Just a PSA, and perhaps a request to make the error message a bit more helpful. I’ve concluded (hopefully correctly) that if an AAAA record is available for the domain you are requesting (or in my case renewing) a cert for, it will try the challenge over IPv6. However, if the challenge fails, the error message only mentions an A record. This put me on a wild goose chase. In the end it turned out to be an IPv6 configuration error.
I was trying to renew my certificate and got this error:
Domain: dmc.covle.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[26Hno7hRKeNJjD-uHc4q4Qh-RRBS5cVuvopcaxUQ1hg.z6QCPIu03BH-PbRvQ0WB7ORCk1fiV6ItK6tOSPzfgag]
!= [<h1>Bessyyy</h1>
working]
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
The response was from a different domain on the same server. This confused me immensely, but after a bunch of testing I realized I hadn’t told nginx to listen on ipv6 for this domain. After I fixed that the renew worked perfectly.
I conclude from this that if your A record points to the right server, but your AAAA record does not, letsencrypt will fail the challenge. The error message should reflect that. (The fact that I misconfigured ipv6 was the equivalent of having my AAAA record point somewhere else.)
Hopefully it helps someone!
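A pre-renewal check that would have caught this: fetch the HTTP-01 challenge URL from every A and AAAA address of the domain (with the domain in the Host header) and compare what each one serves. This is an added example, not code from the original post or from Let's Encrypt; the domain, token and expected key authorization are passed in by the operator, and the addresses in the comments are placeholders.

```python
#!/usr/bin/env python3
"""Check that every A and AAAA address of a domain serves the same HTTP-01
challenge response, so an IPv6-only vhost misconfiguration is found before
the CA finds it."""
import http.client
import socket
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve_all(domain):
    """Return {address: "A" | "AAAA"} for every address record of the domain."""
    addrs = {}
    for fam, name in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(domain, 80, fam, socket.SOCK_STREAM):
                addrs[info[4][0]] = name
        except socket.gaierror:
            pass  # no records of this family
    return addrs

def fetch_challenge(domain, addr, token, timeout=5.0):
    """GET the challenge file from one specific address (v4 or v6 literal),
    sending the domain as Host so the server selects the right vhost."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    except OSError as exc:
        return None, str(exc)
    finally:
        conn.close()

def diagnose(responses, expected):
    """responses: {addr: (family, status, body)}. Returns a list of problems;
    an empty list means every address served the expected key authorization."""
    problems = []
    for addr, (family, status, body) in responses.items():
        if status != 200:
            problems.append(f"{family} {addr}: HTTP {status} ({body[:40]!r})")
        elif body != expected:
            problems.append(f"{family} {addr}: wrong content {body[:40]!r} "
                            "(listen/vhost misconfiguration for this family?)")
    return problems

def main(domain, token, expected):
    responses = {}
    for addr, family in resolve_all(domain).items():
        status, body = fetch_challenge(domain, addr, token)
        responses[addr] = (family, status, body)  # e.g. "2001:db8::10" (placeholder)
    problems = diagnose(responses, expected)
    for line in problems or ["all addresses serve the expected challenge"]:
        print(line)
    return 1 if problems else 0

if __name__ == "__main__":
    # usage: check.py DOMAIN TOKEN EXPECTED_KEY_AUTHORIZATION
    sys.exit(main(*sys.argv[1:4]))
```

The expected key authorization is the token plus the account key thumbprint that the ACME client writes into the challenge file, so the script can be run from a manual-auth hook once that file exists.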