(DC) ACME Error when requesting certificates
Description
Attempting to use the provided ACME credentials to request a certificate with certbot for a specific host FQDN within a domain fails with the error "The client lacks sufficient authorization...".
Problem
The following error message is displayed upon certificate request using certbot:
Error message on command line
An unexpected error occurred:
The client lacks sufficient authorization :: The identifiers are not all linked to the same preauthorized Subject organization name/address
Please see the logfiles in /var/log/letsencrypt for more details.
/var/log/letsencrypt/error.log
Error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The identifiers are not all linked to the same preauthorized Subject organization name/address
2022-06-29 11:29:24,615:ERROR:certbot._internal.log:An unexpected error occurred:
2022-06-29 11:29:24,615:ERROR:certbot._internal.log:The client lacks sufficient authorization :: The identifiers are not all linked to the same preauthorized Subject organization name/address
Resolution
Ensure that the appropriate entries for an FQDN are given in the list of domains for an ACME account.
Generally, you do NOT need to specify the entry for "*.domain....". That entry does not mean "wildcard" or "all hosts"; instead it refers to subdomains, which are not automatically given, and this can be confusing.
(domain).utexas.edu
The domain ‘domain.com’ will issue certificates for "Any FQDN (wildcard or non-wildcard) under that domain, plus that domain itself"
If the domain is not listed in the Available domains section, then you must add the domain, perform DCV, and delegate it to your Organization/Department. This is usually a request that must be completed by ISO.
Examples
domain.com
it.domain.com
*.domain.com
it.abc.domain.com

xyz.domain.com
abc.xyz.domain.com
*.xyz.domain.com
acmetest.abc.xyz.domain.com
Will not work for:
domain.com
abc.domain.com
acmetest.domain.com
*.domain.com
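
The coverage rule from the Resolution and Examples sections, written as a pre-flight check to run before certbot. This is an added example, not part of the original article and not certbot or CA tooling. The function names and the sample account list are assumptions, and only plain domain entries in the account list are modeled.

```python
"""Pre-flight check: are all requested names covered by the ACME account's domains?"""


def normalize(name: str) -> str:
    """Lowercase and drop a trailing dot so comparisons are label-exact."""
    return name.strip().lower().rstrip(".")


def is_covered(identifier: str, account_domains: list[str]) -> bool:
    """True if an account entry equals the identifier or is a parent domain of it."""
    name = normalize(identifier)
    # A wildcard request (*.xyz.domain.com) is judged by its base name.
    if name.startswith("*."):
        name = name[2:]
    for entry in map(normalize, account_domains):
        # Match on a label boundary: "notdomain.com" must not match "domain.com".
        if name == entry or name.endswith("." + entry):
            return True
    return False


def uncovered(identifiers: list[str], account_domains: list[str]) -> list[str]:
    """Return the requested identifiers that no account entry covers."""
    return [i for i in identifiers if not is_covered(i, account_domains)]


if __name__ == "__main__":
    # Constructed sample: the account only has xyz.domain.com in its domain list.
    account = ["xyz.domain.com"]
    wanted = ["abc.xyz.domain.com", "*.xyz.domain.com", "acmetest.domain.com"]
    missing = uncovered(wanted, account)
    if missing:
        print("Not covered by the ACME account's domain list:", ", ".join(missing))
    else:
        print("All identifiers are covered by the account's domain list.")
```

Any name it reports needs its domain added to the account as described in the Resolution section.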