Subdomain - did not match this challenge

The challenge does not match the returned value from the server indeed.
I traced the requested URL and it never matched the challenge in the first place.
This test seems to work just fine: http://1of.bluedgeusa.com/.well-known/acme-challenge/test

My domain is: 1of.bluedgeusa.com

I ran this command: certbot certonly --webroot -w /home/www/1of/public -d 1of.bluedgeusa.com --dry-run -v

It produced this output:
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fd9e1e83990>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fd9e1e83990> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=u'valid', contact=(u'mailto:n.alessandra@gmail.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fd9e1e83bd0>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/5373810', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 01f234a972b680b7cac9ed2a8f717588, Meta(creation_host=u'1of-limited-edition', creation_dt=datetime.datetime(2018, 1, 11, 15, 13, 21, tzinfo=)))>
Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
https://acme-staging.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 582
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 582
Replay-Nonce: XH-BSdhD_Yn1DLH86kPqpIGhSHbE0BNtxMSnPnJx3k8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive

{
  "XKOCVXx5TwU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
https://acme-staging.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: qBRBz2WwNfcVJmW5paCnEWyhp5LDg9CnzHsJa6uwVPA
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive


Storing nonce: qBRBz2WwNfcVJmW5paCnEWyhp5LDg9CnzHsJa6uwVPA
JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "1of.bluedgeusa.com"
  }, 
  "resource": "new-authz"
}
Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 737
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 737
Boulder-Requester: 5373810
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc
Replay-Nonce: kU8SYb1p67clP4dGOP6Njzz4PXNdDrb768Fz1_BSD1E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "1of.bluedgeusa.com"
  },
  "status": "pending",
  "expires": "2018-01-18T16:24:53.639046806Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657249",
      "token": "Ruk-4QP4ikWDrF-FkXc-MpykXaf1Lu4hCy2RhzrQ6fg"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250",
      "token": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ]
  ]
}
Storing nonce: kU8SYb1p67clP4dGOP6Njzz4PXNdDrb768Fz1_BSD1E
Performing the following challenges:
http-01 challenge for 1of.bluedgeusa.com
Using the webroot path /home/www/1of/public for all unmatched domains.
Creating root challenges validation dir at /home/www/1of/public/.well-known/acme-challenge
Attempting to save validation to /home/www/1of/public/.well-known/acme-challenge/Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4
Waiting for verification...
JWS payload:
{
  "keyAuthorization": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs", 
  "type": "http-01", 
  "resource": "challenge"
}
Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250:
https://acme-staging.api.letsencrypt.org:443 "POST /acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250 HTTP/1.1" 202 338
Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 5373810
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250
Replay-Nonce: gPeM-y_J-FYoBaI9lWzn_6c1ZI3nTQUyAvMfAJfPVbw
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250",
  "token": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4",
  "keyAuthorization": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs"
}
Storing nonce: gPeM-y_J-FYoBaI9lWzn_6c1ZI3nTQUyAvMfAJfPVbw
Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc.
https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc HTTP/1.1" 200 1558
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1558
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: iTMykircDevX-rNAiIjOq-0Y9j7tVOtRaKd7IhVcqX4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jan 2018 16:24:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:56 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "1of.bluedgeusa.com"
  },
  "status": "invalid",
  "expires": "2018-01-18T16:24:53Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657249",
      "token": "Ruk-4QP4ikWDrF-FkXc-MpykXaf1Lu4hCy2RhzrQ6fg"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]",
        "status": 403
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250",
      "token": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4",
      "keyAuthorization": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs",
      "validationRecord": [
        {
          "url": "http://1of.bluedgeusa.com/.well-known/acme-challenge/Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4",
          "hostname": "1of.bluedgeusa.com",
          "port": "80",
          "addressesResolved": [
            "45.55.21.101"
          ],
          "addressUsed": "45.55.21.101",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ]
  ]
}
Reporting to user: The following errors were reported by the server:

Domain: 1of.bluedgeusa.com
Type:   unauthorized
Detail: The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Cleaning up challenges
Removing /home/www/1of/public/.well-known/acme-challenge/Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4
Unable to clean up challenge directory /home/www/1of/public/.well-known/acme-challenge
Error was: [Errno 39] Directory not empty: '/home/www/1of/public/.well-known/acme-challenge'
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. 1of.bluedgeusa.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]
Failed authorization procedure. 1of.bluedgeusa.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: 1of.bluedgeusa.com
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs]
    != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): NodeJS 8.9.4

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I found the issue (weird one, by the way).
A few months ago I set up SSL serving back the requested URL after challenge/ (as text/plain).
This didn't work this time; I had to catch the request and serve the file as an HTTP answer.

Not sure why it is different this time; hopefully it helps someone.
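
The fix described in the post above (serve the file certbot writes into the webroot instead of echoing the URL segment), as an added example that is not part of the original thread. `resolveChallenge`, `echoToken` and `createChallengeServer` are hypothetical names, and a plain `node:http` server is assumed because the post does not say which framework was used.

```javascript
const fs = require('node:fs');
const http = require('node:http');
const path = require('node:path');

const CHALLENGE_PREFIX = '/.well-known/acme-challenge/';
// ACME tokens are base64url strings; rejecting anything else also blocks path traversal.
const TOKEN_RE = /^[A-Za-z0-9_-]+$/;

// Hypothetical helper: map a request path to the response the CA must see.
function resolveChallenge(webroot, urlPath) {
  if (!urlPath.startsWith(CHALLENGE_PREFIX)) return null; // not a challenge request
  const token = urlPath.slice(CHALLENGE_PREFIX.length);
  if (!TOKEN_RE.test(token)) return { status: 400, body: 'bad token' };
  const file = path.join(webroot, '.well-known', 'acme-challenge', token);
  try {
    // certbot --webroot stores the full key authorization ("<token>.<thumbprint>") here.
    return { status: 200, body: fs.readFileSync(file, 'utf8') };
  } catch (err) {
    if (err.code === 'ENOENT') return { status: 404, body: 'not found' };
    throw err;
  }
}

// The failing behaviour from the post: echoing the URL segment yields only the bare token,
// which is the right-hand side of the "did not match this challenge" error.
function echoToken(urlPath) {
  return urlPath.slice(CHALLENGE_PREFIX.length);
}

// Wrap the resolver in an HTTP server; the caller decides where to listen.
function createChallengeServer(webroot) {
  return http.createServer((req, res) => {
    const pathname = new URL(req.url, 'http://localhost').pathname;
    const result = resolveChallenge(webroot, pathname) || { status: 404, body: 'not found' };
    res.writeHead(result.status, { 'Content-Type': 'text/plain' });
    res.end(result.body);
  });
}
// e.g. createChallengeServer('/home/www/1of/public').listen(80);
```
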
