Failed authorization procedure key mismatch

My domain is:

I ran this command: sudo certbot certonly --standalone

It produced this output:

   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   != "ACME client standalone challenge solver"

My web server is (include version): nginx, not sure what version as it’s configured by Bitwarden

The operating system my web server runs on is (include version): Windows 10 Pro 1903

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

For some additional background, I am attempting to self-host Bitwarden on my machine. I eventually plan to migrate this to a dedicated ubuntu server, but for now I’m just running this service on my personal Windows machine running in docker. Bitwarden offers to generate the cert for me using certbot, however during this step certbot throws the following error:

certbot: error: unrecognized arguments: -encodedCommand MAA= xml -outputFormat text

I’ve seem others with this issue online and no resolution, so I’ve decided to just create the certificate myself which is how I’ve landed in this key mismatch situation. I’m attempting to generate the cert using the WSL with the steps described above.

The bitwarden subdomain is configured via a CNAME entry as my server is behind a dynamic IP so I needed to use a CNAME for the redirect. I believe this may be part of the issue, but my inexperience in this area has me a bit lost. Any ideas what may be causing this key mismatch behavior?

That is not enough information.
Please provide more of the text leading to that message (or clear out the log file and run it again and provide the entire log file).

And the auth type is unclear… is it HTTP or DNS?
I don’t see a TXT record, so I’m thinking HTTP.
If so, can you place a test text file in the expected challenge folder and see if it is reachable from the Internet.
[ensure the file type and naming convention is similar to the ones LE uses]

Hi @alexwaibel

that says: You use a special solution that handles /.well-known/acme-challenge/random-filename - the “ACME client standalone challenge solver”.

So that subdirectory is blocked, so you can’t use Certbot with http validation.

But checking your domain there is a completely different result -

A redirect to

And there is already a correct Letsencrypt certificate:
expires in 89 days - 1 entry

But wrong redirects https -> http - Grade F.

wrong redirect https - http - never redirect https to http


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.