Letsencrypt-vesta Client Error - The key authorization file from the server did not match

Hi @ontheslab @StephDotNet

Unfortunately I am not able to replicate your error :frowning:

Below are screenshots of challenges passed with ZeroSSL (online client) and Certbot (0.13.0) on Windows.

I use 4096 bit RSA keys for my accounts. I have also left the challenge files so you can verify with the domains etc.

This narrows it down to one of 3 possible scenarios:

  • Key issues (account key)
  • Client Implementation Issues
  • Incorrect Challenges Being Issued by LetsEncrypt

Not sure where the next steps are. @jsha @schoen @bmw, any major changes with boulder recently that would cause account keys not to work as expected?

For some reason the challenge files are not lining up with the keys (i.e. one challenge is being provisioned, but not in line with what should be done cryptographically).

ZeroSSL:

Certbot on Windows:

Andrei

@cpu also looping you in

Could this be something to do with encoding, and the client not following the Base64 guidelines as strictly as it should?

Andrei

OK, tell me if I can run some tests or do something to help you guys :\

1 Like

Having the exact same problem, Steph. Very frustrating (especially seeing as a few domains have worked fine on the same server, and it just seems to be this one having issues).

Cheers

Andy

1 Like

Hello again, @ahaw021 @StephDotNet @steampunkjnkies

I hope this may help someone who knows what they are looking at. I have the full debug log from the domain that fails and from an example domain that works on the same server.

Failed domain (complete log):

2017-04-26 20:40:05,429:DEBUG:certbot.log:Root logging level set at 20
2017-04-26 20:40:05,429:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-04-26 20:40:05,429:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-26 20:40:05,429:DEBUG:certbot.main:Arguments: ['--renew-by-default', '--webroot', '-w', '/home/admin/web/vpscloud.biz/public_html', '-d', 'vpscloud.biz']
2017-04-26 20:40:05,429:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-04-26 20:40:05,430:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-04-26 20:40:05,433:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f180f8bed50>
Prep: True
2017-04-26 20:40:05,434:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f180f8bed50> and installer None
2017-04-26 20:40:05,440:DEBUG:certbot.main:Picked account: <Account(8c77d1253cbbe0078a6519d5b2357df7)>
2017-04-26 20:40:05,441:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-04-26 20:40:05,447:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-04-26 20:40:05,621:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-04-26 20:40:05,622:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: ctYHqP1-7XOF5-AsGmcbTnm9_4H_COi9BghnVzSilNc
Replay-Nonce: 8Jfqe9bGxp6xApPxH1kaEUHlisdQ4FGzva5bAcBDugM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:40:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:05 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-04-26 20:40:05,626:INFO:certbot.main:Obtaining a new certificate
2017-04-26 20:40:05,626:DEBUG:acme.client:Requesting fresh nonce
2017-04-26 20:40:05,626:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-04-26 20:40:05,751:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-04-26 20:40:05,751:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: 4APE95BWE0q_Df9ntgJpvPoVcDdUIxs00D52wHAr1KQ
Replay-Nonce: 6egnKKXtOtOGQ37fNaUQYQVT8sspP-nzspxDH8mYyrA
Expires: Wed, 26 Apr 2017 20:40:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:05 GMT
Connection: keep-alive


2017-04-26 20:40:05,752:DEBUG:acme.client:Storing nonce: 6egnKKXtOtOGQ37fNaUQYQVT8sspP-nzspxDH8mYyrA
2017-04-26 20:40:05,752:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "vpscloud.biz"
  }, 
  "resource": "new-authz"
}
2017-04-26 20:40:05,756:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICI2ZWduS0tYdE90T0dRMzdmTmFVUVlRVlQ4c3NwUC1uenNweERIOG1ZeXJBIn0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAidnBzY2xvdWQuYml6IgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "pm-mAe8bVnLInot9f9HauqCiET8TXAdmuLYKD1IuJ05o7vuuGYv77d4bcJxFRfcM-ygscIg2PaCYbGJ3Cugm01y4E8wfSc98nr_Iqu8R-2_hXxtdb1Ea2zjp5a3TiHjYop7-bgKgGB9GEpbMDHE8t99Gh3aRjAjfcmtPfcLbo_0RbOwsbqplFbS4plEi79bogl0kGRNZ70vIttMhyQ9DrMn7hBtDotHulg0DvbiTaDxanyrpf-BiWCxfPGw-f8fQRQtQH1oix4devxGxWTH8cJ5Eg7ZJ8ouHWeA10h-EWTQE9VoAbxtryZDPL8anfwu7kO-ReOQ79w8UN7C7JQXT_g"
}
2017-04-26 20:40:05,930:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1000
2017-04-26 20:40:05,932:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1000
Boulder-Request-Id: -pxVjHZoJRMAgKnw8xZkVgESUTiR7Vys9DR5tWolXsM
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc
Replay-Nonce: 0cyXDgJiBRoZjhz0RInuZF6yvjm5aAeqhA-sF0a_3Ac
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:40:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:05 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "vpscloud.biz"
  },
  "status": "pending",
  "expires": "2017-05-03T20:40:05.921731186Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826855",
      "token": "FFZ1bxQmnYGd_GVsrUsBvfaBC6L0ssgBNRoG5-iDVgs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826856",
      "token": "xWm3rnl1K0Rx_J55n3WaSVyq4U7vHJGifbeUwbCB1tY"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857",
      "token": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-04-26 20:40:05,932:DEBUG:acme.client:Storing nonce: 0cyXDgJiBRoZjhz0RInuZF6yvjm5aAeqhA-sF0a_3Ac
2017-04-26 20:40:05,933:INFO:certbot.auth_handler:Performing the following challenges:
2017-04-26 20:40:05,934:INFO:certbot.auth_handler:http-01 challenge for vpscloud.biz
2017-04-26 20:40:05,934:INFO:certbot.plugins.webroot:Using the webroot path /home/admin/web/vpscloud.biz/public_html for all unmatched domains.
2017-04-26 20:40:05,935:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge
2017-04-26 20:40:05,943:DEBUG:certbot.plugins.webroot:Attempting to save validation to /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge/x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M
2017-04-26 20:40:05,944:INFO:certbot.auth_handler:Waiting for verification...
2017-04-26 20:40:05,944:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-04-26 20:40:05,951:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICIwY3lYRGdKaUJSb1pqaHowUkludVpGNnl2am01YUFlcWhBLXNGMGFfM0FjIn0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIng2Q2VaUkVWSFB1X1FycmxNalpBS1dYVWwtM1luaWcwckxYbE1tZFBUOE0uaG9hRU9ZZmdZVnNYOGozSXRTRDdwanFQZGdNMVpfSDdyaHNlYk12N3pMUSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "u1j7JP5w-qDXgRcoaCaQ53rUFALSIr6kRBoF32Gnop6-4i2DuvlmEpvk9vLdcVzlJxnDEYNzcdkhW8bx4HXb7XUuCvxVjgdcWEskDEMSAHurOcOnh4FP4Va_te60ipYXIhWJsRGGELTJZQOGIHttDVwnDvnDpRtg7TzyjltNUeXhKEEuxsM_9fo4two-9_jAVxgACW0XGYM7dJSBgmE2HWYLI0mPO9IYrKJH2dXF8ocmOp_fJMSLWhbFuYjTVKZf9HpXlCZHeLj3SOvkjdSDR4IGuNgU738H5ffPJKKR7AEUfJCyfBq4m__KAhDeZxBVh0Iyf1H5enaapQ5HmyZGhQ"
}
2017-04-26 20:40:06,143:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857 HTTP/1.1" 202 336
2017-04-26 20:40:06,144:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Request-Id: nDdfJ7IpIw-TAuMrrkgHXe3GyTOa8czUYOPhMhDBHns
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857
Replay-Nonce: sY_HcgmImrl1QOM6GzhCZsBiKaynrbpHpTl5CqaHtVA
Expires: Wed, 26 Apr 2017 20:40:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:06 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857",
  "token": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M",
  "keyAuthorization": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ"
}
2017-04-26 20:40:06,144:DEBUG:acme.client:Storing nonce: sY_HcgmImrl1QOM6GzhCZsBiKaynrbpHpTl5CqaHtVA
2017-04-26 20:40:09,148:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc.
2017-04-26 20:40:09,266:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc HTTP/1.1" 200 1825
2017-04-26 20:40:09,267:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1825
Boulder-Request-Id: iRtP9JPOQqK2E21P7r1t87KrieO0XlaDlerY4-pDeO0
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: gBm4MyPGt1qO_7IgqoRhuOcfMG-0t48yKE09bMZct54
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:40:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:40:09 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "vpscloud.biz"
  },
  "status": "invalid",
  "expires": "2017-05-03T20:40:05Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826855",
      "token": "FFZ1bxQmnYGd_GVsrUsBvfaBC6L0ssgBNRoG5-iDVgs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826856",
      "token": "xWm3rnl1K0Rx_J55n3WaSVyq4U7vHJGifbeUwbCB1tY"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cY2fZ8w9Z0Okx6wuaPGIOsBDPqJEi6_eG0XwGM7VgHc/1088826857",
      "token": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M",
      "keyAuthorization": "x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ",
      "validationRecord": [
        {
          "url": "http://vpscloud.biz/.well-known/acme-challenge/x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M",
          "hostname": "vpscloud.biz",
          "port": "80",
          "addressesResolved": [
            "159.203.76.216"
          ],
          "addressUsed": "159.203.76.216"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-04-26 20:40:09,269:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: vpscloud.biz
Type:   unauthorized
Detail: The key authorization file from the server did not match this challenge [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-04-26 20:40:09,269:INFO:certbot.auth_handler:Cleaning up challenges
2017-04-26 20:40:09,270:DEBUG:certbot.plugins.webroot:Removing /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge/x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M
2017-04-26 20:40:09,270:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /home/admin/web/vpscloud.biz/public_html/.well-known/acme-challenge
2017-04-26 20:40:09,273:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 755, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 682, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 316, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 285, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. vpscloud.biz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ] != [x6CeZREVHPu_QrrlMjZAKWXUl-3Ynig0rLXlMmdPT8M.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg]

Working domain (trimmed to fit in post - keys removed & cut as much as I had to to fit):

2017-04-26 20:42:47,652:DEBUG:certbot.log:Root logging level set at 20
2017-04-26 20:42:47,652:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-04-26 20:42:47,652:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-26 20:42:47,652:DEBUG:certbot.main:Arguments: ['--renew-by-default', '--webroot', '-w', '/home/marktest/web/goodoils2.dyndns.org/public_html', '-d', 'goodoils2.dyndns.org', '-d', 'www.goodoils2.dyndns.org']
2017-04-26 20:42:47,652:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-04-26 20:42:47,653:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-04-26 20:42:47,657:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7feb60352410>
Prep: True
2017-04-26 20:42:47,657:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7feb60352410> and installer None
2017-04-26 20:42:47,662:DEBUG:certbot.main:Picked account: <Account(8c77d1253cbbe0078a6519d5b2357df7)>
2017-04-26 20:42:47,663:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-04-26 20:42:47,669:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-04-26 20:42:47,795:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-04-26 20:42:47,797:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: EwuFKLza6I7Px7e9OH9gHS8RshR9RUDWGKTqN96JZiU
Replay-Nonce: XNml-i_iOtoVBAIV0t620AdcQZnFPCFFqz0gMsrXJxs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:47 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-04-26 20:42:47,800:INFO:certbot.main:Obtaining a new certificate
2017-04-26 20:42:47,801:DEBUG:acme.client:Requesting fresh nonce
2017-04-26 20:42:47,801:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-04-26 20:42:47,860:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-04-26 20:42:47,861:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: iWvlidOw9dSlg08-aWWkdUfwC4JUMfmZRYTq_JSxYlg
Replay-Nonce: uTLljDdn4vHugTjaN7TsruvfcoATUh8UUTAVKUXzyT4
Expires: Wed, 26 Apr 2017 20:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:47 GMT
Connection: keep-alive


2017-04-26 20:42:47,862:DEBUG:acme.client:Storing nonce: uTLljDdn4vHugTjaN7TsruvfcoATUh8UUTAVKUXzyT4
2017-04-26 20:42:47,862:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "goodoils2.dyndns.org"
  }, 
  "resource": "new-authz"
}
2017-04-26 20:42:47,866:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJ1VExsakRkbjR2SHVnVGphTjdUc3J1dmZjb0FUVWg4VVVUQVZLVVh6eVQ0In0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZ29vZG9pbHMyLmR5bmRucy5vcmciCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ", 
  "signature": "N338phq0wQz3-0EREUztUi36mJtysRTMTy80vGhE5dUSj1CCOYjXOAipS-Pa3qOGre-WWafnzwxtlZ1ZLxLJIUlhTqECuKPpGIKFmGCJcCoHfL-OSJ6ecQK_IPZUsScqDAWSUv4l3x6umgtADnZGK9ZMTraogOtrCa5cL6Md1x5pPZlETtrWPeV9LAJ4yOmhr1JcN1bWwyvIWRpJYqubl4PcmQSChatUXuIimU0_Ou71EDXj98Cp0OZjmBiNFqq_EM_RGeVRRSI405ArSv1u5sOHA23RGFRwjBKyQ6cAql35lJoh9QJsCxgS_5pFmOyB0OSPNQHDmk5Lyh5MdsOu5Q"
}
2017-04-26 20:42:47,952:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1008
2017-04-26 20:42:47,954:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1008
Boulder-Request-Id: kZNeWfclMWUINFaDCfe0Q60olpFA40X8gnbuZ447fT0
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU
Replay-Nonce: dhnbMedm1wK5E47BTOFqEytLzWI1LsegTJMSjBKy9LI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:42:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:47 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "goodoils2.dyndns.org"
  },
  "status": "pending",
  "expires": "2017-05-03T20:42:47.949320859Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU/1088834316",
      "token": "IX6vhcat8psf1SWmnh83sQMbEFJ9kC43MIWFVkclzr8"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU/1088834317",
      "token": "Ce2QuGyTM-K_bX3vfQK-otx8KfCv6fmaRXPu2QmmW4g"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/MUzt26cKd8xP3tuQ6q7N-3p2jB7U4Bv9Kwbx-4PZ3mU/1088834318",
      "token": "7YJAl0-6eyl4JOpyNM25WJmK7xL6hagsXuHtBoTB1aA"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-04-26 20:42:47,954:DEBUG:acme.client:Storing nonce: dhnbMedm1wK5E47BTOFqEytLzWI1LsegTJMSjBKy9LI
2017-04-26 20:42:47,955:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "www.goodoils2.dyndns.org"
  }, 
  "resource": "new-authz"
}
2017-04-26 20:42:47,960:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "0W3KE7Jbbdrc0bsZcLVXNeWucNxDSuQ3UN1M8j5LiNlEMCT2SXspbKvrtmUPqL4Wh2TuL9IDDaCh3nYB7UvUBdiLjXPc9iwdPV5xo3soEyn1cIymfoUmWalWC1YqTFFJYfPUTAmAaLCTeM9Hik19kJBv3OXfmuC2naFt1sD4jPwzKS66zhIlJwKCGZiNxU3y2uB-GBfmmp6b0WP450y71OtF6hcakUWCleHlYg2DjCDeUIwo4b8YtIN4ujH8r0SAWeESBGCQd6c-qHAiVbJ0G5VYWXumUJ765l4CMgd4RiX-KNtfgoA_rdTuUjDARsCc45Fu4D_B2lCcd1uB-ZAeRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJkaG5iTWVkbTF3SzVFNDdCVE9GcUV5dEx6V0kxTHNlZ1RKTVNqQkt5OUxJIn0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid3d3Lmdvb2RvaWxzMi5keW5kbnMub3JnIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "C21j5Sijpi4Uum47mG4bhesbOh1UJulbFYD73iEQMDs1i3jypHTbVvE_MReD-oZudjgocuaMVTxBzG-DCGd2xrT7AYZDQ5LTvqigzIaZ1yTononePiB-qpDA0n6iVRRs4_-Jw52nQzZ1bD1yHgs9zE9SRy_JBGWdi8ElMTncGkopwQSNYgh0bcDO8qVCwTBpkJosWNEgVPKLC4hHZUjo_ad0zkPOg10GbVnPvBsOrqZzU3bvlY8o9r71HEZoczmTPVEUUNBty1gMaJRPDWdu5iKRqFEkCmrHMIAmrmMz7MWSbdFDozxZxiFGw7w5706mixekD2cI7zG9LpmTK5vZ0Q"
}
2017-04-26 20:42:48,047:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1012
2017-04-26 20:42:48,049:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1012
Boulder-Request-Id: GoPJXxiHa-QYUIaamfR_dpbilC3YNr8Ieo56ctV0kQo
Boulder-Requester: 13337504
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY
Replay-Nonce: AAIOiYTZXq-5lAuqV5oUbpkhHy8_H-tvVDTC1m-QquY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 26 Apr 2017 20:42:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Apr 2017 20:42:48 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.goodoils2.dyndns.org"
  },
  "status": "pending",
  "expires": "2017-05-03T20:42:48.044394918Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY/1088834322",
      "token": "KUl-zsQUHk9mXJQFcHjqX6zP1Uyk3jQmmXpPREhswpI"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY/1088834323",
      "token": "ukMJS1YP4Lk8D48vg4KS4yhKPJtBh_gxTVjCPYu3wFs"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/pSDMW4hjY9ryATRq0l5dwkUdeRtVIQZ0oBNSTJHTkfY/1088834324",
      "token": "6v79AULEX2wOTPvvUto3Xj1m6VO2RMzHvlIZTqTGFOQ"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-04-26 20:42:48,049:DEBUG:acme.client:Storing nonce: AAIOiYTZXq-5lAuqV5oUbpkhHy8_H-tvVDTC1m-QquY
2017-04-26 20:42:48,050:INFO:certbot.auth_handler:Performing the following challenges:
2017-04-26 20:42:48,051:INFO:certbot.auth_handler:http-01 challenge for goodoils2.dyndns.org
2017-04-26 20:42:48,051:INFO:certbot.auth_handler:http-01 challenge for www.goodoils2.dyndns.org
2017-04-26 20:42:48,052:INFO:certbot.plugins.webroot:Using the webroot path /home/marktest/web/goodoils2.dyndns.org/public_html for all unmatched domains.
2017-04-26 20:42:48,052:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge
2017-04-26 20:42:48,053:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge
2017-04-26 20:42:48,059:DEBUG:certbot.plugins.webroot:Attempting to save validation to /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge/Ce2QuGyTM-K_bX3vfQK-otx8KfCv6fmaRXPu2QmmW4g
2017-04-26 20:42:48,062:DEBUG:certbot.plugins.webroot:Attempting to save validation to /home/marktest/web/goodoils2.dyndns.org/public_html/.well-known/acme-challenge/ukMJS1YP4Lk8D48vg4KS4yhKPJtBh_gxTVjCPYu3wFs
2017-04-26 20:42:48,063:INFO:certbot.auth_handler:Waiting for verification...
2017-04-26 20:42:48,064:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "Ce2QuGyTM-K_bX3vfQK-otx8KfCv6fmaRXPu2QmmW4g.hoaEOYfgYVsX8j3ItSD7pjqPdgM1Z_H7rhsebMv7zLQ", 
  "type": "http-01", 
  "resource": "challenge"
}

It seems like something on vpscloud.biz is set up to auto-respond to HTTP-01 by echoing the provided token, but with a specific account key thumbprint. See, for instance:

curl http://vpscloud.biz/.well-known/acme-challenge/this-is-not-a-challenge
this-is-not-a-challenge.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg

Note: The part after the “.” is supposed to be a thumbprint (aka fingerprint) of an account key. In this case, the “gg…” thumbprint doesn’t match the thumbprint of your account key, as shown in the keyAuthorization part of your logs.

I think the next step would be to figure out what is responsible for answering that query on your server. I would search your Nginx configs for “well-known” to see if there is any special rule catching such URLs.

Is it possible that Vesta has its own built-in Let’s Encrypt integration, and that it is interfering with your attempted Certbot runs?

Hello, thank you for that. Yes, VestaCP does have its own plugin now, which is working fine on 3 domains on that server, vpscloud.biz being the base domain of the server. When the plugin failed to create the certs, I went to the command line and it still would not work; however, 2 others that I tested did.

I will have a look at Vesta’s nginx config.

Thank you.

An update for you @StephDotNet @ahaw021 @steampunkjnkies @jsha,

I have had some success that may relate to all or some of our problems.

Thank you @jsha for the guidance. I did indeed find an nginx config file that was creating the reply, nginx.vpscloud.biz.conf_letsencrypt:

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.ggSx6hy43AXM901bwJ_Dr4mYLANeJZ8AC4Xxg_N3Bgg";
}

From its date it looks to be left from the failed attempt to create new certs with the VestaCP plugin, which was failing with a timeout - as mentioned in:

After removing this config file "nginx.vpscloud.biz.conf_letsencrypt" the command line process now fails with the same CAA timeout, but at least it's making progress!

> Failed authorization procedure. vpscloud.biz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for vpscloud.biz

> IMPORTANT NOTES:
>  - The following errors were reported by the server:

>    Domain: vpscloud.biz
>    Type:   connection
>    Detail: DNS problem: query timed out looking up CAA for
>    vpscloud.biz

>    To fix these errors, please make sure that your domain name was
>    entered correctly and the DNS A record(s) for that domain
>    contain(s) the right IP address. Additionally, please check that
>    your computer has a publicly routable IP address and that no
>    firewalls are preventing the server from communicating with the
>    client. If you're using the webroot plugin, you should also verify
>    that you are serving files from the webroot path you provided. 

Now all I have to solve is an issue with one of the major DNS providers in Australia! :wink:

I hope this will help point others with VestaCP in the right direction. The nginx config chain of files is located in the "conf" directory for your VestaCP user; in my case "/home/admin/conf/web".

Thanks to all and regards,

Mark.

1 Like

For your NetRegistry problems, see DNS problem: query timed out looking up CAA (using Netregistry).

1 Like

Thank you very much for that, I was aware of that thread and had cited it above.

Thanks @ontheslab. Unfortunately that still didn’t do it for me. It just re-created the _letsencrypt config file, but still failed. Mmm :frowning:

@ontheslab I’m glad you have some changes, maybe it will help us find a solution. I did this but, as for steampunkjnkies, it didn’t even recreate the file and the authorization still fails.

I am stuck with this problem and I need to solve it since it’s for a major client :frowning:

I also have the feeling that it comes from the Domain Name configuration since I’ve never had this problem before (I’ve done this for 7 domain names) but this one “lacafetiere” is one I’ve retrieved from another web company… Maybe I should reset the configuration, I don’t know ;’(

As @jsha said, it could also be related to a recent change in the way vesta responds to the challenge (encoding, encryption, IDK :\ ). Maybe I’m gonna ask on the vesta forum…

If a pro wants access to my VPS to run some test, feel welcome ^^ Cheers & thanks for your time

Ok I finally made it and I feel terrible (so maybe it’s a different issue for you).

  • First, I made a test, trying to create the certificate for a subdomain (test.lacafetiere.com), so I created the 2 A zones with 60s TTL (test and www.test pointing to the IP).

I did the “letsencrypt-vesta -a 60” command and it worked :fireworks: so I thought it was related to something going wrong on the main folder.

  • So I took everything from my main folder (the main site) and moved it to a subfolder. I tried again and it worked.

So I think it was due to the .htaccess on the root folder (public_html) of the site I was trying to get a certificate for.

Hope it will help you folks :confounded:

1 Like

@StephDotNet glad you had a win! Not so different a problem from the one I had in the end - a wrong return or request! (In my case an nginx override and, as you say, probably a .htaccess override). @steampunkjnkies could your issue be along the same lines?

Still need to fix my Netregistry problems :wink: then I will be happy!

haha well I'm getting closer, but still not quite. Staging version works fine:

/usr/local/letsencrypt/certbot-auto certonly --staging --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/school-clip-art.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for school-clip-art.com
http-01 challenge for www.school-clip-art.com
Using the webroot path /home/admin/web/school-clip-art.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/admin/web/school-clip-art.com/public_html/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/school-clip-art.com/fullchain.pem. Your cert
    will expire on 2017-07-27. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot-auto again. To
    non-interactively renew all of your certificates, run
    "certbot-auto renew"

...but not the "live" one :confused:

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/school-clip-art.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for school-clip-art.com
http-01 challenge for www.school-clip-art.com
Using the webroot path /home/admin/web/school-clip-art.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/admin/web/school-clip-art.com/public_html/.well-known/acme-challenge
Failed authorization procedure. www.school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != [z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE], school-clip-art.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] != [I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.school-clip-art.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8]
!=
[z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

Domain: school-clip-art.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8]
!=
[I5iSChtr-ZeUNdr9UBorsvCn5hJaLHzY1mIW1-GDky4.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

Looking at the log files for the staging, and "live" one, I did happen to notice:

Staging: (worked OK);

HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1519
Boulder-Request-Id: PIoEDqzgNw0hAqbx51TSB2yJf58X8xN1mnCU5EpyN2s
Boulder-Requester: 1992360
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/yldyfBkWVgZ4X-OyWHd41ElNy4RPuxjJm7G8uKowMQA
Replay-Nonce: T59R7TpHezUe3UhF2tkzK_PntTFMJTyEtpip62eX1pg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 28 Apr 2017 04:40:40 GMT

Live (didn't work);

HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1007
Boulder-Request-Id: Ilo1Vq-hUqyq0FnaHFJ507NFNO9BMczdb-UsUlxKKzA
Boulder-Requester: 13370135
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/f2LDQVqzqnpdu0kUqVvKxazU8FBgZ3vSs34GM1SKBV0
Replay-Nonce: XXRz_v0SwEJDN0dMWCZkm5mEJgtnwMOifXP9xmPm-fA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Notice how the content length is different. Is that normal? Digging into the guts here really isn't my expertise, so I'm hoping someone can help me figure it out :slight_smile:

@ontheslab - what was the nginx config issue you had? I'm on nginx as well. I have this in my nginx.conf file for each of the domains:

location / {
    if ($request_uri ~ "^/\.well-known/acme-challenge/(.*)$") {
        break;
    }
    rewrite ^(.*) https://free-clip-art.com$1 permanent;
}

Cheers

Andy

Hi @steampunkjnkies, in my case the config file that the VestaCP letsencrypt plugin was leaving behind would override the response from the server (i.e. returning its own key, not the new challenge key). I removed this additional config file containing the “^/.well-known/acme-challenge/(.*)$” option and then it worked correctly. Perhaps you could try to comment out that conditional https rewrite directive and try the key creation again? Sorry, I am no expert on nginx!

Mark.

Thanks. This gets more and more confusing :frowning: So in nginx.school-clip-art.com.conf_letsencrypt, I found that it had a different string (as you mentioned). So I updated it to the one it was expecting.

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8";
}

…I then re-ran it from SSH, and it works!

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com


Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/school-clip-art.com/fullchain.pem. Your cert
   will expire on 2017-07-27. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

…but as soon as I try it from the VestaCP area, it doesn’t work again. It’s almost like certbot-auto, and the VestaCP admin tool are using different auth codes, and that is screwing things up :confused:

Cheers

Andy
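The thumbprint explanation earlier in the thread and the static nginx rule just above both come down to the one string comparison the CA performs for http-01: the body served at /.well-known/acme-challenge/<token> must equal <token>.<thumbprint of the account key>. The following Python is an added example, not code from this thread, VestaCP or Certbot. It computes the RFC 7638 JWK thumbprint from an account key's public JWK, builds the key authorization, and parses a "[expected] != [served]" detail like the one in Andy's log to say which half is wrong. The JWK modulus is a constructed dummy, and the bracket order (expected first, served second) is taken from Andy's fix in this thread, where serving the first value made validation pass.

```python
"""Check an ACME http-01 key authorization the way the CA does (added example)."""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required public members, in lexicographic order, no whitespace.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of a public JWK; extra members such as 'alg' or 'kid' are ignored."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact body the CA expects to fetch for this challenge token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def compare_key_authorization(expected: str, served: str) -> str:
    """Classify why a fetched challenge body does not match the expected key authorization."""
    served = served.strip()  # a trailing newline in the file is tolerated
    if "." not in served:
        return "no key authorization served"  # e.g. an HTML page from a rewrite or 404
    s_token, _, s_thumb = served.partition(".")
    e_token, _, e_thumb = expected.partition(".")
    if s_token != e_token:
        return "wrong token served"  # stale challenge file, or a rule answering every token
    if s_thumb != e_thumb:
        return "different account key thumbprint served"  # another client's account key
    return "match"


# Matches the two bracketed values in "did not match this challenge [expected] != [served]".
MISMATCH_RE = re.compile(r"\[([^\]\s]+)\] != \[([^\]\s]+)\]")


def diagnose_boulder_detail(detail: str) -> dict:
    """Parse one Boulder error detail and return the two values plus the likely cause."""
    m = MISMATCH_RE.search(detail)
    if not m:
        return {"cause": "unparsed"}
    expected, served = m.group(1), m.group(2)
    return {"expected": expected, "served": served,
            "cause": compare_key_authorization(expected, served)}


# Constructed dummy account key (not a real RSA modulus) for demonstration only.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "ConstructedDummyModulus_NotARealKey-0000"}

# Error detail taken from the certbot output in this thread.
SAMPLE_DETAIL = (
    "The key authorization file from the server did not match this challenge "
    "[z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8] "
    "!= [z01v1WRI0wuyPchNLcChostfaIowM7uZSKtt5Lz8N0o.jovWtVw8hQo48B0oVNH2HtMnU6dasUd0_8jh4cxgALE]"
)


def static_rule_effect(token: str, rule_thumbprint: str, client_jwk: dict) -> str:
    """What happens when an nginx rule hard-codes 'return 200 "$1.<rule_thumbprint>"'
    and a client with account key client_jwk runs a challenge for token."""
    served_by_rule = f"{token}.{rule_thumbprint}"
    return compare_key_authorization(key_authorization(token, client_jwk), served_by_rule)


if __name__ == "__main__":
    print("thumbprint:", jwk_thumbprint(SAMPLE_JWK))
    print(diagnose_boulder_detail(SAMPLE_DETAIL))
    # A rule baked for one account key breaks any other client's challenge:
    other = "QOHPDOM39nXOn7vMCwxuoSYRMc3icfYIIOtd8JI45Q8"
    print(static_rule_effect("sometoken", other, SAMPLE_JWK))
```

The static rule in the thread answers every token with one fixed thumbprint, so it only validates for the single account key it was written for; when certbot-auto and the VestaCP plugin use different account keys, whichever one the rule was not written for gets exactly the "did not match" error shown above, which is the point Mark makes about not mixing the two.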

> it's almost like certbot-auto, and the VestaCP admin tool are using different auth codes, and that is screwing things up :confused:

I am sure they do, I would either go with the command line or the Vesta plugin - using both I am sure will lead to confusion and trouble.

Mark.

Yeah, although I’m not too sure how to do that. I want to really use the web-based one (as it handles all the updates / renewals etc). The other one I’ve been testing is just the normal certbot-auto (and that was purely so I could do the “staging” test stuff, as for some reason that isn’t an option in the VestaCP system)

Eugh, well I’ve managed to get a bit of a workaround (at least so I can get the site live again)

/usr/local/letsencrypt/certbot-auto certonly --webroot -w /home/admin/web/school-clip-art.com/public_html -d school-clip-art.com -d www.school-clip-art.com

Then I had to manually copy and paste the contents into the VestaCP certificate sections, and it works. But far from ideal, as

  1. It won’t auto renew
  2. I’m going to have to manually fix them up every 3 months
  3. I’m really miffed that I just can’t get it to work, even though it works fine on all the other sites on the server (with the same configs)

:frowning:

If anyone has any more suggestions as to what I could try, I’m more than happy to give them a go!

Cheers

Andy