Let's encrypt renew certificate issue


#1

Hello All,

I’m using directadmin with a let’s encrypt certificate for a few months and several domain names without issue, but since last week one domain name, and just one, does not succeed to renew the certificate. When I try to create a new one manually, I receive the message below:

Getting challenge for renard-asso.org from acme-server…
Waiting for domain verification…
Challenge is invalid. Details: The key authorization file from the server did not match this challenge [n2CMLgpmRpQX6yYHaQuJtXP2MCP2Bg28YEYedj2aGAI.3q_KYmBgmqWVZycm0pBx--qJriX_mZkOrmXRRsiZ2IQ] != [n2CMLgpmRpQX6yYHaQuJtXP2MCP2Bg28YEYedj2aGAI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]. Exiting…

I’m trying to find a solution on Google but without success.

Maybe somebody knows the process to solve that.

Thanks in advance.


#2

can you place a test.txt file in the acme-challenge folder - maybe add the domain name in the file.
let’s see if that is accessible from the outside.


#3

Hi,

:slight_smile: It was already there : http://www.renard-asso.org/.well-known/acme-challenge/test.txt


#4

well that step worked:
wget http://www.renard-asso.org/.well-known/acme-challenge/test.txt
--2017-06-06 03:07:36-- http://www.renard-asso.org/.well-known/acme-challenge/test.txt
Resolving www.renard-asso.org (www.renard-asso.org)… 94.23.221.93, 2001:41d0:1:1b00:213:186:33:19
Connecting to www.renard-asso.org (www.renard-asso.org)|94.23.221.93|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5 [text/plain]

verify file content “test”


#5

All seems ok from the server, I just created a new certificate for another domain from the same server and the result is OK.

The problem seems to be linked to this domain name.


#6

anything special about the configuration file for that domain?


#7

Hi @julos08,

Your domain has both DNS records, A and AAAA, but you have not configured it to answer correctly to IPv6 connections.

IPv4 is OK:

curl -IkL4 http://www.renard-asso.org/.well-known/acme-challenge/test.txt
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2017 07:57:26 GMT
Server: Apache/2
Last-Modified: Wed, 15 Mar 2017 12:50:32 GMT
ETag: "5-54ac463dafbeb"
Accept-Ranges: bytes
Content-Length: 5
Vary: User-Agent
Content-Type: text/plain

IPv6 is NOT OK:

curl -IkL6 http://www.renard-asso.org/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Set-Cookie: 60gpBAK=R1224195776; path=/; expires=Tue, 06-Jun-2017 08:34:02 GMT
Date: Tue, 06 Jun 2017 07:25:28 GMT
Content-Type: text/html
Set-Cookie: 60gp=R4109771239; path=/; expires=Tue, 06-Jun-2017 08:43:42 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Wed, 31 Mar 1979 01:23:45 GMT
X-IPLB-Instance: 183

Let’s Encrypt prefers IPv6, so it will use it to validate your domain. You have 2 options: configure IPv6 correctly, or remove the AAAA record for your domain.

Cheers,
sahsanu
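A pre-flight check for the failure described above, added as an example (not code from the thread, DirectAdmin or Let’s Encrypt): it resolves every A and AAAA record, fetches the challenge test file through each address with the real Host header, and reports any address that would fail the HTTP-01 check. Function names are my own, and the sample results are constructed from the responses shown in this thread.

```python
import socket
import http.client

CHALLENGE_PATH = "/.well-known/acme-challenge/test.txt"

def resolve_all(host):
    """Map every published A/AAAA address of host to its family name."""
    addrs = {}
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        addrs[sockaddr[0]] = "IPv6" if fam == socket.AF_INET6 else "IPv4"
    return addrs

def fetch_via(ip, host, path=CHALLENGE_PATH, timeout=10):
    """GET path by connecting to one pinned address, like curl -4/-6 but
    per address, with the real Host header so name-based vhosts match."""
    target = f"[{ip}]" if ":" in ip else ip
    conn = http.client.HTTPConnection(target, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()

def dual_stack_problems(results):
    """results: {ip: (family, status, body)} -> one message per address that
    would fail HTTP-01.  The CA may validate over any published address
    (IPv6 first when an AAAA exists), so all must serve the same 200 body."""
    bodies = {body for _, status, body in results.values() if status == 200}
    problems = []
    for ip, (family, status, body) in results.items():
        if status != 200:
            problems.append(f"{family} {ip}: HTTP {status}, challenge file not served")
        elif len(bodies) > 1:
            problems.append(f"{family} {ip}: serves a different body {body!r}")
    return problems

def check_host(host, path=CHALLENGE_PATH):
    results = {}  # live check: resolve, fetch over every address, report
    for ip, family in resolve_all(host).items():
        try:
            status, body = fetch_via(ip, host, path)
        except OSError as exc:  # unreachable address fails the check too
            status, body = 0, str(exc)
        results[ip] = (family, status, body)
    return dual_stack_problems(results)

# Constructed sample mirroring the thread: IPv4 serves the file, IPv6 returns 404.
SAMPLE = {"94.23.221.93": ("IPv4", 200, "test"),
          "2001:41d0:1:1b00:213:186:33:19": ("IPv6", 404, "<html>Not Found</html>")}
```

Run `check_host("www.example.org")` against a live host; an empty list means every published address serves the same challenge file.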


#8

Hi sahsanu,

It’s a really good remark, I completely forgot to check the DNS records and you are right, the IPv6 was not configured correctly.
I removed the AAAA record and now I’m waiting to see in a few hours if it’s ok now.

I’ll let you know.


#9

Many Thanks to you, it’s working fine now, it was a stupid issue.

Have a good day.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.