Certificates installed but dry-run fails

So certs are current and valid for domain free-maths.games and some sub-domains. Dry-run fails citing insufficient authorisation - possibly I created the certs .pem as root then blocked root access and am attempting dry-run as sudo user (I can’t remember the exact chronology), or there is a different issue?

My domain is: free-maths.games

I ran this command: sudo certbot renew --dry-run

It produced this output:
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for au.free-maths.games
http-01 challenge for ca.free-maths.games
http-01 challenge for free-maths.games
http-01 challenge for uk.free-maths.games
http-01 challenge for us.free-maths.games
http-01 challenge for www.free-maths.games
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (free-maths.games) from /etc/letsencrypt/renewal/free-maths.games.conf produced an unexpected error: Failed authorization procedure. us.free-maths.games (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “uiGQHPCPcEftlFitnsCjPjQxHEcAlBYxVF80vhVcVvk.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU” != “”, ca.free-maths.games (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “XqnCZYFjCm8dmmU3QPWhrVi4ChlhMMelq7MBbYIxw8o.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU” != “”, free-maths.games (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “waxvQQsFfOijwt3AZY7agSfhkJjCcR80IIG6PuNNjQg.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU” != “”, au.free-maths.games (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “semph7knb1wg1-FQA8QOfapAH4A91_jU2O92DBb0Kbs.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU” != “”, uk.free-maths.games (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “TZ4iFhW0CkeJlUAdzs5HlpsjYNgOgsV0env7QSBvi0A.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU” != “”, www.free-maths.games (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge “5Lsfs-FZKStGV1hOyFrvfVeYT5ZvS0DmxNjQE1BPc6s.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU” != “”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/free-maths.games/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/free-maths.games/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: us.free-maths.games
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “uiGQHPCPcEftlFitnsCjPjQxHEcAlBYxVF80vhVcVvk.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU”
    != “”

    Domain: ca.free-maths.games
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “XqnCZYFjCm8dmmU3QPWhrVi4ChlhMMelq7MBbYIxw8o.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU”
    != “”

    Domain: free-maths.games
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “waxvQQsFfOijwt3AZY7agSfhkJjCcR80IIG6PuNNjQg.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU”
    != “”

    Domain: au.free-maths.games
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “semph7knb1wg1-FQA8QOfapAH4A91_jU2O92DBb0Kbs.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU”
    != “”

    Domain: uk.free-maths.games
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “TZ4iFhW0CkeJlUAdzs5HlpsjYNgOgsV0env7QSBvi0A.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU”
    != “”

    Domain: www.free-maths.games
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “5Lsfs-FZKStGV1hOyFrvfVeYT5ZvS0DmxNjQE1BPc6s.1cClhWZ2kmBMPOf26RByH4mhlE6TYT7pkSM1l_iWUoU”
    != “”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): apache2

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): no, root access blocked by sshd config and ufw

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Hi @TomasLewis

checking your domain - https://check-your-website.server-daten.de/?q=free-maths.games

You see: http + /.well-known/acme-challenge/random-filename doesn't answer with the expected result, http status 404 - Not Found. Instead, there is an http status 200.

Looks like there is an application or your ufw or something else that answers. So the validation file is invisible -> that's your dry-run result.
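The check in the reply above, a random name under /.well-known/acme-challenge/ should return 404 and a 200 means something else answers that path so the validation file is never seen, written out as an added example; it is not code from this thread or from certbot. It runs entirely on loopback against two constructed test servers (one serving a real webroot, one that answers 200 with an empty body to everything) and uses a constructed key authorization value; the token.thumbprint format is the RFC 8555 http-01 key authorization.

```python
import http.server, os, secrets, socketserver, tempfile, threading
import urllib.error, urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore any http_proxy

def probe(base_url, path):
    """GET base_url/path -> (status, body); an HTTP error comes back as its status code."""
    try:
        with OPENER.open(f"{base_url}/{path}", timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def diagnose(base_url, webroot, key_authorization):
    """Write token.thumbprint (the RFC 8555 key authorization) into the webroot, then check
    that the server returns it verbatim and that a random challenge name yields 404."""
    token = key_authorization.split(".", 1)[0]
    chall = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chall, exist_ok=True)
    with open(os.path.join(chall, token), "w") as fh:
        fh.write(key_authorization)
    status, body = probe(base_url, f"{CHALLENGE_DIR}/{token}")
    random_status, _ = probe(base_url, f"{CHALLENGE_DIR}/{secrets.token_urlsafe(32)}")
    if status == 200 and body.strip() == key_authorization and random_status == 404:
        return "ok"
    if random_status != 404:
        return "intercepted"  # something else answers the path: the symptom in this thread
    return "mismatch"  # the path is served, but not the file that was just written

class CatchAll(http.server.BaseHTTPRequestHandler):
    """Constructed misconfiguration: every path answers 200 with an empty body."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

def serve(handler):
    """Start a throwaway daemon server on a free loopback port and return its base URL."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    keyauth = "tokenXYZ.thumbprintABC"  # constructed, not from a real ACME order
    with tempfile.TemporaryDirectory() as webroot:
        good_url = serve(partial(http.server.SimpleHTTPRequestHandler, directory=webroot))
        bad_url = serve(CatchAll)
        return diagnose(good_url, webroot, keyauth), diagnose(bad_url, webroot, keyauth)
```

Against a real host, call diagnose() with base_url set to http://your-domain and webroot set to the directory Apache actually serves; "intercepted" reproduces the finding in the reply above.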

Thanks for that.
I have manually created the .well-known/acme-challenge directory chain and can access files within (200), and get a 404 if the file is absent, but what files should be in that folder? Can I create them manually? Maybe I am better off deleting the cert then regenerating and relying on certbot to generate the files correctly?

Perhaps you have an additional configuration, so your apache plugin doesn't work.

But if you have the correct webroot, use --webroot instead of --apache as authenticator.

https://certbot.eff.org/docs/using.html

Thanks for your help.
“certbot run -a webroot -i apache -w /var/www/…” works and can be --dry-run renewed.
