Token Mismatch error even with correct validation setup


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.trashitaliano.it

We are getting token mismatch for the domain www.trashitaliano.it. The redirect is set up correctly. It is not clear as to why the validation fails here.

curl -s -D - "http://www.trashitaliano.it/.well-known/acme-challenge/x7idU0LHOWENkBtcGI6BGQlNSu24YvbxhkIzmS_fLX0" -o /dev/null

HTTP/1.1 301 Moved Permanently
Date: Thu, 26 Jul 2018 17:46:46 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 300
Set-Cookie: SERVERID567=204029; path=/; max-age=900
Server: Apache
Location: http://dcv.akamai.com/.well-known/acme-challenge/x7idU0LHOWENkBtcGI6BGQlNSu24YvbxhkIzmS_fLX0
Cache-Control: max-age=86400
Expires: Fri, 27 Jul 2018 17:46:46 GMT
X-IPLB-Instance: 18163

API response.
{
  "size" : 1,
  "data" : [ {
    "name" : "www.trashitaliano.it",
    "expires" : "Aug 3, 2018 10:53:10 AM",
    "domainStatus" : "awaiting",
    "path" : "http://www.trashitaliano.it/.well-known/acme-challenge/hfWgyNJN0bsgKTovIbJuJpfG-e4fJf3JVi-Gg9yJuYY",
    "pathStatus" : "TOKEN_MISMATCH",
    "redirectPath" : "http://dcv.akamai.com/.well-known/acme-challenge/hfWgyNJN0bsgKTovIbJuJpfG-e4fJf3JVi-Gg9yJuYY",
    "redirectStatus" : "READY",
    "token" : "hfWgyNJN0bsgKTovIbJuJpfG-e4fJf3JVi-Gg9yJuYY.I0NKvfPV_1vzF4OUaCihD164ZON3BPMjHH4MGX1uGT4"
  } ]
}


#2

Hi @sakrpa,

The API response you shared is not from Boulder/Let’s Encrypt. It looks more like some kind of internal pre-flight check. I was also able to confirm that while we’ve seen a new-authz request for this domain name, we have not seen any associated challenges POSTed to perform an actual HTTP-01 validation request.

Are you sure this is an issue that Let’s Encrypt can help address?


#3

Hi @sakrpa

Testing this:

D:\download http://www.trashitaliano.it/.well-known/acme-challenge/x7idU0LHOWENkBtcGI6BGQlNSu24YvbxhkIzmS_fLX0 -h
Transfer-Encoding: chunked
Vary: Cookie
Content-Type: text/html; charset=UTF-8
Date: Fri, 27 Jul 2018 15:17:56 GMT
Set-Cookie: SERVERID567=204029; path=/; max-age=900,PHPSESSID=ca7523e09d65a44a73717dc077a31f80; path=/
Server: Apache
X-Powered-By: PHP/7.0.30
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Location: http://trashitaliano.it/.well-known/acme-challenge/x7idU0LHOWENkBtcGI6BGQlNSu24YvbxhkIzmS_fLX0
X-IPLB-Instance: 18167

Status: 301 MovedPermanently

There is a redirect. But

D:\download http://trashitaliano.it/.well-known/acme-challenge/x7idU0LHOWENkBtcGI6BGQlNSu24YvbxhkIzmS_fLX0 -h
ConnectionClosed

Does your curl have additional rights?

Testing your url with a browser I get a

 404 - page not found 

Ooops, sorry! We couldn’t find it
You have requested a page or file which doesn’t exist

So Let’s Encrypt may have the same problem finding your file.
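
The hop-by-hop check done by hand in the reply above, as an added example that is not part of the original thread: it walks the redirect chain of an HTTP-01 challenge URL, confirms that every hop still carries the expected token, and compares the final body with the expected `token.thumbprint` key authorization. The function names, verdict labels, hosts and token values are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

PREFIX = "/.well-known/acme-challenge/"

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: each 3xx surfaces as an HTTPError

def http_fetch(url):
    """One GET with redirects not followed -> (status, location, body)."""
    try:
        with urllib.request.build_opener(_NoFollow).open(url, timeout=10) as r:
            return r.status, None, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""
    except OSError:  # refused, reset or closed connection, DNS failure
        return None, None, ""

def check_challenge(url, key_authorization, fetch=http_fetch, max_hops=10):
    """Walk the redirect chain hop by hop -> (verdict, urls_checked)."""
    token = key_authorization.split(".", 1)[0]
    hops = []
    for _ in range(max_hops):
        hops.append(url)
        if urlsplit(url).path != PREFIX + token:
            return "wrong-token-in-path", hops
        status, location, body = fetch(url)
        if status is None:
            return "connection-failed", hops
        if status in (301, 302, 307, 308) and location:
            url = urljoin(url, location)
            continue
        if status != 200:
            return "http-%d" % status, hops
        ok = body.strip() == key_authorization
        return ("ok" if ok else "body-mismatch"), hops
    return "too-many-redirects", hops

# Constructed sample data (not from the thread): token, thumbprint and hosts.
KEYAUTH, PATH = "tokenAAAA.thumbprintBBBB", PREFIX + "tokenAAAA"
WWW, APEX, DCV = ("http://" + h + PATH for h in
                  ("www.example.test", "example.test", "dcv.example.test"))
BROKEN = {WWW: (301, APEX, ""), APEX: (None, None, "")}  # apex hangs up
WORKING = {WWW: (301, DCV, ""), DCV: (200, None, KEYAUTH + "\n")}

if __name__ == "__main__":
    for table in (BROKEN, WORKING):
        print(check_challenge(WWW, KEYAUTH, fetch=table.__getitem__))
```

Called with the default `fetch`, the same function performs real requests, and the returned list shows which hop in the chain failed.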


#4

I believe what happened is that the redirect was set up only for a small time period and validation did not go through during that time period. Currently, the redirect is broken, so I will work on setting that up again. Thanks for the assistance.

