This repository has been archived by the owner on Aug 12, 2020. It is now read-only.

Rewrite rules in htaccess cause an error: The client lacks sufficient authorization #13

Closed
Dx3webs opened this issue Dec 4, 2015 · 22 comments

Comments

@Dx3webs

Dx3webs commented Dec 4, 2015

Getting.. (logged in as root user, have also tried admin user)

Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: 2015-12-04 18:52:36,802:WARNING:letsencrypt.cli:Root (sudo) is required to run most of letsencrypt functionality.
Failed authorization procedure. a_domain.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://a_domain.co.uk.co.uk/.well-known/acme-challenge/0wPfl4lr8OFueUZVgmoJkBT97AE6i_1qG3P0tg0oetI [212.38.162.227]: 404
IMPORTANT NOTES:

  • The following 'urn:acme:error:unauthorized' errors were reported by
    the server:

Domains: a_domain.co.uk.co.uk
Error: The client lacks sufficient authorization

@Liwindo

Liwindo commented Dec 4, 2015

The same goes for me, see: http://talk.plesk.com/threads/lets-encrypt-support.334195/

@Toolwheel

Same problem here.

@bajramemini

Same problem here:

Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: /usr/local/psa/var/modules/letsencrypt/venv.AC4u4/lib/python2.6/site-packages/cryptography/__init__.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
DeprecationWarning
2015-12-04 23:42:29,882:WARNING:letsencrypt.cli:Root (sudo) is required to run most of letsencrypt functionality.
/usr/local/psa/var/modules/letsencrypt/venv.AC4u4/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py:789: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
Failed authorization procedure. domain.ch (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.ch/.well-known/acme-challenge/MZkjqv9y_kiA3LYaxCTrSnX8TYoxmLts5qriBavwvaI [xx.xxx.xx.xxx]: 403
IMPORTANT NOTES:
- The following 'urn:acme:error:unauthorized' errors were reported by
the server:

Domains: fayaa.ch
Error: The client lacks sufficient authorization

Any solution or idea how to fix this?

@bajramemini

According to the comments here: https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt

Eugene Kazakov:
Make sure the domain is accessible via http and returns no error.
The problem might be caused by some specific .htaccess rewrite rules or configurations.
Try to put any file and download it from the direct URL.

So I just disabled my .htaccess file to install the certificate. It worked fine.

Regards

@Dx3webs
Author

Dx3webs commented Dec 4, 2015

Argh.. the two domains I tested on were also tests for Cloudflare... another domain worked fine.

@Liwindo

Liwindo commented Dec 4, 2015

Changing the .htaccess worked, but that's not a solution, 'cause I'm not willing to rename it every 90 days.

@jtherin

jtherin commented Dec 4, 2015

Same problem when using BasicAuth.

@xgin
Member

xgin commented Dec 5, 2015

Guys, could you post here (or in gists) the content of your .htaccess files blocking the validation?

@Toolwheel

Great, it works if you delete the .htaccess file and create the certificate. Then copy the .htaccess file back to the domain and it works.

@Liwindo

Liwindo commented Dec 5, 2015

<IfModule mod_headers.c>
  <IfModule mod_fcgid.c>
    <IfModule mod_setenvif.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>
  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for CSS and JS files
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 512M
  php_value post_max_size 512M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R=301,L]
  RewriteRule ^apps/calendar/caldav\.php remote.php/caldav/ [QSA,L]
  RewriteRule ^apps/contacts/carddav\.php remote.php/carddav/ [QSA,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

@djimno

djimno commented Dec 8, 2015

I have the same problem only on ownCloud. And I don't understand Liwindo's last post.

@DavidAkroyd

djimno - the ownCloud .htaccess does indeed block Let's Encrypt - the temporary solution is to move the .htaccess file to .htaccess.bak or similar, generate the certificate, then move it back (temporary outage)

Liwindo's post is a reply to:
"xgin commented 3 days ago
Guys, could post here (or in gists) the content of your .htaccess files blocking the validation?"

Feel free to post the .htaccess for your own ownCloud to help diagnose this

@djimno

djimno commented Dec 8, 2015

My .htaccess

# Version: 8.0.3
<IfModule mod_fcgid.c>
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
</IfModule>
</IfModule>
<IfModule mod_php5.c>
php_value upload_max_filesize 50.1G
php_value post_max_size 50.1G
php_value memory_limit 512M
php_value mbstring.func_overload 0
php_value always_populate_raw_post_data -1
php_value default_charset 'UTF-8'
php_value output_buffering off
<IfModule mod_env.c>
  SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R]
RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R]
RewriteRule ^apps/calendar/caldav\.php remote.php/caldav/ [QSA,L]
RewriteRule ^apps/contacts/carddav\.php remote.php/carddav/ [QSA,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
        ModPagespeed Off
</IfModule>
<IfModule mod_headers.c>
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>

ErrorDocument 403 /core/templates/403.php
ErrorDocument 404 /core/templates/404.php

@xgin
Member

xgin commented Dec 8, 2015

Guys, I'd like to have a proof of concept of the proposed fix: put the file .well-known/acme-challenge/.htaccess (relative path from the domain's webroot) with the following content:

<IfModule mod_rewrite.c>
  RewriteEngine off
</IfModule>
Satisfy any

Please, write back about results: is the renewal successful?

@DavidAkroyd

I "think" it works - unfortunately I just got an error message saying that it couldn't replace the current certificate, and when I fixed that I hit the limit for max certificates a day :(

However, the certificate was successfully issued (and placed in the folder) so this does appear to be a solution currently
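Added example, not code from the original issue, from the Plesk extension, or from anyone in the thread: a Python pre-flight probe that does what the advice quoted above ("put any file and download it from the direct URL") amounts to. It drops a file under .well-known/acme-challenge/, fetches it over plain HTTP the way a validator would, and classifies 403 (access control such as BasicAuth), 404 (rewrite rules or a missing file) and body mismatch (a rewrite that served some other page), so the failure is seen locally instead of after the CA has spent one of the daily certificate slots mentioned in the comment above. The local servers are constructed stand-ins for Apache and do not read .htaccess; `run_preflight`, `probe`, `HiddenDirBlocker` and the probe file layout are names and choices made here, and the 404/403 blocker mimics the ownCloud `^(\.|...)` [R=404] and Drupal `(^|/)\.` [F] rules posted in this thread.

```python
"""Pre-flight probe for the ACME http-01 challenge path (added example).

Stand-alone: the HTTP servers below are throwaway localhost servers
constructed for the demo, not Apache, and they ignore .htaccess.
"""
import functools
import http.server
import os
import secrets
import shutil
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_probe(webroot):
    """Create <webroot>/.well-known/acme-challenge/<token>; return (token, body)."""
    token = secrets.token_urlsafe(32)   # base64url, same alphabet as real ACME tokens
    body = token + ".probe"             # body != token so a rewrite to another page is obvious
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(body)
    return token, body


def probe(base_url, token, expected, timeout=10):
    """GET the challenge URL like a validator would; return (ok, reason).

    Redirects are followed (urllib's default). 403 points at access control
    (BasicAuth, Satisfy), 404 at rewrite rules or a missing file, and a body
    mismatch at a rewrite that served some other content with status 200.
    """
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except urllib.error.URLError as exc:
        return False, f"unreachable: {exc.reason}"
    if status != 200:
        return False, f"HTTP {status} for {url}"
    if body.strip() != expected:
        return False, "body mismatch: URL was rewritten to some other content"
    return True, "ok"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Plain static file server with request logging suppressed."""
    def log_message(self, *args):
        pass


class HiddenDirBlocker(QuietHandler):
    """Stand-in for the thread's culprits: rules that reject every path whose
    first segment starts with a dot (ownCloud answers 404, Drupal 403)."""
    block_status = 404

    def do_GET(self):
        if self.path.lstrip("/").startswith("."):
            self.send_error(self.block_status)
            return
        super().do_GET()


def serve(webroot, handler):
    """Start a throwaway HTTP server on an ephemeral localhost port."""
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(handler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_preflight(block_status=None):
    """Write a probe file, serve the webroot, fetch the probe; return (ok, reason).

    block_status=None serves the file plainly; 404 mimics the ownCloud rule,
    403 the Drupal rule, so both thread failure modes can be reproduced.
    """
    webroot = tempfile.mkdtemp()
    handler = QuietHandler
    if block_status is not None:
        handler = type("Blocker", (HiddenDirBlocker,), {"block_status": block_status})
    srv, base = serve(webroot, handler)
    try:
        token, body = write_probe(webroot)
        return probe(base, token, body)
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(webroot, ignore_errors=True)


if __name__ == "__main__":
    for status in (None, 404, 403):
        print(status or "no block", run_preflight(status))
```

Against a real host, call `write_probe` with the domain's document root and `probe("http://example.test", token, body)` with the public name; a result other than `(True, "ok")` means the CA will fail too, and the per-directory .htaccess override discussed in this issue (or a RewriteCond exempting .well-known) is what to fix before retrying.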

@Liwindo

Liwindo commented Dec 8, 2015

The certificate is created but not added in the Plesk-GUI.

@xgin xgin changed the title Failed letsencrypt execution Rewrite rules in htaccess cause an error: The client lacks sufficient authorization Dec 12, 2015
@tofi86

tofi86 commented Dec 21, 2015

Guys, I'd like to have a proof of concept of the proposed fix: put the file .well-known/acme-challenge/.htaccess (relative path from the domain's webroot) with the following content:

Thanks @xgin, that works very well!
Note that the directories .well-known/acme-challenge/ need to have webserver user:group permissions and cannot be root:root...

@tofi86

tofi86 commented Dec 21, 2015

The message The client lacks sufficient authorization with error code 404 also happens for default WordPress installations installed via Plesk.
@xgin would be nice to support these out of the box...

@Rar9

Rar9 commented Dec 30, 2015

+1 Same case with drupal installations.

@xgin xgin closed this as completed in b8d8112 Dec 31, 2015
lucer added a commit that referenced this issue Dec 31, 2015
Put .htaccess file in challenges directory (fixes #13 and #16)
@tofi86

tofi86 commented Dec 31, 2015

Great! Thanks for the .htaccess support! 👍

@einfallstoll

Could this be due to the preferred domain setting, where you can select whether it should prefer "www.", without, or "I don't care"?

@idflood

idflood commented Apr 28, 2016

I had the same issue with a Drupal install and found that there is a default rule in the Drupal 7 .htaccess file which forbids access to hidden directories:

# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. [...]
RewriteRule "(^|/)\." - [F]

A workaround is to add a RewriteCond just before the rewrite rule, but it would be better if we didn't have to alter the default .htaccess:

RewriteCond %{REQUEST_URI} !(\.well-known) [NC]
RewriteRule "(^|/)\." - [F]
