The key authorization file from the server did not match this challenge


For most of my domains letsencrypt is working wonderfully and I never want to go back :slight_smile:

I'm using client and for two domains I get this error:

ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge [-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28] != [FeedurO7gTppB8-dabIhDPdmwD20AWwCS_2oZHi7BTs.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28]"},"uri":"","token":"-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM","keyAuthorization":"-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM.JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28","validationRecord":[{"url":"","hostname":"","port":"80","addressesResolved":[""],"addressUsed":""}]})

But I can see that the HTTP request gets 200 and the content of this file was: - - [01/Apr/2016:09:35:08 +0200] "GET /.well-known/acme-challenge/-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM HTTP/1.1" 200 243 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +" "-"


Can someone please help me debug this?

Hello @foobar23,

You are serving the contents of acme-challenge as application/octet-stream:

curl -i
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 01 Apr 2016 08:19:01 GMT
Content-Type: application/octet-stream    <--------------------
Content-Length: 87
Connection: keep-alive
Keep-Alive: timeout=20


Could you please add these lines to your domain conf, reload nginx and try again to issue the cert?

location ^~ /.well-known/acme-challenge/ {
    # serve the challenge files as text/plain instead of application/octet-stream
    default_type "text/plain";
}

Well, before trying to get the cert, put a test file with a line of text in /path/to/docroot/for/ and try to retrieve it using curl:

curl -i

And if the conf change worked, you will see Content-Type: text/plain in the headers; then you can try to issue the cert again.



Thank you very much for your help!

I figured it out, it wasn’t the mimetype, I was just stupid. There was still an old location block left over from where I had tested letsencrypt manually :frowning:

After removing this, it worked like the other domains.
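The error quoted above already tells you what went wrong: a key authorization is "<token>.<account-key-thumbprint>", and the two values in the message share the thumbprint but differ in the token, which is exactly what a stale challenge file (or a leftover location block answering for the path) produces. The following script is an added example, not code from either poster or from any ACME client; it takes the JSON result the client printed and the body actually served, and reports which half disagrees.

```python
"""Diagnose an ACME http-01 "key authorization did not match" error.

Added example (not from the thread's posters). A key authorization is
"<token>.<thumbprint>": the thumbprint half identifies the ACME account
key, the token half identifies this particular challenge.
"""
import json

# Constructed from the error pasted in the thread; only the fields the
# check needs are kept.
CLIENT_RESULT = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "token": "-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM",
    "keyAuthorization": "-_dVouVdkdzUxnMDM9VdgwF6Bg-2ljlxDVs1BcbD_SM."
                        "JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28",
})
# What the web server actually returned for the challenge path
# (the right-hand value in the same error message).
SERVED_BODY = ("FeedurO7gTppB8-dabIhDPdmwD20AWwCS_2oZHi7BTs."
               "JLh-ENA3K0oKfcww06a2Zvndaht4OrYNbOpAUBAZd28\n")


def diagnose(result_json: str, served_body: str) -> dict:
    """Compare the served body with the expected key authorization."""
    result = json.loads(result_json)
    expected = result["keyAuthorization"]
    exp_token, exp_thumb = expected.split(".", 1)
    if result.get("token") != exp_token:
        return {"ok": False, "cause": "client state inconsistent: token field "
                                      "does not match keyAuthorization prefix"}
    served = served_body.strip()          # CAs tolerate trailing whitespace
    if served == expected:
        return {"ok": True, "cause": "served content matches"}
    if "." not in served:
        return {"ok": False, "cause": "body is not a key authorization: wrong "
                                      "file, error page or directory listing served"}
    got_token, got_thumb = served.split(".", 1)
    if got_thumb != exp_thumb:
        return {"ok": False, "cause": "thumbprint differs: file was written for a "
                                      "different ACME account key"}
    if got_token != exp_token:
        return {"ok": False, "cause": "token differs: a stale challenge file or "
                                      "another location block answers for this path"}
    return {"ok": False, "cause": "unexpected difference (encoding or extra data)"}


if __name__ == "__main__":
    print(diagnose(CLIENT_RESULT, SERVED_BODY))
```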

