Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

Hello
I know there are many threads on this subject on the forum. Believe me I have read them all and I can’t find the solution.

I think the DNS is set up correctly and my domain is pointed to my IP.

This is my DNS configuration

$TTL 14400
@    IN    SOA    ns1.mydomain.com.    root.mydomain.com. (
                                        2021021614
                                        7200
                                        3600
                                        1209600
                                        180 )

@       14400   IN      NS              ns1.mydomain.com.
@       14400   IN      NS              ns2.mydomain.com.
@       14400   IN      A               111.99.111.99
ns1     14400   IN      A               111.99.111.99
ns2     14400   IN      A               111.99.111.99
www     14400   IN      A               111.99.111.99
ftp     14400   IN      A               111.99.111.99
mail    14400   IN      A               111.99.111.99
smtp    14400   IN      A               111.99.111.99
pop     14400   IN      A               111.99.111.99
imap    14400   IN      A               111.99.111.99
webmail 14400   IN      A               111.99.111.99
@       14400   IN      MX      0       mail.mydomain.com.
@       14400   IN      TXT             "v=spf1 a mx ip4:111.99.111.99 -all"
_dmarc  14400   IN      TXT             "v=DMARC1; p=quarantine; pct=100"
_domainkey      14400   IN      TXT             "t=y; o=~;"
mail._domainkey 14400   IN      TXT             "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYOs/9WNhIm9Sj3aMQo7K9j1RNkkM9Otw3xJMh4j7mol+7u0ndShgDkOOOedojjEYWvjFDe7kDf/m70IAkrL0D>
_acme-challenge 14400   IN      TXT             "MNpNuMUQG_rdwaISqMEbX68BduUpD8Z1j2Wd_iM7yBE"
@       14400   IN      CAA             0 issue "letsencrypt.org"

I use Hestia v1.3.3 and Ubuntu 20.04.

DNS is propagated according to dnschecker.org.

Any ideas that can help me?

Thanks!!!

Can you check the logs? At what step does it fail?

Maybe you have another web alias on the domain, besides the default www ?
If you have another alias (e.g. super.mydomain.com) then you need to have an A record “super” to point to the server’s IP (like the www one). If you have more aliases, then you need an A record for each one of them.

No, only default www

What does the log file say? (as @Dennis already asked)
I see in this post that you can find the log file at var/log/hestia/LE-user-domain-timestamp

This is the log

=============================
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: closego
domain: domain.com


- aliases: www.domain.com
- proto: http-01
- wildcard:


==[Step 1]==
- status: 200
- nonce: 0103oTm83bMzKrpRC7w5oNYvMnFOkWBZfjPQPrdhYitICJU
- answer: HTTP/2 200
server: nginx
date: Wed, 17 Feb 2021 19:22:29 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0103oTm83bMzKrpRC7w5oNYvMnFOkWBZfjPQPrdhYitICJU
x-frame-options: DENY
strict-transport-security: max-age=604800

==[API call]==
exit status: 0


==[Step 2]==
- status: 201
- nonce: 0103E2RQox51sKbRa6t8UUNoZUvdqBQePIUzIEhys2J0XGg
- authz: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10949437898
https://acme-v02.api.letsencrypt.org/acme/authz-v3/10950170444
- finalize: https://acme-v02.api.letsencrypt.org/acme/finalize/101825866/7968129214
- payload: {"identifiers":[{"type":"dns","value":"domain.com"},{"type":"dns","value":"www.domain.com"}]}
- answer: HTTP/2 201
server: nginx
date: Wed, 17 Feb 2021 19:22:29 GMT
content-type: application/json
content-length: 470
boulder-requester: 101825866
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/101825866/7968129214
replay-nonce: 0103E2RQox51sKbRa6t8UUNoZUvdqBQePIUzIEhys2J0XGg
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "status": "pending",
  "expires": "2021-02-24T19:22:29Z",
  "identifiers": [
{
  "type": "dns",
  "value": "domain.com"
},
{
  "type": "dns",
  "value": "www.domain.com"
}
  ],
  "authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/10949437898",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/10950170444"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/101825866/7968129214"
}

==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: 0104ONd_bdY-oUE9HhdQeKGpCObWUluL5HfYr7Z0lUtVJOY
- url:
- token:
- answer: HTTP/2 200
server: nginx
date: Wed, 17 Feb 2021 19:22:30 GMT
content-type: application/json
content-length: 453
boulder-requester: 101825866
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0104ONd_bdY-oUE9HhdQeKGpCObWUluL5HfYr7Z0lUtVJOY
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
"type": "dns",
"value": "domain.com"
  },
  "status": "valid",
  "expires": "2021-03-19T18:44:25Z",
  "challenges": [
{
  "type": "dns-01",
  "status": "valid",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10949437898/J1YXCg",
  "token": "OSBaqQTIOdDp830aSir5wFrW4ln-oa3Pzn7URXsFXkE",
  "validationRecord": [
    {
      "hostname": "domain.com"
    }
  ]
}
  ]
}
==[API call]==
exit status: 0


==[Step 3]==
- status: 200
- nonce: 0103E7i5uvyrenMwnwLKWTFHWm1IzQzR9MFOIxEQIReuUuU
- url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/Kv1keQ
- token: R-mEDsgGsG3j2m5K66JJnxhiijf8ZGLHhXEauEFN7Tw
- answer: HTTP/2 200
server: nginx
date: Wed, 17 Feb 2021 19:22:31 GMT
content-type: application/json
content-length: 796
boulder-requester: 101825866
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0103E7i5uvyrenMwnwLKWTFHWm1IzQzR9MFOIxEQIReuUuU
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "identifier": {
"type": "dns",
"value": "www.domain.com"
  },
  "status": "pending",
  "expires": "2021-02-24T19:22:29Z",
  "challenges": [
{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/Kv1keQ",
  "token": "R-mEDsgGsG3j2m5K66JJnxhiijf8ZGLHhXEauEFN7Tw"
},
{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/E62sTg",
  "token": "R-mEDsgGsG3j2m5K66JJnxhiijf8ZGLHhXEauEFN7Tw"
},
{
  "type": "tls-alpn-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/jhsQ8g",
  "token": "R-mEDsgGsG3j2m5K66JJnxhiijf8ZGLHhXEauEFN7Tw"
}
  ]
}
==[API call]==
exit status: 0


==[Step 5]==
- status: 200
- nonce: 01046zRKuvyxXQA8p0vaqZN3_gJFUeBxYMhxTSkGtN3VEw4
- validation: pending
- details:
- answer: HTTP/2 200
server: nginx
date: Wed, 17 Feb 2021 19:22:37 GMT
content-type: application/json
content-length: 186
boulder-requester: 101825866
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://acme-v02.api.letsencrypt.org/acme/authz-v3/10950170444>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/Kv1keQ
replay-nonce: 01046zRKuvyxXQA8p0vaqZN3_gJFUeBxYMhxTSkGtN3VEw4
x-frame-options: DENY
strict-transport-security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/Kv1keQ",
  "token": "R-mEDsgGsG3j2m5K66JJnxhiijf8ZGLHhXEauEFN7Tw"
}


==[API call]==
exit status: 0
==[Step 5]==
- status: 400
- nonce: 01032wL1oykZZP4au6SKYA5uAZZzA2p1lXp5iManm5mT2q8
- validation:
- details: Unable to update challenge :: authorization must be pending
- answer: HTTP/2 400
server: nginx
date: Wed, 17 Feb 2021 19:22:41 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 101825866
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 01032wL1oykZZP4au6SKYA5uAZZzA2p1lXp5iManm5mT2q8

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}


==[Abort Step 5]==
=> Wrong status
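The log above shows the failure pattern: the apex authorization (Step 3, first call) is already "valid" from an earlier dns-01 run, so the script's url and token come back empty and the later POST in Step 5 gets 400 "authorization must be pending". The following is an added illustration, not code from the thread or from Hestia's LE script, of how a client should triage each authorization of an order; the authorization objects are constructed from the two Step 3 responses and trimmed to the fields that matter.

```python
import json
import re

# Authorization objects constructed from the two "Step 3" responses in the log
# above (trimmed). The apex domain is already "valid"; www is still "pending".
AUTHZ_APEX = json.loads("""{
  "identifier": {"type": "dns", "value": "domain.com"},
  "status": "valid",
  "challenges": [{"type": "dns-01", "status": "valid",
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10949437898/J1YXCg",
    "token": "OSBaqQTIOdDp830aSir5wFrW4ln-oa3Pzn7URXsFXkE"}]
}""")
AUTHZ_WWW = json.loads("""{
  "identifier": {"type": "dns", "value": "www.domain.com"},
  "status": "pending",
  "challenges": [{"type": "http-01", "status": "pending",
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10950170444/Kv1keQ",
    "token": "R-mEDsgGsG3j2m5K66JJnxhiijf8ZGLHhXEauEFN7Tw"}]
}""")

# RFC 8555 section 8.3: a token is base64url without padding (at least 128
# bits). Anything else is rejected before it is used as a file name under
# .well-known/acme-challenge.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

def plan_challenge(authz, preferred="http-01"):
    """Return the action a client should take for one authorization.

    ("skip", name)     already valid: posting to its challenge URL is what
                       yields 400 "authorization must be pending"
    ("respond", info)  answer the pending challenge described by info
    ("fail", reason)   terminal state, or no usable challenge offered
    """
    name = authz["identifier"]["value"]
    status = authz.get("status")
    if status == "valid":
        return ("skip", name)
    if status != "pending":
        return ("fail", f"{name}: authorization is {status}")
    for ch in authz.get("challenges", []):
        if ch.get("type") != preferred or ch.get("status") != "pending":
            continue
        token = ch.get("token", "")
        if not TOKEN_RE.fullmatch(token):
            return ("fail", f"{name}: malformed token {token!r}")
        return ("respond", {"name": name, "url": ch["url"], "token": token,
                            "path": f"/.well-known/acme-challenge/{token}"})
    return ("fail", f"{name}: no pending {preferred} challenge offered")

def plan_order(authzs):
    """Plan every authorization of an order; only pending ones get a POST."""
    return [plan_challenge(a) for a in authzs]
```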

Try reloading nginx or use nginx -t

If you are using a custom template, make sure .well-known is not blocked.

nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I have restarted nginx, but the problem persists.

Error: Let's Encrypt validation status 400. Details: Unable to update challenge :: authorization must be pending

I use the Laravel default template.

Thanks

Check the DNS entries for your domain to see if it has an IPv6 address assigned.

Above you can see the DNS entries, and no IPv6 is assigned.

It’s already solved!!! I changed the alias of www.domain.com to *.domain.com and the certificate has been generated.


Well, that's interesting. Do you run Hestia with your own DNS servers?

Yes!!

Do you have glue records set for your domain with your registrar?

Check the whois lookup for yourdomain.tld on who.is and find the nameserver section.