Key authorization file from server did not match this challenge

Dear Community,

Trying the staging environment via a custom ACME client based on PHP.
Apache server.

The digest for the HTTP challenge is retrieved as below:

$privateKey = openssl_pkey_get_private(file_get_contents($PRIVATEKEYFILE));
$details = openssl_pkey_get_details($privateKey);

// Public JWK of the account key; members in lexicographic order (e, kty, n)
$header = array(
  "e" => LEFunctions::Base64UrlSafeEncode($details["rsa"]["e"]),
  "kty" => "RSA",
  "n" => LEFunctions::Base64UrlSafeEncode($details["rsa"]["n"])
);
// Thumbprint = base64url(SHA-256(JSON of the JWK)); this becomes the part after the dot in the challenge file
$digest = LEFunctions::Base64UrlSafeEncode(hash('sha256', json_encode($header), true));

The digest retrieved is different from the one expected by ACME even though the same private key is used for signRequestJWK and signRequestKid. The difference in digest is causing "Key authorization file from server did not match this challenge" as below:

Domain covered:
["beok.world","www.beok.world"]

[27-03-2023 08:48:39] :
No account found, attempting to create account.

[27-03-2023 08:48:41] :
LEClient finished constructing

[27-03-2023 08:48:41] :
No order found for 'beok.world'. Creating new order.

[27-03-2023 08:48:42] :
create order is {"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-order","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Mon, 27 Mar 2023 08:48:42 GMT\r\ncontent-type: application\/json\r\ncontent-length: 489\r\nboulder-requester: 95312624\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/order\/95312624\/7967804384\r\nreplay-nonce: A272eBHNDIFaHtooEttDZUhFLBJzmEE636gnEn7n2H19gys\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"status":"pending","expires":"2023-04-03T08:48:42Z","identifiers":[{"type":"dns","value":"beok.world"},{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244"],"finalize":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/finalize\/95312624\/7967804384"}}

[27-03-2023 08:48:43] :
update auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/qQuyrw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/2knFzw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/vFyVwQ","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/neqmeA","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"}]}]

[27-03-2023 08:48:43] :
Created order for 'beok.world'.

[27-03-2023 08:48:43] :
Pending auths is [{"type":"http-01","identifier":"beok.world","filename":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","content":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"},{"type":"http-01","identifier":"www.beok.world","filename":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","content":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"}]

[27-03-2023 08:48:43] :
Pending auths is [{"type":"dns-01","identifier":"beok.world","DNSDigest":"nG6ulUC4Fz_VYixI6eHbTF13v3CrYBqqDLTgHUE9lDs"},{"type":"dns-01","identifier":"www.beok.world","DNSDigest":"DPi4YPDxBkiUAmX12UHtgLM_o-ReRSpyVpNOVFrvN1U"}]

[27-03-2023 08:48:43] :
Pending auths is [{"type":"http-01","identifier":"beok.world","filename":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","content":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"},{"type":"http-01","identifier":"www.beok.world","filename":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","content":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"}]

Creating HTTP challenge file http://beok.world/.well-known/acme-challenge/HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo
[27-03-2023 08:48:53] :
verify auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/qQuyrw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/2knFzw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/vFyVwQ","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/neqmeA","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"}]}]

[27-03-2023 08:48:54] :
HTTP challenge for 'beok.world' valid.

[27-03-2023 08:48:58] :
Pending auths is [{"type":"dns-01","identifier":"www.beok.world","DNSDigest":"DPi4YPDxBkiUAmX12UHtgLM_o-ReRSpyVpNOVFrvN1U"}]

[27-03-2023 08:48:58] :
Pending auths is [{"type":"http-01","identifier":"www.beok.world","filename":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","content":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"}]

Creating HTTP challenge file http://www.beok.world/.well-known/acme-challenge/CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo
[27-03-2023 08:49:08] :
verify auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE\" != \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-27T08:48:54Z"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/vFyVwQ","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/neqmeA","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"}]}]

[27-03-2023 08:49:09] :
HTTP challenge for 'www.beok.world' valid.

Finalizing the order
[27-03-2023 08:49:12] :
update auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE\" != \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-27T08:48:54Z"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"invalid","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE\" != \"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","validationRecord":[{"url":"http:\/\/www.beok.world\/.well-known\/acme-challenge\/CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","hostname":"www.beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-27T08:49:09Z"}]}]

[27-03-2023 08:49:12] :
Order status for 'beok.world' is 'invalid'. Cannot finalize order.

Can you please check the request and help us identify why ACME is expecting a different digest?

Regards,
~Shyam

Not sure, but maybe some type thing resulting in a slightly different JSON structure?

4 Likes

Observations: I believe the redirects have issues.

$ curl -Ii http://www.beok.world/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
date: Mon, 27 Mar 2023 14:42:16 GMT
content-type: text/html; charset=UTF-8
server: Apache
x-powered-by: PHP/7.4
set-cookie: abcgoDeiOEj=EHIm2RO9f%5DeUNQ4; expires=Tue, 28-Mar-2023 14:42:15 GMT; Max-Age=86400; path=/
set-cookie: aSDuLtxyshCvl=yTj3.CirWk; expires=Tue, 28-Mar-2023 14:42:15 GMT; Max-Age=86400; path=/
set-cookie: tCnBvOZYzI=P3mIsC; expires=Tue, 28-Mar-2023 14:42:15 GMT; Max-Age=86400; path=/
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-redirect-by: WordPress
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
location: http://beok.world/.well-known/acme-challenge/sometestfile
x-iplb-request-id: 62F6FFE6:E818_B2204D71:0050_6421AB47_6E56:2B82D
x-iplb-instance: 38297
$ curl -Ii http://beok.world/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
date: Mon, 27 Mar 2023 14:43:10 GMT
content-type: text/html; charset=UTF-8
server: Apache
x-powered-by: PHP/7.4
set-cookie: abcgoDeiOEj=EHIm2RO9f%5DeUNQ4; expires=Tue, 28-Mar-2023 14:43:09 GMT; Max-Age=86400; path=/
set-cookie: aSDuLtxyshCvl=yTj3.CirWk; expires=Tue, 28-Mar-2023 14:43:09 GMT; Max-Age=86400; path=/
set-cookie: tCnBvOZYzI=P3mIsC; expires=Tue, 28-Mar-2023 14:43:09 GMT; Max-Age=86400; path=/
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://beok.world/wp-json/>; rel="https://api.w.org/"
x-redirect-by: WordPress
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
location: https://beok.world/boutique/?redirect_to=http%3A%2F%2Fbeok.world%2F.well-known%2Facme-challenge%2Fsometestfile
x-iplb-request-id: 62F6FFE6:AB20_B2204D71:0050_6421AB7D_9A09:2B830
x-iplb-instance: 38297
$ curl -II https://beok.world/boutique/?redirect_to=http%3A%2F%2Fbeok.world%2F.well-known%2Facme-challenge%2Fsometestfile
HTTP/2 200
date: Mon, 27 Mar 2023 14:44:27 GMT
content-type: text/html; charset=UTF-8
server: Apache
x-powered-by: PHP/7.4
set-cookie: abcgoDeiOEj=EHIm2RO9f%5DeUNQ4; expires=Tue, 28-Mar-2023 14:44:27 GMT; Max-Age=86400; path=/; secure
set-cookie: aSDuLtxyshCvl=yTj3.CirWk; expires=Tue, 28-Mar-2023 14:44:27 GMT; Max-Age=86400; path=/; secure
set-cookie: tCnBvOZYzI=P3mIsC; expires=Tue, 28-Mar-2023 14:44:27 GMT; Max-Age=86400; path=/; secure
link: <https://beok.world/wp-json/>; rel="https://api.w.org/"
link: <https://beok.world/wp-json/wp/v2/pages/1232>; rel="alternate"; type="application/json"
link: <https://beok.world/?p=1232>; rel=shortlink
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
vary: Accept-Encoding

Also using this online tool https://www.redirect-checker.org/ with http://www.beok.world/.well-known/acme-challenge/sometestfile as the input yielded these results:

Result

http://www.beok.world/.well-known/acme-challenge/sometestfile
301 Moved Permanently
http://beok.world/.well-known/acme-challenge/sometestfile
302 Found
https://beok.world/boutique/?redirect_to=http%3A%2F%2Fbeok.world%2F.well-known%2Facme-challenge%2Fsometestfile
200 OK
Problems found:

    You use 301 and 302 redirect at the same time. This might be confusing for search engine. Generally, please do not use 301 and 302 redirects at the same time.
    You use a 302 redirect. This means, that the actually content is temporary not reachable and will come back soon. To use a 302 redirection for generally moved pages is a bad idea. Search engine bot might not follow it or handle it as temporary. For SEO this is also a bad idea, because no link juice will be transferred to the linked page. 

HTTP Headers

>>> http://www.beok.world/.well-known/acme-challenge/sometestfile

> --------------------------------------------
> 301 Moved Permanently
> --------------------------------------------
Status:	301 Moved Permanently
Code:	301
date:	Mon, 27 Mar 2023 14:42:08 GMT
content-type:	text/html; charset=UTF-8
server:	Apache
x-powered-by:	PHP/7.4
set-cookie:	tCnBvOZYzI=P3mIsC; expires=Tue, 28-Mar-2023 14:42:06 GMT; Max-Age=86400; path=/
expires:	Wed, 11 Jan 1984 05:00:00 GMT
cache-control:	no-cache, must-revalidate, max-age=0
x-redirect-by:	WordPress
x-content-type-options:	nosniff
x-frame-options:	SAMEORIGIN
Location:	http://beok.world/.well-known/acme-challenge/sometestfile
x-iplb-request-id:	5CCD33A5:A300_B2204D71:0050_6421AB3C_2E925:2813A
x-iplb-instance:	37649
connection:	close



>>> http://beok.world/.well-known/acme-challenge/sometestfile

> --------------------------------------------
> 302 Found
> --------------------------------------------
Status:	302 Found
Code:	302
date:	Mon, 27 Mar 2023 14:42:08 GMT
content-type:	text/html; charset=UTF-8
server:	Apache
x-powered-by:	PHP/7.4
set-cookie:	tCnBvOZYzI=P3mIsC; expires=Tue, 28-Mar-2023 14:42:08 GMT; Max-Age=86400; path=/
expires:	Wed, 11 Jan 1984 05:00:00 GMT
cache-control:	no-cache, must-revalidate, max-age=0
link:	<https://beok.world/wp-json/>; rel="https://api.w.org/"
x-redirect-by:	WordPress
x-content-type-options:	nosniff
x-frame-options:	SAMEORIGIN
Location:	https://beok.world/boutique/?redirect_to=http%3A%2F%2Fbeok.world%2F.well-known%2Facme-challenge%2Fsometestfile
x-iplb-request-id:	5CCD33A5:A302_B2204D71:0050_6421AB40_4ACBF:2813B
x-iplb-instance:	37649
connection:	close



>>> https://beok.world/boutique/?redirect_to=http%3A%2F%2Fbeok.world%2F.well-known%2Facme-challenge%2Fsometestfile

> --------------------------------------------
> 200 OK
> --------------------------------------------
Status:	200 OK
Code:	200
Date:	Mon, 27 Mar 2023 14:42:10 GMT
Content-Type:	text/html; charset=UTF-8
Connection:	close
Server:	Apache
X-Powered-By:	PHP/7.4
Set-Cookie:	tCnBvOZYzI=P3mIsC; expires=Tue, 28-Mar-2023 14:42:09 GMT; Max-Age=86400; path=/; secure
Link:	<https://beok.world/?p=1232>; rel=shortlink
X-Content-Type-Options:	nosniff
X-Frame-Options:	SAMEORIGIN
Vary:	Accept-Encoding

2 Likes

Here is a list of issued certificates, crt.sh | beok.world, the latest being 2023-02-02.

Your server is still serving this certificate:

$ openssl s_client -showcerts -servername beok.world -connect beok.world:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.beok.world
verify return:1
---
Certificate chain
 0 s:CN = www.beok.world
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb  2 18:58:30 2023 GMT; NotAfter: May  3 18:58:29 2023 GMT
1 Like

For debugging purposes, can you try a known ACME client temporarily? Trying to eliminate complexity by separating the pieces, the divide and conquer method.

1 Like

Thanks for all your replies. I got rid of those redirects; the local check of the HTTP challenge succeeds, but ACME still expects a different digest, as below:

Domain covered:
["beok.world","www.beok.world"]

[30-03-2023 12:48:37] :
{"request":"GET https:\/\/acme-v02.api.letsencrypt.org\/directory","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:37 GMT\r\ncontent-type: application\/json\r\ncontent-length: 756\r\ncache-control: public, max-age=0, no-cache\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"QuCEOIpZImA":"https:\/\/community.letsencrypt.org\/t\/adding-random-entries-to-the-directory\/33417","keyChange":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/key-change","meta":{"caaIdentities":["letsencrypt.org"],"termsOfService":"https:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf","website":"https:\/\/letsencrypt.org"},"newAccount":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-acct","newNonce":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-nonce","newOrder":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-order","renewalInfo":"https:\/\/acme-v02.api.letsencrypt.org\/get\/draft-ietf-acme-ari-00\/renewalInfo\/","revokeCert":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/revoke-cert"}}

[30-03-2023 12:48:38] :
{"request":"HEAD https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-nonce","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:38 GMT\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 327CK4Iwah1u7wqv6ZiO7D3qhISVkTyGzh6QnmAe_j8Mu9E\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":""}

[30-03-2023 12:48:38] :
No account found, attempting to create account.

[30-03-2023 12:48:39] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-acct","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:39 GMT\r\ncontent-type: application\/json\r\ncontent-length: 901\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"terms-of-service\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/acct\/1035084527\r\nreplay-nonce: C4000kk6H4JGB9fbkLiSih5SYVgpJUVtRA9Zol5GDep3qTY\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"key":{"kty":"RSA","n":"84sl3dYmt96blAGPL7shfB6kI93pTI2xC52dxED43CaC4HKD43AJ1h7chdUBHUmXs26p3bx4-u33rf8S8BjU8HzbMuDYEGOvcyXWMSJC5tPldZi_KGD6plq06Td6GBc1pluOvuVm4fhXpcxcCBVbxRA_a7pkhzHaJO5bEHRhA8PaJQLy8LG6dLcPYF9erQc2n_rtTWqG-VFDh6qutrL8gBZyoNfn-qLnhtrn2NZ10BPkPpoNjQt6WLU7wkeFFpxrlNoQiLxwgtiLaAQ_ehznF1KxvKSLuzg_z4FLBKP0dEuriQaBktEWGHA65Z7oiKXxtBBAWcxvNWxyR_byChPCU8LddmEOS93gp4_-_JmHL1piqaT2nBo5fMhm-Bk_V0K1D5toOrpTDes1xxW-ZTTbzBSHvHmQUXNcLgQSWcJfyFzug9PMVq0sxFnYFdxzdVAtNQVXSvUvuJcshkAnEIIWqeYqId93POquDncq8X3-WzVqNSTsJjNACUD2T4Nljf6U5WDjJnPWfRUkAqaIXheCMoad5YengoxscnDOHMhbm0HaPhhoXN1ERxsXIoYxq2I-s1HS6tu2UqDAp97tqT0d_xbSPsfhSfMvbUhsEZsAdziJBY0mN0Ak0VWyXrj031lol1seJegpjdR5LnCcm6U7hZBwY938M-Aod6fY55z4vms","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-30T12:48:39.408640695Z","status":"valid"}}

[30-03-2023 12:48:39] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/acct\/1035084527","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:39 GMT\r\ncontent-type: application\/json\r\ncontent-length: 891\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"terms-of-service\"\r\nreplay-nonce: 4397FckFG83yjykD9lSQcdIsnCKmmCjYHI2ZlGI4wE4myCk\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"key":{"kty":"RSA","n":"84sl3dYmt96blAGPL7shfB6kI93pTI2xC52dxED43CaC4HKD43AJ1h7chdUBHUmXs26p3bx4-u33rf8S8BjU8HzbMuDYEGOvcyXWMSJC5tPldZi_KGD6plq06Td6GBc1pluOvuVm4fhXpcxcCBVbxRA_a7pkhzHaJO5bEHRhA8PaJQLy8LG6dLcPYF9erQc2n_rtTWqG-VFDh6qutrL8gBZyoNfn-qLnhtrn2NZ10BPkPpoNjQt6WLU7wkeFFpxrlNoQiLxwgtiLaAQ_ehznF1KxvKSLuzg_z4FLBKP0dEuriQaBktEWGHA65Z7oiKXxtBBAWcxvNWxyR_byChPCU8LddmEOS93gp4_-_JmHL1piqaT2nBo5fMhm-Bk_V0K1D5toOrpTDes1xxW-ZTTbzBSHvHmQUXNcLgQSWcJfyFzug9PMVq0sxFnYFdxzdVAtNQVXSvUvuJcshkAnEIIWqeYqId93POquDncq8X3-WzVqNSTsJjNACUD2T4Nljf6U5WDjJnPWfRUkAqaIXheCMoad5YengoxscnDOHMhbm0HaPhhoXN1ERxsXIoYxq2I-s1HS6tu2UqDAp97tqT0d_xbSPsfhSfMvbUhsEZsAdziJBY0mN0Ak0VWyXrj031lol1seJegpjdR5LnCcm6U7hZBwY938M-Aod6fY55z4vms","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-30T12:48:39Z","status":"valid"}}

[30-03-2023 12:48:39] :
LEClient finished constructing

[30-03-2023 12:48:39] :
No order found for 'beok.world'. Creating new order.

[30-03-2023 12:48:40] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-order","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:40 GMT\r\ncontent-type: application\/json\r\ncontent-length: 473\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/order\/1035084527\/173173861347\r\nreplay-nonce: 1DFA4KPZn2VSEwyxpt7AdYBYJGJ35oEl_1rOY4J9B71Kt2M\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"status":"pending","expires":"2023-04-06T12:48:40Z","identifiers":[{"type":"dns","value":"beok.world"},{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215248971597","https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215248971607"],"finalize":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/finalize\/1035084527\/173173861347"}}

[30-03-2023 12:48:41] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215248971597","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:41 GMT\r\ncontent-type: application\/json\r\ncontent-length: 794\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A5FEjPLms-jOIIU3vbt3o0DO91sCxgsu8tNZLAVA14TC71s\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-06T12:48:40Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/_ZDOAg","token":"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/BLO6mw","token":"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/8tJJUg","token":"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY"}]}}

[30-03-2023 12:48:41] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215248971607","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:41 GMT\r\ncontent-type: application\/json\r\ncontent-length: 798\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: C878WF8fDwC1HTc3_iLIsqYTzYHOG4CzAfHh3h0pBGtP3iM\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-06T12:48:40Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/DC0x7Q","token":"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/drQ4lg","token":"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/Er4K3w","token":"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0"}]}}

[30-03-2023 12:48:41] :
Created order for 'beok.world'.

Creating HTTP challenge file http://beok.world/.well-known/acme-challenge/4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY
[30-03-2023 12:48:51] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/_ZDOAg","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:51 GMT\r\ncontent-type: application\/json\r\ncontent-length: 187\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"up\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/_ZDOAg\r\nreplay-nonce: C878bw1K5FolXMfvYU8dVCpZOCD_lqHxH_LkzKM5r0mE4Qo\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/_ZDOAg","token":"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY"}}

[30-03-2023 12:48:51] :
HTTP challenge for 'beok.world' valid.

[30-03-2023 12:48:53] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215248971597","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:48:53 GMT\r\ncontent-type: application\/json\r\ncontent-length: 1177\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 327CupMcdb2UOn-kyn1hDsFidFcEeghmH0UnSQEhslAmjkE\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-06T12:48:40Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY.l9fvHsq7FWblJjsHQUuY8FNuy6QGYWqu3gMJ0Y1vnwE\" != \"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971597\/_ZDOAg","token":"4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-30T12:48:51Z"}]}}

Creating HTTP challenge file http://www.beok.world/.well-known/acme-challenge/tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0
[30-03-2023 12:49:03] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/DC0x7Q","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:49:03 GMT\r\ncontent-type: application\/json\r\ncontent-length: 187\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"up\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/DC0x7Q\r\nreplay-nonce: C400ltIVQjLD1F_84hPUi9zb3Of7n99PWnF4Bd16DuBmgzk\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/DC0x7Q","token":"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0"}}

[30-03-2023 12:49:03] :
HTTP challenge for 'www.beok.world' valid.

[30-03-2023 12:49:05] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215248971607","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Thu, 30 Mar 2023 12:49:05 GMT\r\ncontent-type: application\/json\r\ncontent-length: 1189\r\nboulder-requester: 1035084527\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 4397x6TwA7MCVF64aG7SMfHr9ZdxI03Hqfo5LcXJmZeqDdM\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"www.beok.world"},"status":"invalid","expires":"2023-04-06T12:48:40Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0.l9fvHsq7FWblJjsHQUuY8FNuy6QGYWqu3gMJ0Y1vnwE\" != \"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215248971607\/DC0x7Q","token":"tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0","validationRecord":[{"url":"http:\/\/www.beok.world\/.well-known\/acme-challenge\/tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0","hostname":"www.beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-30T12:49:03Z"}]}}

## THERE ARE SOME PENDING VERIFICATIONS. IF NEW DNS RECORDS WERE ADDED, PLEASE RUN THIS INSTALLATION AGAIN AFTER 5-10MINS

Any thoughts on why the digest is changing here even though the private key sent in the request is the same?

1 Like

You have almost certainly done something wrong in the ACME sequence.

I moved this thread to Client Dev to attract volunteers who specialize in ACME client programming.

5 Likes

I think this would be much easier to debug with a known private key; how about the example localhost key from pebble? pebble/key.pem at main · letsencrypt/pebble · GitHub


These challenge requests:

curl -6 http://beok.world/.well-known/acme-challenge/4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY
curl -6 http://www.beok.world/.well-known/acme-challenge/tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0

Return these replies:

4nmpqpT5Rmg-PVfe-LLxmJ7nj6iEsyNouh3gKLd0XyY.l9fvHsq7FWblJjsHQUuY8FNuy6QGYWqu3gMJ0Y1vnwE
tJxo2xKfsCYCpHSmWNx-BCj0k3OVpdkIbf0cTHcvli0.l9fvHsq7FWblJjsHQUuY8FNuy6QGYWqu3gMJ0Y1vnwE

It seems like something in your process is reusing some of the previous content [cached/unsynced]:
"l9fvHsq7FWblJjsHQUuY8FNuy6QGYWqu3gMJ0Y1vnwE"

I also see a load-balancer involved.


This looks like the same issue as a recent other thread.

The second part of the token value (after the dot .) is the account thumbprint. You can see the first part matches, but the second part is different. In that previous thread, it wouldn't matter what you threw at the server as the request token, it responded with the token combined with the account thumbprint.

However, I don't see that behaviour on this server. If you change just a tiny bit in the challenge token, it doesn't return an ACME challenge response. That said, it's possible to mix the two challenges from Rudy above: if you use the challenge token from the beok.world URI for the www.beok.world request, it does return a valid ACME challenge response. And vice versa.

So perhaps the server remembers ACME tokens and responds only when it recognises one? Without checking the actual hostname? If so, it might "intercept" ACME challenges and respond with its own account, which is invalid with regard to the ACME client used by OP.


Thanks for all your replies and help! Very much appreciated 🙂

I decided to use a known private key as per @orangepizza's suggestion above. The account thumbprint, a.k.a. the digest, is 99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw, whereas the expected second parameter from ACME is again different from the thumbprint of the private key.

The custom ACME client being used is yourivw/LEClient on GitHub: an easy-to-use PHP ACME v2 client library, designed to be used with LetsEncrypt.

Latest response is as below:

Domain covered:
["beok.world","www.beok.world"]

[31-03-2023 09:37:22] :
{"request":"GET https:\/\/acme-v02.api.letsencrypt.org\/directory","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:22 GMT\r\ncontent-type: application\/json\r\ncontent-length: 756\r\ncache-control: public, max-age=0, no-cache\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"R4-L_OWACBk":"https:\/\/community.letsencrypt.org\/t\/adding-random-entries-to-the-directory\/33417","keyChange":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/key-change","meta":{"caaIdentities":["letsencrypt.org"],"termsOfService":"https:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf","website":"https:\/\/letsencrypt.org"},"newAccount":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-acct","newNonce":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-nonce","newOrder":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-order","renewalInfo":"https:\/\/acme-v02.api.letsencrypt.org\/get\/draft-ietf-acme-ari-00\/renewalInfo\/","revokeCert":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/revoke-cert"}}

[31-03-2023 09:37:23] :
{"request":"HEAD https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-nonce","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:23 GMT\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: F977qQqeF-T6gBz-B1Cbtm_EtZdCvk98Y7T0kfOm4Nb9a9U\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":""}

[31-03-2023 09:37:23] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-acct","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:23 GMT\r\ncontent-type: application\/json\r\ncontent-length: 550\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/acct\/1036569257\r\nreplay-nonce: 5CA2TKJ87Ftg7uH4vtj-0OwcwEKyVWC77hElUXe1t8iDeaI\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"key":{"kty":"RSA","n":"mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-31T09:35:29Z","status":"valid"}}

[31-03-2023 09:37:23] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/acct\/1036569257","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:23 GMT\r\ncontent-type: application\/json\r\ncontent-length: 550\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"terms-of-service\"\r\nreplay-nonce: C8786We1rZMG70_KqfK30hTB3xaZWR-Hw_UmwRPMb5xXBww\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"key":{"kty":"RSA","n":"mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-31T09:35:29Z","status":"valid"}}

[31-03-2023 09:37:23] :
LEClient finished constructing

[31-03-2023 09:37:24] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/order\/1036569257\/173344161997","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:24 GMT\r\ncontent-type: application\/json\r\ncontent-length: 473\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: C878fq66XY50lpEkPuGbIx5TmHxpd-jB2JD2qk6hV-CMCIA\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"status":"invalid","expires":"2023-04-07T09:35:30Z","identifiers":[{"type":"dns","value":"beok.world"},{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486019067","https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486019077"],"finalize":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/finalize\/1036569257\/173344161997"}}

[31-03-2023 09:37:24] :
Order object is {"status":"invalid","expires":"2023-04-07T09:35:30Z","identifiers":[{"type":"dns","value":"beok.world"},{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486019067","https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486019077"],"finalize":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/finalize\/1036569257\/173344161997"}

[31-03-2023 09:37:24] :
Order data for 'beok.world' invalid. Deleting order data and creating new order. Order exception is Order status is invalid.

[31-03-2023 09:37:24] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/new-order","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:24 GMT\r\ncontent-type: application\/json\r\ncontent-length: 473\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/order\/1036569257\/173344395517\r\nreplay-nonce: A5FE_X3NMypNs1Q1W7Q2w_lmetZRFRAcBMtBMSwUya7SshA\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"status":"pending","expires":"2023-04-07T09:37:24Z","identifiers":[{"type":"dns","value":"beok.world"},{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486361267","https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486361277"],"finalize":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/finalize\/1036569257\/173344395517"}}

[31-03-2023 09:37:25] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486361267","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:25 GMT\r\ncontent-type: application\/json\r\ncontent-length: 794\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A5FENGPM4BvuK_UOwuD0RvnPY6WlbSUnqH6IILIxbF9qHpA\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-07T09:37:24Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/WXDr6g","token":"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/-pbulw","token":"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/N4E7Iw","token":"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk"}]}}

[31-03-2023 09:37:25] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486361277","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:25 GMT\r\ncontent-type: application\/json\r\ncontent-length: 798\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A5FEWXI6VCrxPmm6J5865AJbs2Nj29jkjceMeDsOU7iZHlc\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-07T09:37:24Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/p2Z7qg","token":"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/uth8tQ","token":"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/WJ-Xyg","token":"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w"}]}}

[31-03-2023 09:37:25] :
Created order for 'beok.world'.

Creating HTTP challenge file http://beok.world/.well-known/acme-challenge/uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk
[31-03-2023 09:37:36] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/WXDr6g","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:36 GMT\r\ncontent-type: application\/json\r\ncontent-length: 187\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"up\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/WXDr6g\r\nreplay-nonce: C400JU6ozQzr_ybV8LSP1ntAU7inagvSyU6s45pN4_ZtDvI\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/WXDr6g","token":"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk"}}

[31-03-2023 09:37:36] :
HTTP challenge for 'beok.world' valid.

[31-03-2023 09:37:37] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486361267","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:37 GMT\r\ncontent-type: application\/json\r\ncontent-length: 1177\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: F977uBfiQQsOoio-MotbR03o4rid-aoYWoAPogOYg9nHHS8\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-07T09:37:24Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw\" != \"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361267\/WXDr6g","token":"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-31T09:37:36Z"}]}}

Creating HTTP challenge file http://www.beok.world/.well-known/acme-challenge/lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w
[31-03-2023 09:37:48] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/p2Z7qg","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:48 GMT\r\ncontent-type: application\/json\r\ncontent-length: 187\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"up\"\r\nlocation: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/p2Z7qg\r\nreplay-nonce: F977h9Z9iiUT8AEW0nEJ7qJCfiGvfz3ob5svgeVO7q5feso\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"type":"http-01","status":"pending","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/p2Z7qg","token":"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w"}}

[31-03-2023 09:37:48] :
HTTP challenge for 'www.beok.world' valid.

[31-03-2023 09:37:49] :
{"request":"POST https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/215486361277","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 09:37:49 GMT\r\ncontent-type: application\/json\r\ncontent-length: 1189\r\nboulder-requester: 1036569257\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A5FEEJ5EhEBy0ovXi2cMDREoRV3J7v5mmQTe76V5q0JmIZ4\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"www.beok.world"},"status":"invalid","expires":"2023-04-07T09:37:24Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw\" != \"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/215486361277\/p2Z7qg","token":"lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w","validationRecord":[{"url":"http:\/\/www.beok.world\/.well-known\/acme-challenge\/lYCO7Yv4EfAuJgWSLPYGSzkzGmOk2j6Z3FMfreAnx7w","hostname":"www.beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-31T09:37:48Z"}]}}

## THERE ARE SOME PENDING VERIFICATIONS. IF NEW DNS RECORDS WERE ADDED, PLEASE RUN THIS INSTALLATION AGAIN AFTER 5-10MINS
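The second half of the key authorization that Osiris describes is the RFC 7638 JWK thumbprint, which is what the OP's `$digest` code computes. The following is an added example (Python, not LEClient code and not posted by anyone in the thread) that computes that thumbprint, builds the key authorization, and splits Boulder's `"A" != "B"` error detail so you can see at a glance that the token halves agree and only the thumbprint halves differ. The account key and the error text are the ones from the new-acct response and the beok.world authorization above; the function names are mine.

```python
"""RFC 7638 JWK thumbprint and ACME http-01 key-authorization check.

Added example for this thread; not part of LEClient. Input values are
copied from the ACME responses the OP posted.
"""
import base64
import hashlib
import json
import re

# Account public key as returned in the new-acct response above. Only the
# RFC 7638 members (e, kty, n) take part in the thumbprint.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w",
    "e": "AQAB",
}

# Boulder's error detail for the beok.world http-01 challenge (copied from the thread).
ERROR_DETAIL = (
    "The key authorization file from the server did not match this challenge "
    '"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw" != '
    '"uB_7cz1bXaV0GMz4Yb12RtfKBRiXywemIYgDFDNzXjk.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"'
)

# Required members per key type (RFC 7638 section 3.2). Anything else in the
# JWK (alg, kid, use, ...) must NOT be hashed.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """The exact string RFC 7638 hashes: required members only, keys sorted
    lexicographically, no whitespace. Member order in the input is irrelevant."""
    subset = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON, base64url-encoded (43 chars for SHA-256)."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


MISMATCH_RE = re.compile(r'"([^"]+)" != "([^"]+)"')


def _split_key_auth(value: str) -> tuple:
    """Split 'token.thumbprint'; a value without a dot has an empty thumbprint."""
    token, _, thumb = value.partition(".")
    return token, thumb


def parse_mismatch(detail: str) -> dict:
    """Pull both key authorizations out of Boulder's '"A" != "B"' detail and
    report which half differs."""
    m = MISMATCH_RE.search(detail)
    if not m:
        raise ValueError("no key-authorization pair found in error detail")
    (tok_a, thumb_a), (tok_b, thumb_b) = (_split_key_auth(v) for v in m.groups())
    return {
        "token": tok_a,
        "tokens_match": tok_a == tok_b,
        "thumbprints": (thumb_a, thumb_b),
        "thumbprints_match": thumb_a == thumb_b,
    }


def diagnose(detail: str, jwk: dict) -> dict:
    """Relate the two thumbprints in the error to the key we actually hold:
    a (True, False) or (False, True) result means exactly one side was
    produced with our account key, the other side with some other key."""
    info = parse_mismatch(detail)
    local = jwk_thumbprint(jwk)
    info["local_thumbprint"] = local
    info["local_matches"] = tuple(t == local for t in info["thumbprints"])
    return info


if __name__ == "__main__":
    print("canonical:", canonical_jwk_json(ACCOUNT_JWK)[:60], "...")
    print("thumbprint:", jwk_thumbprint(ACCOUNT_JWK))
    for k, v in diagnose(ERROR_DETAIL, ACCOUNT_JWK).items():
        print(f"{k}: {v}")
```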

Please test each name separately using the staging environment and show us both results.


Please find the non-www domain request below. The digest is the same and perfect, whereas the digest expected by the API response is again different.

Domain covered:
["beok.world"]

[31-03-2023 16:41:21] :
{"request":"GET https:\/\/acme-staging-v02.api.letsencrypt.org\/directory","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:21 GMT\r\ncontent-type: application\/json\r\ncontent-length: 830\r\ncache-control: public, max-age=0, no-cache\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"UWn9SQYlIgg":"https:\/\/community.letsencrypt.org\/t\/adding-random-entries-to-the-directory\/33417","keyChange":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/key-change","meta":{"caaIdentities":["letsencrypt.org"],"termsOfService":"https:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf","website":"https:\/\/letsencrypt.org\/docs\/staging-environment\/"},"newAccount":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-acct","newNonce":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-nonce","newOrder":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-order","renewalInfo":"https:\/\/acme-staging-v02.api.letsencrypt.org\/get\/draft-ietf-acme-ari-00\/renewalInfo\/","revokeCert":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/revoke-cert"}}

[31-03-2023 16:41:22] :
{"request":"HEAD https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-nonce","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:22 GMT\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 8F05T42MYgWpLqoj01RBqx21PuCSh8IvA527HzyGOy9x-to\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":""}

[31-03-2023 16:41:22] :
No account found, attempting to create account.

[31-03-2023 16:41:23] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-acct","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:23 GMT\r\ncontent-type: application\/json\r\ncontent-length: 560\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"terms-of-service\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/acct\/96078104\r\nreplay-nonce: 8F05BB6mspOs14nrqES-te7Bw_tujQ5tl3t4yLkiJ4BALUU\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"key":{"kty":"RSA","n":"mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-31T16:41:23.015186786Z","status":"valid"}}

[31-03-2023 16:41:23] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/acct\/96078104","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:23 GMT\r\ncontent-type: application\/json\r\ncontent-length: 550\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"terms-of-service\"\r\nreplay-nonce: B37CiFuSTJU4PWXx5ASvcZKfDz2O1MIYTJ7dDUQcDjroJeY\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"key":{"kty":"RSA","n":"mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-31T16:41:23Z","status":"valid"}}

[31-03-2023 16:41:23] :
LEClient finished constructing

[31-03-2023 16:41:23] :
No order found for 'beok.world'. Creating new order.

[31-03-2023 16:41:23] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-order","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:23 GMT\r\ncontent-type: application\/json\r\ncontent-length: 346\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/order\/96078104\/8042297524\r\nreplay-nonce: 8F05x8Ow4_b7VY1k92L6xwUq-_JHHKsY4GOB9SB87n4MUcs\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"status":"pending","expires":"2023-04-07T16:41:23Z","identifiers":[{"type":"dns","value":"beok.world"}],"authorizations":["https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950233404"],"finalize":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/finalize\/96078104\/8042297524"}}

[31-03-2023 16:41:24] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950233404","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:24 GMT\r\ncontent-type: application\/json\r\ncontent-length: 812\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A272FMiuB8dCuxBnMw_eW7IwZGcjiKkRGsXcO_U2o-ZxXYg\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-07T16:41:23Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/Wt8Frg","token":"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/K_8-4A","token":"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/TT_bzg","token":"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM"}]}}

[31-03-2023 16:41:24] :
Created order for 'beok.world'.

Creating HTTP challenge file http://beok.world/.well-known/acme-challenge/K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM
[31-03-2023 16:41:34] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/Wt8Frg","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:34 GMT\r\ncontent-type: application\/json\r\ncontent-length: 193\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"up\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/Wt8Frg\r\nreplay-nonce: B37CN9GfBLsmVfz9gruaCpg6o42GS8imMI5Q0RXox3cOC_g\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/Wt8Frg","token":"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM"}}

[31-03-2023 16:41:34] :
HTTP challenge for 'beok.world' valid.

[31-03-2023 16:41:36] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950233404","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:41:36 GMT\r\ncontent-type: application\/json\r\ncontent-length: 1183\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A2721bnt4ETCPOwMOq62Ykp1IS_emr58l0bn9EJLyOXSCFc\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-07T16:41:23Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw\" != \"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950233404\/Wt8Frg","token":"K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/K8j9HH46slDz-0pwYSMUFrt1l9OtzNbYdpZyj9qk_QM","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-31T16:41:34Z"}]}}

The request for the www domain is provided below:

Domain covered:
["www.beok.world"]

[31-03-2023 16:46:05] :
{"request":"GET https:\/\/acme-staging-v02.api.letsencrypt.org\/directory","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:05 GMT\r\ncontent-type: application\/json\r\ncontent-length: 830\r\ncache-control: public, max-age=0, no-cache\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"SSUimtzPujM":"https:\/\/community.letsencrypt.org\/t\/adding-random-entries-to-the-directory\/33417","keyChange":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/key-change","meta":{"caaIdentities":["letsencrypt.org"],"termsOfService":"https:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf","website":"https:\/\/letsencrypt.org\/docs\/staging-environment\/"},"newAccount":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-acct","newNonce":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-nonce","newOrder":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-order","renewalInfo":"https:\/\/acme-staging-v02.api.letsencrypt.org\/get\/draft-ietf-acme-ari-00\/renewalInfo\/","revokeCert":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/revoke-cert"}}

[31-03-2023 16:46:06] :
{"request":"HEAD https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-nonce","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:06 GMT\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: A272l9WNHHnEYixsPlcRHmjvEhzSvlk7iWci9UCmNI54h2s\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":""}

[31-03-2023 16:46:06] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-acct","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:06 GMT\r\ncontent-type: application\/json\r\ncontent-length: 550\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/acct\/96078104\r\nreplay-nonce: A2722iOGiw3zM4EDjWbU0DZLUjF4bYEZvk0NiEy6fyzCJa8\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"key":{"kty":"RSA","n":"mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-31T16:41:23Z","status":"valid"}}

[31-03-2023 16:46:06] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/acct\/96078104","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:06 GMT\r\ncontent-type: application\/json\r\ncontent-length: 550\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"terms-of-service\"\r\nreplay-nonce: A2726iwCxKJhj7vcqR-yVfFWxZTeJG96Q046_Z-TO00_KIk\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"key":{"kty":"RSA","n":"mxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0BltMXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH--4gUtnaB9SN8GhNSPBpFfSa2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3tredTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL7RK8t8JpZAb7VR-dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJGWxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6w","e":"AQAB"},"contact":["mailto:alisa@beok.world"],"initialIp":"51.178.146.199","createdAt":"2023-03-31T16:41:23Z","status":"valid"}}

[31-03-2023 16:46:06] :
LEClient finished constructing

[31-03-2023 16:46:07] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/order\/96078104\/8042338164","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:07 GMT\r\ncontent-type: application\/json\r\ncontent-length: 349\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 4994_aQoo_Ak2d1SZYmHgGePASJmJW99CrZfxubZ2og9k6o\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"status":"pending","expires":"2023-04-07T16:44:59Z","identifiers":[{"type":"dns","value":"wwwbeok.world"}],"authorizations":["https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950264764"],"finalize":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/finalize\/96078104\/8042338164"}}

[31-03-2023 16:46:07] :
Order object is {"status":"pending","expires":"2023-04-07T16:44:59Z","identifiers":[{"type":"dns","value":"wwwbeok.world"}],"authorizations":["https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950264764"],"finalize":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/finalize\/96078104\/8042338164"}

[31-03-2023 16:46:07] :
Domains do not match order data. Renaming current files and creating new order.

[31-03-2023 16:46:07] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-order","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:07 GMT\r\ncontent-type: application\/json\r\ncontent-length: 350\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/order\/96078104\/8042349194\r\nreplay-nonce: 8F05qlmV1vvpnaFPgdlyNKtADQCF2k4AUX9J9Ed5-rrejqU\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"status":"pending","expires":"2023-04-07T16:46:07Z","identifiers":[{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950272624"],"finalize":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/finalize\/96078104\/8042349194"}}

[31-03-2023 16:46:08] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950272624","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:08 GMT\r\ncontent-type: application\/json\r\ncontent-length: 816\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 4994Gn6B9KsWYhOTamPo4bLV81YuEQYemEbBnIC2gbR2y2k\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-07T16:46:07Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/2oyw4g","token":"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/Mh7GQQ","token":"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/dsMglg","token":"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE"}]}}

[31-03-2023 16:46:08] :
Created order for 'beok.world'.

Creating HTTP challenge file http://www.beok.world/.well-known/acme-challenge/gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE
[31-03-2023 16:46:19] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/2oyw4g","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:19 GMT\r\ncontent-type: application\/json\r\ncontent-length: 193\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlink: ;rel=\"up\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/2oyw4g\r\nreplay-nonce: 8F05RJQjgq4civRvNR2vY6peVwcDXVSPQ9yqn96227OOFxc\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/2oyw4g","token":"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE"}}[31-03-2023 16:46:19] :
HTTP challenge for 'www.beok.world' valid.

[31-03-2023 16:46:20] :
{"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5950272624","header":"HTTP\/2 200 \r\nserver: nginx\r\ndate: Fri, 31 Mar 2023 16:46:20 GMT\r\ncontent-type: application\/json\r\ncontent-length: 1195\r\nboulder-requester: 96078104\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nreplay-nonce: 4994LMnPzcTPDFTaIrNdsOz5psuvHUNzUjxil0bchjIx2gw\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":200,"body":{"identifier":{"type":"dns","value":"www.beok.world"},"status":"invalid","expires":"2023-04-07T16:46:07Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw\" != \"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5950272624\/2oyw4g","token":"gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE","validationRecord":[{"url":"http:\/\/www.beok.world\/.well-known\/acme-challenge\/gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE","hostname":"www.beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-31T16:46:19Z"}]}}
1 Like

@rg305 @orangepizza @Osiris Any thoughts on above ACME executions?

This is definitely OVH's ACME account key. I think there is some weird proxying/load balancing/caching shenanigans going on.

It would also help if your ACME client logs logged the contents of the challenge file they were writing. It should be evident at that point that your web server is returning a different answer than the file you wrote.

5 Likes

@_az Thanks for your reply. That makes much more sense now! Looks like the OVH host is proxying and overriding the request, and thus a different thumbprint (second part of the challenge) is expected.

The contents of the challenge file written are in the above request itself, i.e., gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw, whereas the expected content is gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8

Is there any possible way to determine the 4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8 part prior to authorization validation, so that we could update the contents of the challenge file accordingly before validating?

Also, I have another side question: is it possible to run certbot via the shell_exec() PHP function?

1 Like

I think this is the wrong way around. 99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw is your ACME account thumbprint, right? So that is the expected content.

OVH's ACME account thumbprint shouldn't be there, since you don't have OVH's ACME account.

Sure, but I don't think it would solve your problem here.

4 Likes

What if the content of my challenge file was as above (with the OVH account thumbprint)? Would that complete the validation successfully, or still fail with an account mismatch?

Let's Encrypt wants the response to be your ACME account thumbprint:

gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE.99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw

However, when Let's Encrypt makes the request, it sees OVH's account thumbprint:

gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8

Your problem is that you need to make your website respond with the top response, not the bottom response.

4 Likes
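The two checks the replies above call for, logging what the client actually wrote and comparing it with what the CA fetched, as an added Python example (not the thread's PHP client): it computes the RFC 8555 key authorization from an account JWK via the RFC 7638 thumbprint and classifies why a served challenge body fails. The JWK values are constructed; the two key authorizations are the ones quoted in the authz response above.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with members sorted lexicographically and no whitespace.
    Extra members (kid, alg, ...) and input ordering must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: http-01 body is token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def diagnose(expected: str, served: str) -> str:
    """Explain why the body fetched from /.well-known/acme-challenge/<token>
    would fail validation; mirrors the CA's 'did not match' error."""
    body = served.strip()  # RFC 8555: validators SHOULD ignore trailing whitespace
    if body == expected:
        return "match"
    exp_token, _, exp_thumb = expected.partition(".")
    got_token, _, got_thumb = body.partition(".")
    if got_token != exp_token:
        return "token mismatch"  # wrong file, or the wrong path is being served
    # Same token, different account key: something in front of the origin
    # (proxy, CDN, hosting-provider ACME) is answering with its own key.
    return "thumbprint mismatch"

# Constructed sample account key in JWK form (not a real modulus).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-base64url", "kid": "acct-1"}
# Values from the authz response quoted in the thread: the CA expected the first
# body (the poster's own account thumbprint) but fetched the second one.
TOKEN = "gcLVYnJMVjG9LEI9IvQFcxhWEL5eVri46TnTE7NG1GE"
EXPECTED = TOKEN + ".99Car8XBoAssNNq10FIj1HecN532gCsVA3hxrbUd6Jw"
SERVED = TOKEN + ".4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"

if __name__ == "__main__":
    print(key_authorization(TOKEN, SAMPLE_JWK))  # log this when writing the file
    print(diagnose(EXPECTED, SERVED))            # thumbprint mismatch
```

Before asking the CA to validate, fetch the challenge URL over plain HTTP from outside the host and pass the body to diagnose(); a "thumbprint mismatch" with your own file on disk intact points at whatever sits in front of the origin.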