Installed beta09le and ran auto WP setup and selected to get the LetsEncrypt SSL and at the end I get: What does "lacks sufficient authorization" mean? I thought they were in public beta now?
2 reasons this could happen:
1. the .well-known url isn't working properly in Centmin Mod's Nginx implementation, i.e. 403 error is permission denied
2. you're hitting LE server side rate limits set during public beta, see SSL - Letsencrypt Free SSL Public Beta December 3th 6PM GMT | Centmin Mod Community, so if wphstest3.xyz domain and subdomains total more than 5 per 7 days, you'll hit a rate limit. So if you have main wphstest3.xyz and 4 subdomains off it, you would hit the 5 certs per domain limit per 7 days.
I've only run this once. This is my first time ever trying to use LetsEncrypt so it must be option #1?
try verbose manual run with -v and see
Code:
/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/wphstest3.xyz/public -d wphstest3.xyz -d www.wphstest3.xyz certonly -v
see what the output shows - post to gist or pastebin
The whole thing:
Code:
[root@vultr ~]# /root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/wphstest3.xyz/public -d wphstest3.xyz -d wphstest3.xyz certonly -v
2015-12-07 03:32:27,693:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-12-07 03:32:27,716:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-07 03:32:28,102:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-letsencrypt.pem
2015-12-07 03:32:28,106:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-letsencrypt.pem
2015-12-07 03:32:28,108:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-07 03:32:28,192:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-07 03:32:28,322:INFO:letsencrypt.auth_handler:Performing the following challenges:
2015-12-07 03:32:28,322:INFO:letsencrypt.auth_handler:http-01 challenge for wphstest3.xyz
2015-12-07 03:32:28,330:INFO:letsencrypt.auth_handler:Waiting for verification...
2015-12-07 03:32:28,337:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-07 03:32:31,456:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-07 03:32:31,539:INFO:letsencrypt.reporter:Reporting to user: The following 'urn:acme:error:unauthorized' errors were reported by the server:

Domains: wphstest3.xyz
Error: The client lacks sufficient authorization
2015-12-07 03:32:31,540:INFO:letsencrypt.auth_handler:Cleaning up challenges
Failed authorization procedure. wphstest3.xyz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wphstest3.xyz/.well-known/acme-challenge/jzYdRsFj6wRXsUzrQ68uISRrv1HiBdEJyt9givOGBqc [108.61.119.113]: 403
you can wipe the test nginx vhost using the generated output at the bottom when you created a nginx vhost, you would have gotten some rm -rf lines which remove the nginx vhost etc so you can try the same domain again. also post the output for your /usr/local/nginx/conf/staticfiles.conf file which has the .well-known url support added which allows LE validations i.e.
Code:
# prepare for letsencrypt
# https://community.centminmod.com/posts/17774/
location ~ ^/.well-known {
  location ~ ^/.well-known/acme-challenge/(.*) {
    default_type text/plain;
    charset off;
  }
}
also post your contents in CODE tags for your /usr/local/nginx/conf/conf.d/wphstest3.xyz.ssl.conf and /usr/local/nginx/conf/conf.d/wphstest3.xyz.conf vhost config files
yes it's required before LE can work, as self-signed ssl creates the ssl nginx vhost structure and config first and LE utilises that and replaces the self-signed ssl cert with the LE SSL cert when successful. If LE validation fails, then the self-signed ssl cert is left in place
/usr/local/nginx/conf/staticfiles.conf had this at the top:
Code:
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name wphstest3.xyz www.wphstest3.xyz;
#   return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name wphstest3.xyz www.wphstest3.xyz;

  ssl_dhparam /usr/local/nginx/conf/ssl/wphstest3.xyz/dhparam.pem;
  ssl_certificate /usr/local/nginx/conf/ssl/wphstest3.xyz/wphstest3.xyz.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/wphstest3.xyz/wphstest3.xyz.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM$
  ssl_prefer_server_ciphers on;

  #add_header Alternate-Protocol 443:npn-spdy/3;

  # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
  # You'd want to include subdomains if you're using SSL wildcard certificates
  # include subdomain
  #add_header Public-Key-Pins 'pin-sha256="Xy8HBUE2Myob4Xs7CvS2/uwBGc1OE9PCM+1p1QxhidA="; pin-sha256="iVRmyhRfMry8GSSM8d+bGh8aIzAFbfe2RtesQ0gDS0c="; max-age=86400; includeSubDomains';
  # exclude subdomains
  #add_header Public-Key-Pins 'pin-sha256="Xy8HBUE2Myob4Xs7CvS2/uwBGc1OE9PCM+1p1QxhidA="; pin-sha256="iVRmyhRfMry8GSSM8d+bGh8aIzAFbfe2RtesQ0gDS0c="; max-age=86400';
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/wphstest3.xyz/wphstest3.xyz-trusted.crt;

Code:
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html

# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#  listen 80;
#  server_name wphstest3.xyz;
#  return 301 $scheme://www.wphstest3.xyz$request_uri;
# }

server {
  server_name wphstest3.xyz www.wphstest3.xyz;

  # ngx_pagespeed & ngx_pagespeed handler
  #include /usr/local/nginx/conf/pagespeed.conf;
  #include /usr/local/nginx/conf/pagespeedhandler.conf;
  #include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi on;

  access_log /home/nginx/domains/wphstest3.xyz/log/access.log combined buffer=256k$
  error_log /home/nginx/domains/wphstest3.xyz/log/error.log;

  root /home/nginx/domains/wphstest3.xyz/public;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  include /usr/local/nginx/conf/wpsupercache_wphstest3.xyz.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/rediscache_wphstest3.xyz.conf;

  location / {

  # Enables directory listings when index file not found
  #autoindex on;

  # for wordpress super cache plugin
  try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $ur$
  # Wordpress Permalinks
  #try_files $uri $uri/ /index.php?q=$uri&$args;
  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files $uri $uri/ /index.php?$args;

  }

  location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    auth_basic "Private";
The second run had the same output:
Code:
letsencrypt client is installed at: /root/.local/share/letsencrypt/bin/letsencrypt
----------------------------------------------------
obtaining Letsencrypt SSL certificate via webroot authentication...
/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --usphstest3.xyz/public -d wphstest3.xyz -d www.wphstest3.xyz certonly
Failed authorization procedure. wphstest3.xyz (http-01): urn:acme:error:unauthorizehttp://wphstest3.xyz/.well-known/acme-challenge/O-p-5iUF1Ww9Fu9uIQQ4THoHpu_Zy3lCia1ror:unauthorized :: The client lacks sufficient authorization :: Invalid response fqz1-BsW3WB1JcnmIicfiniEHK7c [IP]: 403

IMPORTANT NOTES:
 - The following 'urn:acme:error:unauthorized' errors were reported by the server:

   Domains: wphstest3.xyz, www.wphstest3.xyz
   Error: The client lacks sufficient authorization
did you enable the drop.conf include in your vhost? as that's the only other place I know with dot prefix file and directory blocking which could interfere with .well-known uri access by LE servers for validation
It's enabled in both ssl.conf and the non conf - should I comment them then re run:
Code:
/root/.local/share/letsencrypt/bin/letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos7-webroot --webroot-path /home/nginx/domains/wphstest3.xyz/public -d wphstest3.xyz -d www.wphstest3.xyz certonly -v
oh you're using cloudflare (intoDNS: wphstest3.xyz - check DNS server and mail server health). Won't work with cloudflare in front of server! I added a check for that in 123.09beta01le, maybe you didn't get that update yet: update letsencrypt integration add cloudflare check · centminmod/centminmod@8366122 · GitHub. Also the cloudflare note at SSL - Letsencrypt Free SSL Public Beta December 3th 6PM GMT | Centmin Mod Community
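Both failure causes in this thread (nginx returning 403 for /.well-known/acme-challenge/, and DNS pointing at Cloudflare instead of the origin) can be checked before spending any of the public-beta rate limit. The script below is an added example, not Centmin Mod or letsencrypt client code; it assumes curl, getent and awk exist on the host, and the token it writes is a constructed one, not a real ACME challenge.

```shell
#!/bin/sh
# Pre-flight for Let's Encrypt http-01 (webroot) validation on a Centmin Mod-style nginx host.
# Added example, not Centmin Mod or letsencrypt code. Assumes curl, getent and awk are present.
# It reproduces the two failure causes from the thread without spending rate-limit budget:
#   1. a 403 on /.well-known/acme-challenge/ (dot-prefix blocking, e.g. drop.conf)
#   2. DNS pointing at a proxy/CDN such as Cloudflare instead of this server

# Local path and public URL for a challenge token under the vhost's webroot.
acme_token_path() { printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }
acme_token_url()  { printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }

# Create the token file the way the letsencrypt client does and print its path.
acme_write_token() {
  path=$(acme_token_path "$1" "$2")
  mkdir -p "$(dirname "$path")" && printf '%s' "$2" > "$path" && printf '%s\n' "$path"
}

# A challenge is only served correctly if the status is 200 and the body is the exact token.
acme_response_ok() { [ "$1" = "200" ] && [ "$2" = "$3" ]; }

# Resolve the first IPv4 address of a name; a proxy is in front when it is not this server's IP.
resolve_ipv4()   { getent ahostsv4 "$1" | awk '{print $1; exit}'; }
proxy_in_front() { [ "$1" != "$2" ]; }

# Write a constructed token, fetch it over plain HTTP like the ACME server would, then clean up.
acme_preflight() {
  domain="$1"; webroot="$2"
  token="preflight-$(date +%s)"   # constructed token, never a real ACME challenge
  path=$(acme_write_token "$webroot" "$token") || { echo "FAIL: cannot write under $webroot"; return 1; }
  tmp=$(mktemp)
  code=$(curl -s -A acme-preflight -o "$tmp" -w '%{http_code}' "$(acme_token_url "$domain" "$token")")
  fetched=$(cat "$tmp"); rm -f "$tmp" "$path"
  if acme_response_ok "$code" "$fetched" "$token"; then
    echo "OK: $domain serves .well-known/acme-challenge (HTTP $code)"
  else
    echo "FAIL: HTTP $code for the challenge URL; 403 means nginx denies dot-prefixed paths (check drop.conf)"
    return 1
  fi
}

# Usage: sh acme_preflight.sh wphstest3.xyz /home/nginx/domains/wphstest3.xyz/public 108.61.119.113
main() {
  resolved=$(resolve_ipv4 "$1")
  if proxy_in_front "$resolved" "$3"; then
    echo "WARN: $1 resolves to ${resolved:-nothing}, not $3; a CDN/proxy (e.g. Cloudflare) answers instead of nginx"
  fi
  acme_preflight "$1" "$2"
}
if [ $# -ge 3 ]; then main "$@"; fi
```

With the "cloud" still orange on Cloudflare the WARN line fires and curl reaches Cloudflare rather than the origin, which is the case the check above is meant to catch before the letsencrypt client is run.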
I turned Cloudflare off ("clicked the cloud off") but forgot to turn it completely off and only use the DNS. I'll try again in 10-15 minutes. I'm only using the DNS on Cloudflare. You can use the DNS only, right?