LetsEncrypt error:The client lacks sufficient authorization

NethServer Version: 7.3
Is there a how-to available for Let’s Encrypt for NethServer?
I have an NS that is accessible at office.mydomain.com from the web, and I need to get a certificate installed.
I need to use it for WebTop and Nextcloud; does that matter to the certificate?

I enter office.mydomain.com in the Server Certificate section, and click Request Let’s Encrypt Certificate.
Sorry, I’m a newbie at certificates, and not sure where to start, and can’t find documentation.
I get the following error:

Registering without email! Failed authorization procedure. office.mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.mydomain.com/.well-known/acme-challenge/ZuNQKWTtiUbxvcjqUv_wXDB8EUJXwA2fIGrDgP7Oe-o: " 404 Not Found

Not Found


There are some notes in the manual. Just make sure the conditions are met.
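The 404 in the original post means the ACME server asked for the challenge file under /.well-known/acme-challenge/ on port 80 and the web server did not serve it. The script below is an added example (not from this thread or from NethServer) that checks that condition before clicking "Request Let’s Encrypt Certificate": it drops a throw-away token into the webroot, fetches it through the same URL the CA would use, and reports which condition failed. The `webroot` path and the optional `base_url` are assumptions; `base_url` lets the check run against a file:// URL without a web server.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def acme_preflight(webroot, hostname, base_url=None, timeout=10):
    """Check that an http-01 challenge file placed in `webroot` is served at
    the URL the ACME server will fetch. Returns (ok, message).

    base_url defaults to http://<hostname>, which is what Let's Encrypt
    uses for http-01; override it (e.g. with file://) for offline tests.
    """
    base_url = base_url or "http://%s" % hostname
    # Constructed token/body: the real token is chosen by the CA.
    token = "preflight-" + secrets.token_urlsafe(16)
    body = ("probe-" + secrets.token_hex(8)).encode()
    chal_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read()
    except urllib.error.HTTPError as e:
        # The server answered but not with our file: wrong vhost/webroot,
        # or a redirect that lands on a page returning 404 (as in the post).
        return False, "HTTP %d from %s: wrong webroot/vhost or redirect" % (e.code, url)
    except urllib.error.URLError as e:
        # No answer at all: DNS, or port 80 is closed to the WAN.
        return False, "cannot reach %s (%s): check DNS and that port 80 is open" % (url, e.reason)
    finally:
        os.remove(path)  # never leave probe files behind
    if got != body:
        return False, "unexpected content at %s: another site or proxy answered" % url
    return True, "http-01 challenge path is served correctly at %s" % url


if __name__ == "__main__":
    print(acme_preflight("/var/www/html", "office.mydomain.com"))
```

Run it on the NethServer host from outside the LAN's perspective (or from an external box with the webroot mounted) so that the port-80 test is meaningful; a success here does not guarantee issuance, but a failure tells you which of the manual's conditions is not met.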

Thanks so much, that was easy.
I just had to open port 80 temporarily on my NS server.

Port 80 must be open for LE certificate auto-renewal too.

Can we force renewal when we get the renewal email from them?
Does NS handle auto-renewal once you have requested the original certificate, or is there any setup that needs to be done?
It is not safe to leave port 80 open, is it?

NethServer will handle the renewal automatically without requiring user intervention.
The renewal can also be triggered manually from command line (I think it’s):

signal-event certificate-update

About open ports, the less the better, but for some services to be accessible from the WAN some ports have to be open.

@hucky, can you comment on how you handle it? I think it could be helpful. 🙂

@dnutan I have closed it by firewall rules and don't have problems so far 🙂

@hucky No problems with what?
You closed port 80 to WAN and the auto-renewal of LE still works?
I guess I will find out in 90 days, but this server will go into production before then, and I was hoping to have this settled. It is my understanding that I can’t renew early; is this true, and if so, is there a way to just test?

Port 80 must always be open for LE renewal.

Ok, thanks, I assumed that.
Do you know if we still get the renewal email from LE when it’s auto-renewal?
Although it may be a pain to just open it when needed, it might be an option.

Of course, if you enter your mail address inside the web interface, LE will warn you before the certificate expires.