Invalid challenge while generating certificate


#1

My domain is: rc-truck.cz

We provide domain registrations for our users and most of the certificates work without any problems. Well, some of them are really tricky, including this one. We use PHP 7.1 on nginx and sign a lot of certificates through our service. In this case it does not work - we try to request a new authorization (https://acme-v01.api.letsencrypt.org/new-authz), which returns a few challenges. We chose http-01 from them and prepared the token at the correct URL (http://rc-truck.cz/.well-known/acme-challenge/_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A, not working at the moment, but I checked it properly earlier, it works), that is, the whole payload, not just the token from the challenge. Then we send the request back to LE (https://acme-v01.api.letsencrypt.org/challenge) but the response is invalid - the token is absolutely different from the one provided to us in the challenges (new-authz response). I really have no idea what to do - LE provides us a different token than it expects in the challenge. I will be really happy for any help or advice.
Thanks in advance


#2

Hi @jfkwnd

please share your complete error message.

What client do you use?


#3

Hi, thanks for the quick response. We do not use any client that can be found on your list, it is some library which some of my colleagues got a few years ago, so I am not able to tell exactly. Anyway, it works for most of our domains.
In this case, we received this response (in JSON):

{
  "identifier": {"type": "dns", "value": "rc-truck.cz"},
  "status": "invalid",
  "expires": "2018-11-14T14:38:28Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/KEy5iiEMrjMcjdd3cVN_hUgwDwrtWjTvlOHbmZZAI5E/9049905271",
      "token": "LMu8CaDKJ23iIosYQsgrPj4rlNgnH_iaGLsDNUP3ZtI"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A.iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE] != [\ufeff_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A.iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE]",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/KEy5iiEMrjMcjdd3cVN_hUgwDwrtWjTvlOHbmZZAI5E/9049905272",
      "token": "_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A",
      "validationRecord": [
        {
          "url": "http://rc-truck.cz/.well-known/acme-challenge/_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A",
          "hostname": "rc-truck.cz",
          "port": "80",
          "addressesResolved": ["77.78.119.21"],
          "addressUsed": "77.78.119.21"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/KEy5iiEMrjMcjdd3cVN_hUgwDwrtWjTvlOHbmZZAI5E/9049905273",
      "token": "5mHzn9VTScz4uAyMkwifdaSPUqAzpCleCWrST4vNrKU"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/KEy5iiEMrjMcjdd3cVN_hUgwDwrtWjTvlOHbmZZAI5E/9049905274",
      "token": "ga572-B-DklBpeXQPeumoBzA8-3ZhhRpaSt2NM0z6yk"
    }
  ],
  "combinations": [[0], [2], [3], [1]]
}

I hope it will help to find out where the problem is.
Kind regards.


#4

This is an amazing error. See the two strings:

_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A.iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE

\ufeff_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A.iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE

Or corrected:

_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A.iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE

_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A.iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE

The strings are identical - with one exception: There is a starting \ufeff. This is the Byte Order Mark of UTF-16 (Unicode-coding).

It may be a problem creating the file or sending the file. But the file should be saved without a Byte Order Mark.

So the two strings are different -> invalid validation.

So first check your file to see if the file is wrong (you need a hex editor). If the file is correct, your webserver adds the BOM.
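The comparison the CA performs is byte-exact: the body served at /.well-known/acme-challenge/<token> must equal <token>.<JWK thumbprint of the account key> with nothing before or after it. The \ufeff in the error is the code point U+FEFF, which is what a file's leading byte order mark decodes to; in a UTF-8 file it is the three bytes EF BB BF (a UTF-16 file would have shown up as FF FE or FE FF followed by NUL-interleaved text, not as a cleanly decoded string). A classic way to get exactly this symptom from a PHP stack is a .php source file saved "UTF-8 with BOM": PHP emits those three bytes as output before anything else, so every response from that script starts with the BOM even though the challenge string itself is correct. The following is an added example, not code from the thread or from the poster's library, written in Python rather than their PHP. It computes the key authorization the way RFC 7638/ACME define it, writes the file as raw ASCII, and diagnoses a served body byte by byte. The token and thumbprint constants are copied from the error message above; the JWK used in the usage note is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json
import urllib.request

# Token and account-key thumbprint copied from the error message in the thread.
TOKEN = "_WDLwRN2Zkk1lakBww5bd_59Wt_uxJLlRhLZbjeOd-A"
THUMBPRINT = "iAu-y_uJ6cbjgQsupIGAnzXoE4R-nrpbeRgboZ9AcoE"
EXPECTED = f"{TOKEN}.{THUMBPRINT}"

# How U+FEFF looks at the start of a file in each encoding.
BOMS = {
    b"\xef\xbb\xbf": "UTF-8 BOM",
    b"\xff\xfe": "UTF-16 LE BOM",
    b"\xfe\xff": "UTF-16 BE BOM",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, no whitespace. Extra members such as
    "alg" or "kid" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """ACME http-01 key authorization: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge_file(path: str, keyauth: str) -> None:
    """Write the key authorization as raw ASCII bytes: no BOM, no newline."""
    with open(path, "wb") as f:
        f.write(keyauth.encode("ascii"))


def diagnose(served: bytes, expected: str) -> str:
    """Compare the bytes a client actually received with the expected key
    authorization and name the first discrepancy found."""
    want = expected.encode("ascii")
    if served == want:
        return "ok"
    for bom, name in BOMS.items():
        if served.startswith(bom):
            return f"leading {name} ({bom.hex()})"
    if served.strip() == want:
        return "leading or trailing whitespace"
    got_token, _, got_thumb = served.decode("ascii", "replace").partition(".")
    exp_token, _, exp_thumb = expected.partition(".")
    if got_token == exp_token and got_thumb != exp_thumb:
        return "token matches but thumbprint differs (wrong account key?)"
    return "content differs"


def check_url(url: str, expected: str) -> str:
    """Fetch the challenge URL over plain HTTP, as the validator does, and
    diagnose the raw body. Network call; not exercised offline."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return diagnose(resp.read(), expected)


if __name__ == "__main__":
    # Constructed placeholder JWK (not a real key) to show the derivation.
    sample_jwk = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB", "alg": "RS256"}
    print(key_authorization(TOKEN, sample_jwk))
    # The file as it should be, and the file as served in the thread.
    print(diagnose(EXPECTED.encode("ascii"), EXPECTED))
    print(diagnose("\ufeff".encode("utf-8") + EXPECTED.encode("ascii"), EXPECTED))
```

Run diagnose() against the bytes you get from curl or check_url(), not against what a text editor or browser shows you: both hide the BOM, which is why the hex editor Juergen mentions (or `xxd file | head -1`) is the right tool here.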


#5

Hi @JuergenAuer, thanks a lot, your advice really helped me. I was so deep in the problem that I could not see this quite obvious issue. So another point of view can be very helpful. Anyway, it was not a webserver issue, I found one file that was broken. After the fix it works properly. Regards.