Let's encrypt renew certificate issue

Hello All,

I’ve been using DirectAdmin with Let’s Encrypt certificates for a few months on several domain names without issue, but since last week one domain name, and just one, fails to renew its certificate. When I try to create a new one manually, I receive the message below:

Getting challenge for renard-asso.org from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: The key authorization file from the server did not match this challenge [n2CMLgpmRpQX6yYHaQuJtXP2MCP2Bg28YEYedj2aGAI.3q_KYmBgmqWVZycm0pBx--qJriX_mZkOrmXRRsiZ2IQ] != [n2CMLgpmRpQX6yYHaQuJtXP2MCP2Bg28YEYedj2aGAI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]. Exiting...

I’m trying to find a solution on Google but without success.

Maybe somebody knows the process to solve that.

Thanks in advance.

Can you place a test.txt file in the acme-challenge folder? Maybe add the domain name in the file.
Let’s see if that is accessible from the outside.

Hi,

:slight_smile: It was already there : http://www.renard-asso.org/.well-known/acme-challenge/test.txt

well that step worked:
wget http://www.renard-asso.org/.well-known/acme-challenge/test.txt
--2017-06-06 03:07:36-- http://www.renard-asso.org/.well-known/acme-challenge/test.txt
Resolving www.renard-asso.org (www.renard-asso.org)... 94.23.221.93, 2001:41d0:1:1b00:213:186:33:19
Connecting to www.renard-asso.org (www.renard-asso.org)|94.23.221.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5 [text/plain]

verify file content “test”

All seems OK from the server; I just created a new certificate for another domain from the same server and the result is OK.

The problem seems to be linked to this domain name.

anything special about the configuration file for that domain?

Hi @julos08,

Your domain has both A and AAAA DNS records, but you have not configured it to answer correctly to IPv6 connections.

IPv4 is OK:

curl -IkL4 http://www.renard-asso.org/.well-known/acme-challenge/test.txt
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2017 07:57:26 GMT
Server: Apache/2
Last-Modified: Wed, 15 Mar 2017 12:50:32 GMT
ETag: "5-54ac463dafbeb"
Accept-Ranges: bytes
Content-Length: 5
Vary: User-Agent
Content-Type: text/plain

IPv6 is NOT OK:

curl -IkL6 http://www.renard-asso.org/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Set-Cookie: 60gpBAK=R1224195776; path=/; expires=Tue, 06-Jun-2017 08:34:02 GMT
Date: Tue, 06 Jun 2017 07:25:28 GMT
Content-Type: text/html
Set-Cookie: 60gp=R4109771239; path=/; expires=Tue, 06-Jun-2017 08:43:42 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Wed, 31 Mar 1979 01:23:45 GMT
X-IPLB-Instance: 183

Let’s Encrypt prefers IPv6, so it will use it to validate your domain. You have 2 options: configure IPv6 correctly or remove the AAAA record for your domain.

Cheers,
sahsanu
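
The per-address-family check from the reply above, as an added example that is not part of the original thread or of any Let's Encrypt or DirectAdmin tooling: it requests the challenge path from every A and AAAA address and reports which ones do not serve the expected file. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import http.client
import socket
from contextlib import closing

# Constructed sample mirroring the thread: IPv4 serves the file, IPv6 does not.
SAMPLE = {("IPv4", "192.0.2.10"): (200, "test"),
          ("IPv6", "2001:db8::10"): (404, "<html>Not Found</html>")}

def addresses(host, port=80):
    """Yield (label, ip) for every A and AAAA address, resolved separately."""
    for family, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for ip in sorted({info[4][0] for info in infos}):
            yield label, ip

def fetch(ip, host, path, port=80, timeout=10):
    """GET path from one address with the real Host header (no redirects)."""
    try:
        with closing(http.client.HTTPConnection(ip, port, timeout=timeout)) as conn:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            return resp.status, resp.read(512).decode("ascii", "replace").strip()
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)

def diagnose(results, expected):
    """Map {(label, ip): (status, body)} to a list of problem strings."""
    token = expected.split(".", 1)[0]  # key authorization is token.thumbprint
    problems = []
    for (label, ip), (status, body) in sorted(results.items()):
        if status is None:
            problems.append(f"{label} {ip}: connection failed ({body})")
        elif status != 200:
            problems.append(f"{label} {ip}: HTTP {status}")
        elif body != expected:
            same = "." in expected and body.split(".", 1)[0] == token
            why = "same token, different key thumbprint" if same else "wrong content"
            problems.append(f"{label} {ip}: {why}")
    return problems

def check(host, path, expected):  # live probe; needs network access
    results = {(lab, ip): fetch(ip, host, path) for lab, ip in addresses(host)}
    return diagnose(results, expected)

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE, "test")) or "every address serves the file")
```

Calling `check(host, "/.well-known/acme-challenge/test.txt", "test")` runs the live probe; given the reply's point that validation prefers IPv6, an IPv6 line in its output is the one to fix first.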


Hi sahsanu,

It’s a really good remark, I completely forgot to check the DNS records and you are right, the IPv6 was not configured correctly.
I removed the AAAA record and now I’m waiting to see in a few hours if it’s OK now.

I’ll let you know.


Many thanks to you, it’s working fine now, it was a stupid issue.

Have a good day.
