HTTP-01 challenge failed. Please help

My domain is: china.exed.hec.edu

I ran this command:
sudo /usr/local/bin/certbot-auto certonly --apache --dry-run

and

sudo /usr/local/bin/certbot-auto certonly --dry-run --preferred-challenge http-01 -d china.exed.hec.edu --manual

I tried both auto and manual mode. Neither of them passed the challenge.
In --manual mode, I created the file and accessed the token URL in my browser successfully.
But the command still returns "challenge failed".

It produced this output:

Create a file containing just this data:

k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4

And make it available on your web server at this URL:

http://china.exed.hec.edu/.well-known/acme-challenge/k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw


Press Enter to Continue
Waiting for verification…
Challenge failed for domain china.exed.hec.edu
http-01 challenge for china.exed.hec.edu
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: china.exed.hec.edu
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    “k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4”
    !=
    “KXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version):
CentOS 6,
2.6.32-754.23.1.el6.x86_64

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0

The error message is quite self-explanatory: the file contains the wrong contents.

When I surf to http://china.exed.hec.edu/.well-known/acme-challenge/k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw I get KXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4.

But according to your instructions, the contents need to be k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4.

I see you’ve got two IP addresses listed for china.exed.hec.edu. Perhaps you’re doing DNS based round robin for two different webservers?

If so, the 'best' solution would be to use just one server to do all the challenges: make a separate hostname (for example acme.china.exed.hec.edu) pointing to only that IP address and redirect every request for /.well-known/acme-challenge/ on the other server to that new hostname, so that all requests for the challenges end up on just that one server.

1 Like

Hi @sonic1

If you have that error, you have two different ACME clients (with two different account keys).

One manages /.well-known/acme-challenge/random-filename and blocks your certbot-auto.

Looks like an integrated solution, may be from your hoster.

So you can't use your own certbot.

  • Find that solution and use it
  • Or switch to dns validation.

But it may be impossible to install the certificate, if there is already such an integrated solution.


PS: Sorry, false alarm.

The second part is the same, so you use the correct account key.

thanks for your reply @Osiris
Maybe I pasted a wrong string, and I did it again.
Please refer to screenshot below.

I have 2 IPs on the same server, and DNS will choose a better line for the visitor.
Is it OK for certbot?

Anyway, thank you so much for your quick reply, @JuergenAuer

Is there any other possibility?

You have created the wrong content.

Content = filename + "." + Account key.

So if your filename is k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw, your content can't be

KXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4

Your file name is correct -> Letsencrypt can find your file.

Try it again with a new combination.

Now you have a different error message: There are CAA records blocking Let’s Encrypt.

hec.edu.                21600   IN      CAA     0 issue "digicert.com"
hec.edu.                21600   IN      CAA     0 iodef "mailto:sysrxadm@hec.edu"

You need to add a 0 issue "letsencrypt.org" record to hec.edu, exed.hec.edu or china.exed.hec.edu.

2 Likes
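The post above describes the rule behind the "key authorization file did not match" error: the file body must be the token from the URL, a dot, and the thumbprint of the ACME account key (RFC 8555 section 8.1, thumbprint per RFC 7638). The following Python is an added example, not code from the thread or from Certbot, that computes that value from an account JWK and classifies a mismatch the way a defender reading the error would; the JWK and its `n` value are constructed placeholders, not a real key, and the expected/served strings are the ones quoted in the thread.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over a JSON object holding only the
    required public members, keys sorted lexicographically, no whitespace.
    Extra members such as 'kid' or 'alg' must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the CA expects to read at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def diagnose(expected: str, served: str) -> str:
    """Classify the difference between the CA's expected key authorization
    and the body actually served. Trailing whitespace (an editor's newline)
    is ignored, as RFC 8555 says the server SHOULD do."""
    served = served.rstrip()
    if served == expected:
        return "ok"
    if "." not in served:
        return "missing_thumbprint"
    exp_token, exp_thumb = expected.split(".", 1)
    got_token, got_thumb = served.split(".", 1)
    if got_thumb != exp_thumb:
        # A different account key: another ACME client wrote this file.
        return "thumbprint_mismatch"
    if got_token != exp_token and exp_token.endswith(got_token):
        # Same account, but the token lost its leading characters (a paste error).
        return "token_truncated"
    return "token_mismatch"


# Constructed account key: 'n' is a placeholder string, not a real RSA modulus.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key",
               "kid": "https://acme.example/acct/1"}

# Values quoted in the thread's error message.
EXPECTED = ("k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw."
            "dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4")
SERVED = "KXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4"

if __name__ == "__main__":
    print("thumbprint:", jwk_thumbprint(ACCOUNT_JWK))
    print("key auth  :", key_authorization("k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw", ACCOUNT_JWK))
    print("diagnosis :", diagnose(EXPECTED, SERVED))
```

Running `diagnose` on the thread's two strings reports a truncated token with a matching thumbprint, which is exactly why the second reply withdrew the "two ACME clients" theory: a foreign client would have produced a different suffix, not a shorter prefix.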

Yes, I pasted the wrong string the first time.
Then I tried several times, but all failed…

But there you see the different error: The CAA blocks Letsencrypt.
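The CAA advice in the thread rests on how a CA walks the DNS tree: starting at china.exed.hec.edu it climbs toward the root, and the first name that has any CAA records is the only one consulted, so the `issue "digicert.com"` record on hec.edu governs every name beneath it until a closer name publishes its own CAA set. The following Python is an added example, not code from the thread or from Let's Encrypt, that models that RFC 8659 lookup offline: the zone snapshot is constructed from the two `dig` lines quoted above (nothing else is assumed to exist), and the same function is then run again after the suggested `0 issue "letsencrypt.org"` record is added at china.exed.hec.edu.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str


# Constructed zone snapshot: only the records quoted in the thread's dig output.
ZONE = {
    "hec.edu.": [
        CAA(0, "issue", "digicert.com"),
        CAA(0, "iodef", "mailto:sysrxadm@hec.edu"),
    ],
}


def relevant_caa(name: str, zone: dict):
    """RFC 8659 section 3: climb from the name to the root and return the
    first owner name that has a CAA RRset, together with that RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=http-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether issuer 'ca' may issue for 'name' under the relevant RRset."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False  # critical property the CA does not understand
    tags = ("issuewild", "issue") if wildcard else ("issue",)
    for tag in tags:
        props = [r for r in rrset if r.tag == tag]
        if props:
            # An empty value ("") names no issuer, so it matches nobody.
            return any(issuer_domain(r.value) == ca for r in props)
    return True  # only iodef (or no applicable tag): issuance not restricted


def with_letsencrypt_record(zone: dict, owner: str) -> dict:
    """Return a copy of the zone with the record the thread recommends added."""
    fixed = {k: list(v) for k, v in zone.items()}
    fixed.setdefault(owner, []).append(CAA(0, "issue", "letsencrypt.org"))
    return fixed


if __name__ == "__main__":
    host = "china.exed.hec.edu"
    print("governing owner:", relevant_caa(host, ZONE)[0])
    print("letsencrypt.org allowed now?", issuance_allowed(host, "letsencrypt.org", ZONE))
    fixed = with_letsencrypt_record(ZONE, "china.exed.hec.edu.")
    print("governing owner after fix:", relevant_caa(host, fixed)[0])
    print("letsencrypt.org allowed after fix?", issuance_allowed(host, "letsencrypt.org", fixed))
```

One consequence worth noticing from the second run: adding the record at china.exed.hec.edu makes that name the relevant RRset, so DigiCert is no longer authorised for that host unless its `issue` record is repeated there, while adding it at hec.edu instead keeps both CAs permitted for the whole tree. Whichever owner name is chosen, the live check is `dig CAA china.exed.hec.edu` (and its parents) against the resolver the CA will use, not this offline model.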

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.