The key authorization file from the server did not match - Vesta

Hello,
I’m using Vesta CP + Ubuntu 14.04
And I have multiple domains in this server. Letsencrypt-vesta worked fine for almost all of them. Except 2 domains that give me the same error:
The key authorization file from the server did not match

Command and Error

letsencrypt-vesta nazare educandarionazare.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for educandarionazare.com.br
http-01 challenge for www.educandarionazare.com.br
Using the webroot path /etc/letsencrypt/webroot for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.educandarionazare.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [9PD-UqE_sN1ulFPP–UYWvMqrr6ygVCBjaoIZ0U-Yks.jhQBQiGe76BI2NcqfxPtBlIjtMCn7COQgm-6alI6DC4] != [9PD-UqE_sN1ulFPP–UYWvMqrr6ygVCBjaoIZ0U-Yks.EL2TSWIc9-Bazr1jS9Q-hfP7066LKeP5Si2FggAG91M], educandarionazare.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA.jhQBQiGe76BI2NcqfxPtBlIjtMCn7COQgm-6alI6DC4] != [Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA.EL2TSWIc9-Bazr1jS9Q-hfP7066LKeP5Si2FggAG91M]

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.educandarionazare.com.br
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    [9PD-UqE_sN1ulFPP–UYWvMqrr6ygVCBjaoIZ0U-Yks.jhQBQiGe76BI2NcqfxPtBlIjtMCn7COQgm-6alI6DC4]
    !=
    [9PD-UqE_sN1ulFPP–UYWvMqrr6ygVCBjaoIZ0U-Yks.EL2TSWIc9-Bazr1jS9Q-hfP7066LKeP5Si2FggAG91M]

    Domain: educandarionazare.com.br
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    [Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA.jhQBQiGe76BI2NcqfxPtBlIjtMCn7COQgm-6alI6DC4]
    !=
    [Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA.EL2TSWIc9-Bazr1jS9Q-hfP7066LKeP5Si2FggAG91M]

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    Let’s Encrypt returned an error status. Aborting.

I have done a lot of research and tried many solutions that I found, but none of them work. I need help.
Here is a link to the letsencrypt.log (I tried to copy and paste the content into a Details section, but because there are too many links, I can’t)

Can anyone help me?

I would verify the correctness of using:
'--webroot', '-w', '/etc/letsencrypt/webroot'

Also, the cert presented does not match:
https://www.ssllabs.com/ssltest/analyze.html?d=www.educandarionazare.com.br&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=educandarionazare.com.br&hideResults=on
which may indicate that the site in question is actually not SSL-enabled and the server is presenting the default cert.

This is pretty interesting. Usually this error message indicates that the Let’s Encrypt systems reached a server but were presented with something completely wrong, such as an error message or a blank web page, rather than the content which proves your control over the site. In this case they’re getting almost, but not quite, the correct answer, which is remarkable.

For example one answer should have been:

Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA.jhQBQiGe76BI2NcqfxPtBlIjtMCn7COQgm-6alI6DC

But instead the answer provided was exactly:

Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA.EL2TSWIc9-Bazr1jS9Q-hfP7066LKeP5Si2FggAG91M

That’s very close! I expect an ACME expert looking at these logs will have a better idea what went wrong than I do. Hopefully one will be along shortly. It is conceivable it’s a bug in the Certbot software, or something like that. There is an outside chance of such a problem occurring due to a hardware fault: a bunch of mathematics is happening to produce the magic numbers (represented as gibberish text) which make this work, and so a tiny fault in a microprocessor, cache or similar hardware could potentially produce such symptoms, but I expect that when somebody smarter than me comes along to diagnose it they will find a more mundane cause.


I believe the portion after the dot is a signature that is computed from the account key by the ACME client. It's possible there's some bug in the Vesta client that is mixing up account keys or otherwise not creating this signature properly.

Other people have reported this bug as well:

Since there seems to be no resolution to the issue, I would suggest taking a backup of your current certificate and private key and then doing whatever you can to erase or reset the Let's Encrypt configuration so that it can register a new account key and start fresh.
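Added example, not from this thread or from letsencrypt-vesta: under RFC 8555 the key authorization is the token, a dot, and the base64url SHA-256 JWK thumbprint (RFC 7638) of the ACME account key, so an identical token with a different suffix, exactly the pattern in the log above, means the challenge file was written for a different account key than the one the client now signs with. The script recomputes the expected value and checks a webroot for the mismatch; it assumes the account key is available as a JWK dict (certbot stores it as JWK JSON in private_key.json under its accounts directory), and the keys and webroot path it uses are constructed placeholders.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path
# JWK members that enter the RFC 7638 thumbprint, per key type (listed in lexicographic order).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only (no 'kid', 'alg' or private 'd'), sorted, no whitespace."""
    canonical = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return b64url(hashlib.sha256(json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body /.well-known/acme-challenge/<token> must serve."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def diagnose(expected: str, served: str) -> str:
    """Same token, different suffix (the pattern in the log above) = file written for another account key."""
    if expected == served:
        return "ok"
    if expected.partition(".")[0] != served.partition(".")[0]:
        return "wrong-token"  # stale file, or a different vhost/webroot answered the request
    return "account-key-mismatch"

def check_challenge_file(webroot, token: str, account_jwk: dict) -> str:
    """Compare what the webroot holds for this token with the value the CA will expect."""
    path = Path(webroot, ".well-known", "acme-challenge", token)
    if not path.is_file():
        return "missing"
    return diagnose(key_authorization(token, account_jwk), path.read_text(encoding="ascii").strip())

# Constructed sample: two dummy account keys (placeholder moduli, not real RSA keys) and the
# token from the log above. KEY_B plays the stale account key that wrote the challenge file.
KEY_A = {"kty": "RSA", "e": "AQAB", "n": "dummy-modulus-A", "kid": "acct-1", "alg": "RS256"}
KEY_B = {"kty": "RSA", "e": "AQAB", "n": "dummy-modulus-B"}
TOKEN = "Qns3ziGXTBiAPBFtFeOumgzvwiaPg_5BIQrUxDrRvHA"

def demo() -> str:
    """Reproduce the symptom in a temporary webroot: KEY_B wrote the file, KEY_A checks it."""
    webroot = Path(tempfile.mkdtemp())
    challenge_dir = webroot / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True)
    (challenge_dir / TOKEN).write_text(key_authorization(TOKEN, KEY_B))
    return check_challenge_file(webroot, TOKEN, KEY_A)  # -> "account-key-mismatch"
```

Run against the real webroot with the JWK loaded from the client's account directory: "wrong-token" points at the file or vhost serving the request, "account-key-mismatch" at the account key the client is registered with.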

So thanks to you guys I tried looking into Vesta, and the option “Enable SSL” on this site was not marked. And every time I tried to check the box, it simply would not go. So I logged in via SSH, ran apt-get update and upgrade, rebooted the server and tried again via Vesta. The box and a new option, “support Letsencrypt”, were there. I marked both and it worked. I now access via “https” and none of my browsers gave me an error, BUT in SSH the command “letsencrypt-vesta” still got me the same error. And that makes me think that 3 months from now I will be having issues… I’ll go to the Vesta forums too and see what I get from them.

Thanks a lot for the insight and help.
