Letsencrypt Authorization no longer working

Posted: Sun Jan 28, 2018 2:32 am
by plutocrat
I'm not sure if this is related to the recent upgrade (my server just upgraded to 0.9.8-19), but v-check-letsencrypt-domain is throwing errors.

In my /home/admin/conf/web I have all the *letsencrypt files for each domain, e.g.

Code:

> cat nginx.domain.com.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ";
}

And a corresponding snginx file symlinked to it.

When I run the command "v-check-letsencrypt-domain 'admin' 'domain.com'" I get
Error: The key authorization file from the server did not match this challenge [F9fH3McNPg2HaYDCFGhRQ_26X6d_Y4XWm2JcRT67fn0.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ] != [F9fH3McNPg2HaYDCFGhRQ_26X6d_Y4XWm2JcRT67fn0.Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jY]

Unfortunately I've been trying a few things to debug this, and have now hit the Letsencrypt authorisation limit. "LetsEncrypt challenge request 429". So I have to wait before re-trying.

Two domains on this server are now showing the same error. I'm expecting that more will appear as they hit the expiry limit.

Has Letsencrypt changed something on their side?

Re: Letsencrypt Authorization no longer working

Posted: Tue Jan 30, 2018 1:10 am
by plutocrat
OK, now I'm allowed to authorise again, I tried a bit of tampering. As noted above, if I do a letsencrypt add, I get an error.

Code:

v-add-letsencrypt- 'admin' 'domain.com' 'www.domain.com'
Error: The key authorization file from the server did not match this challenge [-RKY5D-NFCLkuUyXR-a4v8psNqJVCyuhvhjazO3aHZg.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ] != [-RKY5D-NFCLkuUyXR-a4v8psNqJVCyuhvhjazO3aHZg.Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jY]

So I edited nginx.domain.com.conf_letsencrypt to change this:

Code:

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ";
}

To this:

Code:

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jY";
}

I restarted nginx. Then when I try again I get the same error.

Code:

v-add-letsencrypt- 'admin' 'domain.com' 'www.domain.com'

Error: The key authorization file from the server did not match this challenge [OLuV3c9FDyRnwUcAoKCGOfFMGsopuHiD-2IfjOWArZc.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ] != [OLuV3c9FDyRnwUcAoKCGOfFMGsopuHiD-2IfjOWArZc.Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jY]

So from that we can deduce that the first auth string OLuV3c9FDyRnwUcAoKCGOfFMGsopuHiD-2IfjOWArZc.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ is coming from Letsencrypt auth servers, but the second part should be generated by the nginx config I edited ... but isn't!

So where is it getting this string from? Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jY

Re: Letsencrypt Authorization no longer working

Posted: Tue Jan 30, 2018 1:44 am
by plutocrat
So the thing that's really confusing is that 8 domains on this server, under the admin account all updated fine over the last couple of weeks and have the exact same nginx config file. There are only two which are failing. No discernable difference between the ones that fail and the ones that succeed.

Re: Letsencrypt Authorization no longer working

Posted: Tue Jan 30, 2018 4:45 pm
by ChrisKnez
plutocrat wrote: "So the thing that's really confusing is that 8 domains on this server, under the admin account all updated fine over the last couple of weeks and have the exact same nginx config file. There are only two which are failing. No discernable difference between the ones that fail and the ones that succeed."

What comes to my mind is that your domain might have gotten blocked from Letsencrypt.

I kept testing the Letsencrypt function on a single domain over and over again and I can't get a new certificate for a specific amount of time now.

Re: Letsencrypt Authorization no longer working

Posted: Wed Jan 31, 2018 2:29 am
by plutocrat
Yes I did get blocked once and got the "LetsEncrypt challenge request Error 429" (which is when you exceed the number of allowed requests).

But most of the time I'm getting the key mismatch error. Still have 80 days to figure it out before the key expires. :-)

Re: Letsencrypt Authorization no longer working

Posted: Wed Jan 31, 2018 6:44 am
by plutocrat
Further investigation ... checking nginx config by running these two commands.

curl http://domainNotWorking.com/.well-known ... ge/123test
curl http://domainWorking.com/.well-known/ac ... ge/123test

The Working domain responds with the correct answer: 123test.7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ
The NotWorking domain responds with a different one! : 123test.Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7j

Both have IDENTICAL conf_letsencrypt files. WTF? How is this possible? Where is my server getting Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jYY from? Freaky. More news when I have it ...

Re: Letsencrypt Authorization no longer working

Posted: Wed Jan 31, 2018 6:55 am
by plutocrat
NOOOOOOOO.

Someone changed the DNS on me. DomainNotWorking.com is on an entirely different Vesta CP server, and just needs to be removed from the one throwing the errors.

Case closed. Desk-shaped mark on forehead will heal in time. DNS-changing colleague will be hunted down.
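
Added example, not part of the thread or of Vesta's code: in an ACME HTTP-01 key authorization the part after the dot is the RFC 7638 thumbprint of the account key held by whichever server answers, so an unexpected suffix means another host or account is serving the challenge. The sketch below classifies a probe response; the function names and the IP addresses are constructed for illustration, the two thumbprints are the ones quoted in the thread.

```python
import base64
import hashlib
import json

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical
    JSON of the required members (e, kty, n), base64url without padding."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def split_key_authorization(body):
    """Split an HTTP-01 response body into (token, thumbprint)."""
    token, sep, thumb = body.strip().partition(".")
    if not sep or not token or not thumb:
        raise ValueError("not a key authorization: %r" % body)
    return token, thumb

def diagnose(probe, body, resolved_ips, local_ips, expected_thumb):
    """Explain why a domain's challenge response does or does not match."""
    token, thumb = split_key_authorization(body)
    if token != probe:
        return "response does not echo the probe token"
    if thumb == expected_thumb:
        return "ok"
    if not set(resolved_ips) & set(local_ips):
        return "served by another host: DNS points away from this server"
    return "this server answers with a different account thumbprint"

# Thumbprints as quoted in the thread; IP addresses are constructed samples.
THIS_SERVER = "7S7fqQLuC750VgVgynDuEhxfyE5yGH5o_lf43LUBWvQ"
OTHER_SERVER = "Iee1t8LEgpgulk8DICcovfY3TZRuBetz-Q3GlnBA7jY"
LOCAL_IPS = ["192.0.2.10"]

def demo():
    """Replay the two curl probes from the thread against the classifier."""
    working = diagnose("123test", "123test." + THIS_SERVER,
                       ["192.0.2.10"], LOCAL_IPS, THIS_SERVER)
    failing = diagnose("123test", "123test." + OTHER_SERVER,
                       ["198.51.100.7"], LOCAL_IPS, THIS_SERVER)
    return working, failing

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Checking where the domain resolves before retrying an issuance avoids burning attempts against the Let's Encrypt rate limit.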