Get Free Linux Server Security, Performance & Troubleshooting Tips

Let’s Encrypt: The client lacks sufficient authorization :: Invalid response

Let’s Encrypt: The client lacks sufficient authorization :: Invalid response
5 (100%) 3 votes

Recently I started using Let’s Encrypt SSL certificates for my site cPanelTips.com. Let’s face it, Let’s Encrypt has changed the way we install SSL certificates.

The old days when you had to fill in your company and personal details, generate the CSR code, and then submit to the SSL registrar, to finally wait for the CRT code ware now gone.

Let’s Encrypt is an easy and fast way to install SSL certificates for both, cPanel and plain Linux servers. In my case, this SSL Certificates were installed on CentOS 7.x 64 bits and they work perfectly until the due date for the SSL renewal came up.




However, when the time of renewing the Let’s Encrypt ssl certificate was about to come, I noticed something weird while running the ‘renew’ option using ‘certbot’ command. See below.

[root@server.nixcp.com:~]/usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nixcp.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/nixcp.com.conf produced an unexpected error: Failed authorization procedure. nixcp.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nixcp.com/.well-known/acme-challenge/qtxjYi0a3FYNWpvqW-WTyZZzj848Yr0J6Sfx-75xDrg

The error was clear:

The client lacks sufficient authorization :: Invalid response from http://nixcp.com/.well-known/acme-challenge/

On the same renewal process I also saw another error on another website I manage:




All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mysecondsite.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mysecondsite.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mysecondsite.com/.well-known/acme-challenge/YjP9PAcIEANeX50kZJ9vJ-lARkryYs7yFSLhKBU9Y_M:
   404 Not Found

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. The A records were configured ok at the DNS server, and the first thing that came to my mind was that certbot was trying to connect to http://, instead of https://.

I had configured those two domains to use a 301 redirect from http to https, I tested this running curl against http to see if there was a problem with the 301 redirection, but that wasn’t the issue as far as I see.

curl -I http://nixcp.com/.well-known/acme-challenge/

Returned a 301 redirect OK state, then why certbot is not able to reach the final URL?

I don’t know, but there is something that worked out. I created an exception for the 301 redirect from http to https, and that made certbot renewal process to run without problems for both domains.

This was the code I used to redirect 301 all from http to https except for the .well-known directory used by Let’s Encrypt:

server {
   listen 80;
   server_name www.nixcp.com nixcp.com;
   
    # Redirect all requests to https
    location / {
        return 301 https://nixcp.com$request_uri;
    }

    # This rule excludes the .well-known directory from the 301 redirect.
    location /.well-known {
        root /var/www/nixcp.com;
    }
}

Leaving the .well-known directory accesible using http was the key to run the certbot renewal process without issues. After that, I ensured myself that the verification directory used by certbot was indeed created:

mkdir -p /var/www/caneltips.com/.well-known/acme-challenge

After that I run the renewal command again, and this was the result:

Let's Encrypt SSL Server Test for nixcp.com

It was renewed OK for another 3 months period! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *