The key authorization file from the server did not match this challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pandaarlington.com

I ran this command: certbot certonly --nginx -d pandaarlington.com

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.pandaarlington.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "6ui9GodshlkpdYiY94Z34qAM14JjUUXgcG1FD815QfM.h-QRL6Fl9XIJDwewn5nwA0QiwKpZLaT1k9UBr5c2VIk" (got "")
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run certbot with -v for more details.

My web server is (include version):nginx

The operating system my web server runs on is (include version):centos8

My hosting provider, if applicable, is:Qcloud

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

Hello @shuxiang, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please show the output of sudo certbot certificates and of sudo nginx -T (that is a capital T).


Thanks for your response.

sudo certbot certificates

[root@VM-0-2-centos ~]# sudo nginx -t && sudo systemctl reload nginx
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx.service is not active, cannot reload.
[root@VM-0-2-centos ~]#

[root@VM-0-2-centos ~]# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/pandaarlington.com.conf produced an unexpected error: expected /etc/letsencrypt/live/pandaarlington.com/cert.pem to be a symlink. Skipping.

How was Certbot installed?
Has the directory /etc/letsencrypt and its subdirectories been modified by anything other than Certbot?

Thanks for your response.
I have reinstalled Certbot by following this link "Certbot Instructions | Certbot"

and ran "certbot certonly --nginx -d pandaarlington.com"; the output:

[root@VM-0-2-centos yum.repos.d]# certbot certonly --nginx -d pandaarlington.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for pandaarlington.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: pandaarlington.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "LWlj8kP1q2TxK1sTaTgZkemWsZej0M7xDgn33BFiJ3E.h-QRL6Fl9XIJDwewn5nwA0QiwKpZLaT1k9UBr5C2VIk" (got "")
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run certbot with -v for more details.

Please show the output of sudo nginx -T (that is a capital T).

certbot --version

certbot 3.1.0

[root@VM-0-2-centos yum.repos.d]# sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid		/var/run/nginx.pid;


events {
	worker_connections  1024;
}


http {
	include	   /etc/nginx/mime.types;
	default_type  application/octet-stream;
	resolver 8.8.8.8 114.114.114.114;

	log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
					  '$status $body_bytes_sent "$http_referer" '
					  '"$http_user_agent" "$http_x_forwarded_for"';

	access_log  /var/log/nginx/access.log  main;

	sendfile		on;
	#tcp_nopush	 on;

	keepalive_timeout  65;
	server_names_hash_bucket_size  256;
	proxy_buffer_size 256k;
	proxy_buffers 256 256k;

	gzip  on;
	server {
    listen 80;
    server_name pandaarlington.com;
    }

include /etc/nginx/conf.d/*.conf;

}	


# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm index.php;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   unix:/run/php-fpm/www.sock;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

To use the --nginx option you need to have a server block for the domain name(s) you are requesting.

Your only server block is this for localhost:


Thanks for your response. There is a server block in /etc/nginx/nginx.conf.

I did not see one in the config you showed in the earlier post. Would you show the server block that has your domain as the server_name?

Note the output of nginx -T shows the active config.


configuration file /etc/nginx/nginx.conf:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    resolver 8.8.8.8 114.114.114.114;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;
    server_names_hash_bucket_size  256;
    proxy_buffer_size 256k;
    proxy_buffers 256 256k;

    gzip  on;
    server {
        listen 80;
        server_name mydomain.com;
    }

    include /etc/nginx/conf.d/*.conf;
}

That is not the nginx config that requests to your domain use. Currently, HTTP requests to your domain get redirected to HTTPS. There is no redirect in that server block.

Do you have multiple nginx systems running?

Is the IP address in the DNS pointing to this server?

@0ms: Making a request to http://pandaarlington.com/.well-known/acme-challenge/letsdebug-test
(using initial IP 49.51.48.200)
@336ms: Server response: HTTP 301 Moved Permanently
@336ms: Received redirect to https://pandaarlington.com/.well-known/acme-challenge/letsdebug-test
@856ms: Server response: HTTP 200 OK

Note the redirect gets an HTTP 200 OK from the HTTPS request. The nginx you show does not have any server blocks for port 443.


Thanks for your response. That is not the nginx config currently. I had tried that config, but it was not useful. And I checked the file letsencrypt.log; this file contains the following information:

DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

listen 80;
server_name mydomain.com;
location = /.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0{default_type text/plain;return 200 TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0.h-QRL6Fl9XIJDwewn5nwAOQiwKpZLaT1k9UBr5C2VIk;} # managed by Certbot

}

Therefore, I tried editing /etc/nginx/nginx.conf, changing the server block inside to the server block content above, and then accessing http://mydomain.com/.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0 returns TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0.h-QRL6Fl9XIJDwewn5nwAOQiwKpZLaT1k9UBr5C2VIk

So, I think maybe certbot modified nginx.conf and this file didn't work?

Yes, Certbot makes temporary changes to your nginx server block. It then reloads nginx and requests the certificate. The LE server sends requests to your domain and should be returned the challenge token from those changes.

After, Certbot removes those temp changes and reloads nginx again.

So, yes, something is going wrong. Right now I get redirected to HTTPS for that request. Is your nginx still as you show it? Because nothing in that HTTP server block should redirect to HTTPS. Which means some other nginx is replying to these requests.

Do you have multiple nginx systems?

curl -i http://pandaarlington.com/.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://pandaarlington.com/.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0
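The mechanism described in the reply above (Certbot serves token.thumbprint at the challenge path, the CA fetches it, following redirects, and compares) can be reproduced offline. The following script is an added example, not code from this thread or from Certbot: it computes the RFC 8555 key authorization from an account key's JWK thumbprint (RFC 7638) and then walks the challenge URL the way a validation server would, reporting why the comparison failed. The account key, token, domain and the two site response tables are constructed for the demo; the "broken" table mirrors the symptom in this thread, a 301 to HTTPS whose final response carries an empty body.

```python
"""HTTP-01 key authorization check, reproduced offline (added example, not Certbot code)."""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# (status, headers, body) for one fetched URL.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]

# RFC 7638: only the required public members of a JWK enter the thumbprint.
REQUIRED_JWK_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, lexicographically ordered, no whitespace."""
    members = {name: jwk[name] for name in REQUIRED_JWK_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint; this is the 'Expected' value in Certbot's error."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01(domain: str, token: str, account_jwk: dict,
                 fetch: Fetcher, max_redirects: int = 10) -> dict:
    """Follow the challenge URL like a validation server and explain the outcome."""
    expected = key_authorization(token, account_jwk)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    hops: List[Tuple[str, int, str]] = []  # (url, status, Server header)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        hops.append((url, status, headers.get("Server", "")))
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # validators follow redirects, HTTPS included
            continue
        break
    else:
        return {"ok": False, "reason": "too_many_redirects", "hops": hops, "expected": expected, "got": ""}

    got = body.strip()  # trailing whitespace is tolerated; anything else must match exactly
    if status != 200:
        reason = f"http_{status}"
    elif got == expected:
        reason = "ok"
    elif got == "":
        reason = "empty_body"  # the thread's symptom: Expected "..." (got "")
    else:
        reason = "mismatch"
    result = {"ok": reason == "ok", "reason": reason, "hops": hops, "expected": expected, "got": got}
    # A hop to another scheme or host means a different server block (or another nginx) answered.
    if len(hops) > 1 and urlsplit(hops[0][0])[:2] != urlsplit(hops[-1][0])[:2]:
        result["note"] = "final response came from a different scheme or host than the first request"
    return result


# Constructed EC account key: x/y are arbitrary base64url strings, not a usable key.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256", "kid": "acct-1",  # present in real JWKs, ignored by the thumbprint
}
TOKEN = "c0nstructedT0kenForTheDemo000000000000000000"  # constructed, ACME-token shaped
DOMAIN = "example.com"  # constructed; stands in for the domain being validated
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"


def make_fetcher(site: Dict[str, Response]) -> Fetcher:
    """Offline stand-in for an HTTP client: answers from a constructed response table."""
    def fetch(url: str) -> Response:
        return site.get(url, (404, {"Server": "nginx"}, "not found"))
    return fetch


# Scenario 1 (constructed): port 80 redirects to HTTPS, and whatever answers on 443
# does not carry Certbot's temporary location block, so the body comes back empty.
BROKEN_SITE: Dict[str, Response] = {
    f"http://{DOMAIN}{CHALLENGE_PATH}": (
        301, {"Server": "nginx/1.18.0", "Location": f"https://{DOMAIN}{CHALLENGE_PATH}"}, ""),
    f"https://{DOMAIN}{CHALLENGE_PATH}": (200, {"Server": "nginx/1.18.0"}, ""),
}
# Scenario 2 (constructed): the edited server block answers directly with the key authorization.
GOOD_SITE: Dict[str, Response] = {
    f"http://{DOMAIN}{CHALLENGE_PATH}": (
        200, {"Server": "nginx/1.18.0"}, key_authorization(TOKEN, SAMPLE_JWK) + "\n"),
}


def demo() -> Dict[str, dict]:
    """Run both scenarios and return the check results keyed by scenario name."""
    return {name: check_http01(DOMAIN, TOKEN, SAMPLE_JWK, make_fetcher(site))
            for name, site in (("broken", BROKEN_SITE), ("good", GOOD_SITE))}


if __name__ == "__main__":
    for name, result in demo().items():
        chain = " -> ".join(f"{u} [{s}]" for u, s, _ in result["hops"])
        print(f"{name}: {result['reason']}  {chain}")
```

Against a live host, make_fetcher would be replaced by a real HTTP client that does not follow redirects on its own, so that each hop stays visible; the hop list is what tells you whether the final answer came from the server block Certbot edited or from some other listener, which is exactly the question the reply above asks.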

Hi. Thanks for your response.

I often modify the nginx.conf file to try other solutions; now try this URL:

http://mydomain.com/.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0

Thanks.

I have modified the contents of the nginx.conf file; now I can open http://mydomain.com/.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0

server {
    rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

    listen 80;
    server_name mydomain.com;
    location = /.well-known/acme-challenge/TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0 {
        default_type text/plain;
        return 200 TsaNTVRUQPWGu6uEW5Yfrbq2GzuwhsbSJHHfAjEY4W0.h-QRL6Fl9XIJDwewn5nwAOQiwKpZLaT1k9UBr5C2VIk;
    } # managed by Certbot
}

Okay, good. Now remove those "managed by Certbot" lines and reload nginx. Then show the output of this:

sudo certbot certonly --nginx --dry-run -d pandaarlington.com