At this point, I should access the server to check it. If you agree, I can send you a PM with the instructions to give me access (though I can’t check it right now, it would be in a few hours).
1 Like
==[Step 5]==
- status: 400
- url: https://acme-v02.api.letsencrypt.org/acme/chall/1826623107/649809422006/hBHDSQ
- nonce: 3aiLGgPYbiXa-1WAKHScYsjkXyP0unBt23b6sVy6FLNnWbnA4Do
- validation:
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
server: nginx
date: Wed, 28 Jan 2026 00:12:52 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 1826623107
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 3aiLGgPYbiXa-1WAKHScYsjkXyP0unBt23b6sVy6FLNnWbnA4Do
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}
==[Debug information Step 5]==
{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1826623107/649809422006/hBHDSQ",
  "status": "invalid",
  "validated": "2026-01-28T00:11:37Z",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "2606:4700:3035::6815:a9d: Invalid response from http://hugoasb.com/.well-known/acme-challenge/4hM8PAAgKIgMSj6dbHKhWGet-XG1vLXvnRF9H0zJptU: 404",
    "status": 403
  },
  "token": "4hM8PAAgKIgMSj6dbHKhWGet-XG1vLXvnRF9H0zJptU",
  "validationRecord": [
    {
      "url": "http://hugoasb.com/.well-known/acme-challenge/4hM8PAAgKIgMSj6dbHKhWGet-XG1vLXvnRF9H0zJptU",
      "hostname": "hugoasb.com",
      "port": "80",
      "addressesResolved": [
        "2606:4700:3035::6815:a9d",
        "2606:4700:3031::ac43:838b",
        "172.67.131.139",
        "104.21.10.157"
      ],
      "addressUsed": "2606:4700:3035::6815:a9d"
    }
  ]
}
For the record.
Apart from the Nginx issue that we had already solved, the problem that was preventing the certificate from being issued was that a modified proxy template was being used that included this section:
location ^~ /.well-known/acme-challenge/ {
    root %docroot%;
    default_type text/plain;
    try_files $uri =404;
}
That was preventing Nginx from returning the correct response to Let’s Encrypt. Once the domain template was changed to use the default one, the certificate could be issued successfully.
4 Likes
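An added example, not part of the original thread or of the control panel's own code: a Python check that scans an Nginx template for prefix `location` blocks that capture `/.well-known/acme-challenge/` requests, like the one quoted above. The surrounding server block in the sample and all function names are constructed for illustration.

```python
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# Matches "location [modifier] path {" and captures modifier and path.
LOCATION_RE = re.compile(r"\blocation\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{")

# Constructed sample: only the acme-challenge block comes from the thread.
SAMPLE_TEMPLATE = """
server {
    server_name example.test;
    location ^~ /.well-known/acme-challenge/ {
        root %docroot%;
        default_type text/plain;
        try_files $uri =404;
    }
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced braces: take the rest

def find_acme_overrides(template):
    """Report prefix locations that capture ACME http-01 requests.

    skips_regex_locations: nginx stops checking regex locations once a
    '^~' prefix matches. static_404: a token missing on disk yields 404.
    """
    text = re.sub(r"#.*", "", template)  # drop nginx comments
    findings = []
    for m in LOCATION_RE.finditer(text):
        modifier, path = m.group(1) or "", m.group(2)
        covers_acme = path.startswith("/.well-known") and ACME_PREFIX.startswith(path.rstrip("/"))
        if modifier in ("", "^~") and covers_acme:
            body = block_body(text, m.end() - 1)
            findings.append({
                "path": path,
                "modifier": modifier,
                "skips_regex_locations": modifier == "^~",
                "static_404": bool(re.search(r"try_files\s[^;]*=404", body)),
            })
    return findings

if __name__ == "__main__":
    print(find_acme_overrides(SAMPLE_TEMPLATE))
```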