The challenge does not match the returned value from the server indeed.
I traced the requested URL and it never matched the challenge in the first place.
This test seems to work just fine: http://1of.bluedgeusa.com/.well-known/acme-challenge/test
My domain is: 1of.bluedgeusa.com
I ran this command: certbot certonly --webroot -w /home/www/1of/public -d 1of.bluedgeusa.com --dry-run -v
It produced this output:
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fd9e1e83990>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fd9e1e83990> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=u'valid', contact=(u'mailto:n.alessandra@gmail.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fd9e1e83bd0>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/5373810', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 01f234a972b680b7cac9ed2a8f717588, Meta(creation_host=u'1of-limited-edition', creation_dt=datetime.datetime(2018, 1, 11, 15, 13, 21, tzinfo=)))>
Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
https://acme-staging.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 582
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 582
Replay-Nonce: XH-BSdhD_Yn1DLH86kPqpIGhSHbE0BNtxMSnPnJx3k8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive
{
"XKOCVXx5TwU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
"meta": {
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
},
"new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
https://acme-staging.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: qBRBz2WwNfcVJmW5paCnEWyhp5LDg9CnzHsJa6uwVPA
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive
Storing nonce: qBRBz2WwNfcVJmW5paCnEWyhp5LDg9CnzHsJa6uwVPA
JWS payload:
{
"identifier": {
"type": "dns",
"value": "1of.bluedgeusa.com"
},
"resource": "new-authz"
}
Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
{
"protected": "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",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiMW9mLmJsdWVkZ2V1c2EuY29tIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0",
"signature": "oeP1577UpbNdtUkpKP1oTlmuzgMBPnC9sGElBvv-OkBo-VybONOLFcRzvQwpJUAQB8oYJprqHTTOjvp3h9lKduQ8ZhVshOhDyZG1_QBj2FUtcuaEpHmqaEpkzstdXv42x5G3Cyp9RGHk75828a7CATeeFvrgIOP6uQ1G5XqQA5caQfyonO9AbmQ6ROKmpNAMEjinSwsdS5vNhP91taCbfrrBYgkgnuRMsNoznKSVUKT-jC_ImdE7bO_pBfgNeiMxn-jN-dWpRqnkivSFPVaLcPhdc7q6pxlFIAKt6ej6ZJnB0PtooyJibnph5BWKebOL4OJ9umGsymvF9RfnnJX_zQ"
}
https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 737
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 737
Boulder-Requester: 5373810
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc
Replay-Nonce: kU8SYb1p67clP4dGOP6Njzz4PXNdDrb768Fz1_BSD1E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "1of.bluedgeusa.com"
},
"status": "pending",
"expires": "2018-01-18T16:24:53.639046806Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657249",
"token": "Ruk-4QP4ikWDrF-FkXc-MpykXaf1Lu4hCy2RhzrQ6fg"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250",
"token": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4"
}
],
"combinations": [
[
0
],
[
1
]
]
}
Storing nonce: kU8SYb1p67clP4dGOP6Njzz4PXNdDrb768Fz1_BSD1E
Performing the following challenges:
http-01 challenge for 1of.bluedgeusa.com
Using the webroot path /home/www/1of/public for all unmatched domains.
Creating root challenges validation dir at /home/www/1of/public/.well-known/acme-challenge
Attempting to save validation to /home/www/1of/public/.well-known/acme-challenge/Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4
Waiting for verification...
JWS payload:
{
"keyAuthorization": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs",
"type": "http-01",
"resource": "challenge"
}
Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250:
{
"protected": "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",
"payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIkNtYTdVMEkybW5tWlZGNk93SzlLRHB5Vl9nSXQ2MnduUGVDeEhENm1vWTQuRmkyVElON2w0V083dmdKQzZSNDFzNHdKNzlVSjhkbVNfRnYxZ05aZFdqcyIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9",
"signature": "kCfbSos9fm1Cntu_zZIScbVKfbhpmuv-v3eO0n2Oea3G8mPcwhk3uA3CbwolISRJvGfYfW-_q7Kh4i8DC_ChwVMXfEUhqA-fBpioYLMtliyQ5IxHfXaZgyOVrDWCo1UMPZZiF9cKslQMeHguYjqcXhN2kl5pib_DGsZ8rCUKnwFlDBOVyoFCpy5K3SrbXebsXKSuZswvlpeERUPIWRJ6ZG_W3o-16s8SIXzC8i5aJkrJH1N748oQzU_TIYAGbRw-_VHa--S8cKih4bimByR7UtEuO0I2hnbbEQMSb6wTfUZ4e3j3NArdXGxbeZLVB1oDwh7zKCrwd2Y7nvRmCDm6Qw"
}
https://acme-staging.api.letsencrypt.org:443 "POST /acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250 HTTP/1.1" 202 338
Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 5373810
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250
Replay-Nonce: gPeM-y_J-FYoBaI9lWzn_6c1ZI3nTQUyAvMfAJfPVbw
Expires: Thu, 11 Jan 2018 16:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:53 GMT
Connection: keep-alive
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250",
"token": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4",
"keyAuthorization": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs"
}
Storing nonce: gPeM-y_J-FYoBaI9lWzn_6c1ZI3nTQUyAvMfAJfPVbw
Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc.
https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc HTTP/1.1" 200 1558
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1558
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: iTMykircDevX-rNAiIjOq-0Y9j7tVOtRaKd7IhVcqX4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jan 2018 16:24:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 16:24:56 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "1of.bluedgeusa.com"
},
"status": "invalid",
"expires": "2018-01-18T16:24:53Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657249",
"token": "Ruk-4QP4ikWDrF-FkXc-MpykXaf1Lu4hCy2RhzrQ6fg"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:unauthorized",
"detail": "The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]",
"status": 403
},
"uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5O-Zzs4mH6t_yBDPsS54Ni0YUbpif7loC5rVJi0IdHc/91657250",
"token": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4",
"keyAuthorization": "Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs",
"validationRecord": [
{
"url": "http://1of.bluedgeusa.com/.well-known/acme-challenge/Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4",
"hostname": "1of.bluedgeusa.com",
"port": "80",
"addressesResolved": [
"45.55.21.101"
],
"addressUsed": "45.55.21.101",
"addressesTried": []
}
]
}
],
"combinations": [
[
0
],
[
1
]
]
}
Reporting to user: The following errors were reported by the server:
Domain: 1of.bluedgeusa.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Cleaning up challenges
Removing /home/www/1of/public/.well-known/acme-challenge/Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4
Unable to clean up challenge directory /home/www/1of/public/.well-known/acme-challenge
Error was: [Errno 39] Directory not empty: '/home/www/1of/public/.well-known/acme-challenge'
Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. 1of.bluedgeusa.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]
Failed authorization procedure. 1of.bluedgeusa.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]
IMPORTANT NOTES:
 - The following errors were reported by the server:
Domain: 1of.bluedgeusa.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4.Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs]
!= [Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): NodeJS 8.9.4
The operating system my web server runs on is (include version): Ubuntu 16.04
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
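The error in the log above is the http-01 validator reporting that the body it fetched from `http://1of.bluedgeusa.com/.well-known/acme-challenge/<token>` was only the token, while certbot wrote `token.thumbprint` (the key authorization) into the webroot file. The following Python is an added diagnostic, not code from the post or from certbot: it computes the key authorization the way ACME defines it (RFC 7638 JWK thumbprint of the account key, joined to the token with a dot), parses Boulder's `[expected] != [served]` detail string, and classifies the mismatch so the operator can tell a "server echoes the token instead of serving the file" failure from a wrong path or a stale account key. `SAMPLE_JWK` is a constructed placeholder, not a real key; the detail string is the one from the log above.

```python
import base64
import hashlib
import json
import re

# Constructed sample account key (NOT a real key): only the shape matters here.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus-base64url", "e": "AQAB"}

# Detail string copied from the certbot log in the post above.
LOG_DETAIL = (
    "The key authorization file from the server did not match this challenge "
    "[Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4."
    "Fi2TIN7l4WO7vgJC6R41s4wJ79UJ8dmS_Fv1gNZdWjs] != "
    "[Cma7U0I2mnmZVF6OwK9KDpyV_gIt62wnPeCxHD6moY4]"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME/JWS uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, no whitespace, then base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the http-01 validator expects as the response body: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


DETAIL_RE = re.compile(r"\[([^\]]*)\] != \[([^\]]*)\]")


def parse_mismatch_detail(detail: str):
    """Pull (expected, served) out of Boulder's 'did not match this challenge' message."""
    m = DETAIL_RE.search(detail)
    return (m.group(1), m.group(2)) if m else None


def diagnose(expected: str, served: str) -> str:
    """Classify how the body the CA fetched differs from the key authorization.

    match                - bodies are identical
    whitespace-only      - same text apart from surrounding whitespace
    token-only           - server returned just the token, the '.thumbprint' half is missing
    thumbprint-mismatch  - right token, different account key (file written by another account)
    token-mismatch       - a different token entirely (wrong path, stale file, other vhost)
    """
    exp_token, _, exp_thumb = expected.partition(".")
    srv = served.strip()
    if srv == expected and served == expected:
        return "match"
    if srv == expected:
        return "whitespace-only"
    if srv == exp_token:
        return "token-only"
    srv_token, _, srv_thumb = srv.partition(".")
    if srv_token == exp_token and srv_thumb != exp_thumb:
        return "thumbprint-mismatch"
    return "token-mismatch"


def diagnose_log_detail(detail: str) -> str:
    """Convenience wrapper: parse a Boulder detail string and classify it."""
    parsed = parse_mismatch_detail(detail)
    if parsed is None:
        return "unparsed"
    return diagnose(*parsed)


if __name__ == "__main__":
    print("expected shape :", key_authorization("tok", SAMPLE_JWK))
    print("log diagnosis  :", diagnose_log_detail(LOG_DETAIL))
```

Run against the detail in the log this reports `token-only`, which is the one class of mismatch that cannot be caused by DNS or by certbot writing to the wrong webroot: the file certbot saved contains the full key authorization, so a body consisting of the bare token has to come from whatever the Node server does with requests under `/.well-known/acme-challenge/` before it would ever read that file. Comparing the file on disk with `curl` output for the same URL from outside the host is the quickest way to confirm which layer is rewriting the response.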