The key authorization file from the server did not match this challenge


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cherberg.de

I ran this command: ./certbot-auto renew

It produced this output:
Plugins selected: Authenticator apache, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for cherberg.de

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (cherberg.de) from /etc/letsencrypt/renewal/cherberg.de.conf produced an unexpected error: Failed authorization procedure. cherberg.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [HTjSal-Fd1-C7v5I8XBszImvF5rVidmsMQ5NsvA-BXg.lsGRooYEb3t2f5-PGJdbLNkdAbUwNckqbqa_D3v-HrE] != [<html><head><title>cherberg.de</title></head><body><center><b>Diese Domain ist unkonfiguriert.</b></center></body></html>]. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/cherberg.de/fullchain.pem (failure)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: private hosting via DDNS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

IPv4:80 is blocked.
IPv6:80 is allowed but all requests seem to return the same 121 bytes:

<html><head><title>cherberg.de</title></head><body><center><b>Diese Domain ist unkonfiguriert.</b></center></body></html>

#3

Hi @cherberg

there are a lot of things.

First, you have ipv4 and ipv6:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| cherberg.de | A | 92.201.194.79 | yes | 1 | 0 |
| | AAAA | 2A01:04F8:0190:62F4:0000:0000:0000:0013 | yes | | |
| www.cherberg.de | A | 93.129.177.51 | yes | 1 | 0 |
| | AAAA | 2A01:04F8:0190:62F4:0000:0000:0000:0013 | yes | | |

Is your webserver configured?

Then:

Diese Domain ist unkonfiguriert.

Looks like the message is only a standard message of the system, generated via ipv6.

And your ipv4 has timeouts:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://cherberg.de/ 92.201.194.79 | -14 | | 10.027 | T |
| Timeout - The operation has timed out | | | | |
| http://www.cherberg.de/ 93.129.177.51 | -14 | | 10.027 | T |
| Timeout - The operation has timed out | | | | |
| https://cherberg.de/ 92.201.194.79 | 302 | https://cherberg.de/index.php/login | 8.347 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.cherberg.de/ 93.129.177.51 | -14 | | 10.026 | T |
| Timeout - The operation has timed out | | | | |
| https://cherberg.de/index.php/login | 200 | | 4.280 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| http://cherberg.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 92.201.194.79 | -14 | | 10.026 | T |
| Timeout - The operation has timed out | | | | |
| http://www.cherberg.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 93.129.177.51 | -14 | | 10.026 | T |
| Timeout - The operation has timed out | | | | |

So http-01 - validation wouldn’t work.


#4

Also, the IPv6 web server claims to be lighttpd/1.4.28 (released in 2010).


#5

Are you sure your Dynamic DNS for your IPv4 address is current/updated?

Based on previous IP addresses for your domain, your site was working and actually advertising Apache httpd, so it’s possible that the domain is just currently pointing to a different IPv4 host entirely.
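
The per-address check that replies #2 and #3 carry out, as an added example that is not part of the original thread: it requests the challenge path from every A and AAAA address of a name separately and reports which addresses time out or answer with an HTML page instead of the challenge file. The sample addresses, token and expected content are constructed placeholders, and `addresses`, `probe`, `classify`, `check` and `demo` are names chosen here.

```python
import http.client
import socket

CHALLENGE_DIR = "/.well-known/acme-challenge/"

def addresses(host, port=80):
    """All A and AAAA addresses of the name, deduplicated, resolver order kept."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return list(dict.fromkeys(info[4][0] for info in infos))

def probe(ip, host, token, port=80, timeout=10):
    """GET the challenge URL from one address; status is None on connect failure."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # Connect to the literal IP but send the site's name, as a validator would.
        conn.request("GET", CHALLENGE_DIR + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)
    finally:
        conn.close()

def classify(status, body, expected):
    """Compare one address's answer with the expected file content."""
    if status is None:
        return "unreachable"
    if status == 200 and body.strip() == expected:
        return "ok"
    if "<html" in body.lower():
        return "html-page"  # a web page answered instead of the challenge file
    return "mismatch"

def check(host, token, expected, probe_fn=probe, addrs=None):
    """Map every address of host to its verdict."""
    addrs = addresses(host) if addrs is None else addrs
    return {ip: classify(*probe_fn(ip, host, token), expected) for ip in addrs}

# Constructed sample modelled on the thread: IPv4 times out, IPv6 serves a default page.
SAMPLE = {"192.0.2.10": (None, "timed out"),
          "2001:db8::13": (200, "<html><head><title>example.test</title></head></html>")}

def demo():
    fake = lambda ip, host, token: SAMPLE[ip]  # stands in for probe(), no network
    return check("example.test", "test-token", "test-token.thumb", fake, list(SAMPLE))

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:40} {verdict}")
```

For a live check, call `check(host, token, expected)` with the name and content of a test file you placed under the challenge directory yourself.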