The key authorization did not match... but I just copy/pasted it

Hello there,

I’m trying to generate a certificate with certbot on my desktop for web hosting.
The step is quite simple:

Make sure your web server displays the following content at
http://nkda.co/.well-known/acme-challenge/4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w before continuing:

4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.uTELhyXiXjGZE6oY-Nal7LiiJvKQly-pLZ6KCDnZqnM

I did it but the test failed; it asks me to use one string and tests with another. I don’t understand.
The file has the right permissions and the content-type is text/plain.

Failed authorization procedure. nkda.co (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.uTELhyXiXjGZE6oY-Nal7LiiJvKQly-pLZ6KCDnZqnM] != [4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: nkda.co
Type:   unauthorized
Detail: The key authorization file from the server did not match this challenge
[4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.uTELhyXiXjGZE6oY-Nal7LiiJvKQly-pLZ6KCDnZqnM]
!=
[4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

Did I miss something? :confused:

Thanks for your help.

I remember someone on IRC having the exact same problem. That user was on OVH’s shared hosting plan, which seems to be the case here as well (according to whois).

OVH’s hosting service added a new feature a while ago that automatically obtains and installs certificates through Let’s Encrypt. I’m not quite sure if it’s available for every plan, and whether it’s enabled by default for everyone just yet. It seems the way they implemented domain ownership validation was to intercept requests to the .well-known/acme-challenge path and append their account key fingerprint to the end of the token (that’s 4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w in your case, with your account key fingerprint being uTELhyXiXjGZE6oY-Nal7LiiJvKQly-pLZ6KCDnZqnM and OVH’s being 4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8 - which happens to match the one I found in my IRC logs from that other user :smile:).

I would definitely recommend contacting support so they’re made aware that this is breaking domain validation for everyone on their shared hosting plan. Since there’s no way of telling if and when they’ll fix this, you might want to take a look at the DNS-based challenge (DNS-01) as an alternative in the meantime. This will work as long as you’re able to create a TXT record for your domain. Certbot currently does not support this yet, but you can use one of the other clients with DNS-01 support, such as lego.
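As an added illustration (not part of the original posts, and not certbot's own code): a key authorization is the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key, so splitting the two strings from the error shows which half differs. The function names are hypothetical; the two sample strings are the ones quoted in the error above.

```python
import base64
import hashlib
import json

# Values copied from the error message quoted in this thread.
EXPECTED = "4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.uTELhyXiXjGZE6oY-Nal7LiiJvKQly-pLZ6KCDnZqnM"
SERVED = "4K4utefY9yjK6O3GXVnksPSwhG6YDukVVE4ygo3LW0w.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"
# Members that RFC 7638 includes in the thumbprint, per key type.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk):
    """base64url(SHA-256(canonical JWK)): the second half of a key authorization."""
    members = {name: jwk[name] for name in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def diagnose(expected, served):
    """Classify why the body served at the challenge URL differs from the expected one."""
    served = served.rstrip()  # trailing whitespace in the file is tolerated
    if served == expected:
        return "match"
    exp_token, _, exp_thumb = expected.partition(".")
    got_token, sep, got_thumb = served.partition(".")
    if not sep:
        return "malformed: served body is not token.thumbprint"
    if got_token != exp_token:
        return "wrong token: stale or different challenge file"
    if got_thumb != exp_thumb:
        return "wrong thumbprint: response built with another ACME account key"
    return "malformed: expected value is not token.thumbprint"


if __name__ == "__main__":
    print(diagnose(EXPECTED, SERVED))
```

Running `jwk_thumbprint` on the public JWK of your own account key tells you which of the two thumbprints is yours.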

Thanks @pfg for your answer. Yes, it’s on OVH shared hosting.
I used the feature to automatically generate the certificate, and it works fine! But that’s not solving my issue :slight_smile:
I guess they won’t fix it because they offer this certificate generation in their hosting management tool.

I haven’t tested lego yet, but my issue is solved.
