I get "did not match this challenge" when requesting certificate - any idea why?

At the moment I use a self-signed certificate. I wanted to get a Let’s Encrypt certificate, so I ran “create signing request” and then “get certificate” on the Let’s Encrypt Virtualmin box.
The request failed because of “already registered”. I have no idea what it is about. It’s not registered and I don’t know how to fix it. On another site on this server everything went smoothly.

If that matters, I get apache error for this site:

[ssl:warn] [pid 1407] AH01906: stolarstwo-zywiec.pl:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

My domain is: http://www.stolarstwo-zywiec.pl/

I ran this command: used virtualmin

It produced this output:

Parsing account key…
Parsing CSR…
Registering account…
Already registered!
Verifying stolarstwo-zywiec.pl
Traceback (most recent call last):
File “/usr/share/webmin/webmin/acme_tiny.py”, line 235, in
main(sys.argv[1:])
File “/usr/share/webmin/webmin/acme_tiny.py”, line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File “/usr/share/webmin/webmin/acme_tiny.py”, line 184, in get_crt
domain, challenge_status))
ValueError: stolarstwo-zywiec.pl challenge did not pass: {u’status’: u’invalid’, u’validationRecord’: [{u’addressesResolved’: [u’51.254.37.160’, u’2001:41d0:1:1b00:87:98:239:3’], u’url’: u’http://stolarstwo-zywiec.pl/.well-known/acme-challenge/1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8’, u’hostname’: u’stolarstwo-zywiec.pl’, u’addressesTried’: [], u’addressUsed’: u’2001:41d0:1:1b00:87:98:239:3’, u’port’: u’80’}], u’keyAuthorization’: u’1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.Nf-vcVOdnsnRcuZ-tDvMNej4TrSt90yIhRcTEHYI5mA’, u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/bkltxcytaJxRuYl4K9CN8hzAEExhSwYMy38bMi2WkgY/2394015591’, u’token’: u’1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8’, u’error’: {u’status’: 403, u’type’: u’urn:acme:error:unauthorized’, u’detail’: u’The key authorization file from the server did not match this challenge [1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.Nf-vcVOdnsnRcuZ-tDvMNej4TrSt90yIhRcTEHYI5mA] != [1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]’}, u’type’: u’http-01’}

My web server is (include version): apache2 2.4.18-2ubuntu3.5

The operating system my web server runs on is (include version): Ubuntu Linux 16.04.3

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin/virtualmin

This is most likely a Virtualmin challenge, so I suggest you raise this on their forums.

This seems more like a certificate management problem (panel).

Otherwise you can use certbot outside of Virtualmin.

Andrei

Your “already registered” message is about the account, not the certificate.

Your error is that you can’t pass the challenge:

ValueError: stolarstwo-zywiec.pl challenge did not pass:

Thanks, changed topic to match the issue better.
Is there anything in the output that would suggest why it didn’t pass the challenge? It’s gibberish to me.

EDIT: After looking closely:

u’detail’: u’The key authorization file from the server did not match this challenge [1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.Nf-vcVOdnsnRcuZ-tDvMNej4TrSt90yIhRcTEHYI5mA] != [1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]’}, u’type’: u’http-01’}

What authorization key is it talking about? I also noticed that the keys match up to a certain point and then deviate.

[1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.Nf-vcVOdnsnRcuZ-tDvMNej4TrSt90yIhRcTEHYI5mA]
!=
[1UWO3F-Zhcd_Sez-XCdjZZaqQTJyun2p_svDsxvCqW8.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]

If you search on this forum, this has been shown before.

The most likely cause is a poorly written client where a previous owner has hard-coded their key (hence the suggestion to take this to the Virtualmin forum).

A) Every user has their own private key when they use Let’s Encrypt.
B) A challenge is a combination of what Let’s Encrypt wants to see (review: https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.3).
C) If there is a discrepancy between what you are showing and what Let’s Encrypt expects, then it’s most likely to do with the client.

Andrei

What key? What previous owner? Not sure what you are talking about.
I would prefer to know as much as possible from here before I take it to the Virtualmin forums, because the game looks like “it’s not us, it’s them”. I’ve seen this often. Basically, none of the sites knows anything useful and they point to the others.

I just want to decipher the output so I would know where to look at.

On the site you posted I can read:

A client responds to this challenge by constructing a key
authorization from the “token” value provided in the challenge and
the client’s account key.

What is this mysterious client’s account key?

OK, this is the bit where I jump off:

https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.3

Everything you need to know is explained in the draft RFC above.

You should also familiarise yourself with the concept of clients. Virtualmin uses a client called acme_tiny, which you can google and review on their GitHub.

https://letsencrypt.org/docs/client-options/

Generally speaking, if you want to know something, either read someone’s GitHub or the RFC :smiley:

Andrei

OK, thanks for info. Without it, I wouldn’t even know what to look for.

“key authorization file” is ACME jargon for the file that you put on your website to prove that you control it. It’s called that because it contains a fingerprint of your account key. It’s composed of two parts: One before the “.”, which is a random token, and one after the “.”, which is a fingerprint of an account key. In this case, the token is correct, but the fingerprint of an account key is wrong. Usually this is because there is a conflicting configuration in place that attempts to automatically respond to all validation requests using a fixed account key. This seems potentially connected to your ACME client’s message that an account is already registered.

I think @serverco had experience with Virtualmin and ACME. Any ideas?
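To make the “key authorization file” explanation above (and the earlier A/B/C summary) concrete, here is an added example that is not code from this thread, Virtualmin or acme_tiny: it derives the expected http-01 response from a challenge token and the RFC 7638 thumbprint of an account key, then classifies what a server actually serves into the two failure modes. The JWK modulus and the token values are constructed placeholders, not real keys.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members,
    lexically ordered, with no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body that /.well-known/acme-challenge/<token> must serve: token.thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose(served: str, token: str, account_jwk: dict) -> str:
    """Compare the body actually served at the challenge URL with what the CA expects.
    'account-key-mismatch' is the situation in this thread: right token, wrong thumbprint."""
    expected = key_authorization(token, account_jwk)
    served = served.strip()  # a trailing newline in the file is tolerated by CAs
    if served == expected:
        return "ok"
    served_token, _, _ = served.partition(".")
    if served_token != token:
        return "token-mismatch"
    return "account-key-mismatch"


# Constructed sample account key (public part only) and token; not real values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key_AQ"}
TOKEN = "constructed-token-not-from-a-real-challenge"

if __name__ == "__main__":
    expected = key_authorization(TOKEN, SAMPLE_JWK)
    print("expected key authorization:", expected)
    # A responder that answers every challenge with some other account's thumbprint:
    foreign = TOKEN + ".4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"
    print("served by a hard-coded responder:", diagnose(foreign, TOKEN, SAMPLE_JWK))
```

Point the `served` argument at what `curl http://<domain>/.well-known/acme-challenge/<token>` returns to see which half of the file is wrong.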

The idea came from the acme.sh client, and a lot of clients are adopting it; however, I think they are hard-coding the keys rather than updating them dynamically.

Full explanation: Stateless Mode · acmesh-official/acme.sh Wiki · GitHub

Andrei
