Domain verification challenge failed


#1

Hello,

I have an automatic script that asks for Let’s Encrypt certs.

I have already used it hundreds and hundreds of times without any trouble.

For only one domain (and only this one) I have a challenge error. DNS is OK and all Let’s Encrypt requests are directed to the right directory as usual.

So only for this domain it is not working, without any obvious reason:

Domain: www.berry-savoie.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[JEu7WAw6WUIpMJWGUv3Xub5KIVvd3S0Z6rCpVxS_9iM.ADb-m5uCjdUb8UAInHnMxEScZIOWeofJPoJ3XQxzVqc]
!=
[JEu7WAw6WUIpMJWGUv3Xub5KIVvd3S0Z6rCpVxS_9iM.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]

Domain: berry-savoie.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[QLToxtPwBFgw3AA2mY35ACRwE2u2eR34M890Fbg9mTk.ADb-m5uCjdUb8UAInHnMxEScZIOWeofJPoJ3XQxzVqc]
!=
[QLToxtPwBFgw3AA2mY35ACRwE2u2eR34M890Fbg9mTk.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]

Any clues, ideas?

Regards


#2

Hi @denisall,

Let’s Encrypt prefers IPv6 over IPv4, and your domain is advertising an AAAA record, so Let’s Encrypt is trying to validate it using the IPv6 address, but you are not serving the same content for IPv4 and IPv6.

Using IPv4:

$ curl -IkL4 www.berry-savoie.com
HTTP/1.1 200 OK
Date: Thu, 22 Mar 2018 14:53:41 GMT
Server: Apache/2.2.22 (Debian)
Set-Cookie: code_session_sysclic=1e0pt3mmapuzy; path=/; expires=Thu, 22-Mar-2018 18:53:42 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 7397
Content-Type: text/html; charset=ISO-8859-1
X-Varnish: 5574469
Age: 0
Via: 1.1 varnish (Varnish/5.0)
Connection: keep-alive

Using IPv6:

$ curl -IkL6 www.berry-savoie.com
HTTP/1.1 200 OK
Set-Cookie: cluster017BAK=R896106769; path=/; expires=Thu, 22-Mar-2018 16:02:10 GMT
Date: Thu, 22 Mar 2018 14:54:55 GMT
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: cluster017=R3592916364; path=/; expires=Thu, 22-Mar-2018 16:02:34 GMT
Server: Apache
X-IPLB-Instance: 17345

So you should take a look at your IPv6 conf or remove the AAAA record if you don’t need it.

Cheers,
sahsanu
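
The IPv4/IPv6 comparison from the reply above, turned into a repeatable check (an added example, not part of the thread): it fetches one challenge-directory URL over each address family and reports whether the bodies agree, and it splits the two key authorizations from a validation error to show which half differs. The function names and the probe URL are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. The probe URL below is hypothetical:
# put any small file under the webroot's .well-known/acme-challenge/ directory.
#   compare_families "http://example.com/.well-known/acme-challenge/probe.txt"

# Fetch URL over one address family (4 or 6). Prints the body; non-zero exit
# on DNS/connect failure or an HTTP status >= 400.
fetch_family() {
    curl -sfL --max-time 10 "-$1" "$2"
}

# Returns 0 if both families serve the same body, 1 if the bodies differ,
# 2 if either family cannot be fetched at all.
compare_families() {
    url=$1
    v4=$(fetch_family 4 "$url") || { echo "IPv4 fetch failed"; return 2; }
    v6=$(fetch_family 6 "$url") || { echo "IPv6 fetch failed"; return 2; }
    if [ "$v4" = "$v6" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch"
    echo "  IPv4: $v4"
    echo "  IPv6: $v6"
    return 1
}

# A key authorization is "<token>.<account key thumbprint>" (RFC 8555).
# Say which half differs between the two values in the validation error.
diff_keyauth() {
    a=$1
    b=$2
    if [ "$a" = "$b" ]; then
        echo "identical"
        return 0
    fi
    if [ "${a%%.*}" != "${b%%.*}" ]; then
        echo "token differs"
    else
        echo "thumbprint differs"
    fi
    return 1
}
```

Run against the two values in the error from post #1, `diff_keyauth` reports `thumbprint differs`: both carry the same token and differ only after the dot.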


#3

Thanks, I am checking that.

Regards

