Letsencrypt-vesta Client Error - The key authorization file from the server did not match


#1

My domain is: vpscloud.biz

I ran this command: generate_ssl admin vpscloud.biz

It produced this output:

Failed authorization procedure. vpscloud.biz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [snH8Pb-9EnsXMM4N2fmaG-k_UXKSe_K59cKFlnU5T-Q.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [snH8Pb-9EnsXMM4N2fmaG-k_UXKSe_K59cKFlnU5T-Q.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: vpscloud.biz
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    [snH8Pb-9EnsXMM4N2fmaG-k_UXKSe_K59cKFlnU5T-Q.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ]
    !=
    [snH8Pb-9EnsXMM4N2fmaG-k_UXKSe_K59cKFlnU5T-Q.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My operating system is (include version): ubuntu 14.04.5

My web server is (include version): Apache / nginx

My hosting provider, if applicable, is: Running a vesta server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Vesta

Hello, I have several sites running off a vesta configuration some using the built in vesta support for letsencrypt and they are running fine.
I have not attempted to use letsencrypt for my base domain and it is failing as described above. I first tried using the inbuilt vesta support and then have moved to the command line as it was failing too (only for this site).
I have added an ‘A’ record for www.vpscloud.biz just in case with no luck.

Any guidance would be appreciated.

Thank you,

Mark.


#2

I am struggling with the exact same problem for 3 days. I have asked my Server Provider (OVH) if they know something about it, and I am waiting for an answer.


My domain is: lacafetiere66.com

I ran this command: letsencrypt-vesta -a 60 admin lacafetiere66.com

It produced this output: Same kind of error (semi match on the auth key)

	Type:   unauthorized
	   Detail: The key authorization file from the server did not match
	   this challenge
	   [992UDDDFH6T-1ssXjyYdsiVw831nZCyRQPmswPJBCrY.pEnmRaKUfocNAyWXCeqxF1n9MbTGUoEuZ31wE515Dpk]
	   !=
	   [992UDDDFH6T-1ssXjyYdsiVw831nZCyRQPmswPJBCrY.xuC9pMtJCwhW2xKWfBFtfpwbfp-bgUfAhG2aCCHvHAY]

My operating system is (include version): Debian 7
My web server is (include version): Apache / nginx
My hosting provider, if applicable, is: Vesta CP server
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Vesta


#3

Hi @StephDotNet

Have a look on this forum and there are suggestions: The key authorization file from the server did not match this challenge

letsencrypt-vesta is developed by a third party and you should be able to review issues or log a new one with them https://github.com/interbrite/letsencrypt-vesta (this is probably the best way forward as it is most likely a client related error)

Andrei


#4

Yes, I have already posted my error to GitHub, but the problem doesn’t come from the plugin.

The error is returned by Let’s Encrypt, since I also have this error when I do this:

certbot-auto certonly -a webroot --webroot-path=/home/admin/web/lacafetiere66.com/public_html -d www.lacafetiere66.com

Besides, my curl request to “curl -i http://lacafetiere66.com/.well-known/acme-challenge/testfile” returns a text/plain response.

Thanks for your help anyway :confused:


#5

yeah there are a couple of other people posting similar issues

I am running some tests tonight with a different client so will let you know how I go

Andrei


#6

Hi @StephDotNet it has been the same for me, as I said, I first came across the error in vesta so I moved to a manual command line - free from vesta - and I still get the same error.
It’s the letsencrypt command that is returning the error but only for the one domain so far on my server.


#7

Hi @ontheslab @StephDotNet

Unfortunately I am not able to replicate your error :frowning:

Below are screenshots of challenges passed with ZeroSSL (online client) and Certbot (0.13.0) on Windows

I use 4096 bit RSA keys for my accounts. I have also left the challenge files so you can verify with the domains etc.

This narrows it down to one of 3 possible scenarios

  • Key issues (account key)
  • Client Implementation Issues
  • Incorrect Challenges Being Issued by LetsEncrypt

Not sure where the next steps are @jsha @schoen @bmw any major changes with boulder recently that would cause account keys not to work as expected?

For some reason the challenge files are not lining up with the keys (i.e. one challenge is being provisioned but not in line with what should be done cryptographically)

ZeroSSL:

Certbot on Windows:

Andrei


#8

@cpu also looping you in

Could this be something to do with encoding, and the client not following the Base64 guidelines as strictly as they should?

Andrei


#9

Ok, tell me if I can run some tests or do something to help you guys :\


#10

Having the exact same problem Steph. Very frustrating (especially seeing as a few domains have worked fine on the same server, and it just seems to be this one having issues)

Cheers

Andy


#11

Hello again, @ahaw021 @StephDotNet @steampunkjnkies

I hope this may help someone that knows what they are looking at? I have the full debug log from the domain that fails and an example domain that works on the same server.

Failed domain (complete log):

2017-04-26 20:40:05,429:DEBUG:certbot.log:Root logging level set at 20
2017-04-26 20:40:05,429:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-04-26 20:40:05,429:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-26 20:40:05,429:DEBUG:certbot.main:Arguments: ['--renew-by-default', '--webroot', '-w', '/home/admin/web/vpscloud.biz/public_html', '-d', 'vpscloud.biz']
2017-04-26 20:40:05,429:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-04-26 20:40:05,430:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-04-26 20:40:05,433:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f180f8bed50>
Prep: True
2017-04-26 20:40:05,434:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f180f8bed50> and installer None
2017-04-26 20:40:05,440:DEBUG:certbot.main:Picked account: <Account(8c77d1253cbbe0078a6519d5b2357df7)>
2017-04-26 20:40:05,441:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-04-26 20:40:05,447:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-04-26 20:40:05,621:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-04-26 20:40:05,622:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: ctYHqP1-7XOF5-AsGmcbTnm9_4H_COi9BghnVzSilNc
Replay-Nonce: 8Jfqe9bGxp6xApPxH1kaEUHlisdQ4FGzva5bAcBDugM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:40:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:05 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-04-26 20:40:05,626:INFO:certbot.main:Obtaining a new certificate
2017-04-26 20:40:05,626:DEBUG:acme.client:Requesting fresh nonce
2017-04-26 20:40:05,626:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-04-26 20:40:05,751:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-04-26 20:40:05,751:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: 4APE95BWE0q_Df9ntgJpvPoVcDdUIxs00D52wHAr1KQ
Replay-Nonce: 6egnKKXtOtOGQ37fNaUQYQVT8sspP-nzspxDH8mYyrA
Expires: Wed, 26 Apr 2017 20:40:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:05 GMT
Connection: keep-alive


2017-04-26 20:40:05,752:DEBUG:acme.client:Storing nonce: 6egnKKXtOtOGQ37fNaUQYQVT8sspP-nzspxDH8mYyrA
2017-04-26 20:40:05,752:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "vpscloud.biz"
  }, 
  "resource": "new-authz"
}
2017-04-26 20:40:05,756:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICI2ZWduS0tYdE90T0dRMzdmTmFVUVlRVlQ4c3NwUC1uenNweERIOG1ZeXJBIn0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAidnBzY2xvdWQuYml6IgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "pm-mAe8bVnLInot9f9HauqCiET8TXAdmuLYKD1IuJ05o7vuuGYv77d4bcJxFRfcM-ygscIg2PaCYbGJ3Cugm01y4E8wfSc98nr_Iqu8R-2_hXxtdb1Ea2zjp5a3TiHjYop7-bgKgGB9GEpbMDHE8t99Gh3aRjAjfcmtPfcLbo_0RbOwsbqplFbS4plEi79bogl0kGRNZ70vIttMhyQ9DrMn7hBtDotHulg0DvbiTaDxanyrpf-BiWCxfPGw-f8fQRQtQH1oix4devxGxWTH8cJ5Eg7ZJ8ouHWeA10h-EWTQE9VoAbxtryZDPL8anfwu7kO-ReOQ79w8UN7C7JQXT_g"
}
2017-04-26 20:40:05,930:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1000
2017-04-26 20:40:05,932:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1000
Boulder-Request-Id: -pxVjHZoJRMAgKnw8xZkVgESUTiR7Vys9DR5tWolXsM
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc
Replay-Nonce: 0cyXDgJiBRoZjhz0RInuZF6yvjm5aAeqhA-sF0a_3Ac
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:40:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:05 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "vpscloud.biz"
  },
  "status": "pending",
  "expires": "2017-05-03T20:40:05.921731186Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826855",
      "token": "FFZ1bxQmnYGd_GVsrUsBvfaBC6L0ssgBNRoG5-iDVgs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826856",
      "token": "xWm3rnl1K0Rx_J55n3WaSVyq4U7vHJGifbeUwbCB1tY"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857",
      "token": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-04-26 20:40:05,932:DEBUG:acme.client:Storing nonce: 0cyXDgJiBRoZjhz0RInuZF6yvjm5aAeqhA-sF0a_3Ac
2017-04-26 20:40:05,933:INFO:certbot.auth_handler:Performing the following challenges:
2017-04-26 20:40:05,934:INFO:certbot.auth_handler:http-01 challenge for vpscloud.biz
2017-04-26 20:40:05,934:INFO:certbot.plugins.webroot:Using the webroot path /home/admin/web/vpscloud.biz/public_html for all unmatched domains.
2017-04-26 20:40:05,935:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge
2017-04-26 20:40:05,943:DEBUG:certbot.plugins.webroot:Attempting to save validation to /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge/x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M
2017-04-26 20:40:05,944:INFO:certbot.auth_handler:Waiting for verification...
2017-04-26 20:40:05,944:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-04-26 20:40:05,951:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICIwY3lYRGdKaUJSb1pqaHowUkludVpGNnl2am01YUFlcWhBLXNGMGFfM0FjIn0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIng2Q2VaUkVWSFB1X1FycmxNalpBS1dYVWwtM1luaWcwckxYbE1tZFBUOE0uaG9hRU9ZZmdZVnNYOGozSXRTRDdwanFQZGdNMVpfSDdyaHNlYk12N3pMUSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "u1j7JP5w-qDXgRcoaCaQ53rUFALSIr6kRBoF32Gnop6-4i2DuvlmEpvk9vLdcVzlJxnDEYNzcdkhW8bx4HXb7XUuCvxVjgdcWEskDEMSAHurOcOnh4FP4Va_te60ipYXIhWJsRGGELTJZQOGIHttDVwnDvnDpRtg7TzyjltNUeXhKEEuxsM_9fo4two-9_jAVxgACW0XGYM7dJSBgmE2HWYLI0mPO9IYrKJH2dXF8ocmOp_fJMSLWhbFuYjTVKZf9HpXlCZHeLj3SOvkjdSDR4IGuNgU738H5ffPJKKR7AEUfJCyfBq4m__KAhDeZxBVh0Iyf1H5enaapQ5HmyZGhQ"
}
2017-04-26 20:40:06,143:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857 HTTP/1.1" 202 336
2017-04-26 20:40:06,144:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Request-Id: nDdfJ7IpIw-TAuMrrkgHXe3GyTOa8czUYOPhMhDBHns
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857
Replay-Nonce: sY_HcgmImrl1QOM6GzhCZsBiKaynrbpHpTl5CqaHtVA
Expires: Wed, 26 Apr 2017 20:40:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:06 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857",
  "token": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M",
  "keyAuthorization": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ"
}
2017-04-26 20:40:06,144:DEBUG:acme.client:Storing nonce: sY_HcgmImrl1QOM6GzhCZsBiKaynrbpHpTl5CqaHtVA
2017-04-26 20:40:09,148:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc.
2017-04-26 20:40:09,266:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc HTTP/1.1" 200 1825
2017-04-26 20:40:09,267:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1825
Boulder-Request-Id: iRtP9JPOQqK2E21P7r1t87KrieO0XlaDlerY4-pDeO0
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: gBm4MyPGt1qO_7IgqoRhuOcfMG-0t48yKE09bMZct54
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:40:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:09 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "vpscloud.biz"
  },
  "status": "invalid",
  "expires": "2017-05-03T20:40:05Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826855",
      "token": "FFZ1bxQmnYGd_GVsrUsBvfaBC6L0ssgBNRoG5-iDVgs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826856",
      "token": "xWm3rnl1K0Rx_J55n3WaSVyq4U7vHJGifbeUwbCB1tY"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857",
      "token": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M",
      "keyAuthorization": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ",
      "validationRecord": [
        {
          "url": "http://vpscloud.biz/.well-known/acme-challenge/x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M",
          "hostname": "vpscloud.biz",
          "port": "80",
          "addressesResolved": [
            "159.203.76.216"
          ],
          "addressUsed": "159.203.76.216"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-04-26 20:40:09,269:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: vpscloud.biz
Type:   unauthorized
Detail: The key authorization file from the server did not match this challenge [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-04-26 20:40:09,269:INFO:certbot.auth_handler:Cleaning up challenges
2017-04-26 20:40:09,270:DEBUG:certbot.plugins.webroot:Removing /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge/x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M
2017-04-26 20:40:09,270:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge
2017-04-26 20:40:09,273:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 755, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 682, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 316, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 285, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. vpscloud.biz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]

Working domain (trimmed to fit in post - keys removed & cut as much as I had to to fit):

2017-04-26 20:42:47,652:DEBUG:certbot.log:Root logging level set at 20
2017-04-26 20:42:47,652:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-04-26 20:42:47,652:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-26 20:42:47,652:DEBUG:certbot.main:Arguments: ['--renew-by-default', '--webroot', '-w', '/home/marktest/web/goodoils2.dyndns.org/public_html', '-d', 'goodoils2.dyndns.org', '-d', 'www.goodoils2.dyndns.org']
2017-04-26 20:42:47,652:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-04-26 20:42:47,653:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-04-26 20:42:47,657:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7feb60352410>
Prep: True
2017-04-26 20:42:47,657:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7feb60352410> and installer None
2017-04-26 20:42:47,662:DEBUG:certbot.main:Picked account: <Account(8c77d1253cbbe0078a6519d5b2357df7)>
2017-04-26 20:42:47,663:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-04-26 20:42:47,669:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-04-26 20:42:47,795:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-04-26 20:42:47,797:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: EwuFKLza6I7Px7e9OH9gHS8RshR9RUDWGKTqN96JZiU
Replay-Nonce: XNml-i_iOtoVBAIV0t620AdcQZnFPCFFqz0gMsrXJxs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:47 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-04-26 20:42:47,800:INFO:certbot.main:Obtaining a new certificate
2017-04-26 20:42:47,801:DEBUG:acme.client:Requesting fresh nonce
2017-04-26 20:42:47,801:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-04-26 20:42:47,860:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-04-26 20:42:47,861:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: iWvlidOw9dSlg08-aWWkdUfwC4JUMfmZRYTq_JSxYlg
Replay-Nonce: uTLljDdn4vHugTjaN7TsruvfcoATUh8UUTAVKUXzyT4
Expires: Wed, 26 Apr 2017 20:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:47 GMT
Connection: keep-alive


2017-04-26 20:42:47,862:DEBUG:acme.client:Storing nonce: uTLljDdn4vHugTjaN7TsruvfcoATUh8UUTAVKUXzyT4
2017-04-26 20:42:47,862:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "goodoils2.dyndns.org"
  }, 
  "resource": "new-authz"
}
2017-04-26 20:42:47,866:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJ1VExsakRkbjR2SHVnVGphTjdUc3J1dmZjb0FUVWg4VVVUQVZLVVh6eVQ0In0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZ29vZG9pbHMyLmR5bmRucy5vcmciCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ", 
  "signature": "N338phq0wQz3-0EREUztUi36mJtysRTMTy80vGhE5dUSj1CCOYjXOAipS-Pa3qOGre-WWafnzwxtlZ1ZLxLJIUlhTqECuKPpGIKFmGCJcCoHfL-OSJ6ecQK_IPZUsScqDAWSUv4l3x6umgtADnZGK9ZMTraogOtrCa5cL6Md1x5pPZlETtrWPeV9LAJ4yOmhr1JcN1bWwyvIWRpJYqubl4PcmQSChatUXuIimU0_Ou71EDXj98Cp0OZjmBiNFqq_EM_RGeVRRSI405ArSv1u5sOHA23RGFRwjBKyQ6cAql35lJoh9QJsCxgS_5pFmOyB0OSPNQHDmk5Lyh5MdsOu5Q"
}
2017-04-26 20:42:47,952:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1008
2017-04-26 20:42:47,954:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1008
Boulder-Request-Id: kZNeWfclMWUINFaDCfe0Q60olpFA40X8gnbuZ447fT0
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU
Replay-Nonce: dhnbMedm1wK5E47BTOFqEytLzWI1LsegTJMSjBKy9LI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:47 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "goodoils2.dyndns.org"
  },
  "status": "pending",
  "expires": "2017-05-03T20:42:47.949320859Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU/1088834316",
      "token": "IX6vhcat8psf1SWmnh83sQMbEFJ9kC43MIWFVkclzr8"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU/1088834317",
      "token": "Ce2QuGyTM-K_bX3vfQK-otx8KfCv6fmaRXPu2QmmW4g"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU/1088834318",
      "token": "7YJAl0-6eyl4JOpyNM25WJmK7xL6hagsXuHtBoTB1aA"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-04-26 20:42:47,954:DEBUG:acme.client:Storing nonce: dhnbMedm1wK5E47BTOFqEytLzWI1LsegTJMSjBKy9LI
2017-04-26 20:42:47,955:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "www.goodoils2.dyndns.org"
  }, 
  "resource": "new-authz"
}
2017-04-26 20:42:47,960:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJkaG5iTWVkbTF3SzVFNDdCVE9GcUV5dEx6V0kxTHNlZ1RKTVNqQkt5OUxJIn0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid3d3Lmdvb2RvaWxzMi5keW5kbnMub3JnIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "C21j5Sijpi4Uum47mG4bhesbOh1UJulbFYD73iEQMDs1i3jypHTbVvE_MReD-oZudjgocuaMVTxBzG-DCGd2xrT7AYZDQ5LTvqigzIaZ1yTononePiB-qpDA0n6iVRRs4_-Jw52nQzZ1bD1yHgs9zE9SRy_JBGWdi8ElMTncGkopwQSNYgh0bcDO8qVCwTBpkJosWNEgVPKLC4hHZUjo_ad0zkPOg10GbVnPvBsOrqZzU3bvlY8o9r71HEZoczmTPVEUUNBty1gMaJRPDWdu5iKRqFEkCmrHMIAmrmMz7MWSbdFDozxZxiFGw7w5706mixekD2cI7zG9LpmTK5vZ0Q"
}
2017-04-26 20:42:48,047:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1012
2017-04-26 20:42:48,049:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1012
Boulder-Request-Id: GoPJXxiHa-QYUIaamfR_dpbilC3YNr8Ieo56ctV0kQo
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY
Replay-Nonce: AAIOiYTZXq-5lAuqV5oUbpkhHy8_H-tvVDTC1m-QquY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:42:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:48 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.goodoils2.dyndns.org"
  },
  "status": "pending",
  "expires": "2017-05-03T20:42:48.044394918Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY/1088834322",
      "token": "KUl-zsQUHk9mXJQFcHjqX6zP1Uyk3jQmmXpPREhswpI"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY/1088834323",
      "token": "ukMJS1YP4Lk8D48vg4KS4yhKPJtBh_gxTVjCPYu3wFs"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY/1088834324",
      "token": "6v79AULEX2wOTPvvUto3Xj1m6VO2RMzHvlIZTqTGFOQ"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-04-26 20:42:48,049:DEBUG:acme.client:Storing nonce: AAIOiYTZXq-5lAuqV5oUbpkhHy8_H-tvVDTC1m-QquY
2017-04-26 20:42:48,050:INFO:certbot.auth_handler:Performing the following challenges:
2017-04-26 20:42:48,051:INFO:certbot.auth_handler:http-01 challenge for goodoils2.dyndns.org
2017-04-26 20:42:48,051:INFO:certbot.auth_handler:http-01 challenge for www.goodoils2.dyndns.org
2017-04-26 20:42:48,052:INFO:certbot.plugins.webroot:Using the webroot path /home/marktest/web/goodoils2.dyndns.org/public_html for all unmatched domains.
2017-04-26 20:42:48,052:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge
2017-04-26 20:42:48,053:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge
2017-04-26 20:42:48,059:DEBUG:certbot.plugins.webroot:Attempting to save validation to /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge/Ce2QuGyTM-K_bX3vfQK-otx8KfCv6fmaRXPu2QmmW4g
2017-04-26 20:42:48,062:DEBUG:certbot.plugins.webroot:Attempting to save validation to /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge/ukMJS1YP4Lk8D48vg4KS4yhKPJtBh_gxTVjCPYu3wFs
2017-04-26 20:42:48,063:INFO:certbot.auth_handler:Waiting for verification...
2017-04-26 20:42:48,064:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "Ce2QuGyTM-K_bX3vfQK-otx8KfCv6fmaRXPu2QmmW4g.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ", 
  "type": "http-01", 
  "resource": "challenge"
}

#12

It seems like something on vpscloud.biz is set up to auto-respond to HTTP-01 by echoing the provided token, but with a specific account key thumbprint. See, for instance:

curl http://vpscloud.biz/.well-known/acme-challenge/this-is-not-a-challenge
this-is-not-a-challenge.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg

Note: The part after the “.” is supposed to be a thumbprint (aka fingerprint) of an account key. In this case, the “gg…” thumbprint doesn’t match the thumbprint of your account key, as shown in the keyAuthorization part of your logs.

I think the next step would be to figure out what is responsible for answering that query on your server. I would search your Nginx configs for “well-known” to see if there is any special rule catching such URLs.

Is it possible that Vesta has its own built-in Let’s Encrypt integration, and that is interfering with your attempted Certbot runs?


Certbot - The key authorization file from the server did not match error
#13

Hello, thank you for that. Yes VestaCP does have its own plugin now, which is working fine on 3 domains on that server - vpscloud.biz being the base domain of the server. When the plugin failed to create the certs, I went to the command line and it still would not work, however 2 others that I tested did.

I will have a look at Vesta’s nginx config.

Thank you.


#14

An update for you @StephDotNet @ahaw021 @steampunkjnkies @jsha,

I have had some success that may relate to all or some of our problems.

Thank you @jsha for the guidance, I did indeed find a nginx config file that was creating the reply - nginx.vpscloud.biz.conf_letsencrypt:

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg";
}

From its date it looks to be left from the failed attempt to create new certs with the VestaCP plugin, which was failing with a timeout - as mentioned in:

After removing this config file “nginx.vpscloud.biz.conf_letsencrypt” the command line process now fails with the same CAA timeout, but at least it’s making progress!

> Failed authorization procedure. vpscloud.biz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for vpscloud.biz

> IMPORTANT NOTES:
>  - The following errors were reported by the server:

>    Domain: vpscloud.biz
>    Type:   connection
>    Detail: DNS problem: query timed out looking up CAA for
>    vpscloud.biz

>    To fix these errors, please make sure that your domain name was
>    entered correctly and the DNS A record(s) for that domain
>    contain(s) the right IP address. Additionally, please check that
>    your computer has a publicly routable IP address and that no
>    firewalls are preventing the server from communicating with the
>    client. If you're using the webroot plugin, you should also verify
>    that you are serving files from the webroot path you provided. 

Now all I have to solve is an issue with one of the major DNS providers in Australia! :wink:

I hope this will help point others with VestaCP in the right direction, the nginx config chain of files is located in the “conf” directory for your VestaCP user in my case - “/home/admin/conf/web”

Thanks to all and regards,

Mark.
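The check described in post #12 and the leftover rule found in post #14, as an added example (not code from the thread, Certbot or VestaCP): it splits the two key authorizations in the error to see which half differs, flags nginx rules that hard-code a thumbprint other than the account's, and shows how an RFC 7638 thumbprint is derived from an account JWK. The function names and the sample JWK are constructed for illustration; the error text, config and thumbprints are the ones quoted in this thread, read as "[expected] != [served]" because the first matches the client's logged keyAuthorization and the second matches the curl output.

```python
import base64, hashlib, json, re

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialized with sorted names and no whitespace, base64url without padding."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# "[token.thumbprint] != [token.thumbprint]" pair as printed in the error.
PAIR = re.compile(r"\[([\w-]+)\.([\w-]+)\]\s*!=\s*\[([\w-]+)\.([\w-]+)\]")
# An nginx rule that answers every challenge URL with a fixed thumbprint.
RESPONDER = re.compile(r'return\s+200\s+"\$1\.([\w-]+)"')

def classify_mismatch(detail):
    """Report which half of the key authorization differs."""
    m = PAIR.search(detail)
    if m is None:
        return "no-pair-found"
    exp_token, exp_thumb, got_token, got_thumb = m.groups()
    if exp_token != got_token:
        return "token-mismatch"        # wrong or stale challenge file served
    if exp_thumb != got_thumb:
        return "thumbprint-mismatch"   # something answers for another account key
    return "match"

def foreign_responders(conf_text, account_thumbprint):
    """Thumbprints hard-coded in nginx rules that are not this account's."""
    return [t for t in RESPONDER.findall(conf_text) if t != account_thumbprint]

# Values copied from this thread (error in post #1, config in post #14).
DETAIL = ("The key authorization file from the server did not match this challenge "
          "[snH8Pb-9EnsXMM4N2fmaG-k_UXKSe_K59cKFlnU5T-Q.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != "
          "[snH8Pb-9EnsXMM4N2fmaG-k_UXKSe_K59cKFlnU5T-Q.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]")
NGINX_CONF = r'''location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg";
}'''
ACCOUNT_THUMBPRINT = "hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ"  # from keyAuthorization in the log
# Constructed JWK (not a real key): extra members such as "kid" do not affect the result.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "kid": "ignored"}

if __name__ == "__main__":
    print(classify_mismatch(DETAIL))
    print(foreign_responders(NGINX_CONF, ACCOUNT_THUMBPRINT))
    print(jwk_thumbprint(SAMPLE_JWK))
```

A thumbprint mismatch with an identical token means the challenge URL is being answered by a rule or service bound to a different account key, so the fix is in the web server configuration rather than in DNS.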


#15

For your NetRegistry problems, see DNS problem: query timed out looking up CAA (using Netregistry).


#16

Thank you very much for that, I was aware of that thread and had cited it above.


#17

Thanks @ontheslab. Unfortunately that still didn’t do it for me. It just re-created the _letsencrypt config file, but still failed. Mmm :frowning:


#18

@ontheslab I’m glad you have some changes, maybe it will help us find a solution. I did this, but as for steampunkjnkies, it didn’t even recreate the file & the authorization still fails.

I am stuck with this problem and I need to solve it since it’s for a major client :frowning:

I also have the feeling that it comes from the Domain Name configuration since I’ve never had this problem before (I’ve done this for 7 domain names) but this one “lacafetiere” is one I’ve retrieved from another web company… Maybe I should reset the configuration, I don’t know ;’(

As @jsha said, it could also be related to a recent change in the way vesta responds to the challenge (encoding, encryption, IDK :\ ). Maybe I’m gonna ask on the vesta forum…

If a pro wants access to my VPS to run some test, feel welcome ^^ Cheers & thanks for your time


#19

Ok I finally made it and I feel terrible (so maybe it’s a different issue for you).

  • 1st, I made a test, trying to create the certificate for a subdomain (test.lacafetiere.com), so I created the 2 A zones with 60s TTL (test and www.test pointing to the IP).

I did the “letsencrypt-vesta -a 60” command and it worked :fireworks: so I thought it was related to something going wrong on the main folder.

  • So I took everything from my main folder (the main site), and moved everything to a subfolder. I tried again and it worked.

So I think it was due to the htaccess on the root folder (public_html) of the site I was trying to certificate.

Hope it will help you folks :confounded:


#20

@StephDotNet glad you had a win! Not so different a problem than the one I had in the end - a miss return or request! (In my case a nginx over-ride and as you say prob a .htaccess over-ride). @steampunkjnkies could your issue be along the same lines?

Still need to fix my Netregistry problems :wink: then I will be happy!