Invalid key authorization: malformed token - out of ideas


#1

Hi there,

I am using the manual HTTP method and I keep getting this error:

{“type”:“urn:acme:error:unauthorized”,“detail”:“Error parsing key authorization file: Invalid key authorization: malformed token”}

When I visit the URL in the browser I get exactly the same token as Let’s Encrypt is expecting as text/plain response:

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 27 Mar 2016 06:32:35 GMT
Accept-Ranges: bytes
ETag: "eb281a73f287d11:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 27 Mar 2016 06:37:32 GMT
Content-Length: 90

I used a file compare program to make sure the contents of the file are what’s expected. I am at a loss to try to figure out what else it could be? Anyone has any ideas?


#2

I assume you are using the official client ( if not, please let us know which one )

If you place a test text file in /.well-known/acme-challenge/testfile can you reach it OK with a browser ? and does it pick up as plain text ? are you happy to provide a URL link to that so we can test ( or to the real token if it’s still there )


#3

Yes I can reach it OK with browser see below:

http://www.victorianseakayak.club/.well-known/acme-challenge/syyxU6-6cGJOzbABugidt--FZtEDfBdzcv5C68QzkFY

Is this the token below?

https://acme-v01.api.letsencrypt.org/acme/authz/h01b-b3-cCW4j9RbAa8Dg948zNml5SHNPL7oMsZnejM

I have used the instructions as per: github.com/ebekker/ACMESharp/wiki/Quick-Start

Happy to provide any other info.

Thank you.


#4

Are you using ACMESharp for obtaining the certificate ? it’s not one I’ve used, so just reading though that methodology. At the moment, to me, it looks as if the contents of that file are incorrect ( difficult to be certain without out the various keys though - which you should NOT provide here and make public).


#5

Can you provide the output to the “Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual” command that you did please ? which should look something like;

 == Manual Challenge Handler - HTTP ==
  * Handle Time:      [1/12/2016 1:16:34 PM]
  * Challenge Token:  [2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
To complete this Challenge please create a new file
under the server that is responding to the hostname
and path given with the following characteristics:
  * HTTP URL:     [http://myserver.example.com/.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
  * File Path:    [.well-known/acme-challenge/2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0]
  * File Content: [2yRd04TwqiZTh6TWLZ1azL15QIOGaiRmx8MjAoA5QH0.H3URk7qFUvhyYzqJySfc9eM25RTDN7bN4pwil37Rgms]
  * MIME Type:    [text/plain]

#6

Yes, I am using ACMESharp…

I saved the output when I ran that command previously…

PS C:\WINDOWS\system32> Complete-ACMEChallenge dns4 -ChallengeType http-01 -Handler manual
== Manual Challenge Handler - HTTP ==

  • Handle Time: [27/03/2016 5:31:54 PM]
  • Challenge Token: [syyxU6-6cGJOzbABugidt–FZtEDfBdzcv5C68QzkFY]
    To complete this Challenge please create a new file
    under the server that is responding to the hostname
    and path given with the following characteristics:
  • HTTP URL: [http://www.victorianseakayak.club/.well-known/acme-challenge/syyxU6-6cGJOzbABugidt--FZtEDfBdzcv5C68QzkFY]
  • File Path: [.well-known/acme-challenge/syyxU6-6cGJOzbABugidt–FZtEDfBdzcv5C68QzkFY]
  • File Content: [syyxU6-6cGJOzbABugidt–FZtEDfBdzcv5C68QzkFY.6SmpNEd9gUADMqnM5tsamsmj1ZPiz-eXohHtkvQyEbw]
  • MIME Type: [text/plain]


#7

I had the same problem. I generated the challenge token file, but unfortunately I had a NewLine (CR/LF) at the end of the file. Letsencrypt is failing authorization, if there are any additional characters in the file. You won’t see it in a browser, but if you open the file in a text editor directly on the server, you can see, if there are any additional characters.


#8

What solved it was changing the EOL character to be UNIX in the text editor…I was creating this file on a Windows machine.

Seriously? I think this system is waaaaay too picky…but anyway.

Thanks all for your help!

Now let’s see if I can actually generate a cert!


#9

Hum, I think boulder should ignore white chars (\t \n \r \x20) in the beginning and the end of the challenge file. A bit like the "".strip() method do in python.

Maybe this should be declared as a bug at


#10

Good point, I just created a Pull Request that should fix this issue!


#11

Just at the end. Forgot about \r in my original patch. Thanks @pfg!


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.