The key authorization file from the server did not match this challenge

Hi guys,

I'm running grafana server (port 3000) into a private instance. I wish to install https feature via certbot but I get the following failed message. Do you have some advices to resolve this message please ?

My domain is:

I ran this command: sudo certbot certonly --standalone

It produced this output:
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge "wKx4mJdWIhgnquOxnajs9maJPYf_oBVQ3OctwrMfbVA.uRGGHW-zabCjIlpPXEuVC4257KNh0ThNjbwG4XRUeeQ" != ""

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version): Debian 10 in an EC2 aws instance

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.26.0

There's an OpenResty webserver answering on port 80. Answering with HTTP 200 OK status on any request for random files within the /.well-known/acme-challenge/ path. It looks like this is not compatible with your --standalone attempt using Certbot.

Could you perhaps explain more about the infrastructure of your setup? I also saw Varnish somewhere in the headers..


Hi Osiris,

Thanks for you reply.

This server is a server located into an EC2 instance server. It's use for grafana. Actually the security group allow internal flow (on our private subnet) to have access to grafana port3000. On the public side, only outside flow it's granted. There is not firewall rules on the server.

Only just grafana and prometheus have been installed.

1 Like

I have no idea what this means.

Fact: Let's Encrypt requires to be able to connect from the internet to port 80 on your host. It needs to download the token present at the /.well-known/acme-challenge/ path. Currently this is not possible.


Where was certbot installed?



Thanks for all your advices. I moved on and modify my DNS. But, I have a firewall problem I think

what are ports that should be opened ?


1 Like

Need port 80 open for http challenge for

I also see different DNS for your apex and this grafana domain name. That's OK but it often isn't what people intend so I thought I'd mention it.

Your grafana DNS points to an EC2 instance which does not have port 80 open. Check the EC2 security group. It will also need port 443 open to respond to https requests

Your apex DNS points to an AWS Global Accelerator. This has ports 80 and 443 open.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.