This issue only occurs on cert issuance for eglijona.ch since 2018-01-11 07:01AM - it works for every other domain. First suspected this to be related to the ACME TLS-SNI-01 verification lockdown, but we were never using TLS-SNI-01, always using HTTP verification instead.
I ran this command:
certbot certonly -t -n --webroot -w /var/www/html/ -d eglijona.ch -d www.eglijona.ch
It produced this output:
$ certbot certonly -t -n --webroot -w /var/www/html/ -d eglijona.ch -d www.eglijona.ch
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eglijona.ch
http-01 challenge for www.eglijona.ch
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. eglijona.ch (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [3vTyU919pHT_g445_bVy1Kd9ECp7CCo5jQmyu29UwPY.0yNq4ojWJuCW7vur81eSwkdH-XOdbv0sMv_exGcLoeM] != 

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: eglijona.ch
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [3vTyU919pHT_g445_bVy1Kd9ECp7CCo5jQmyu29UwPY.0yNq4ojWJuCW7vur81eSwkdH-XOdbv0sMv_exGcLoeM] != 

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
During HTTP verification, the following challenges are created and correctly pruned afterwards (seems a bit weird that there were 2 challenges):
$ tree /var/www/html/.well-known/
/var/www/html/.well-known/
└── acme-challenge
    ├── 3vTyU919pHT_g445_bVy1Kd9ECp7CCo5jQmyu29UwPY
    └── 8VX3ofkYzi8dasuUTqnsYr4VA2LzzqG6cLN6h6YGmJQ
The domains correctly resolve to the webserver:
$ dig +noall +answer eglijona.ch @18.104.22.168
eglijona.ch.        299   IN  A      22.214.171.124
$ dig +noall +answer www.eglijona.ch @126.96.36.199
www.eglijona.ch.    295   IN  CNAME  web.onlime.ch.
web.onlime.ch.      1795  IN  A      188.8.131.52
certbot delete --cert-name eglijona.ch doesn’t help. In /etc/letsencrypt/ there are no certs/keys for eglijona.ch, also checked whole content with recursive grep. Not even
@josh helped me out here (thx!) but issue could not yet be resolved.
My web server is: Apache/2.4.25 (Debian)
Certbot version: 0.10.2
My hosting provider: Onlime Webhosting - https://www.onlime.ch
The operating system my web server runs on is: Debian Stretch 9.3
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
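The error text above is the ACME server reporting that the key authorization it computed (`token.thumbprint`) did not match what it fetched from the webroot, and the empty right-hand side of `!=` means it received an empty body. The following is an added example, not certbot code and not from the post, that reproduces that comparison offline: it builds the expected key authorization from a token and the account key's RFC 7638 JWK thumbprint (RFC 8555 section 8.1), then classifies what a validation server would see. The account JWK is a constructed placeholder of the right shape, the `constructed_fetch` stand-in simulates the HTTP GET, and the tokens are the two file names from the `tree` output above.

```python
"""Offline replica of the http-01 check an ACME server performs.

The validation server fetches http://<domain>/.well-known/acme-challenge/<token>
and expects the body to equal the key authorization
    <token> "." <RFC 7638 thumbprint of the account public key>
Added example; the account key and the fetch function below are constructed.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, Iterable, Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: keep only the required public members (so 'alg', 'kid', etc.
    are dropped), serialize with keys in lexicographic order and no whitespace,
    hash with SHA-256 and base64url-encode the digest."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact content the challenge file must carry for this token and account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose(expected: str, served: Optional[str]) -> str:
    """Classify the served body the way the 'expected != served' error does."""
    if served is None:
        return "not-found"             # e.g. 404: file missing or path rewritten away
    body = served.rstrip(" \t\r\n")    # RFC 8555 s8.3: trailing whitespace is ignored
    if body == "":
        return "empty-response"        # the symptom in the log: nothing after '!='
    if body == expected:
        return "match"
    return "mismatch"                  # wrong account key, stale file, or wrong vhost


def check_challenges(tokens: Iterable[str], account_jwk: dict,
                     fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Run diagnose() for every token; fetch(path) returns the body or None."""
    results = {}
    for token in tokens:
        expected = key_authorization(token, account_jwk)
        served = fetch(f"/.well-known/acme-challenge/{token}")
        results[token] = diagnose(expected, served)
    return results


# Constructed account key: placeholder members of the right shape, not a real key.
# 'alg' is present to show that the thumbprint ignores non-required members.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "placeholder-modulus-not-a-real-key", "alg": "RS256"}

# The two challenge file names from the post's tree output.
TOKENS = ["3vTyU919pHT_g445_bVy1Kd9ECp7CCo5jQmyu29UwPY",
          "8VX3ofkYzi8dasuUTqnsYr4VA2LzzqG6cLN6h6YGmJQ"]


def constructed_fetch(path: str) -> Optional[str]:
    """Stand-in for the validation server's HTTP GET (constructed responses):
    the first token is served with an empty body, the second one correctly."""
    responses = {
        f"/.well-known/acme-challenge/{TOKENS[0]}": "",
        f"/.well-known/acme-challenge/{TOKENS[1]}":
            key_authorization(TOKENS[1], ACCOUNT_JWK) + "\n",
    }
    return responses.get(path)


if __name__ == "__main__":
    for token, verdict in check_challenges(TOKENS, ACCOUNT_JWK, constructed_fetch).items():
        print(f"{token}: {verdict}")
```

Against a live host, `constructed_fetch` would be replaced by an HTTP GET from outside the network, since that is the vantage point of the ACME server; an empty-response verdict for one domain while others pass points at the web server's handling of that vhost or path rather than at the ACME client.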