Cannot Renew Certificate: The key authorization file from the server did not match this challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mkhomeserver.feste-ip.net

I ran this command: sudo /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default -a webroot --webroot-path /var/www/html/ -d mkhomeserver.feste-ip.net

It produced this output:
Failed authorization procedure. mkhomeserver.feste-ip.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “1dRE_FDP8oMefWCaorSvaKFPPKyYBAxkSLdcswvJrHU.yQoLV4gbSa2tVkwPmlEkXTMed7p-lOW7N08IBC5WXSI” != “1dRE_FDP8oMefWCaorSvaKFPPKyYBAxkSLdcswvJrHU.oBNd5smO5vYJ4JXg-7VH8ZPOOgURgOqPb-Ffq1bGeKA”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mkhomeserver.feste-ip.net
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “1dRE_FDP8oMefWCaorSvaKFPPKyYBAxkSLdcswvJrHU.yQoLV4gbSa2tVkwPmlEkXTMed7p-lOW7N08IBC5WXSI”
    !=
    “1dRE_FDP8oMefWCaorSvaKFPPKyYBAxkSLdcswvJrHU.oBNd5smO5vYJ4JXg-7VH8ZPOOgURgOqPb-Ffq1bGeKA”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Raspbian 10 Buster (Linux 4.19.75-v7+)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I am running my server on a DS-Lite connection. Therefore I am using a portmapper and http(s) proxy by feste-ip.net to access my server from the web. I have placed a file named testfile in /.well-known/acme-challenge/testfile. When accessed via https://mkhomeserver.feste-ip.net/.well-known/acme-challenge/testfile it correctly displays “hello you”. When accessed via http://mkhomeserver.feste-ip.net/.well-known/acme-challenge/testfile it displays testfile.oBNd5smO5vYJ4JXg-7VH8ZPOOgURgOqPb-Ffq1bGeKA. This behavior is shown with every filename, even with ones that do not exist on this path. The string here is the same one in the failed certiface renewal challenge.

My 000-default.conf is:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

	ServerName mkhomeserver.feste-ip.net

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =mkhomeserver.feste-ip.net
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<Directory /var/www/html/>
 Options +FollowSymlinks
 AllowOverride All
</Directory>

And my 000-default-le-ssl.conf is:

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


	ServerName mkhomeserver.feste-ip.net
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/mkhomeserver.feste-ip.net/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/mkhomeserver.feste-ip.net/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

<Directory /var/www/html/>
 Options +FollowSymlinks
 AllowOverride All
</Directory>

Additionally, there is an .htaccess file in my webroot:
>
>
>
> SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
> RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
>
>
> SetEnvIfNoCase Authorization “(.+)” HTTP_AUTHORIZATION=1 > </IfModule> > </IfModule> > > <IfModule mod_env.c> > # Add security and privacy related headers > Header always set Referrer-Policy "no-referrer" > Header always set X-Content-Type-Options "nosniff" > Header always set X-Download-Options "noopen" > Header always set X-Frame-Options "SAMEORIGIN" > Header always set X-Permitted-Cross-Domain-Policies "none" > Header always set X-Robots-Tag "none" > Header always set X-XSS-Protection "1; mode=block" > SetEnv modHeadersAvailable true > </IfModule> > > # Add cache control for static resources > <FilesMatch "\.(css|js|svg|gif)">
> Header set Cache-Control “max-age=15778463”
>
>
> # Let browsers cache WOFF files for a week
> <FilesMatch ".woff2?"> > Header set Cache-Control "max-age=604800" > </FilesMatch> > </IfModule> > <IfModule mod_php7.c> > php_value mbstring.func_overload 0 > php_value default_charset 'UTF-8' > php_value output_buffering 0 > <IfModule mod_env.c> > SetEnv htaccessWorking true > </IfModule> > </IfModule> > <IfModule mod_rewrite.c> > RewriteEngine on > RewriteCond %{HTTP_USER_AGENT} DavClnt > RewriteRule ^ /remote.php/webdav/ [L,R=302]
> RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
> RewriteRule ^.well-known/host-meta /public.php?service=host-meta [QSA,L]
> RewriteRule ^.well-known/host-meta.json /public.php?service=host-meta-json [QSA,L]
> RewriteRule ^.well-known/webfinger /public.php?service=webfinger [QSA,L]
> RewriteRule ^.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
> RewriteRule ^.well-known/carddav /remote.php/dav/ [R=301,L]
> RewriteRule ^.well-known/caldav /remote.php/dav/ [R=301,L]
> RewriteRule ^remote/(.) remote.php [QSA,L]
> RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.
- [R=404,L]
> #RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
> #RewriteRule ^(?:.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
>
>
> AddType image/svg+xml svg svgz
> AddEncoding gzip svgz
>
>
> DirectoryIndex index.php index.html
>
> AddDefaultCharset utf-8
> Options -Indexes
>
> ModPagespeed Off
>
> #### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
>
> ErrorDocument 403 //
> ErrorDocument 404 //

Hi @mkhs

there is a check of your domain - https://check-your-website.server-daten.de/?q=mkhomeserver.feste-ip.net

You are doing something wrong.

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-11-22 2020-02-20 mkhomeserver.feste-ip.net - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-10-28 2020-01-26 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-24 2020-01-22 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-23 2020-01-21 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-23 2020-01-21 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-22 2020-01-20 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-21 2020-01-19 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-17 2020-01-15 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-16 2020-01-14 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-15 2020-01-13 mkhomeserver.feste-ip.net - 1 entries
Let's Encrypt Authority X3 2019-10-15 2020-01-13 mkhomeserver.feste-ip.net - 1 entries

Too much certificates. The last is 88 days valid, you use it.

Why do you create so much certificates? Create one certificate, then use it 60 - 85 days, then create the next.

And checking http + /.well-known/acme-challenge/random-filename there is a typical answer:

http://mkhomeserver.feste-ip.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
185.248.148.13
Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0	200
	
Html is minified: 100,00 %	0.043
	A
Visible Content: check-your-website-dot-server-daten-dot-de.oBNd5smO5vYJ4JXg-7VH8ZPOOgURgOqPb-Ffq1bGeKA

There is a standard output file name + hash value of the account key.

So there is a Control Panel with an integrated Letsencrypt solution.

Please read the comment:

A http://mkhomeserver.feste-ip.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 185.248.148.13
200
Good: Acme-Check - Answer looks like a correct keyAuthorization - String: Filename + "." + base64url(Thumbprint(accountKey)). So creating a Letsencrypt certificate using that integrated solution should work. Don't use another client (like Certbot). Don't mix integrated solutions with own ACME-clients, that may not work. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.

Never, never and never mix such integrated solutions with an own client.

You do that:

So that can't work.

Thank you very much for your fast response. I’m sorry, I am (obviously) not very experienced at running a server like this.

I am not sure how this happened. I’ve been dealing with this renewal-problem for several weeks now and appearantly my server must have somehow managed to receive a lot of new certificates. Originally, my last certificate was supposed to expire by Dec. 4th… One one hand, that is a good thing (latest one expires in February) on the other hand, yes, this is way too many and I do not know what happened.

Does this mean there is some other program than certbot running certificate renewals (and therefore creating that large number of certificates)? What could this be? I’m running Nextcloud (not Nextcloudpi or anything) but I’m not aware of an integrated Letsencrypt solution…

It's your server. So check your system to understand, what there is running. And don't create certificates the next 60 - 80 days. Then check your server if the certificate is renewed.

You have something that creates working certificates and blocks /.well-known/acme-challenge. But that's ok, if it works -> as written: Don't use additional clients.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.