Unable to verify my domain

I’m trying to create a letsencrypt certificate for my domain. The webserver is working and is set up so that it returns the last segment of a path it’s requested:

my_domain.com/.well-known/acme-challenge/something ====> something

However, when I’m running this:

    sudo ./letsencrypt-auto certonly -a webroot --webroot-path=/home/my_user/my_website -d my_website.com -d www.my_website.com

I get this error:

    Failed authorization procedure. my_domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [something1-something2.something3] != [something1-something2], www.my_domain.com (http-01): urn:acme:error:unauthorized :: 

    The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [fdsfdsfdsfdsfdsfddsfd23232.something3] != [fdsfdsfdsfdsfdsfddsfd23232]
    Domain: www.my_website.com
       Type:   unauthorized
       Detail: The key authorization file from the server did not match
       this challenge
       [aaaaaa.bbbbb] != [aaaaaa]
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.

Why? Where did the part “bbbbb” and “something3” come from?

See https://letsencrypt.org/how-it-works/ for an overview.

The token (your “something”) is generated by signing a specific request with your private key, which is to confirm that you have control over the domain.

We can help a lot more if you provide your domain name, and the “somethings”, rather than redacting all that information out. Typically it’s because redirects on your domain are redirecting anything in the .well-known/acme-challenge path, so it may be best to change your redirects to not do redirects on that path.

What do you mean exactly? Show an example.

There are many ways this could be done (in .htaccess, apache config or nginx config), and I'm not tempted to try and second-guess what your current setup is, knowing nothing about it.

You state:

How is this done? Then I'll at least know something about your current setup to explain how you could change it to not redirect for .well-known/acme-challenge.

It’s done by creating a custom webserver which is programmed to return the last segment of a URL it receives.

I understand that. But how? Where? Because it’s in this place you need to modify it to not do that for .well-known URLs.

Where what?
It’s a python script-webserver, it’s running in /home/my_user/my_website

I don't understand that, rephrase.

In the nicest possible way … it’s hard work trying to extract information from you in order to be able to help you.

To be able to help effectively there is a list of questions which you ignored when you originally posted, these are:

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I’ve asked several times for some of this information, which you never provide.

You say that you have a “custom webserver” - so I assume it’s not apache, nginx or other standard webserver, it’s simply “a python script-webserver”. Is this one you have written yourself? Or a standard one that’s available online?

Each webserver has different configuration options, so apache is different to nginx, is different to “a python script-webserver”. Explaining how to do it in nginx isn’t going to help if you are running “a python script-webserver”.

Please provide as much information as possible about your current configuration / setup. The above standard questions would be a great place to start.

Note that the value you need to serve when Let’s Encrypt’s validation server hits your site is not just the token in the URL, but also a fingerprint of your account key. See section 7.1 of the relevant ACME draft for a full description of what goes into this so-called Key Authorization.

This is your problem--it isn't enough to simply respond with the requested filename. What made you think it was? If you modify your simple webserver to actually serve files in /home/my_user/my_website (or any other path you want to specify), you should be fine, as certbot will write the correct file with the correct contents (and remove it once validation has succeeded).
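The Key Authorization described in the two replies above, as an added example that is not code from this thread, from certbot or from Let’s Encrypt: it builds the RFC 7638 thumbprint of a constructed account key, joins it to the challenge token, and reproduces the server-side comparison that produces the `[aaaaaa.bbbbb] != [aaaaaa]` line in the original output. The account key coordinates and the token are constructed placeholders, not real values.

```python
import base64
import hashlib
import json

# Required JWK members per RFC 7638 section 3.2, by key type.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: required members only, sorted lexicographically, no whitespace."""
    subset = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url-encoded (the 'bbbbb' part)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The body the validation server expects to read back: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01_response(body: str, token: str, account_jwk: dict) -> tuple:
    """Mimic the server-side check (RFC 8555 section 8.3 trims whitespace).
    Returns (ok, message); the message mirrors the '[expected] != [got]' error."""
    expected = key_authorization(token, account_jwk)
    got = body.strip()
    if got == expected:
        return True, "key authorization matches"
    return False, f"[{expected}] != [{got}]"


# Constructed account key: coordinates are placeholders, not a real P-256 point.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-point",
    "y": "constructed-y-coordinate-not-a-real-point",
    "use": "sig",  # optional member: RFC 7638 excludes it from the thumbprint
}
TOKEN = "constructed_token_from_challenge_url"
```

Calling `check_http01_response(TOKEN, TOKEN, ACCOUNT_JWK)` models the echo-the-path-segment server and fails with the same shape of mismatch as in the question, while a body of `key_authorization(TOKEN, ACCOUNT_JWK)` (what certbot’s webroot plugin writes) passes.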
