HTTP-01 challenge failed. Please help

My domain is:

I ran this command:
sudo /usr/local/bin/certbot-auto certonly --apache --dry-run


sudo /usr/local/bin/certbot-auto certonly --dry-run --preferred-challenge http-01 -d --manual

I tried both auto and manual mode. Neither of them passed the challenge.
In --manual mode, I created the file and accessed the token URL in my browser successfully,
but the command still returns “challenge failed”.

It produced this output:

Create a file containing just this data:


And make it available on your web server at this URL:

Press Enter to Continue
Waiting for verification…
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version):
CentOS 6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0

The error message is quite self-explanatory: the file contains the wrong contents.

When I surf to I get KXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4.

But according to your instructions, the contents need to be k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw.dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4.

I see you’ve got two IP addresses listed for Perhaps you’re doing DNS based round robin for two different webservers?

If so, the ‘best’ solution would be to use just one server to do all the challenges: make a separate hostname (for example pointing to only that IP address) and redirect every request for /.well-known/acme-challenge/ on the other server to that new hostname, so that all requests for the challenges end up on just that one server.

Hi @sonic1

if you have that error, you have two different ACME-clients (with two different account keys).

One manages /.well-known/acme-challenge/random-filename and blocks your certbot-auto.

Looks like an integrated solution, maybe from your hoster.

So you can’t use your own certbot.

  • Find that solution and use it
  • Or switch to dns validation.

But it may be impossible to install the certificate, if there is already such an integrated solution.

PS: Sorry, false alarm.

The second part is the same, so you use the correct account key.

Thanks for your reply, @Osiris.
Maybe I pasted a wrong string, and I did it again.
Please refer to the screenshot below.

I have 2 IPs on the same server, and DNS will choose a better line for the visitor.
Is that OK for certbot?

Anyway, thank you so much for your quick reply, @JuergenAuer

Is there any other possibility?

You have created the wrong content.

Content = filename + “.” + Account key.

So if your filename is k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw, your content can’t be


Your file name is correct -> Letsencrypt can find your file.

Try it again with a new combination.
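The comparison made in the replies above (file name part versus the part after the dot), as an added Python example that is not part of the original thread. The function name and result labels are hypothetical; the sample strings are the two values quoted in the thread, and the trailing-whitespace rule comes from RFC 8555, section 8.3.

```python
# Added example (not from the thread): explain why a served http-01 body
# does not match what the ACME client asked for.
import re

# Values quoted in this thread.
TOKEN = "k-YNLtpLBSKXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw"       # challenge file name
THUMBPRINT = "dkN2afar41LWUAkbjM5X25ijoT_Ip-gU_wHE8GtLhw4"  # part after the dot
SERVED = "KXmkbyFCSc06UqXmVkuGSLMsorbLsXRnw." + THUMBPRINT  # body the server returned

# Two base64url strings joined by a dot, optionally preceded by whitespace.
KEYAUTH = re.compile(r"\s*([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")


def diagnose(token, thumbprint, served):
    """Classify a served challenge body against token + "." + thumbprint."""
    expected = f"{token}.{thumbprint}"
    # Only whitespace at the END of the body is ignored (RFC 8555, 8.3).
    body = served.rstrip()
    if body == expected:
        return "match"
    m = KEYAUTH.fullmatch(body)
    if m is None:
        return "malformed"           # e.g. an HTML error page or an empty file
    got_token, got_thumb = m.groups()
    if got_thumb != thumbprint:
        return "different-account"   # file written for another ACME account key
    if got_token == token:
        return "leading-whitespace"  # both parts right, junk before the token
    if got_token in token:
        return "token-truncated"     # copy/paste lost part of the token
    return "wrong-token"             # e.g. a file left from an earlier attempt


if __name__ == "__main__":
    print(diagnose(TOKEN, THUMBPRINT, SERVED))
```
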

Now you have a different error message: There are CAA records blocking Let’s Encrypt.

    21600   IN      CAA     0 issue ""
    21600   IN      CAA     0 iodef ""

You need to add a 0 issue "" record to, or


Yes, I pasted the wrong string the first time.
Then I tried several times, but all failed…

But there you see the different error: The CAA blocks Letsencrypt.