Challenge verification failed! Error: urn:acme:error:unauthorized: Error parsing key authorization file: Invalid key authorization: 1 parts #28

Open
I-Am-Abacus opened this issue Feb 20, 2016 · 6 comments

Comments

@I-Am-Abacus

I have a domain which is used for test websites - softapps-test1.uk. (Note, that's ".uk", not ".co.uk".)

I am using sub-domains for individual sites. I want to create a certificate for nkts.softapps-test1.uk which is Rails, so using letsencrypt_plugin.

I've followed the instructions at https://github.com/lgromanowski/letsencrypt-plugin/wiki/Installation-guide:-

  1. gem in the gemfile + bundle install
  • letsencrypt_plugin (0.0.7)
  • acme-client (0.2.4)
  • faraday (0.9.2)
  • json-jwt (1.5.2)
  1. config/letsencrypt_plugin.yml:-

    default: &default
      endpoint: 'https://acme-v01.api.letsencrypt.org/'
      # in Rails.root, path to private key
      private_key: 'key/keyfile.pem'
      # in Rails.root, path where certificates
      # will be stored (on Heroku this variable is ignored)
      output_cert_dir: 'certificates'
      # in Rails.root, path where challenge token
      # will be stored in case when DB will not be used
      challenge_dir_name: 'challenge'

    development:
      <<: *default

    test:
      <<: *default

    staging:
      email: '[email protected]'
      domain: 'nkts.softapps-test1.uk'
      <<: *default

    production:
      email: 'xxx'
      domain: 'xxx'
      <<: *default

  1. Initially I bypassed the migration step, because I wanted the challenge to go into the filesystem and not use a table.

Seems like this doesn't actually work???

Anyway, have now created the migration and db:migrated on the server (see logs below).

  1. created private key

  2. created key & certificates folders, and confirmed that challenge folder does not exist

  3. made the changes to routes.rb. Output from Rake routes:-
    Routes for LetsencryptPlugin::Engine:
    GET /.well-known/acme-challenge/:challenge(.:format) letsencrypt_plugin/application#index

  4. restarted server

However, the setup process fails:-

rake letsencrypt_plugin
I, [2016-02-20T06:00:34.896832 #24673] INFO -- : Loading private key...
I, [2016-02-20T06:00:34.898121 #24673] INFO -- : Trying to register at Let's Encrypt service...
I, [2016-02-20T06:00:35.408271 #24673] INFO -- : Already registered.
I, [2016-02-20T06:00:35.408564 #24673] INFO -- : Sending authorization request for: nkts.softapps-test1.uk...
I, [2016-02-20T06:00:35.731391 #24673] INFO -- : Storing challenge information...
I, [2016-02-20T06:00:38.129574 #24673] INFO -- : Waiting for challenge status...
E, [2016-02-20T06:00:39.894567 #24673] ERROR -- : Challenge verification failed! Error: urn:acme:error:unauthorized: Error parsing key authorization file: Invalid key authorization: 1 parts

AFAICT, NGINX is responding correctly to the requests:-
66.133.109.36 - - [20/Feb/2016:06:00:38 -0500] "GET /.well-known/acme-challenge/2fHlxgnhwBwSpQsnEVY-ZzF5O5eKuVaeHgCyK4onYoE HTTP/1.1" 200 5 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
80.189.71.195 - - [20/Feb/2016:06:10:36 -0500] "GET /.well-known/acme-challenge/2fHlxgnhwBwSpQsnEVY-ZzF5O5eKuVaeHgCyK4onYoE HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0"
66.133.109.36 - - [20/Feb/2016:06:21:20 -0500] "GET /.well-known/acme-challenge/jVDyDF02-3VB4x1igsLGi2n7sWE-iRs287YRiJkzdbw HTTP/1.1" 200 5 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Rails is processing the request, and I can see the row in letsencrypt_plugin_challenges table after the request has run:-

I, [2016-02-20T06:21:16.615921 #25218] INFO -- : ** [Raven] Raven 0.15.5 configured not to send errors.
I, [2016-02-20T06:21:16.786728 #25218] INFO -- : ** [Raven] Raven 0.15.5 configured not to send errors.
D, [2016-02-20T06:21:17.671430 #25218] DEBUG -- : LetsencryptPlugin::Challenge Load (0.8ms) SELECT letsencrypt_plugin_challenges.* FROM letsencrypt_plugin_challenges ORDER BY letsencrypt_plugin_challenges.id ASC LIMIT 1
D, [2016-02-20T06:21:17.682295 #25218] DEBUG -- : (0.1ms) BEGIN
D, [2016-02-20T06:21:17.696225 #25218] DEBUG -- : SQL (7.0ms) UPDATE letsencrypt_plugin_challenges SET response = 'jVDyDF02-3VB4x1igsLGi2n7sWE-iRs287YRiJkzdbw.[10 chars here]_[32 chars here]', updated_at = '2016-02-20 11:21:17' WHERE letsencrypt_plugin_challenges.id = 1
D, [2016-02-20T06:21:17.700327 #25218] DEBUG -- : (3.0ms) COMMIT
I, [2016-02-20T06:21:20.431737 #2101] INFO -- : Started GET "/.well-known/acme-challenge/jVDyDF02-3VB4x1igsLGi2n7sWE-iRs287YRiJkzdbw" for 66.133.109.36 at 2016-02-20 06:21:20 -0500
I, [2016-02-20T06:21:20.436289 #2101] INFO -- : Processing by LetsencryptPlugin::ApplicationController#index as /
I, [2016-02-20T06:21:20.436361 #2101] INFO -- : Parameters: {"challenge"=>"jVDyDF02-3VB4x1igsLGi2n7sWE-iRs287YRiJkzdbw"}
I, [2016-02-20T06:21:20.438905 #2101] INFO -- : Rendered text template (0.0ms)
I, [2016-02-20T06:21:20.439240 #2101] INFO -- : Completed 200 OK in 3ms (Views: 0.8ms | ActiveRecord: 0.0ms)

NB I've edited the UPDATE of the response onto the table

In case it's relevant, this is my app's .conf file under nginx:-

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        passenger_enabled on;
        root /home/rails/git/public;
        passenger_app_env staging;
        index index.html index.htm index.nginx-debian.html;
        server_name nkts.softapps-test1.uk;
        client_max_body_size 100m;
        client_body_timeout 300s;
    }

Would appreciate any help to work out why this isn't working.

Many thanks, Martin

@lgromanowski
Owner

Hi,
could you please try to uncomment # challenge_dir_name: 'challenge' in your config file and check if it helps?

@richardriman

I have exactly the same problem (with and also without the challenge_dir_name directive). When I use the database, a record with some token is created in the table, and nginx responds on the /.well-known URL with 200 OK and 31 bytes, but no success.

@I-Am-Abacus
Author

Sorry for taking a while to get back re this.

I went through a process of repeating the error before attempting the fix.

Unfortunately, the run of "rake letsencrypt_plugin" actually worked, so the problem seems to have fixed itself without me doing anything.

However, please note that I had originally hoped to use this plugin without having to create the table, so had started out with this line not commented out (and the folder also in place):-

challenge_dir_name: 'challenge'

Anyway, thanks for your help with this.

@mathieujobin
Contributor

What we need to do, depending on whether we want to use the challenge folder or the DB, is a bit unclear...
Must the folder NOT exist to be able to use the tables? Or does it just check for the tables to exist?
I did both; I am not sure this is the reason I am getting this error.

[mathieu@hz550 ]$  heroku run rake letsencrypt_plugin
Running rake letsencrypt_plugin on APPNAME... up, run.6790
I, [2016-05-03T21:05:51.293273 #3]  INFO -- : Trying to register at Let's Encrypt service...
I, [2016-05-03T21:05:51.293390 #3]  INFO -- : Loading private key...
I, [2016-05-03T21:05:51.629138 #3]  INFO -- : Already registered.
I, [2016-05-03T21:05:51.629468 #3]  INFO -- : Sending authorization request for: DOMAIN...
I, [2016-05-03T21:05:51.992051 #3]  INFO -- : Storing challenge information...
I, [2016-05-03T21:05:54.205137 #3]  INFO -- : Waiting for challenge status...
E, [2016-05-03T21:05:55.679980 #3] ERROR -- : Challenge verification failed! Error: urn:acme:error:unauthorized: The key authorization file from the server did not match this challenge [g0kxWJqg4BJQS8PA...snip....UwwxwhjHvgIZh2DCztaKf3m8] != [3NltvCaMQz5cmfC...snip...wxwhjHvgIZh2DCztaKf3m8]
[mathieu@hz550 ]$ 

@lgromanowski
Owner

Hi,
the check is in store_challenge function:

def store_challenge(challenge)
    if @options[:challenge_dir_name].nil? || @options[:challenge_dir_name].empty?
      DatabaseStore.new(challenge.file_content).store
    else
      FileStore.new(challenge.file_content, @options[:challenge_dir_name]).store
    end
    sleep(2)
end

If the challenge_dir_name configuration variable is empty or doesn't exist, then the DB is used; otherwise the challenge is stored in a file.
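
Both errors reported in this thread ("Invalid key authorization: 1 parts" and "did not match this challenge") concern the body served at the challenge URL, which must be the token, a dot, and the account key's thumbprint. The Ruby check below is an added example, not code from letsencrypt_plugin or acme-client: `check_served_body`, the sample token and the sample bodies are hypothetical and constructed, and the thumbprint is computed per RFC 7638 for an RSA account key.

```ruby
require 'openssl'
require 'json'

# base64url without padding, the encoding ACME uses for tokens and digests.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# RFC 7638 thumbprint of an RSA account key: SHA-256 over the JWK's required
# members in lexicographic order with no whitespace.
def jwk_thumbprint(rsa_key)
  jwk = { 'e' => b64url(rsa_key.e.to_s(2)), 'kty' => 'RSA',
          'n' => b64url(rsa_key.n.to_s(2)) }
  b64url(OpenSSL::Digest::SHA256.digest(JSON.generate(jwk)))
end

# What the challenge URL has to return for this token and account key.
def expected_key_authorization(token, rsa_key)
  "#{token}.#{jwk_thumbprint(rsa_key)}"
end

# Hypothetical helper: classify the body served at
# /.well-known/acme-challenge/<token>. Surrounding whitespace is ignored
# here, which is an assumption of this example.
def check_served_body(body, token, rsa_key)
  parts = body.strip.split('.', -1)
  return [:malformed, "#{parts.length} parts"] unless parts.length == 2
  return [:stale_token, 'token is not the one just issued'] unless parts[0] == token
  unless parts[1] == jwk_thumbprint(rsa_key)
    return [:wrong_key, 'thumbprint belongs to another account key']
  end
  [:ok, 'matches the expected key authorization']
end

if __FILE__ == $PROGRAM_NAME
  key   = OpenSSL::PKey::RSA.new(2048)   # constructed account key
  token = 'constructed-token-NEW'        # constructed, not a token from this issue
  old   = expected_key_authorization('constructed-token-OLD', key)
  samples = { 'abcde' => '5-byte body', old => 'earlier challenge',
              expected_key_authorization(token, key) => 'current challenge' }
  samples.each do |body, label|
    puts "#{label}: #{check_served_body(body, token, key).inspect}"
  end
end
```

Fetching the challenge URL and passing the response body to `check_served_body` shows whether the app is serving a malformed value, an earlier challenge, or the value for the current one.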

@mkyed

mkyed commented Aug 26, 2016

Removing challenge_dir_name from the config file did it for me. Thanx
