Koozali.org: home of the SME Server

Letsencrypt fail with: provided key authorization was incorrect

Offline beast

« on: October 14, 2017, 09:38:49 AM »
Hi All

I now get this error when I try to renew my certificates - do not understand why.

It has been running for a long time without problems!

Everything looks fine when I follow the guides at https://wiki.contribs.org/Letsencrypt

https://www.pcrypt.com/.well-known/acme-challenge/ also returns fine results as far as I can tell

Code:
# INFO: Using main config file /etc/dehydrated/config
Processing beast.dk with alternative names: www.beast.dk passcrypt.com www.passcrypt.com passcrypt.dk www.passcrypt.dk passcrypt.eu www.passcrypt.eu passcrypt.org www.passcrypt.org passwordcrypt.dk www.passwordcrypt.dk passwordcrypt.eu www.passwordcrypt.eu passwordcrypt.org www.passwordcrypt.org pcrypt.com www.pcrypt.com pcrypt.dk www.pcrypt.dk pcrypt.eu www.pcrypt.eu pcrypt.org www.pcrypt.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov  2 00:31:00 2017 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for beast.dk...
 + Already validated!
 + Requesting challenge for www.beast.dk...
 + Already validated!
 + Requesting challenge for passcrypt.com...
 + Already validated!
 + Requesting challenge for www.passcrypt.com...
 + Already validated!
 + Requesting challenge for passcrypt.dk...
 + Already validated!
 + Requesting challenge for www.passcrypt.dk...
 + Already validated!
 + Requesting challenge for passcrypt.eu...
 + Already validated!
 + Requesting challenge for www.passcrypt.eu...
 + Already validated!
 + Requesting challenge for passcrypt.org...
 + Already validated!
 + Requesting challenge for www.passcrypt.org...
 + Already validated!
 + Requesting challenge for passwordcrypt.dk...
 + Already validated!
 + Requesting challenge for www.passwordcrypt.dk...
 + Already validated!
 + Requesting challenge for passwordcrypt.eu...
 + Already validated!
 + Requesting challenge for www.passwordcrypt.eu...
 + Already validated!
 + Requesting challenge for passwordcrypt.org...
 + Already validated!
 + Requesting challenge for www.passwordcrypt.org...
 + Already validated!
 + Requesting challenge for pcrypt.com...
 + Already validated!
 + Requesting challenge for www.pcrypt.com...
 + Requesting challenge for pcrypt.dk...
 + Requesting challenge for www.pcrypt.dk...
 + Requesting challenge for pcrypt.eu...
 + Requesting challenge for www.pcrypt.eu...
 + Requesting challenge for pcrypt.org...
 + Requesting challenge for www.pcrypt.org...
 + Responding to challenge for www.pcrypt.com...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/vKZpBP6IypKRlw-GRWhQwq5jvX4v7RS86Xc8o_80nRs/2169721171 (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: provided key authorization was incorrect",
  "status": 400
}
« Last Edit: October 14, 2017, 09:42:49 AM by beast »

Offline beast

« Reply #1 on: October 17, 2017, 06:58:04 AM »
For some unknown reason it worked today after 14 days where it has not worked :-)

Offline umbi

« Reply #2 on: April 10, 2018, 08:31:47 PM »
hello

same error here:

>>umberto nerone (10.04.18 17:48):
>>ERROR: Challenge is invalid! (returned: invalid) (result: {
>>  "type": "http-01",
>>  "status": "invalid",
>>  "error": {
>>    "type": "urn:acme:error:connection",
>>    "detail": "Fetching http://www.satforum.ch/.well-known/acme-challenge/0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o: Timeout",
>>    "status": 400
>>  },
>>  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hfvc9xxuQ8G9siUZvBFDA7_zzKU9cF79o5gIz3Lj1lo/4165957598",
>>  "token": "0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o",
>>  "keyAuthorization": "0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o.aw0uxAcUUOXtlRXYEw-K4Be5DP7K1vDhx0rV_O-iXGk",
>>  "validationRecord": [
>>    {
>>      "url": "http://www.satforum.ch/.well-known/acme-challenge/0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o",
>>      "hostname": "www.satforum.ch",
>>      "port": "80",
>>      "addressesResolved": [
>>        "81.6.60.41"
>>      ],
>>      "addressUsed": "81.6.60.41"
>>    }
>>  ]
>>})

When I go to the well-known directory the key is different, not 0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o

It worked perfectly for more than a year. I did some mods in domain.txt, of course removed domains, and started dehydrated -c -x; from that moment the error appears.

Fixed IP. The well-known directory with files appears when I call domain/.well-known/acme-challenge/

I urgently need help.
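
The challenge object quoted in the post above shows the http-01 key authorization format (later standardised in RFC 8555 section 8.1): the token, a dot, then the base64url SHA-256 thumbprint of the account key. The Python sketch below is an added example, not part of the thread or of dehydrated; it computes that value and classifies what a challenge directory would serve for a token. The function names, the temporary directory standing in for WELLKNOWN and the leftover file are assumptions constructed for illustration.

```python
import base64, hashlib, json, os, tempfile

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA account key (required members only)."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def key_authorization(token, jwk):
    """token || '.' || base64url(thumbprint of the account key)."""
    return token + "." + jwk_thumbprint(jwk)

def check_challenge(wellknown, token, expected):
    """Classify the file the CA will fetch for one http-01 token."""
    if not token or os.path.basename(token) != token or token.startswith("."):
        raise ValueError("token is not a plain file name")
    path = os.path.join(wellknown, token)
    if not os.path.isfile(path):
        return "missing"
    with open(path) as fh:
        body = fh.read().strip()
    if body == expected:
        return "ok"
    if body.partition(".")[0] != token:
        return "wrong-token"
    return "wrong-thumbprint"  # file was written for a different account key

def stale_files(wellknown, active_tokens):
    """Leftover challenge files that no pending challenge refers to."""
    return sorted(f for f in os.listdir(wellknown) if f not in active_tokens)

def demo():
    # Token and keyAuthorization as quoted in the error output above.
    token = "0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o"
    expected = token + ".aw0uxAcUUOXtlRXYEw-K4Be5DP7K1vDhx0rV_O-iXGk"
    wellknown = tempfile.mkdtemp()  # stands in for the WELLKNOWN directory
    results = {"before": check_challenge(wellknown, token, expected)}
    with open(os.path.join(wellknown, "old-token"), "w") as fh:
        fh.write("old-token.constructed-thumbprint\n")  # constructed leftover
    with open(os.path.join(wellknown, token), "w") as fh:
        fh.write(token + ".constructed-other-account\n")  # constructed mismatch
    results["other_key"] = check_challenge(wellknown, token, expected)
    with open(os.path.join(wellknown, token), "w") as fh:
        fh.write(expected + "\n")
    results["after"] = check_challenge(wellknown, token, expected)
    results["stale"] = stale_files(wellknown, {token})
    return results

if __name__ == "__main__":
    print(demo())
```

A "missing" result for a token the CA is about to fetch, or a pile of stale files next to it, points at the client writing to a different directory than the one the web server serves.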

Offline ReetP

« Reply #3 on: April 10, 2018, 10:48:38 PM »
Quote
I now get this error when I try to renew my certificates - do not understand why.

It has been running for a long time without problems!

  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/vKZpBP6IypKRlw-GRWhQwq5jvX4v7RS86Xc8o_80nRs/2169721171 (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: provided key authorization was incorrect",
  "status": 400
}

Saw this but never a follow up.

https://github.com/lukas2511/dehydrated/issues/268

I can see a whole host of files in your acme-challenge dir. Might be worth a cleanout and start again ;-) That may include your PEM files in /etc/dehydrated/certs/ (careful what you do there !)

https://github.com/mailcow/mailcow/issues/465

Another thought - what version of dehydrated are you using and what config keys have you got set ?

Code:
config show letsencrypt
Code:
rpm -qa | grep dehydrated
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

« Reply #4 on: April 10, 2018, 10:58:01 PM »
Quote
hello

same error here:


No, it isn't the same error

Quote
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://www.satforum.ch/.well-known/acme-challenge/0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o: Timeout",
    "status": 400

I tried going here a little earlier:

http://www.satforum.ch/.well-known/acme-challenge

And it seemed to timeout.

I just tried again and can see the directory.

The error seems to suggest your directory was not reachable, hence the timeout.

Is your connection having issues?

You have a lot of domains I presume - again, rate limits?

Post your settings as per my earlier post.

Quote
It worked perfectly for more than a year. I did some mods in domain.txt, of course removed domains, and started dehydrated -c -x; from that moment the error appears.

How did you modify it and exactly what did you do ?


Quote
I urgently need help.

Please don't ask this as a refusal can often offend.

If you need urgent then you can always pay someone to do something urgently.

We are all volunteers. We will help as and when we can.


Offline umbi

« Reply #5 on: April 10, 2018, 11:46:29 PM »
Dear ReetP

Thank you for your fast reply. And sorry for the urgent help request, I had no bad intentions (offending someone) with it.

Quote
for Connecting issues question:
No, I reached the directory http://www.satforum.ch/.well-known/acme-challenge from different networks without any problems. I also tried changing the router DNS to 8.8.8.8 from Google, which makes the answer time of the server very slow, started the dehydrated -c command and the result: same error 400.

Quote
Rate limits
I have a lot of domains, but before it worked with more domains perfectly. I'm sure I'm under the rate limits; maybe I can test making the certificate request with only the 3-4 most important domains to see if the same issue comes up. If you mean the exceeded rate limit of requests: maybe, but shouldn't another error code come then?

Quote
My config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v01.api.letsencrypt.org/directory" (tried with and without comment out for testing purp.)
#BASEDIR="/etc/dehydrated" (tried with and without comment out)
CONTACT_EMAIL="xxx@xxx.com"
HOOK="/usr/local/bin/dehydrated-hook"
PARAM_ACCEPT_TERMS="yes"


Quote
config show letsencrypt
    ACCEPT_TERMS=yes
    configure=none
    email=xxx@xxx
    hookScript=disabled
    status=enabled

Quote
rpm -qa |grep dehydrated
dehydrated-0.6.1-10.el6.fws.noarch

Appreciating your answer and thank you again :-)

Umbi
« Last Edit: April 10, 2018, 11:53:28 PM by umbi »

Offline umbi

« Reply #6 on: April 11, 2018, 12:40:08 PM »
I cleaned up unused domains in /etc/dehydrated/certs/
restarted dehydrated -c with same error 400 (timeout)

I guess I received an update of dehydrated on March 18. Can it be that the problem is caused by the update? I'm still desperate. If somebody will fix it for me for money, pls write me a PM.

Offline ReetP

« Reply #7 on: April 11, 2018, 01:51:10 PM »
Quote
Dear ReetP

Thank you for your fast reply. And sorry for the urgent help request, I had no bad intentions (offending someone) with it.


NP.

Quote
No, I reached the directory http://www.satforum.ch/.well-known/acme-challenge from different networks without any problems. I also tried changing the router DNS to 8.8.8.8 from Google, which makes the answer time of the server very slow, started the dehydrated -c command and the result: same error 400.

I doubt changing your router DNS will make much difference. The issue is Letsencrypt servers trying to access your server.

Quote
dehydrated-0.6.1-10.el6.fws.noarch

That may be your issue then.

That rpm is from Firewall Services. It may well be different than the one from the SME repos which I think is v0.4.x official and 0.5.0-3 in smetest

I think the dehydrated script from Firewall may be using v2 of the Letsencrypt API and that may be causing issues somehow.

You should open a bug here:

https://bugs.contribs.org/enter_bug.cgi?product=SME%20Contribs&component=smeserver-letsencrypt&short_desc=&comment=

Note you are using the FWS dehydrated and your errors.

Offline umbi

« Reply #8 on: April 11, 2018, 02:35:10 PM »
Dear ReetP

Thank you for your answer! It brings light in my darkness...

I also noted that at the command dehydrated -c it tries to fetch a key file that doesn't exist in /.well-known/acme-challenge - that causes the time-out 400 error for me.

Do I have a chance to downgrade to the SME v0.4.x version without losses?
I don't want to lose still valid certs.

If yes, how should I progress?

yum remove dehydrated and yum install dehydrated? Copy / paste my domain.txt?

Offline ReetP

« Reply #9 on: April 11, 2018, 03:47:08 PM »
I think you can probably downgrade to v0.5 in smetest without any issues (v 0.5 will be released to smecontribs shortly)

(Not sure of an 'official' or clean way to do this !!)

Unless you have made any manual edits anywhere it will probably be ok.

You may need a post-upgrade/ reboot to ensure the config files are regenerated.


Offline umbi

« Reply #10 on: April 11, 2018, 04:22:22 PM »
ReetP
Thank you.
I guess a bug ticket with the same error is listed here:
https://bugs.contribs.org/show_bug.cgi?id=10399

I will try following steps to downgrade

1.) backup config files and domain.txt file
2.) yum remove smeserver-letsencrypt
3.) yum install smeserver-letsencrypt --enablerepo=smecontribs
     config setprop letsencrypt ACCEPT_TERMS yes
     signal-event console-save
     *** I DO NOT  :   yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
4.) config setprop letsencrypt configure none
5.) i edit with nano -w config   and  my domains.txt with my old values.
6.) i reboot server and make dehydrated -c

Can you confirm my steps?

Greez + Thank you

Umbi

Offline umbi

« Reply #11 on: April 11, 2018, 04:59:24 PM »
I have news:

Before I start a downgrade I tried something else:

I saw that I had pointed the primary domain to an i-bay.
- I changed the pointing to the default Primary directory.
- I restarted dehydrated -c

and I got "challenge is valid!" answers but at the end an error 500...

Quote
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/RG2RF0T9JMffzoSuNtb2KW_raolkuE_waX1y17FPnRg/4171524971 (Status 500)

Details:
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;179&#46;55f90a17&#46;1523458288&#46;12f0c5c
</BODY></HTML>

Offline umbi

« Reply #12 on: April 11, 2018, 05:11:32 PM »
IT WORKS !

restarted the command dehydrated -c and:

Quote
+ Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

So the smoking gun is:  * Never point the primary Domain to an i-bay directory *  it had worked for me in the past, but not since the update...

I'm happy to have resolved it by myself  :-P

Offline ReetP

« Reply #13 on: April 11, 2018, 06:01:49 PM »
Quote
IT WORKS !

Excellent

Quote
So the smoking gun is:  * Never point the primary Domain to an i-bay directory *  it had worked for me in the past, but not since the update...

Hmmm. I'm not sure exactly what you did, but clearly it messed things up. If this is the case then you really should open a bug for it because the issue is still there.

Note...

I believe for /.well-known/acme-challenge/ every domain is actually pointed to the Primary ibay - check /etc/httpd/conf.httpd.conf regardless of anything else.

e.g.
<VirtualHost 0.0.0.0:80>
Servername host.domain.com
... blah
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
</VirtualHost>

It is too difficult to try and make letsencrypt/dehydrated add keys to lots of different directories so they all have to go in one place.

Quote
I'm happy to have resolved it by myself  :-P

Indeed. Next time have a good think of what you might have done to upset things yourself before jumping up and down and saying 'urgent' :-)

Sometimes things that you modify might take a few days for say a reconfigure/reboot to show themselves. So you really ought to check logs etc to see what you might have changed before jumping to conclusions.

However, it is only part resolved (worked before, doesn't work now unless you revert your modification) and you really ought to create a bug.

Offline umbi

« Reply #14 on: April 11, 2018, 06:45:35 PM »
ReetP


Indeed - you are right with what you write...

I can say that it worked for me from the moment where I put my main domain back to the Primary directory.

From this moment I had no more error 400. It can be that I had a strange setting on that i-bay before or some strange htaccess rule, which gave back a time out. I don't know.

I will create a bug report as soon as I have had a rest :-)

I appreciate your help very much nevertheless...

Best wishes from switzerland

Umbi
« Last Edit: April 13, 2018, 01:04:19 PM by umbi »