]

There should be no redirects (using .htaccess) for this folder, but to be 100% sure I temporarily removed the existing .htaccess and tried again, but the webserver still returns a blank page each time.

I just ran some tests on a domain with 100% no redirect and found the same, so this must be configured on the webserver.
Maybe my hosting company wants to block LE certificates from being used…


#8

I just got the confirmation from my hosting company All-Inkl.com that they are currently working on implementing LE certificates themselves and therefore it’s not possible to use it.

Which is good news I guess :slightly_smiling:
Thanks for your help


#9

Any word from all-inkl when official support for Let’s Encrypt will be available from within KAS? They are aware that Let’s Encrypt might be in beta for a long time?

Still, I find it sad that they sabotage the webroot method. Why already lock the validation path when official support is not available?


#10

Well, you must accept that they want to implement it as well, fully automated. Therefore no further tampering with external tools! I think that this is a good plan! Yes, it means that we can’t use this for the time being, but the result is that we all get free certificates with just one mouse click.

Try StartSSL in the meantime or ask support to create new certificates for you.


#11

Sure, when support in KAS is finally available, it will be a good thing. But until then (and nobody knows when this will be, it could be a long time), no automated solution seems to be available, since they locked the validation folder and their solution does not provide automated renewal yet.

Having to ask support for each activation or renewal feels a bit silly, if I could have automated it easily myself. I don’t think there is an absolute technical requirement to lock the validation folder.


#12

Again, there are alternatives which are still working fine. StartSSL offers certificates which are valid for one year!

I understand that you are a bit frustrated, and I got the same information that All-Inkl’s LE support won’t be available in beta, but I’m sure as soon as they believe that they have a stable implementation and LE won’t come out of beta quickly, they will allow us to use the feature.
This might take till the end of January, but again, it’s a simple mail you need to send to support every 2 1/2 months… I don’t think that this will kill anyone.
As well, as soon as they are swamped with renewal mails, they will clearly release it sooner rather than later :slight_smile: