This issue only occurs on cert issuance for eglijona.ch since 2018-01-11 07:01AM - it works for every other domain. First suspected this to be related to the ACME TLS-SNI-01 verification lockdown, but we were never using TLS-SNI-01, always using HTTP verification instead.
I ran this command:
certbot certonly -t -n --webroot -w /var/www/html/ -d eglijona.ch -d www.eglijona.ch
It produced this output:
$ certbot certonly -t -n --webroot -w /var/www/html/ -d eglijona.ch -d www.eglijona.ch
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eglijona.ch
http-01 challenge for www.eglijona.ch
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. eglijona.ch (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [3vTyU919pHT_g445_bVy1Kd9ECp7CCo5jQmyu29UwPY.0yNq4ojWJuCW7vur81eSwkdH-XOdbv0sMv_exGcLoeM] != 
- The following errors were reported by the server:
Detail: The key authorization file from the server did not match
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
During HTTP verification, the following challenges are created and correctly pruned afterwards (seems a bit weird that there were 2 challenges):
$ tree /var/www/html/.well-known/
The domains correctly resolve to the webserver:
$ dig +noall +answer eglijona.ch @22.214.171.124
eglijona.ch. 299 IN A 126.96.36.199
$ dig +noall +answer www.eglijona.ch @188.8.131.52
www.eglijona.ch. 295 IN CNAME web.onlime.ch.
web.onlime.ch. 1795 IN A 184.108.40.206
certbot delete --cert-name eglijona.ch doesn’t help. In /etc/letsencrypt/ there are no certs/keys for eglijona.ch, also checked whole content with recursive grep. Not even
@josh helped me out here (thx!) but issue could not yet be resolved.
My web server is: Apache/2.4.25 (Debian)
Certbot version: 0.10.2
My hosting provider: Onlime Webhosting - https://www.onlime.ch
The operating system my web server runs on is: Debian Stretch 9.3
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
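An added example, not part of the original post and not certbot's own code: a small Python helper that builds an http-01 key authorization (RFC 8555 token plus RFC 7638 account-key thumbprint) and classifies how a body fetched from /.well-known/acme-challenge/<token> differs from it. The function names, labels and sample bodies are constructed for illustration; only EXPECTED is taken from the error message above.

```python
import base64
import hashlib
import json

# Expected key authorization, copied from the error message in the post.
EXPECTED = ("3vTyU919pHT_g445_bVy1Kd9ECp7CCo5jQmyu29UwPY."
            "0yNq4ojWJuCW7vur81eSwkdH-XOdbv0sMv_exGcLoeM")

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an RSA or EC public JWK (base64url, no padding)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, jwk):
    """RFC 8555: token, a dot, then the thumbprint of the ACME account key."""
    return token + "." + jwk_thumbprint(jwk)

def diagnose(expected, served):
    """Return a short label for how the served challenge body relates to `expected`."""
    body = served.decode("utf-8", errors="replace")
    if body.rstrip() == expected:      # trailing whitespace is tolerated
        return "match"
    if not body.strip():               # file absent in the vhost that answered
        return "empty"
    if "<" in body[:200]:              # error page, redirect target or CMS catch-all
        return "html"
    got_token, sep, got_thumb = body.strip().partition(".")
    exp_token, _, exp_thumb = expected.partition(".")
    if not sep:
        return "malformed"
    if got_token != exp_token:         # leftover file from an earlier challenge
        return "stale-token"
    if got_thumb != exp_thumb:         # written by a client using another account key
        return "other-account"
    return "malformed"

if __name__ == "__main__":
    # Constructed sample responses, not captured from the real server.
    samples = {
        "exact file": EXPECTED.encode() + b"\n",
        "empty response": b"",
        "catch-all page": b"<!DOCTYPE html><title>404</title>",
        "other account": EXPECTED.split(".")[0].encode() + b".AAAA",
    }
    for name, body in samples.items():
        print(f"{name:15} -> {diagnose(EXPECTED, body)}")
```

Feed `diagnose` the raw bytes returned by an HTTP GET of the challenge URL made from outside the host, so the result reflects what the validation server would actually receive.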