Certbot - The key authorization file from the server did not match error


#1

Hi,

This one is driving me up the wall :frowning: I have multiple sites on the same server, all with the exact same configuration, and they all work. This one (school-clip-art.com) I moved over to the server 5 days ago now, and the DNS has been updated as well (5 days ago), yet I still get an error:

/usr/local/letsencrypt/certbot-auto certonly --staging --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

Requesting root privileges to run certbot...
  /home/admin/.local/share/letsencrypt/bin/letsencrypt certonly --staging --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for school-clip-art.com
http-01 challenge for www.school-clip-art.com
Using the webroot path /home/admin/web/school-clip-art.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/admin/web/school-clip-art.com/public_html/.well-known/acme-challenge
Failed authorization procedure. www.school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [vyqi_55zrRezBBW4282yRy8hmFXez9IXs464jim0EO0.9tWJ04WclPHsE6tJ8fH-o4oQE_C-dr55xuchHHq3mEI] != [vyqi_55zrRezBBW4282yRy8hmFXez9IXs464jim0EO0.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE], school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [I5nqSObuI0Oq2A5x4o8jJJIppC8R2Hm7KY0PDQhXF9w.9tWJ04WclPHsE6tJ8fH-o4oQE_C-dr55xuchHHq3mEI] != [I5nqSObuI0Oq2A5x4o8jJJIppC8R2Hm7KY0PDQhXF9w.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.school-clip-art.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [vyqi_55zrRezBBW4282yRy8hmFXez9IXs464jim0EO0.9tWJ04WclPHsE6tJ8fH-o4oQE_C-dr55xuchHHq3mEI]
   !=
   [vyqi_55zrRezBBW4282yRy8hmFXez9IXs464jim0EO0.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

   Domain: school-clip-art.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [I5nqSObuI0Oq2A5x4o8jJJIppC8R2Hm7KY0PDQhXF9w.9tWJ04WclPHsE6tJ8fH-o4oQE_C-dr55xuchHHq3mEI]
   !=
   [I5nqSObuI0Oq2A5x4o8jJJIppC8R2Hm7KY0PDQhXF9w.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Is there a way to see the IP addresses that LE is using? I just don’t get why it’s not working (I’ve confirmed the folder is accessible from the web, and also works with the default text/plain mime).

Anything else I can try / check?

Thanks!

Andy


#2

Hi @steampunkjnkies,

If I try to browse your site, www.school-clip-art.com, I receive a redirect to HTTPS.

Can you create an HTTP vhost that accepts connections for school-clip-art.com + www.school-clip-art.com and rerun your command:

/usr/local/letsencrypt/certbot-auto certonly --staging --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

greetz Sm3rT


#3

Hi,

It will do that :slight_smile: That’s how the site works (redirects all traffic to SSL). The non-SSL version only works within the acme-challenge folder:

http://school-clip-art.com/.well-known/acme-challenge/test

As you can see, that one works fine. Any other ideas?

Thanks

Andy


#4

Hey @steampunkjnkies,

can you try the following command:

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

Greetz Sm3rT


#5

Same thing I’m afraid :frowning:

Performing the following challenges:
http-01 challenge for school-clip-art.com
http-01 challenge for www.school-clip-art.com
Using the webroot path /home/admin/web/school-clip-art.com/public_html for all unmatched domains.
Waiting for verification...



Cleaning up challenges
Unable to clean up challenge directory /home/admin/web/school-clip-art.com/public_html/.well-known/acme-challenge
Failed authorization procedure. school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [bxHvcRvJwBG-CDxhczJ4etStHjGtwFg_WEmvl6ZITnA.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != [bxHvcRvJwBG-CDxhczJ4etStHjGtwFg_WEmvl6ZITnA.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE], www.school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [evmpxWckSzIS09Xcm-oqUJPpJ5YOlgKVXF6TQRJB1Q4.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != [evmpxWckSzIS09Xcm-oqUJPpJ5YOlgKVXF6TQRJB1Q4.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: school-clip-art.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [bxHvcRvJwBG-CDxhczJ4etStHjGtwFg_WEmvl6ZITnA.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8]
   !=
   [bxHvcRvJwBG-CDxhczJ4etStHjGtwFg_WEmvl6ZITnA.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

   Domain: www.school-clip-art.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [evmpxWckSzIS09Xcm-oqUJPpJ5YOlgKVXF6TQRJB1Q4.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8]
   !=
   [evmpxWckSzIS09Xcm-oqUJPpJ5YOlgKVXF6TQRJB1Q4.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

#6

Is this the server from which you are doing the request?

school-clip-art.com. 300 IN A 45.33.45.212

And does the acme folder have the following permissions: 755?

Greetz Sm3rT


#7

I would suggest following this link: Letsencrypt-vesta Client Error - The key authorization file from the server did not match

It’s a weird one - there seems to be a disconnect between the challenge files and what LetsEncrypt is expecting.

Andrei
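
The failure lines in posts #1 and #5 can be taken apart mechanically: an http-01 key authorization is the challenge token, a dot, and the base64url SHA-256 thumbprint of the ACME account key (RFC 8555, section 8.1). The following is an added example, not part of the original thread; it assumes the left bracket is the value the CA expected and the right bracket is the body the web server returned, and its function names are illustrative.

```python
import base64
import re

# Failure lines for school-clip-art.com copied from this thread:
# the --staging run (post #1) and the production run (post #5).
STAGING_RUN = ("did not match this challenge "
    "[I5nqSObuI0Oq2A5x4o8jJJIppC8R2Hm7KY0PDQhXF9w.9tWJ04WclPHsE6tJ8fH-o4oQE_C-dr55xuchHHq3mEI] != "
    "[I5nqSObuI0Oq2A5x4o8jJJIppC8R2Hm7KY0PDQhXF9w.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]")
PRODUCTION_RUN = ("did not match this challenge "
    "[bxHvcRvJwBG-CDxhczJ4etStHjGtwFg_WEmvl6ZITnA.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != "
    "[bxHvcRvJwBG-CDxhczJ4etStHjGtwFg_WEmvl6ZITnA.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]")

B64 = r"[A-Za-z0-9_-]+"
PAIR = re.compile(rf"\[({B64})\.({B64})\]\s*!=\s*\[({B64})\.({B64})\]")

def parse_mismatches(log_text):
    """Return (expected_token, expected_thumb, served_token, served_thumb) tuples.
    Assumption: left bracket = CA's expected value, right = body the server sent."""
    return PAIR.findall(log_text)

def is_sha256_thumbprint(value):
    """True if value is unpadded base64url that decodes to 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return False
    return len(raw) == 32

def diagnose(log_text):
    """Classify each expected/served pair found in a Certbot error message."""
    findings = []
    for exp_tok, exp_tp, got_tok, got_tp in parse_mismatches(log_text):
        if exp_tok != got_tok:
            findings.append("token-mismatch")    # stale file or wrong webroot/vhost
        elif not is_sha256_thumbprint(got_tp):
            findings.append("malformed")         # body is not token.thumbprint
        elif exp_tp != got_tp:
            findings.append("account-mismatch")  # right token, other account key
        else:
            findings.append("identical")
    return findings

def thumbprints(side, *logs):
    """Collect the distinct thumbprints on one side ('expected' or 'served')."""
    index = 1 if side == "expected" else 3
    return {pair[index] for log in logs for pair in parse_mismatches(log)}
```

On the lines from this thread the token matches in every pair and only the thumbprint differs; the right-hand thumbprint is the same in the staging and production runs while the left-hand one changes between them.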


#8

Yes and yes… but still no joy :frowning:

@ahaw021 - thanks, that does sound a lot like the issue. @StephDotNet is also using VestaCP (like me). It also has only happened to me on one domain so far (I’ve done 3 or 4 fine). Really odd :tired_face:

Cheers

andy


#9

Just confirming, as I said in the other thread, same here - using VestaCP - but even manually it’s failing on one domain only. My root domain as it happens - 5 others have worked fine, 3 via Vesta’s plugin and 2 via the command line.

Regards,

Mark.


#10

Please also see the discussion at Letsencrypt-vesta Client Error - The key authorization file from the server did not match

It will be useful to figure out if this is something VestaCP-specific.


#11

@schoen

