The key authorization file from server did not match this challenge

Hello dear. I ask for your help. There is a Debian 9 droplet on DigitalOcean (DO). It has 6 sites. Sites were transferred to DO a very long time ago. Now I need to install LetsEncrypt on the sites. Unfortunately, I haven't done this before. But the algorithm is written on the Internet quite clearly.
I logged into the server. I upgraded all programs and installed LetsEncrypt (Certbot 0.28.0). I looked at the VirtualHosts with "apachectl -t -D DUMP_VHOST". Answer:

*.*.*.*:8443 MySite1.com (/home/admin/conf/web/mysite1.com.apache2.ssl.conf:1)
*.*.*.*:8080 is a NameVirtualServer
       default server vesta.MyAdminSite.com (/home/.....)
       port 8080 namevhost vesta.MyAdminSite.com (/home/...)
              alias www.vesta.MyAdminSite.com
       port 8080 namevhost MySite1.com (/home/...)
              alias www........
       port 8080 namevhost MySite2.com (/home/...)
              alias www........
       port 8080 namevhost MySite3.com (/home/...)
              alias www........
       port 8080 namevhost MySite4.com (/home/...)
              alias www........
       port 8080 namevhost MySite5.com (/home/...)
              alias www........
       port 8080 namevhost MySite6.com (/home/...)
              alias www........

That is, now if I write "httpS://.." and the name of any of my sites, the server shows https://mySite1.com

OK. I created a folder "/public_html/.well-known/acme-challenge", gave it permissions 755. I write:
letsencrypt run -d MySite2.com -m admin@MySite2.com --http-01-port 8080
Answer:

Failed authorization procedure. MySite2.com (http-01): urn:ietf:params:acme:error:anauthorized ::"
...
IMPORTANT NOTE:
- The following errors were reported by server:
...
Detail: The key authorization file from server did not match this challenge
"ui-jfghkjf.123456578..." != "ui-jfghkjf.5654654645..."
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA records for that domain contains the right IP address.

I checked - all DNS records are correct.

A www.MySite2.com directs to *.*.*.*
MX MySite2.com mail handled by mail.another.mail.server.ua
A MySite2.com directs to *.*.*.*
NS MySite2.com directs to ns1.digitalocean.com.
NS MySite2.com directs to ns2.digitalocean.com.
NS MySite2.com directs to ns3.digitalocean.com.

But I saw that in the configuration of the nginx.MySite2.com.conf_letsencrypt virtual server there was already a line with some key that LetsEncrypt swore at:
return 200 "$1.5654654645..."

I transferred this file, hid it. But nothing has changed.

Tell me, please, what should be done?

You are overcomplicating your job.

Check the "getting started" section on certbot.eff.org

And please note that version 0.28something is really old.


Thank you very much for your answer, 9peppe. I started doing as you said. Like it says in certbot.eff.org.
But when I got to point 7, the same error repeated:

7. Choose how you'd like to run Certbot
Either get and install your certificates...
sudo certbot --apache

I wrote this command, but again added --http-01-port 8080 (I have servers on this port)
The same error appeared (see picture):


The validation server only connects on port 80. That option is for when you use --standalone instead of --apache and you have a reverse proxy in front of your certbot.

You can serve your website on whatever port you want, but validation needs to happen on port 80.

If you have no webserver on port 80 you can run

certbot --authenticator standalone --installer apache

(But you do have a webserver on port 80, serving some other challenge.)

Performing the following challenges:
http-01 challenge for MySite2.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

That makes sense.

What are you serving on port 80?


I will repeat what I wrote above. All virtual hosts are set (for 1) to port 8080. This was not done by me, and it was many years ago. Why and for what, I do not know. Judging by the response from "apachectl -t -D DUMP_VHOST", there is nothing on port 80.

There is something on port 80, even if it's not Apache.

To find out what, run ss -tlpn


Yes, you are right. Listening on my IP on port 80:
users:(("nginx", pid=997, fd=35), ("nginx", pid=884, fd=35)).
Users "root" and "www-data" are listening on port 80. Both CMD: "nginx"

Then this should work:

certbot --authenticator nginx --installer apache

(If you installed both plugins)

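The two diagnostics this thread turns on, as an added example (not code from the thread or from certbot): finding which process owns port 80 from `ss -tlpn` output, choosing the certbot plugin accordingly, and classifying the "key authorization file did not match" error, which compares `<token>.<account-key-thumbprint>` values. The `ss` output below is constructed to mirror the thread (nginx on 80/443, Apache on 8080), and the key-authorization strings are the thread's redacted ones.

```python
import re

# Constructed `ss -tlpn` output modelled on the thread; not captured from a real host.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=997,fd=35),("nginx",pid=884,fd=35))
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
LISTEN 0      128    [::]:443          [::]:*            users:(("nginx",pid=997,fd=36))
"""


def listeners(ss_text):
    """Return {port: {process names}} for every LISTEN socket in `ss -tlpn` output."""
    result = {}
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header or non-listening row
        port = int(parts[3].rsplit(":", 1)[1])  # works for 0.0.0.0:80 and [::]:443
        names = set(re.findall(r'\("([^"]+)",pid=\d+', line))
        result.setdefault(port, set()).update(names)
    return result


def certbot_plan(ports):
    """Pick certbot options from what owns port 80, the only port http-01 is validated on.
    Returns None when an unrecognised process holds the port (inspect it first)."""
    owners = ports.get(80, set())
    if not owners:
        return ["--authenticator", "standalone", "--installer", "apache"]
    if "nginx" in owners:
        return ["--authenticator", "nginx", "--installer", "apache"]
    if owners & {"apache2", "httpd"}:
        return ["--apache"]
    return None


def diagnose_keyauth(expected, served):
    """Classify a mismatch. A key authorization is <token>.<thumbprint of the ACME account key>;
    same token but a different thumbprint means something on port 80 is answering
    challenges with another account's key (e.g. a stale `return 200 "$1.<thumbprint>"` rule)."""
    exp_token, _, exp_thumb = expected.partition(".")
    got_token, _, got_thumb = served.partition(".")
    if expected == served:
        return "match"
    if exp_token == got_token and exp_thumb != got_thumb:
        return "thumbprint-mismatch"
    return "token-mismatch"


if __name__ == "__main__":
    ports = listeners(SS_OUTPUT)
    print("port 80 owners:", ports.get(80), "->", certbot_plan(ports))
    print(diagnose_keyauth("ui-jfghkjf.123456578", "ui-jfghkjf.5654654645"))
```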

Site:

500. Internal Server Error

Sorry, something went wrong :(

$ systemctl start apache2
Job apache2.service failed because the control process exited with error code. See journalctl -xe

Screenshot. It seems to me that this is the Vesta admin panel conflicting.

Probably. Does Vesta have its own acme client? Probably.


I think not

I am now restoring yesterday's droplet image

Check if Vesta has a "native" way of doing that.

That kind of control panel only works if you do stuff their way.


I have now received certificates from LetsEncrypt using DNS-01. In folder /etc/letsencrypt/live/MySite.com I see cert.pem chain.pem fullchain.pem privkey.pem .

Can you tell me how to point Apache2 to them? And how to make Apache2 listen on the secure port and serve not only Site-1 but this second site as well?

Your brightfield HTTPS is being handled by nginx, not Apache. Although, it is not using the correct cert; it is using one for a medical domain.

Maybe I do not understand what you are doing but it seems to me nginx is the server handling your HTTPS (port 443).

That's fine and you can use it to reverse proxy to Apache, but then Apache does not need certs for that.

EDIT:
You can see what cert (and server) is being used with a site like SSL Checker.


Thank you!
