The key authorization file from the server did not match this challenge


#1

Hello,

For most of my domains, letsencrypt is working wonderfully and I never want to go back :)

I’m using letsencrypt.sh client and for two domains I get this error:

ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge [-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28] != [FeedurO7gTppB8-dabIhDPdmwD20AWwCS_2oZHi7BTs.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28]"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/AeMNno3Q5BQLrxECTivtpFj-xyS0HbDQJouz35_xnPo/39159319","token":"-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM","keyAuthorization":"-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28","validationRecord":[{"url":"http://members.vertisr.com/.well-known/acme-challenge/-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM","hostname":"members.vertisr.com","port":"80","addressesResolved":["85.10.205.167"],"addressUsed":"85.10.205.167"}]})

But I can see that the HTTP request got a 200 and the content of this file was:

66.133.109.36 - - [01/Apr/2016:09:35:08 +0200] "GET /.well-known/acme-challenge/-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM HTTP/1.1" 200 243 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28

Can someone please help me debug this?


#2

Hello @foobar23,

You are serving the contents of acme-challenge as application/octet-stream:

curl -i http://members.vertisr.com/.well-known/acme-challenge/-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 01 Apr 2016 08:19:01 GMT
Content-Type: application/octet-stream    <--------------------
Content-Length: 87
Connection: keep-alive
Keep-Alive: timeout=20

FeedurO7gTppB8-dabIhDPdmwD20AWwCS_2oZHi7BTs.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28

Could you please add these lines to your domain members.vertisr.com conf, reload nginx and try again to issue the cert?

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
}

Well, before trying to get the cert, put a test file with a line of text at /path/to/docroot/for/members.vertisr.com/.well-known/acme-challenge/testfile and try to retrieve it using curl:

curl -i http://members.vertisr.com/.well-known/acme-challenge/testfile

And if the conf change worked, you will see Content-Type: text/plain in the headers; then you can try to issue the cert again.

Cheers,
sahsanu


#3

Thank you very much for your help!

I figured it wasn't the mimetype, I was just stupid. There was still an old location part from when I tested letsencrypt manually :(

After removing this, it worked like the other domains.
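
Added example, not part of any post in this thread and not code from letsencrypt.sh: the error detail in post #1 already shows which half of the key authorization is wrong, and this sketch reads it out. It assumes the `[expected] != [served]` order seen here (the first value equals the `keyAuthorization` field, the second equals the body curl returned in post #2); the function names and result labels are hypothetical.

```python
import re

# A key authorization is "<token>.<account key thumbprint>", both base64url.
KEYAUTH_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$")
# The error detail quoted in post #1 has the shape "... [expected] != [served]".
DETAIL_RE = re.compile(r"\[([^\]]*)\] != \[([^\]]*)\]")

# Error detail copied from post #1 of this thread.
DETAIL = ("The key authorization file from the server did not match this "
          "challenge [-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM."
          "JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28] != "
          "[FeedurO7gTppB8-dabIhDPdmwD20AWwCS_2oZHi7BTs."
          "JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28]")


def parse_detail(detail):
    """Return (expected, served) from an 'unauthorized' http-01 error detail."""
    m = DETAIL_RE.search(detail)
    if m is None:
        raise ValueError("detail has no '[expected] != [served]' pair")
    return m.group(1), m.group(2)


def classify(expected, served):
    """Say which half of the served key authorization is wrong."""
    exp = KEYAUTH_RE.match(expected)
    if exp is None:
        raise ValueError("expected value is not a key authorization")
    served = served.strip()  # this check ignores a trailing newline in the file
    if served == expected:
        return "match"
    got = KEYAUTH_RE.match(served)
    if got is None:
        # e.g. an HTML error page returned instead of the challenge file
        return "not-a-key-authorization"
    same_token = got.group(1) == exp.group(1)
    same_thumb = got.group(2) == exp.group(2)
    if same_thumb and not same_token:
        # Same account key, other token: a file from an earlier challenge is
        # being served, e.g. by a leftover location block or another docroot.
        return "stale-token"
    if same_token and not same_thumb:
        # Right token, other account key: written by a different ACME account.
        return "other-account-key"
    return "unrelated-key-authorization"


if __name__ == "__main__":
    expected, served = parse_detail(DETAIL)
    print(classify(expected, served))  # stale-token
```

For the values in this thread the result is `stale-token`, which is consistent with the leftover location block found in post #3.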

