Letsencrypt-vesta Client Error - The key authorization file from the server did not match

haha well I'm getting closer, but still not quite. Staging version works fine:

/usr/local/letsencrypt/certbot-auto certonly --staging --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/school-clip-art.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for school-clip-art.com
http-01 challenge for www.school-clip-art.com
Using the webroot path /home/admin/web/school-clip-art.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/admin/web/school-clip-art.com/public_html/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/school-clip-art.com/fullchain.pem. Your cert
    will expire on 2017-07-27. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot-auto again. To
    non-interactively renew all of your certificates, run
    "certbot-auto renew"

...but not the "live" one :confused:

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/school-clip-art.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for school-clip-art.com
http-01 challenge for www.school-clip-art.com
Using the webroot path /home/admin/web/school-clip-art.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/admin/web/school-clip-art.com/public_html/.well-known/acme-challenge
Failed authorization procedure. www.school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != [z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE], school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != [I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.school-clip-art.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8]
!=
[z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

Domain: school-clip-art.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8]
!=
[I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

Looking at the log files for the staging, and "live" one, I did happen to notice:

Staging (worked OK):

HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1519
Boulder-Request-Id: PIoEDqzgNw0hAqbx51TSB2yJf58X8xN1mnCU5EpyN2s
Boulder-Requester: 1992360
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/yldyfBkWVgZ4X-OyWHd41ElNy4RPuxjJm7G8uKowMQA
Replay-Nonce: T59R7TpHezUe3UhF2tkzK_PntTFMJTyEtpip62eX1pg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 28 Apr 2017 04:40:40 GMT

Live (didn't work):

HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1007
Boulder-Request-Id: Ilo1Vq-hUqyq0FnaHFJ507NFNO9BMczdb-UsUlxKKzA
Boulder-Requester: 13370135
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/f2LDQVqzqnpdu0kUqVvKxazU8FBgZ3vSs34GM1SKBV0
Replay-Nonce: XXRz_v0SwEJDN0dMWCZkm5mEJgtnwMOifXP9xmPm-fA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Notice how the content length is different. Is that normal? Digging into the guts here really isn't my expertise, so I'm hoping someone can help me figure it out :slight_smile:

@ontheslab - what was the nginx config issue you had? I'm on nginx as well. I have this in my nginx.conf file for each of the domains:

location / {
    if ($request_uri ~ "^/\.well-known/acme-challenge/(.*)$") {
        break;
    }
    rewrite ^(.*) https://free-clip-art.com$1 permanent;
}

Cheers

Andy

Hi @steampunkjnkies, in my case the config file that the VestaCP letsencrypt plugin was leaving behind would override the response from the server (i.e. returning its own key, not the new challenge key). I removed this additional config file containing the “^/.well-known/acme-challenge/(.*)$” option and then it worked correctly. Perhaps you could try to comment out that conditional https rewrite directive and try the key creation again? Sorry, I am no expert on nginx!

Mark.

Thanks. This gets more and more confusing :frowning: So in nginx.school-clip-art.com.conf_letsencrypt, I found that it had a different string (as you mentioned). So I updated it to the one it was expecting.

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8";
}

…I then re-ran it from SSH, and it works!

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com


Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/school-clip-art.com/fullchain.pem. Your cert
   will expire on 2017-07-27. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

…but as soon as I try it from the VestaCP area, it doesn’t work again. It’s almost like certbot-auto and the VestaCP admin tool are using different auth codes, and that is screwing things up :confused:

Cheers

Andy

it's almost like certbot-auto, and the VestaCP admin tool are using different auth codes, and that is screwing things up :confused:

I am sure they do, I would either go with the command line or the Vesta plugin - using both I am sure will lead to confusion and trouble.

Mark.

Yeah, although I’m not too sure how to do that. I want to really use the web-based one (as it handles all the updates / renewals etc). The other one I’ve been testing is just the normal certbot-auto (and that was purely so I could do the “staging” test stuff, as for some reason that isn’t an option in the VestaCP system)

Eugh, well I’ve managed to get a bit of a workaround (at least so I can get the site live again)

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

Then I had to manually copy and paste the contents into the VestaCP certificate sections, and it works. But far from ideal, as

  1. It won’t auto renew
  2. I’m going to have to manually fix them up every 3 months
  3. I’m really miffed that I just can’t get it to work, even though it works fine on all the other sites on the server (with the same configs)

:frowning:

If anyone has any more suggestions as to what I could try, I’m more than happy to give them a go!

Cheers

Andy
