Key authorization file from the server did not match this challenge (for Apache with WSGI on Ubuntu VPS running Webmin/Virtualmin)

Web server: Apache/2.4.29 (Ubuntu)
O/S: Ubuntu 18.04.6 LTS
Control panel: Webmin / Virtualmin + root access
Certbot version: certbot 0.27.0

Greetings:

I am having trouble renewing my Let's Encrypt certificate on an Ubuntu server running apache2.

The certificate was first installed three months ago and the website has been running fine. But autorenew today failed. I read somewhere that WSGI, which the website uses, does not work well with Let's Encrypt. So I disabled WSGI and restarted apache2 with a very simple config:

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

and a barebone index.html:

    <html><head></head><body></body></html>

and ran

    % letsencrypt renew --test-cert --break-my-certs --agree-tos --email EMAIL@ADDRESS

The response was:

    Invalid response from http://DOMAIN.com/.well-known/acme-challenge/PU15Fx507NTOwypCCEz6t5ISkUwq4nrVzEGVNgfLiZg: 404

I then tried the following experiment by redirecting all URLs to the homepage (such that all URLs can be found):

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/index.html$
    RewriteRule . /index.html [R=302,L]

Let's Encrypt then gave the following response:

    The key authorization file from the server did not match this challenge "FrQHNG5lZQSdsYYJi0siJIy9Acfz5V7gE23xwu2TxeQ.dR2g1kFtm2-3gDYi3sRFEFtf3Nhi2GpS62UpayyLBp0" != "<html>\n\t<head>\n\t</head>\n\t<body>\n\t</body>\n</html>"

I am guessing there must be something straightforward that a beginner such as I have overlooked. Please help.

Thanks.

[This issue has been resolved with help from @MikeMcQ. Please see reply below for the steps.]

1 Like

Welcome to the community @newtoletsencrypt

Yes, I think so :slight_smile:

Can you show us the contents of the renewal conf file for this cert in this folder

/etc/letsencrypt/renewal

It looks like there was a config change to your server since you last renewed your cert. Your server is responding to the acme challenge URL with a "200 OK" response and just a few html tags. I can reproduce that but now we need to see why that is.

3 Likes

Nice to meet you @MikeMcQ.

Content of the /etc/letsencrypt/renewal/DOMAIN.com.conf file is as follows:

    # renew_before_expiry = 30 days
    version = 0.27.0
    archive_dir = /etc/letsencrypt/archive/DOMAIN.com
    cert = /etc/letsencrypt/live/DOMAIN.com/cert.pem
    privkey = /etc/letsencrypt/live/DOMAIN.com/privkey.pem
    chain = /etc/letsencrypt/live/DOMAIN.com/chain.pem
    fullchain = /etc/letsencrypt/live/DOMAIN.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = dd0878faedc98c103e9e195a7ea39189
    rsa_key_size = 2048
    authenticator = webroot
    manual_public_ip_logging_ok = True
    webroot_path = /home/DOMAIN/public_html,
    server = https://acme-v02.api.letsencrypt.org/directory
    [[webroot_map]]
    DOMAIN.com = /home/DOMAIN/public_html
    www.DOMAIN.com = /home/DOMAIN/public_html
1 Like

Is this still the DocumentRoot folder in Apache for this domain?

webroot_path = /home/babblingbabel/public_html
3 Likes

The DocumentRoot folder in Apache is now

/var/www/html

To experiment, I replaced all instances of /home/DOMAIN/public_html by /var/www/html in the renewal conf file, restarted Apache, and reran letsencrypt, but to no avail:

    The key authorization file from the server did not match this challenge "4v0HxkKCosEhJKltM6y6Wid7CXJlWwho6EDobm0ADbw.dR2g1kFtm2-3gDYi3sRFEFtf3Nhi2GpS62UpayyLBp0" != "<html>\n\t<head>\n\t</head>\n\t<body>\n\t</body>\n</html>"

Oh, sorry, I see the likely problem now.

My test HTTP Challenge URL gets redirected to your index.html file which is just an empty stub page. I'm not sure why that is but check redirects in your VirtualHost and maybe even .htaccess file.

The only thing I'm not sure of is whether you redirect every page request or are just using a 302 redirect instead of a 404 Not Found. You shouldn't do a 302 for 404 but sometimes people do. In any case, you should really fix this faulty redirect first.

    curl -i babblingbabel.com/.well-known/acme-challenge/Test123

    HTTP/1.1 302 Found
    Server: Apache
    Location: http://babblingbabel.com/index.html

Here's another example unrelated to the HTTP Challenge that should get 404

    curl -i babblingbabel.com/RandomFile
    HTTP/1.1 302 Found
    Server: Apache
    Location: http://babblingbabel.com/index.html
3 Likes
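The two `curl` probes above can be automated so the webroot setup is checked the way the ACME validator will see it before `certbot renew` is run. The script below is an added example (not code from the thread or from Certbot): it drops a random probe token under `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP without following redirects, and classifies the answer into the three failure modes seen in this thread (404 from a wrong webroot, 302 from a catch-all rewrite, 200 with an index page instead of the token). The host name, webroot path, placeholder thumbprint and the `RewriteCond` exemption it suggests are assumptions for illustration.

```python
"""Probe a webroot HTTP-01 setup as the ACME validator would (added example)."""
import os
import secrets
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

CHALLENGE_DIR = ".well-known/acme-challenge"

# Assumed fix for a catch-all rewrite: exempt the challenge path before the
# RewriteRule that sends everything else to /index.html.
APACHE_EXEMPTION = (
    "RewriteEngine on\n"
    "RewriteCond %{REQUEST_URI} !^/\\.well-known/acme-challenge/\n"
    "RewriteCond %{REQUEST_URI} !^/index\\.html$\n"
    "RewriteRule . /index.html [R=302,L]\n"
)


@dataclass
class Verdict:
    ok: bool
    reason: str


def classify(status: int, headers: dict, body: str, expected: str) -> Verdict:
    """Map one HTTP response for a challenge URL to a diagnosis.

    headers must use lower-case keys; expected is the key authorization
    (token.thumbprint) that the validator would compare the body against.
    """
    if 300 <= status < 400:
        loc = headers.get("location", "?")
        return Verdict(False, f"{status} redirect to {loc}: a catch-all rewrite is "
                       f"swallowing /{CHALLENGE_DIR}; exempt it, e.g.\n{APACHE_EXEMPTION}")
    if status == 404:
        return Verdict(False, "404: token not served; webroot_path/webroot_map in the "
                       "renewal conf does not match the DocumentRoot answering this host")
    if status != 200:
        return Verdict(False, f"unexpected status {status}")
    # Validators compare the body to the key authorization; at most trailing
    # whitespace is tolerated, so anything else (an index page) fails.
    if body.rstrip() != expected:
        return Verdict(False, "200 but body is not the key authorization (an index or "
                       "error page is being served instead of the token file)")
    return Verdict(True, "200 with matching body: HTTP-01 should validate")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, webroot: str) -> Verdict:
    """Write a probe token into the webroot, fetch it over HTTP, classify."""
    token = secrets.token_urlsafe(32)
    # Real key authorizations end in the account key thumbprint; a placeholder
    # suffices here because only our own probe reads the file.
    expected = f"{token}.PROBE-THUMBPRINT-PLACEHOLDER"
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(expected)
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"http://{host}/{CHALLENGE_DIR}/{token}"
    try:
        try:
            with opener.open(url, timeout=10) as resp:
                status = resp.status
                headers = {k.lower(): v for k, v in resp.headers.items()}
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            status = err.code
            headers = {k.lower(): v for k, v in err.headers.items()}
            body = err.read().decode(errors="replace")
        return classify(status, headers, body, expected)
    finally:
        os.remove(path)  # never leave probe files behind in the webroot


if __name__ == "__main__":
    # Usage: python3 probe_http01.py DOMAIN.com /var/www/html  (run on the server)
    verdict = probe(sys.argv[1], sys.argv[2])
    print(("OK: " if verdict.ok else "PROBLEM: ") + verdict.reason)
    sys.exit(0 if verdict.ok else 1)
```

Run it on the server as a user that can write to the webroot; a non-zero exit with the printed reason tells you which of the three misconfigurations to fix before retrying the renewal.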

Thanks very much for your help, @MikeMcQ. The steps I have taken are outlined as follows (some may be superfluous):

Let's Encrypt renewal for Apache with WSGI on Ubuntu VPS
running Webmin/Virtualmin: [this statement is incorrect, please see @MikeMcQ's reply below]

The key ideas are (A) disable WSGI and (B) ensure that the
Apache DocumentRoot is consistent with Let's Encrypt's renewal
webroot_path configuration.

(1) WSGI is incompatible with Let's Encrypt: disable WSGI
    and restart Apache with some simple site:

        % sudo a2disconf wsgi
        % sudo a2dissite website-ssl
        % sudo a2ensite 000-default
        % sudo systemctl restart apache2

    where 000-default.conf has the following setting

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

    Note: some internet support groups suggest commenting
    out WSGIScriptAlias, WSGIDaemonProcess, and
    WSGIProcessGroup in wsgi.conf will do without having to
    enable another site.  I have not tried it.

(2) Edit /etc/letsencrypt/renewal/DOMAIN.conf, replacing the
    value of webroot_path with the value of DocumentRoot
    above.  There may be multiple places in the file that
    need replacement.

    Note: the DOMAIN.conf file changes after certificate
    renewal, which means the file needs to be edited again
    before the next renewal.

    It may be possible to set DocumentRoot in step (1) to
    the value of webroot_path in DOMAIN.conf to obviate this
    current step.  I have tried cursorily to no avail.

(3) Make a backup of the /etc/letsencrypt directory in case
    something goes wrong during the renewal process.

(4) Renew

        % sudo letsencrypt renew

(5) Request Let's Encrypt renewal certificate in
    Webmin/Virtualmin's server configuration web interface.

    Note: This may be superfluous.
3 Likes
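Step (2) above is a consistency check that can be scripted instead of done by hand each renewal. The following added example (not from the thread, Certbot or Virtualmin) parses the `[[webroot_map]]` section of a Certbot renewal conf and the `DocumentRoot` of every `<VirtualHost>` in an Apache config, then lists hosts whose two paths differ; it catches both the fix in step (2) and the reverse fix of pointing `DocumentRoot` at `webroot_path`. The two configuration texts embedded below are constructed samples modelled on the ones posted in this thread.

```python
"""Cross-check certbot's renewal conf against Apache DocumentRoot (added example)."""
import re

# Constructed sample of a renewal conf, modelled on the one in the thread.
RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.27.0
cert = /etc/letsencrypt/live/DOMAIN.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /home/DOMAIN/public_html,
[[webroot_map]]
DOMAIN.com = /home/DOMAIN/public_html
www.DOMAIN.com = /home/DOMAIN/public_html
"""

# Constructed sample vhost: DocumentRoot was moved to /var/www/html.
APACHE_CONF = """\
<VirtualHost *:80>
    ServerName DOMAIN.com
    ServerAlias www.DOMAIN.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
"""


def parse_renewal_conf(text: str) -> dict:
    """Minimal parser for certbot's configobj-style renewal file.

    Returns {"renewalparams": {...}, "webroot_map": {...}}; keys outside
    those two sections are ignored, trailing list commas are stripped.
    """
    section = None
    out = {"renewalparams": {}, "webroot_map": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[+(\w+)\]+", line)  # [section] or [[subsection]]
        if m:
            section = m.group(1)
            continue
        if "=" in line and section in out:
            key, value = (s.strip() for s in line.split("=", 1))
            out[section][key] = value.rstrip(",")
    return out


def parse_document_roots(apache_conf: str) -> dict:
    """Map every ServerName/ServerAlias of each <VirtualHost> to its DocumentRoot."""
    roots = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", apache_conf, re.S):
        doc = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', block, re.M)
        name_lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M)
        for line in name_lines:
            for host in line.split():
                roots[host] = doc.group(1) if doc else None
    return roots


def find_mismatches(renewal_text: str, apache_conf: str) -> list:
    """Return (host, webroot_in_renewal_conf, apache_docroot) for each disagreement.

    apache_docroot is None when no <VirtualHost> names the host at all.
    """
    conf = parse_renewal_conf(renewal_text)
    roots = parse_document_roots(apache_conf)
    problems = []
    for host, webroot in conf["webroot_map"].items():
        docroot = roots.get(host)
        if docroot is None or docroot.rstrip("/") != webroot.rstrip("/"):
            problems.append((host, webroot, docroot))
    return problems


if __name__ == "__main__":
    for host, webroot, docroot in find_mismatches(RENEWAL_CONF, APACHE_CONF):
        print(f"{host}: renewal conf serves from {webroot}, Apache serves {docroot}")
```

On a live system, read `/etc/letsencrypt/renewal/DOMAIN.com.conf` and the enabled vhost files in place of the two sample strings; an empty result means `certbot renew` will write its token where Apache actually serves the host.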

I knew WSGI was not compatible with the --apache plug-in of Certbot.

But, I thought webroot should work OK with it involved. At worst you would need a location for /.well-known/acme-challenge maybe but I don't have a WSGI setup to test if you even need that.

And, I don't have a VirtualMin setup either so your settings may be specific to your particular hosting config.

Just for clarity, it is one Certbot option, not Let's Encrypt, that is incompatible with WSGI. And, that is because it doesn't parse the Apache config with non-standard Apache settings. Let's Encrypt is the ACME Server and issues the certs. It may not be clear about this in the VirtualMin panels but this is what is actually happening.

3 Likes
