The key authorization file from server did not match this challenge

Hello dear. I ask for your help. There is a Debian 9 droplet on DigitalOcean (DO). It has 6 sites. Sites were transferred to DO a very long time ago. Now I need to install LetsEncrypt on the sites. Unfortunately, I haven't done this before. But the algorithm is written on the Internet quite clearly.
I logged into the server. I upgraded all programs and installed LetsEncrypt (Certbot 0.28.0). I looked at the VirtualHosts with "apachectl -t -D DUMP_VHOST". Answer:

*.*.*.*:8443 (/home/admin/conf/web/
*.*.*.*:8080 is a NameVirtualServer
       default server (/home/.....)
       port 8080 namevhost (/home/...)
       port 8080 namevhost (/home/...)
              alias www........
       port 8080 namevhost (/home/...)
              alias www........
       port 8080 namevhost (/home/...)
              alias www........
       port 8080 namevhost (/home/...)
              alias www........
       port 8080 namevhost (/home/...)
              alias www........
       port 8080 namevhost (/home/...)
              alias www........

That is, now if I write "httpS://.." and the name of any of my sites, the server shows

OK. I created a folder "/public_html/.well-known/acme-challenge", gave it permissions 755. I write:
letsencrypt run -d -m --http-01-port 8080

Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized ::"
- The following errors were reported by server:
Detail: The key authorization file from server did not match this challenge
"ui-jfghkjf.123456578..." != "ui-jfghkjf.5654654645..."
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA records for that domain contain the right IP address.

I checked - all DNS records are correct.

A directs to  *.*.*.*
MX mail handled by
A directs to *.*.*.*
NS directs to
NS directs to
NS directs to

But I saw that in the configuration of the virtual server there was already a line with some key that LetsEncrypt swore at:
return 200 "$1.5654654645..."

I transferred this file, hid it. But nothing has changed.

Tell me, please, what should be done?

You are overcomplicating your job.

Check the "getting started" section on

And please note that version 0.28something is really old.


Thank you very much for your answer, 9peppe. I started doing as you said. Like it says in
But when I got to point 7, the same error repeated:

7. Choose how you'd like to run Certbot
Either get and install your certificates...
sudo certbot --apache

I wrote this command, but again added --http-01-port 8080 (I have servers on this port)
The same error appeared (on picture):


The validation server only connects on port 80. That option is for when you use --standalone instead of --apache and you have a reverse proxy in front of your certbot.

You can serve your website on whatever port you want, but validation needs to happen on port 80.

If you have no webserver on port 80 you can run

certbot --authenticator standalone --installer apache

(But you do have a webserver on port 80, serving some other challenge.)

Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

That makes sense.

What are you serving on port 80?


I will repeat what I wrote above. All virtual hosts are set (for 1) to port 8080. This was not done by me, and it was done many years ago. Why and for what, I do not know. Judging by the response from "apachectl -t -D DUMP_VHOST", there is nothing on port 80.

There is something on port 80, even if it's not Apache.

To find out what, run ss -tlpn


Yes, you are right. Listening on my IP on port 80:
users:(("nginx", pid=997, fd=35), ("nginx", pid=884, fd=35)).
User "root" and user "www-data" are listening on port 80. Both CMD - "nginx".

Then this should work:

certbot --authenticator nginx --installer apache

(If you installed both plugins)
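Added example, not code from the thread or from Certbot: two small shell checks for the situations discussed above. The first reads `ss -tlpn` output and reports which process owns a given port (here a constructed sample modelled on the `users:(("nginx",...))` line quoted in the thread), so you can see up front whether port 80 belongs to nginx, Apache or nothing. The second compares the key authorization a web server actually returns for a challenge token with the one the ACME client expects, which is the mismatch behind "The key authorization file from server did not match this challenge" (a stale hardcoded `return 200 "$1.…"` rule in nginx produces exactly that). The `/.well-known/acme-challenge/` path and the `curl`/`ss` invocations are standard; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): diagnose the two failure modes discussed above.

# Constructed sample of `ss -tlpn` output, modelled on the line quoted in the thread.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=997,fd=35),("nginx",pid=884,fd=35))
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*          users:(("apache2",pid=1201,fd=4))
LISTEN  0       128     0.0.0.0:8443        0.0.0.0:*          users:(("apache2",pid=1201,fd=6))'

# Print the name of the process listening on TCP port $1, reading ss output from $2.
# Prints nothing if no listener is found. (On a live box: port_owner 80 "$(ss -tlpn)";
# ss only shows other users' process names when run as root.)
port_owner() {
  local port="$1" ss_output="$2"
  printf '%s\n' "$ss_output" \
    | awk -v p=":$port" '$4 ~ (p "$") {
        # first quoted name inside users:(("name",pid=...)) is the process
        if (match($0, /\("[^"]+"/)) { print substr($0, RSTART + 2, RLENGTH - 3); exit }
      }'
}

# Fetch what the server on port 80 returns for an http-01 token (needs network; not used
# by the test). The validation server connects to port 80 regardless of --http-01-port.
fetch_keyauth() {
  local host="$1" token="$2"
  curl -s --max-time 10 "http://$host/.well-known/acme-challenge/$token"
}

# Return 0 if the served key authorization $2 equals the expected one $1, else 1.
# A trailing newline added by the server is ignored; anything else is a mismatch.
keyauth_matches() {
  local expected="$1" served="$2"
  served=$(printf '%s\n' "$served")   # command substitution strips trailing newlines
  [ "$served" = "$expected" ]
}

# Example run on the constructed sample
owner=$(port_owner 80 "$SAMPLE_SS")
echo "port 80 is owned by: ${owner:-nobody}"
if keyauth_matches "ui-token.EXPECTED-KEY" "ui-token.STALE-KEY"; then
  echo "key authorization matches"
else
  echo "key authorization does NOT match: the server is returning a stale or wrong file"
fi
```

If `port_owner 80` prints `nginx`, the http-01 challenge has to be answered by nginx (or nginx must proxy `/.well-known/acme-challenge/` to wherever Certbot writes the file); if it prints nothing, `--standalone` can bind port 80 itself.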



500. Internal Server Error

Sorry, something went wrong :frowning:

$ systemctl start apache2
Job apache2.service failed because the control process exited with error code. See journalctl -xe

Screenshot. It seems to me that this is the Vesta admin panel conflicting.

Probably. Does Vesta have its own acme client? Probably.


I think not

I am now restoring yesterday's droplet image

Check if Vesta has a "native" way of doing that.

That kind of control panel only works if you do stuff their way.


I have now received certificates from LetsEncrypt using DNS-01. In folder /etc/letsencrypt/live/ I see cert.pem chain.pem fullchain.pem privkey.pem .

Can you tell me how to point Apache2 to them? And how to make Apache2 listen and see on the secure port not only Site-1 but this second site?

Your brightfield HTTPS is being handled by nginx, not Apache. Although, it is not using the correct cert; it is using one for a medical domain.

Maybe I do not understand what you are doing but it seems to me nginx is the server handling your HTTPS (port 443).

That's fine and you can use it to reverse proxy to Apache but then Apache does not need certs for that

You can see what cert (and server) is being used with a site like this SSL Checker (link here)
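Added example, not code from the thread or any of its posters: a shell check that does locally what the SSL checker mentioned above does, namely pull the certificate the server on port 443 presents and test whether its Subject Alternative Names actually cover the hostname you asked for. In the thread the wrong certificate (one issued for an unrelated medical domain) was being served, which this check flags immediately. The `openssl s_client` and `openssl x509 -ext subjectAltName` invocations are real (`-ext` needs OpenSSL 1.1.1 or newer); the sample certificate text and hostnames are constructed, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): does the certificate served on :443 cover the hostname?

# Constructed sample modelled on `openssl x509 -noout -subject -ext subjectAltName` output
# for a certificate issued to some unrelated domain.
SAMPLE_CERT_TEXT='subject=CN = example-medical.test
X509v3 Subject Alternative Name:
    DNS:example-medical.test, DNS:www.example-medical.test'

# Fetch the leaf certificate presented for $1 (with SNI) and print its subject and SANs.
# Needs network; not used by the test. Use "$(fetch_cert_text host)" as the text argument below.
fetch_cert_text() {
  local host="$1"
  openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

# Return 0 if hostname $1 is covered by a DNS SAN in certificate text $2, else 1.
# Exact names match; a wildcard "*.parent" matches exactly one extra label, as browsers do.
cert_covers_host() {
  local host="$1" text="$2" sans san parent rest
  sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
  for san in $sans; do
    if [ "$san" = "$host" ]; then
      return 0
    fi
    case "$san" in
      \*.*)
        parent="${san#\*.}"
        rest="${host%.$parent}"
        # rest is the part of host before ".parent"; it must exist and contain no dot
        if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# Example run on the constructed sample: the served cert does not cover our site
site="brightfield.test"
if cert_covers_host "$site" "$SAMPLE_CERT_TEXT"; then
  echo "certificate covers $site"
else
  echo "certificate does NOT cover $site: the server in front of port 443 is serving someone else's cert"
fi
```

When this reports a mismatch, fix the server that actually terminates TLS (nginx here, per the reply above) by pointing its `ssl_certificate`/`ssl_certificate_key` at the `fullchain.pem` and `privkey.pem` under `/etc/letsencrypt/live/`; giving the same files to Apache on a different port changes nothing for clients connecting to 443.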


Thank you!

