The key authorization file from the server did not match


#1

Hi,

I’ve been using LE for quite some time without any issues. However …
Today I tried to add a certificate for a new domain and it failed for the following reason:

Failed authorization procedure. promentorfinans.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [7aniy-jiMmzp5Qi7TD9TD2O7Fi7JXzVzt33_8yzgwyA.K50uFwf8ZXDR6ymNZ8Xjujxw9i3YOPCuL05RBECjTCU] != [7aniy-jiMmzp5Qi7TD9TD2O7Fi7JXzVzt33_8yzgwyA.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8]

I’m on CentOS7 w/ Apache 2.4.

I’ve checked the DNS/IP/A records and they are all good.
The vhost config is automated and I’ve been using this template for +100 certificates.
I use letsencrypt-auto when issuing the certificates but now I’ve tried the method suggested by your documentation, certbot --apache … and I’ve tested various other combinations including --certonly but they all end up with the above error.
I even tried deleting another certificate and there was no problem re-installing it.

Any help is greatly appreciated, thank you.


[SOLVED] The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge
#2

Hi @perlanvin,

Your domains has IPv4 and IPv6 records, the A record points to an Apache web server and the AAAA record points to a nginx web server. As Let’s Encrypt prefers IPv6 over IPv4, it is trying to reach the challenge using your nginx web server and seems you are not using it to issue your cert.

Fix your IPv6 conf or if you are not using it, remove the AAAA record for your domain.

Cheers,
sahsanu


#3

Hi @perlanvin

your file-content:

7aniy-jiMmzp5Qi7TD9TD2O7Fi7JXzVzt33_8yzgwyA.K50uFwf8ZXDR6ymNZ8Xjujxw9i3YOPCuL05RBECjTCU

7aniy-jiMmzp5Qi7TD9TD2O7Fi7JXzVzt33_8yzgwyA.-f_daEYxVOFls4aupfol2f4PA8ikqBUw-4tU6dotcK8

The first part is identical, this is the current token of the current challenge. Followed by a dot.

But the second part is different. This is the JWK footprint of your account key. Do you use a different account to create the challenge file?


#4

Hi,

I’m sorry I didn’t do my homework properly, sorting the AAAA record fixed the problem.
Thanks for very quick support!

Rgds


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.