Cannot create new certificate


Please fill out the fields below so we can help you better.

My domain is: (among other sub domains)

I ran this command:
certbot certonly --expand --standalone --preferred-challenges http-01 -m <redacted> --agree-tos --http-01-port 31337

It produced this output:
- The following errors were reported by the server:

   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   != []

My operating system is (include version):
Linux ha-01 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

My web server is (include version):
HAProxy / Standalone
I’m using HAProxy to forward requests to acme-challenges at port 80 to the standalone server at port 31337

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


You need to use port 80 for the http-01 challenge - not port 31337


I use HAProxy, which forwards the requests from port 80 to the standalone servers port 31337.


The error is essentially saying that when the external Let’s Encrypt server tries to verify your domain at…jnk2Gc-Y

it doesn’t get a simple, correct, text reply.

If I try to go to that URL I get a redirect to login pages. is there anything else running?


Yes, the directory “/well-known/” should be “/.well-known/”, and since the standalone server only runs when I’m running the command, it’s only reporting a 503 (Service unavailable)-page.

But when I check the log, it gets a 200 HTTP code when it tries to fetch the challenge.

2017-01-05 11:36:16,590:DEBUG:acme.standalone: - - Incoming request
2017-01-05 11:36:16,590:DEBUG:acme.standalone: - - Serving HTTP01 with token u'VCOzuNfQgPYQX9j4zivuEEjyhUqC-PaKb1aS2eG_8AU'
2017-01-05 11:36:16,591:DEBUG:acme.standalone: - - "GET /.well-known/acme-challenge/VCOzuNfQgPYQX9j4zivuEEjyhUqC-PaKb1aS2eG_8AU HTTP/1.1" 200 -

This command works well for other domains, but this specific domain have been issued before, on another server.

I have revoked the old certificates. If I try to revoke them again, it tells me they’re already revoked.


Unless the old certs have been compromised ( hopefully not) you shouldn’t need to revoke them.

Maybe if @cpu can see if there is any additional info on the Let’s Encrypt logs as to why it looks as if it was giving a correct 200 page but Let’s Encrypt was rejecting it.


Correct! Thanks @serverco. @NoLifeKing, please don’t revoke certificates unless you suspect them compromised. It’s unnecessary and doesn’t accomplish much due to the inherent problems with revocation.

Sure thing!

@NoLifeKing Looking at the logs from our end it appears like HAProxy or the origin webserver behind it are producing a 200 response to the validation HTTP request, but with an empty response body. Is there anything in your configuration that might suggest why?

E.g. for the most recent failed attempt I see:

"detail":"The key authorization file from the server did not match this challenge [nckax...] != []"

The first portion [nckax...] is what we expected to find. The second portion [] is the whitespace trimmed response body from the HTTP request.

I see the same error for the QKvAHb... authorization shared in this thread:

"detail":"The key authorization file from the server did not match this challenge [QKvAHb...] != []"

Can you verify that you can externally CURL a file from the /.well-known/acme-challenge directory through HAProxy and receive the correct response body?

Hope this helps!

Does revocation cause additional load?

A post was split to a new topic: Does revocation cause additional load?


@cpu It works well, when I try and create/renew certs for another domain (

But when I try and run the exact same command, but with either of my domains, it always fails.

Is there some way I can attach the log, without it being compromised, I’m not sure what information is “dangerous” to post. :slight_smile:


Right, but what about the domain that’s failing? Can you verify you can access a file from the /.well-known/acme-challenge directory for that domain through HAProxy?

I don’t think there is anything particularly sensitive to worry about here. I’d normally suggest emailing sensitive information to me directly but in this case I’m confident it’s not a server-side issue and I’m afraid I don’t have the cycles today to help debug anything non-Boulder related this week. Sharing in the forum is the best way for someone to help you with your HAProxy/webserver configuration.


Here’s the log for the combined command for all domains.

letsencrypt.txt (117.1 KB)

Since I’m using standalone create my certificates, it’s quite bothersome to see if I can access the file through the HAProxy, since by the time I know what URL I’m supposed to go to, the server is already closed down.

Is there some way to keep the standalone server up for a while longer?

This is the first time I’m using certbot on linux, so I don’t know if there is anything I can do to fix this. :slight_smile:


That’s giving the same issue as before ( by the look of the logs). i.e. the Let’s Encrypt server is obtaining a null response.

What’s the device you are running certbot on in standalone ? Is it possible to place a really simple web server there and check that everything is going through the HAproxy correctly ?

Also, whilst not finding the cause of this specific issue) would the DNS-01 challenge be better for you ? that just requires an API to your DNS to add a specific text entry for Let’s Encrypt to verify.


I’ll try with a small nginx tomorrow and post the results.

Edit: Thank you for all your help, it’s really helpful with people who doesn’t just go “RTFM” :slight_smile:


You’re welcome :slight_smile: If you have python on there it may be as easy to test with “python -m SimpleHTTPServer 80” since that will give you a webserver in a one-liner ( just do it in a directory that only has a test file in it :wink: )


Using nginx to handle all incoming requests worked fine!

Thanks @cpu and @serverco for your help.

Strange that the standalone one presented empty challenges for, when works though :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.