Invalid key authorization: malformed token - out of ideas

gregski · March 27, 2016, 6:51am

Hi there,

I am using the manual HTTP method and I keep getting this error:

{“type”:“urn:acme:error:unauthorized”,“detail”:“Error parsing key authorization file: Invalid key authorization: malformed token”}

When I visit the URL in the browser I get exactly the same token as Let’s Encrypt is expecting as text/plain response:

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 27 Mar 2016 06:32:35 GMT
Accept-Ranges: bytes
ETag: "eb281a73f287d11:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 27 Mar 2016 06:37:32 GMT
Content-Length: 90

I used a file compare program to make sure the contents of the file are what’s expected. I am at a loss to try to figure out what else it could be? Anyone has any ideas?

serverco · March 27, 2016, 7:47am

I assume you are using the official client ( if not, please let us know which one )

If you place a test text file in /.well-known/acme-challenge/testfile can you reach it OK with a browser ? and does it pick up as plain text ? are you happy to provide a URL link to that so we can test ( or to the real token if it’s still there )

gregski · March 27, 2016, 8:03am

Yes I can reach it OK with browser see below:

http://www.victorianseakayak.club/.well-known/acme-challenge/syyxU6-6cGJOzbABugidt--FZtEDfBdzcv5C68QzkFY

Is this the token below?

https://acme-v01.api.letsencrypt.org/acme/authz/h01b-b3-cCW4j9RbAa8Dg948zNml5SHNPL7oMsZnejM

I have used the instructions as per: github.com/ebekker/ACMESharp/wiki/Quick-Start

Happy to provide any other info.

Thank you.

serverco · March 27, 2016, 8:11am

Are you using ACMESharp for obtaining the certificate ? it’s not one I’ve used, so just reading though that methodology. At the moment, to me, it looks as if the contents of that file are incorrect ( difficult to be certain without out the various keys though - which you should NOT provide here and make public).

serverco · March 27, 2016, 8:29am

Can you provide the output to the “Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual” command that you did please ? which should look something like;

 == Manual Challenge Handler - HTTP ==
  * Handle Time:      [1/12/2016 1:16:34 PM]
  * Challenge Token:  [2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
To complete this Challenge please create a new file
under the server that is responding to the hostname
and path given with the following characteristics:
  * HTTP URL:     [http://myserver.example.com/.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
  * File Path:    [.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
  * File Content: [2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0.H3URk7qFUvhyYzqJySfc9eM25RTDN7bN4pwil37Rgms]
  * MIME Type:    [text/plain]

gregski · March 27, 2016, 9:50am

Yes, I am using ACMESharp…

I saved the output when I ran that command previously…

PS C:\WINDOWS\system32> Complete-ACMEChallenge dns4 -ChallengeType http-01 -Handler manual
== Manual Challenge Handler - HTTP ==

Handle Time: [27/03/2016 5:31:54 PM]
Challenge Token: [syyxU6-6cGJOzbABugidt–FZtEDfBdzcv5C68QzkFY]
To complete this Challenge please create a new file
under the server that is responding to the hostname
and path given with the following characteristics:
HTTP URL: [http://www.victorianseakayak.club/.well-known/acme-challenge/syyxU6-6cGJOzbABugidt--FZtEDfBdzcv5C68QzkFY]
File Path: [.well-known/acme-challenge/syyxU6-6cGJOzbABugidt–FZtEDfBdzcv5C68QzkFY]
File Content: [syyxU6-6cGJOzbABugidt–FZtEDfBdzcv5C68QzkFY.6SmpNEd9gUADMqnM5tsamsmj1ZPiz-eXohHtkvQyEbw]
MIME Type: [text/plain]

Chomps · March 29, 2016, 4:38pm

I had the same problem. I generated the challenge token file, but unfortunately I had a NewLine (CR/LF) at the end of the file. Letsencrypt is failing authorization, if there are any additional characters in the file. You won’t see it in a browser, but if you open the file in a text editor directly on the server, you can see, if there are any additional characters.

gregski · March 30, 2016, 10:08am

What solved it was changing the EOL character to be UNIX in the text editor…I was creating this file on a Windows machine.

Seriously? I think this system is waaaaay too picky…but anyway.

Thanks all for your help!

Now let’s see if I can actually generate a cert!

Nit · March 30, 2016, 11:40am

Hum, I think boulder should ignore white chars (\t \n \r \x20) in the beginning and the end of the challenge file. A bit like the "".strip() method do in python.

Maybe this should be declared as a bug at

pfg · March 30, 2016, 11:41am

Good point, I just created a Pull Request that should fix this issue!

github.com/letsencrypt/boulder

Ignore Carriage Return in http-01 validation

letsencrypt:master ← pfigel:master

opened 11:40AM - 30 Mar 16 UTC

pfigel

+3 -3

Windows uses `\r\n` as a new line character. This change should fix issues some …Windows users are seeing when they include a new line at the end of their challenge tokens. The [client implementation](https://github.com/letsencrypt/letsencrypt/blob/2bc0c31f2ef23bdb13d4ef0e4484670e74897b15/acme/acme/challenges.py#L231) treats `\r` as a whitespace character as well.

kelunik · March 30, 2016, 5:57pm

Just at the end. Forgot about \r in my original patch. Thanks @pfg!

system · April 29, 2016, 5:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.