The key authorization file from the server did not match this challenge

Hello guys, how to fix this error? And how to prevent it? Does this issue appear after migration? (It appears only on one domain.) There are some topics about it, but this is a different case, I guess.

Error: Let’s Encrypt validation status 400 (example.net). Details: 403:“The key authorization file from the server did not match this challenge. Expected "5zRs1UjJoc7wZt5bX19NUgGBy7FfEDQXH9boPBRD5dg.Mh7kiwDqY3tacPaNvzPZsg2d9Oaoe1CVAQowUvJFQxs" (got "5zRs1UjJoc7wZt5bX19NUgGBy7FfEDQXH9boPBRD5dg.Tf_K--5M2BRuk44qX7kFM6zZdRyrKyds2UKVFgXp_Rw")”

Hi @osmaster,

If you share the domain name we can check it but… is there any redirection on that domain?


example.net no redirection

Show the output of this command (replace YourUser by the actual user):

cat /home/YourUser/conf/web/example.net/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.Mh7kiwDqY3tacPaNvzPZsg2d9Oaoe1CVAQowUvJFQxs";
}

Then, nginx is caching the old answer or it didn’t reload properly.

It is serving this:

❯ curl -kL www.example.net/.well-known/acme-challenge/test
test.Tf_K--5M2BRuk44qX7kFM6zZdRyrKyds2UKVFgXp_Rw

And it should answer this:

test.Mh7kiwDqY3tacPaNvzPZsg2d9Oaoe1CVAQowUvJFQxs

Restart nginx and try again:

systemctl restart nginx

Are you trying to issue the certificate using Web UI or command line?


No, I didn’t do anything, only restored a backup and restarted nginx several times; only on this user it didn’t reload properly. After migration I first uploaded an old backup on this user, then I deleted it and restored a new one (a backup from another time). Is that connected somehow?

certificate works, in panel it’s green but this message still comes

Check if there is another site serving the content, because if you restarted nginx and the site is not serving the content that you posted earlier, then there is an issue and it seems your domain is not pointing to the right place:

grep -r 5M2BRuk44qX7 /home/*/conf/web/*/

And show also the output of these commands (replace YourUser with the actual user):

ls -l /etc/nginx/conf.d/domains | grep example.net
v-list-web-domain YourUser example.net json

Also, did you change the user name?

Show this command too (replace YourUser with the actual user):

grep include  /home/YourUser/conf/web/example.net/nginx.conf
    "domain.com": {
        "IP": "203.0.113.1", 
        "IP6": "",
        "DOCUMENT_ROOT": "/home/user/web/example.net/public_html/",
        "U_DISK": "225",
        "U_BANDWIDTH": "0",
        "TPL": "default",
        "ALIAS": "www.example.net",
        "STATS": "awstats",
        "STATS_USER": "",
        "SSL": "yes",
        "SSL_FORCE": "no",
        "SSL_HSTS": "",
        "SSL_HOME": "",
        "LETSENCRYPT": "yes",
        "FTP_USER": "",
        "FTP_PATH": "",
        "AUTH_USER": "",
        "BACKEND": "PHP-7_4",
        "PROXY": "default",
        "PROXY_EXT": "jpeg,jpg,png,gif,bmp,ico,svg,tif,tiff,css,js,htm,html,ttf,otf,webp,woff,txt,csv,rtf,doc,docx,xls,xlsx,ppt,pptx,odf,odp,ods,odt,pdf,psd,ai,eot,eps,ps,zip,tar,tgz,gz,rar,bz2,7z,aac,m4a,mp3,mp4,ogg,wav,wma,3gp,avi,flv,m4v,mkv,mov,mpeg,mpg,wmv,exe,iso,dmg,swf",
        "FASTCGI_CACHE": "no",
        "FASTCGI_DURATION": "0s",
        "REDIRECT": "",
        "REDIRECT_CODE": "",
        "CUSTOM_DOCROOT": "",
        "SUSPENDED": "no",
        "TIME": "17:10:32",
        "DATE": "2024-04-08"
        include /home/user/conf/web/example.net/nginx.forcessl.conf*;
        include /home/user/conf/web/example.net/nginx.conf_*;

no, didn’t change user name

You forgot to show these commands:

grep -r 5M2BRuk44qX7 /home/*/conf/web/*/
ls -l /etc/nginx/conf.d/domains | grep example.net

Anyway, the conf for the web domain is using IP 203.0.113.1 instead of 198.51.100.1. Change it and rebuild the web domain.


so it’s migration problems

/home/user/conf/web/example.net/nginx.ssl.conf_letsencrypt:    return 200 "$1.Tf_K--5M2BRuk44qX7kFM6zZdRyrKyds2UKVFgXp_Rw";
lrwxrwxrwx 1 root root 38 Apr  8 17:10 example.net.conf -> /home/user/conf/web/example.net/nginx.conf
lrwxrwxrwx 1 root root 42 Apr  8 17:10 example.net.ssl.conf -> /home/user/conf/web/example.net/nginx.ssl.conf
lrwxrwxrwx 1 root root 39 Apr  8 17:11 webmail.example.net.conf -> /home/user/conf/mail/example.net/nginx.conf
lrwxrwxrwx 1 root root 43 Apr  8 17:11 webmail.example.net.ssl.conf -> /home/user/conf/mail/example.net/nginx.ssl.conf

but why only this domain?

Mmmmm, file /home/user/conf/web/example.net/nginx.ssl.conf_letsencrypt should be a symlink to /home/user/conf/web/example.net/nginx.conf_letsencrypt and it seems it isn’t.

ls -la /home/user/conf/web/example.net/
cat /home/user/conf/web/example.net/nginx.conf_letsencrypt
cat /home/user/conf/web/example.net/nginx.ssl.conf_letsencrypt

Also, you configured in Hestia NS records for domain example.net to use ns1.example.com and ns2.example.com and you should change it to use ns1.example.org and ns2.example.org


this is new IP

203.0.113.1 new server

this is the old IP, which is already not mine

198.51.100.1 old server

Ok, then it is clear, the domain is still pointing to the old server:

❯ dig example.net +short
198.51.100.1

❯ dig example.net mx +short
0 mail.example.net.

❯ dig mail.example.net +short
198.51.100.1

Also, you configured in Hestia NS records for domain example.net to use ns1.example.com and ns2.example.com and you should change it to use ns1.example.org and ns2.example.org

Yes, I’ve changed it now
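
The comparison made by hand in this thread, as an added example that is not part of the original posts or of Hestia's code: it extracts the thumbprint nginx is configured to return, compares it with what the domain serves, and uses the resolved IP to tell a stale local config from DNS pointing at another server. The function names and verdict labels are assumptions; the sample thumbprints and IPs are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example. A key authorization is "<token>.<account-key thumbprint>";
# the nginx.conf_letsencrypt shown above hard-codes the thumbprint after "$1.".

# Read nginx config text on stdin, print the thumbprint from its
# 'return 200 "$1.<thumbprint>";' line.
conf_thumbprint() {
    sed -n 's/.*return 200 "\$1\.\([-_A-Za-z0-9]*\)";.*/\1/p' | head -n 1
}

# Print the thumbprint part of a served body such as "test.<thumbprint>".
served_thumbprint() {
    printf '%s\n' "$1" | sed -n 's/^[-_A-Za-z0-9]*\.\([-_A-Za-z0-9]*\)$/\1/p'
}

# diagnose CONF_TEXT SERVED_BODY RESOLVED_IP THIS_SERVER_IP
# Prints one verdict (hypothetical labels): ok, dns-points-elsewhere,
# stale-local-config, unparseable.
diagnose() {
    want=$(printf '%s\n' "$1" | conf_thumbprint)
    got=$(served_thumbprint "$2")
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "unparseable"
    elif [ "$want" = "$got" ]; then
        echo "ok"
    elif [ "$3" != "$4" ]; then
        echo "dns-points-elsewhere"   # the answer came from another machine
    else
        echo "stale-local-config"     # nginx not reloaded, or another vhost answers
    fi
}

# Constructed sample input, using the values quoted in the thread.
SAMPLE_CONF='location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.Mh7kiwDqY3tacPaNvzPZsg2d9Oaoe1CVAQowUvJFQxs";
}'
SAMPLE_BODY='test.Tf_K--5M2BRuk44qX7kFM6zZdRyrKyds2UKVFgXp_Rw'

diagnose "$SAMPLE_CONF" "$SAMPLE_BODY" 198.51.100.1 203.0.113.1

# Live use on the server (needs network), replacing YourUser and the IP:
# diagnose "$(cat /home/YourUser/conf/web/example.net/nginx.conf_letsencrypt)" \
#   "$(curl -s http://example.net/.well-known/acme-challenge/test)" \
#   "$(dig example.net +short | head -n 1)" 203.0.113.1
```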