Let's Encrypt Error "urn:acme:error:unauthorized"

I use Let's Encrypt and get the error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: malformed token

I try "sudo service nginx stop" but get the error: nginx service not loaded

tatiana17 asked Apr 12 '16 14:04


1 Answer

So I had a lot of trouble with this stuff. Basically, the error means that certbot was unable to find the file it was looking for when testing that you owned the site. This has a number of potential causes, so I'll try to summarize, because I encountered most of them when I set this up. For more reference material, I found the GitHub README much more useful than the docs.

First thing to note is that the nginx service needs to be running for the acme authorization to work. It looks like you're saying it's not, so start by spinning that up.

sudo service nginx start

With that going, everything here is based on the file location of the website you're trying to create a certificate for. If you don't know where that is, it will be in the relevant configuration file under /etc/nginx, which depends largely on your version of NGINX, but is usually under /etc/nginx/nginx.conf or /etc/nginx/sites-enabled/[site-name] or /etc/nginx/conf/[something].conf. Note that the configuration file (or at least its directory) should be listed under /etc/nginx/nginx.conf, so you might start there.

This is an important folder, because this is the folder that certbot needs to modify. It needs to create some files in a nested folder structure so that the URL it tries to read returns the data from those files. The folder it tries to create will be under the root directory you give it, under the folder:

/.well-known/acme-challenge

It will then try to create a file with an obscure name (I think it's a GUID), and read that file from the URL. Something like:

http://example.com/.well-known/acme-challenge/abcdefgh12345678

This is important, because if your root directory is poorly configured, the URL will not match the folder and the authorization will fail. And if certbot does not have write permissions to the folders when you run it, the file will not be created, so the authorization will fail. I encountered both of these issues.

Additionally, you may have noticed that the above URL is http, not https. This is also important. I was using an existing encryption tool, so I had to configure NGINX to allow me to view the /.well-known folder tree under port 80 instead of 443, while still keeping most of my data under the secure HTTPS URL. These two things make for a somewhat complicated NGINX file, so here is an example configuration to reference.

server {
        listen 80;

        server_name     example.com;

        # Serve the ACME challenge files over plain HTTP. With `root`, nginx
        # appends the full request URI, so the file must exist at
        # /home/example/.well-known/acme-challenge/<token>
        location '/.well-known/acme-challenge' {
                default_type "text/plain";
                root /home/example;
        }

        # Everything else is redirected to HTTPS
        location '/' {
                return  301 https://$server_name$request_uri;
        }
}

This allows port 80 for everything related to the certbot challenges, while retaining security for the rest of my website. You can modify the directory permissions to ensure that certbot has access to write the files, or simply run it as root:

sudo ./certbot-auto certonly

After you get the certificate, you'll have to set it up in your config as well, but that's outside the scope of this question, so here's a link.

deltree answered Oct 11 '22 08:10
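The answer above boils down to one condition: the file certbot writes under <webroot>/.well-known/acme-challenge must come back byte-for-byte when fetched over plain HTTP, and the "malformed token" message in the question is what you see when that does not happen. The script below is an added example, not code from the question, the answer, or certbot: it writes a throwaway token where certbot's webroot plugin would, fetches it back the way the ACME validator does, and reports whether the `root` directive and the URL line up before you run certbot. The thumbprint suffix, the example.com URL and the `fetch_from_webroot` stand-in (which reads files from a directory with nginx `root` semantics so the check can run offline) are assumptions of this example.

```python
"""Pre-flight check for a Let's Encrypt HTTP-01 webroot (added example).

Writes a random token under <webroot>/.well-known/acme-challenge, fetches
the matching URL, and compares the bytes, so root/alias mistakes, stray
redirects and missing write permissions surface before certbot is run.
"""
from __future__ import annotations

import secrets
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
from urllib.request import urlopen

CHALLENGE_DIR = ".well-known/acme-challenge"


def nginx_root_path(root: str, uri: str) -> Path:
    """Filesystem path nginx serves for `uri` under a `root` directive.

    `root` appends the whole request URI to the directory, so with
    `root /home/example;` the challenge URL maps to
    /home/example/.well-known/acme-challenge/<token>. (`alias` would strip
    the location prefix instead, a common source of 404s here.)
    """
    return Path(root) / uri.lstrip("/")


def write_challenge(webroot: str, token: str, body: str) -> Path:
    """Create the challenge file where certbot's webroot plugin would put it."""
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)  # fails here if not writable
    path = challenge_dir / token
    path.write_text(body)
    return path


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch the challenge URL over HTTP on port 80, as the ACME validator does."""
    with urlopen(url, timeout=timeout) as resp:  # follows redirects like the CA does
        return resp.read().decode("utf-8")


def fetch_from_webroot(root: str):
    """Offline stand-in for http_fetch (assumed helper): serve files from `root`
    exactly as nginx would with `root <dir>;` for the challenge location."""
    def fetch(url: str) -> str:
        return nginx_root_path(root, urlsplit(url).path).read_text()
    return fetch


def preflight(webroot: str, base_url: str, fetch=http_fetch) -> tuple[bool, str]:
    """Write a random token, fetch it back, and report whether the mapping works.

    A real key authorization is `<token>.<JWK thumbprint>` (RFC 8555); the
    suffix used here is a labelled placeholder since no account key is involved.
    """
    token = secrets.token_urlsafe(32)          # URL-safe, so usable as a filename
    body = f"{token}.PLACEHOLDER-THUMBPRINT"   # placeholder, not a real thumbprint
    path = write_challenge(webroot, token, body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        served = fetch(url)
    except Exception as exc:  # 404, connection refused (nginx down), permissions
        return False, f"could not fetch {url}: {exc}"
    finally:
        path.unlink(missing_ok=True)  # never leave test tokens in the webroot
    if served.strip() != body:
        return False, ("served content differs from the file on disk: "
                       "check root vs alias and that no rewrite/redirect covers the path")
    return True, "webroot and URL mapping agree"


def demo() -> tuple[bool, bool]:
    """Run the check offline against a correct root and a mismatched one."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as wrong:
        ok_good, _ = preflight(good, "http://example.com", fetch_from_webroot(good))
        ok_wrong, _ = preflight(good, "http://example.com", fetch_from_webroot(wrong))
    return ok_good, ok_wrong


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Against a live server, call preflight("/home/example", "http://example.com") with the default http_fetch; it returns (False, "could not fetch ...") when nginx is down or the path 404s, and the "served content differs" message when the location serves something other than the file on disk, which is the situation that produces the "malformed token" error in the question.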