Newbie: Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot

My domain is: boulangeriecyriltreveys.fr

I ran this command: certbot --apache -d boulangeriecyriltreveys.fr -d www.boulangeriecyriltreveys.fr -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Requesting a certificate for boulangeriecyriltreveys.fr and www.boulangeriecyriltreveys.fr

Performing the following challenges:

http-01 challenge for boulangeriecyriltreveys.fr

http-01 challenge for www.boulangeriecyriltreveys.fr

Waiting for verification...

Challenge failed for domain boulangeriecyriltreveys.fr

Challenge failed for domain www.boulangeriecyriltreveys.fr

http-01 challenge for boulangeriecyriltreveys.fr

http-01 challenge for www.boulangeriecyriltreveys.fr

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: boulangeriecyriltreveys.fr

Type: unauthorized

Detail: The key authorization file from the server did not match this challenge. Expected "5a25oRP1X5IVaoojVSTrjjG_rxEnW8aOUIde2ErnfUQ.FT27V0tcfkKK39JyEYrMhoODTPxc-nIt8QIVAVJt9vo" (got "5a25oRP1X5IVaoojVSTrjjG_rxEnW8aOUIde2ErnfUQ.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8")

Domain: www.boulangeriecyriltreveys.fr

Type: unauthorized

Detail: The key authorization file from the server did not match this challenge. Expected "bcnmfvAEqDvn8uNmXwbW8PI8Xan6_rt6ZjqJdc27_V8.FT27V0tcfkKK39JyEYrMhoODTPxc-nIt8QIVAVJt9vo" (got "bcnmfvAEqDvn8uNmXwbW8PI8Xan6_rt6ZjqJdc27_V8.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8")

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

2025-07-01 17:21:09,656:DEBUG:acme.client:Storing nonce: hFKQ31G52XieR-JTBgHEJSzebDfjm5i1me5Yk1MLoQ5533NpXJo
2025-07-01 17:21:09,656:INFO:certbot._internal.auth_handler:Challenge failed for domain boulangeriecyriltreveys.fr
2025-07-01 17:21:09,656:INFO:certbot._internal.auth_handler:Challenge failed for domain www.boulangeriecyriltreveys.fr
2025-07-01 17:21:09,657:INFO:certbot._internal.auth_handler:http-01 challenge for boulangeriecyriltreveys.fr
2025-07-01 17:21:09,657:INFO:certbot._internal.auth_handler:http-01 challenge for www.boulangeriecyriltreveys.fr
2025-07-01 17:21:09,658:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: boulangeriecyriltreveys.fr
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "uary861VdUwLLreURTKqKt2yBUYlJ_nn8xMY4faY9r4.FT27V0tcfkKK39JyEYrMhoODTPxc-nIt8QIVAVJt9vo" (got "uary861VdUwLLreURTKqKt2yBUYlJ_nn8xMY4faY9r4.4E3VCTFsySjUrqnCg0ooU>

Domain: www.boulangeriecyriltreveys.fr
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "o-Lbxr37QIZmzQ16dKOkh6b7t8YYvs2mw7pVEXT3l1M.FT27V0tcfkKK39JyEYrMhoODTPxc-nIt8QIVAVJt9vo" (got "o-Lbxr37QIZmzQ16dKOkh6b7t8YYvs2mw7pVEXT3l1M.4E3VCTFsySjUrqnCg0ooU>

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2025-07-01 17:21:09,664:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-07-01 17:21:09,664:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-07-01 17:21:09,664:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-07-01 17:21:09,925:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1287, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-07-01 17:21:09,930:ERROR:certbot._internal.log:Some challenges have failed.

Welcome @jeremyrncp

The first thing is to check your DNS settings. You have an IPv6 AAAA address in your DNS which points to an OVH Cloud server. Your IPv4 A address is for your Apache. Ideally you should update the AAAA address. But, remove it if you don't support IPv6.

Let's Encrypt prefers IPv6 when present. But, anyone trying to use IPv6 will connect to the OVH server and not your Apache.

From a test at https://letsdebug.net

boulangeriecyriltreveys.fr has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.

[Address=2001:41d0:301::21,Address Type=IPv6,Server=OVHcloud,HTTP Status=503] vs [Address=51.254.102.85,Address Type=IPv4,Server=Apache/2.4.52 (Ubuntu),HTTP Status=404]

3 Likes
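A per-address check for the situation described in the reply above, as an added example that is not part of the original thread: it splits the CA's "Expected ... (got ...)" detail into token and account-key thumbprint (the RFC 8555 key authorization format) and requests the challenge path separately on every A and AAAA address. The function names and the probe token are assumptions of this example.

```python
import http.client
import re
import socket
import sys
KEYAUTH_RE = re.compile(r'Expected "([^"]+)" \(got "([^"]+)"\)')

def diagnose_detail(detail):
    """Classify the CA's 'Expected ... (got ...)' message for an http-01 failure."""
    m = KEYAUTH_RE.search(detail)
    if not m:
        return "no key authorization pair found"
    # RFC 8555: key authorization = token "." base64url(account key thumbprint)
    (exp_tok, exp_thumb), (got_tok, got_thumb) = (
        v.partition(".")[::2] for v in m.groups())
    if exp_tok == got_tok and exp_thumb != got_thumb:
        return "token matches, thumbprint differs: response built with another account key"
    if exp_tok != got_tok:
        return "token differs: stale or unrelated challenge file"
    return "key authorization matches"

def resolve(host):
    """Return sorted (family, address) pairs for every A and AAAA record."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return sorted({("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0])
                   for fam, _, _, _, sa in infos})

def probe(host, addr, token="added-example-probe"):
    """GET the challenge path on one address; return (status, Server header)."""
    conn = http.client.HTTPConnection(addr, 80, timeout=10)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()

def divergent(results):
    """True when the addresses of one name answer the same request differently."""
    return len(set(results.values())) > 1

if __name__ == "__main__" and len(sys.argv) > 1:
    results = {}
    for family, addr in resolve(sys.argv[1]):
        try:
            results[addr] = probe(sys.argv[1], addr)
        except (OSError, http.client.HTTPException) as exc:
            results[addr] = ("unreachable", str(exc))
        print(family, addr, results[addr])
    print("DIVERGENT" if divergent(results) else "consistent")
```

Run it with the domain name as the only argument; a DIVERGENT result with different Server headers per address family matches the letsdebug finding quoted above.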