The key authorization file from the server did not match this challenge

My domain is: forennyvarld.se

I ran this command:

sudo certbot certonly --test-cert --force-renewal -d forennyvarld.se

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for forennyvarld.se
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. forennyvarld.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge "igI4ufJl6MKO6YDLleKDxdqI9QyulTGgyOHEmQUCMUQ.43oP36BhRd9JXI52luz7wXaE6fGTkXQRzZM2ibq4vsE" != "igI4ufJl6MKO6YDLleKDxdqI9QyulTGgyOHEmQUCMUQ.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: forennyvarld.se
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   "igI4ufJl6MKO6YDLleKDxdqI9QyulTGgyOHEmQUCMUQ.43oP36BhRd9JXI52luz7wXaE6fGTkXQRzZM2ibq4vsE"
   !=
   "igI4ufJl6MKO6YDLleKDxdqI9QyulTGgyOHEmQUCMUQ.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Please do NOT use this option if you have absolutely no clue what it actually does (as seems to be the case here). It does NOT maaaaaaagically make a previously failing challenge suddenly pass.

Also please use the staging environment for testing before you hit a rate limit.

With regard to the failing challenge: for some reason the nginx plugin uses an account which is different than the account used to communicate with the ACME server, which is kinda weird. I also noticed your Certbot version is 0.31.0, which is like, ancient. There might have been a bug in Certbot which has been fixed in the meantime. (Or maybe not, but a good idea to try and update Certbot nonetheless.) Please upgrade Certbot by switching to snapd, see https://certbot.eff.org/ for the instructions.

The key authorization file from the server did not match this challenge
I see the first portion does match but the second portion DOES NOT.

Also

is old; see Certbot 2.4.0 Release

The authorization changes with each certbot request.

If the system is finding an entry which is unexpected, then it sounds like it might be an outdated entry, which sounds like it was entered manually, as automated systems won't make such a mistake.

So...
How have you adjusted the ACME challenge response to produce the outdated reply?

That's the first part, the token. The second part after the dot (.) is the base64 of the account thumbprint and is the same for every challenge of the same ACME account.
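The structure described in the reply above, as an added example (not code from the thread, from Certbot or from Boulder): build the RFC 7638 thumbprint of an ACME account key, assemble the `<token>.<thumbprint>` key authorization, and classify a mismatch the way the `"expected" != "served"` detail line in the error output reports it. The RSA modulus in the demo is a constructed placeholder, not a real key, so only the shape of its thumbprint means anything; the detail line fed to the parser is the one from the thread.

```python
"""Key authorization for HTTP-01: <token>.<base64url(SHA-256 thumbprint of the ACME account JWK))>.

Added example, not Certbot code. The account key used in __main__ is a placeholder JWK
with a made-up modulus, so only the shape of its thumbprint is meaningful there.
"""
import base64
import hashlib
import json
import re

# RFC 7638 hashes only the required public members of the key; alg, kid, use, ... are ignored.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

MATCH = "match"
FOREIGN_ACCOUNT = "token matches, thumbprint differs: a different ACME account key answered"
STALE_TOKEN = "token differs: an old or wrong challenge response was served"
NOT_KEYAUTHZ = "body is not a key authorization at all"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, keys sorted, no whitespace, UTF-8, SHA-256."""
    members = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the CA expects to read back from /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def parse_mismatch(detail: str):
    """Pull (expected, served) out of a '"a.b" != "c.d"' detail line; None if no such pair is present."""
    m = re.search(r'"([^"]+)"\s*!=\s*"([^"]+)"', detail)
    return (m.group(1), m.group(2)) if m else None


def diagnose(expected: str, served: str) -> str:
    """Explain why a served body does not equal the expected key authorization."""
    served = served.strip()
    if served == expected:
        return MATCH
    if "." not in served:
        return NOT_KEYAUTHZ
    expected_token, _ = expected.split(".", 1)
    served_token, _ = served.split(".", 1)
    # Same token but a different suffix: the response was built from another account key.
    return FOREIGN_ACCOUNT if served_token == expected_token else STALE_TOKEN


if __name__ == "__main__":
    # Constructed placeholder account key (not a real RSA modulus).
    account = {"kty": "RSA", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy",
               "e": "AQAB", "alg": "RS256"}
    print("thumbprint:", jwk_thumbprint(account))
    print("key authz :", key_authorization("tok", account))
    # The detail line from the thread's second attempt.
    detail = ('The key authorization file from the server did not match this challenge '
              '"KqftifDj-RkDWuDnxCS6ZwUHzuYdiDmShS7kCYoTMtQ.43oP36BhRd9JXI52luz7wXaE6fGTkXQRzZM2ibq4vsE" != '
              '"KqftifDj-RkDWuDnxCS6ZwUHzuYdiDmShS7kCYoTMtQ.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8"')
    expected, served = parse_mismatch(detail)
    print(diagnose(expected, served))
```

Running it against the thread's detail line yields the "token matches, thumbprint differs" verdict, which is exactly the case the posters are puzzling over: the CA found a correctly named file whose suffix was derived from an account key other than the one Certbot used to place the order.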

So... there are multiple certbot clients at play?

I doubt that two separately running instances of Certbot could get the same token from the ACME server, but an explanation I do not have.

So, the same certbot is somehow using one account to send and another account to validate with...???

Sounds like it's time to uninstall/reinstall/upgrade certbot.

I don't understand either how that would happen, but that's how I currently look at the results, yes.

Ok, thanks. I have removed old certbot and installed version 2.4.0.

I run sudo certbot certonly --test-cert -d forennyvarld.se and still get:

$ sudo certbot certonly --test-cert -d forennyvarld.se
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A separate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Requesting a certificate for forennyvarld.se

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: forennyvarld.se
  Type:   unauthorized
  Detail: The key authorization file from the server did not match this challenge "KqftifDj-RkDWuDnxCS6ZwUHzuYdiDmShS7kCYoTMtQ.43oP36BhRd9JXI52luz7wXaE6fGTkXQRzZM2ibq4vsE" != "KqftifDj-RkDWuDnxCS6ZwUHzuYdiDmShS7kCYoTMtQ.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Do you need the LE accounts that are on that server?

If not, I suggest we get all new ones.

What shows?:
ls -lR /etc/letsencrypt/accounts/
$ sudo ls -lR /etc/letsencrypt/accounts/
/etc/letsencrypt/accounts/:
total 8
drwx------ 3 root root 4096 Jun 21  2022 acme-staging-v02.api.letsencrypt.org
drwx------ 3 root root 4096 May 18  2019 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 4
drwx------ 3 root root 4096 Jun 21  2022 directory

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
total 4
drwx------ 2 root root 4096 Jun 21  2022 6b81889714d600e86e32eefa3db0837a

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/6b81889714d600e86e32eefa3db0837a:
total 12
-rw-r--r-- 1 root root   65 Jun 21  2022 meta.json
-r-------- 1 root root 1632 Jun 21  2022 private_key.json
-rw-r--r-- 1 root root   86 Jun 21  2022 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 4
drwx------ 3 root root 4096 May 18  2019 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 4
drwx------ 2 root root 4096 May 18  2019 18954988a72c3dead8989a717da93a4a

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/18954988a72c3dead8989a717da93a4a:
total 12
-rw-r--r-- 1 root root   65 May 18  2019 meta.json
-r-------- 1 root root 1632 May 18  2019 private_key.json
-rw-r--r-- 1 root root   78 May 18  2019 regr.json

hmm...
The dates and sizes seem correct.

If not, have a look at:
User Guide - Certbot 2.4.0 documentation (eff-certbot.readthedocs.io)

I do not know if I need them, probably not; what would I need them for? How do I create new ones?

Like... if you have ever requested, and been granted, a rate limit increase.
Those are usually based on specific accounts.

ah, ok, no, I did not request any rate increases, so I guess I can recreate accounts. Would I be able to renew the existing certificate with new accounts? Sorry for the silly questions.

Unless you've implemented some DNS/CAA restrictions to a specific LE account [not likely].
Then as long as you can satisfy the HTTP-01 challenge you can obtain new certs.
[FYI: There really isn't such a thing as a certificate renewal - all renewed certs are new certs]

So, yes.

I have created new account, but getting same error:

Account registered.
Requesting a certificate for forennyvarld.se

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: forennyvarld.se
  Type:   unauthorized
  Detail: The key authorization file from the server did not match this challenge "fEDQeCloAvW-vD2YvaZ4MVlrvw4GH2Zab3D-Fs3m-Sg.soPEalyNYAk2O9GoNEjdT5Pq_KtM-XJiKLYSWJFdifk" != "fEDQeCloAvW-vD2YvaZ4MVlrvw4GH2Zab3D-Fs3m-Sg.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8"

Your Loopia hosting is intercepting the ACME challenge requests. You'll have to ask them:

$ curl -i 194.9.94.85/.well-known/acme-challenge/look-mum-no-challenge
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Mar 2023 21:36:37 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Loopia-Node: 172.22.234.12

look-mum-no-challenge.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8

You could potentially use the DNS challenge to get your certificate, which will avoid this interception. My certbot-dns-multi plugin supports Loopia with Certbot:
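The curl check in the reply above, turned into a repeatable probe (added example, not part of the thread, of Certbot or of the certbot-dns-multi plugin): request a token that no CA ever issued and see whether something upstream answers it with a key authorization of its own. A clean origin has nothing to serve for an unknown token and returns a non-200; an ACME-aware front end that holds its own account key returns 200 with `<token>.<its thumbprint>`, which is what the `look-mum-no-challenge` request above showed. The `fetch` parameter is injectable so the classification can be exercised offline against captured replies; `http_fetch` is the live default, and the host name is only a command-line default.

```python
"""Probe an HTTP-01 path for an interceptor. Added example, not from the thread or any plugin.

Idea: ask for a token that no CA ever issued. A clean origin answers 404 (nothing to serve);
an ACME-aware proxy holding its own account key answers 200 with <token>.<its thumbprint>.
"""
import re
import secrets
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"
_THUMBPRINT_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # base64url(SHA-256) without padding

CLEAN = "clean: an unissued token is not answered with 200"
INTERCEPTED = "intercepted: an unissued token was answered with a key authorization for another account"
SELF = "self: an unissued token was answered with your own account thumbprint (your own responder)"
CATCH_ALL = "catch-all: 200 for an unissued token, but the body is not a key authorization"

Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Live fetcher returning (status, body). HTTP error statuses are returned; network errors propagate."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-intercept-probe/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, fetch: Fetcher = http_fetch, token: Optional[str] = None,
          own_thumbprint: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (verdict, thumbprint_seen). `token` defaults to a fresh random one no CA has issued."""
    token = token or secrets.token_urlsafe(32)  # 43 url-safe characters, no '.' or '/'
    status, body = fetch(f"http://{host}{CHALLENGE_PATH}{token}")
    body = body.strip()
    if status != 200:
        return CLEAN, None
    prefix = token + "."
    if body.startswith(prefix) and _THUMBPRINT_RE.fullmatch(body[len(prefix):]):
        seen = body[len(prefix):]
        # Your own responder (e.g. a rewrite rule you configured) would answer with your thumbprint.
        return (SELF if seen == own_thumbprint else INTERCEPTED), seen
    return CATCH_ALL, None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "forennyvarld.se"  # default taken from the thread
    verdict, seen = probe(host)
    print(verdict)
    if seen:
        print("thumbprint seen:", seen)
```

If the verdict is "intercepted", compare the thumbprint it reports with the suffix of the first string in Certbot's `!=` pair: if they differ, as in this thread, no amount of reinstalling Certbot or rotating local accounts will help, because the host in front of the origin is answering the CA with its own key, and the remaining options are to have the provider stop intercepting the path or to validate with DNS-01 instead.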