Acme.sh error: authorization must be pending

I get this error when renewing a wildcard certificate:
Unable to update challenge :: authorization must be pending

[Fri Jun 14 09:57:42 MSK 2019] psychiatr.ru:Challenge error: {
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}

I have been reading for a few days and cannot find a solution… :frowning:


@Yuri1 I replied to your message. Hope it helps. :slight_smile:


I don't understand that pending problem. So I don't have a solution.

DNS records Ok:
#>nslookup -q=txt _acme-challenge.psychiatr.ru. 8.8.8.8
_acme-challenge.psychiatr.ru text = "1djULRwmB7PwcIcwWs1JqbGW5kZEGangfiflpKgWIsA"
_acme-challenge.psychiatr.ru text = "n4Fn8PqGmlDnbXBRc2_osCamrPjkAlkMI3wG-JFbknM"

Let’s debug checking OK:
https://letsdebug.net/psychiatr.ru/43934 (http-01 Ok)
https://letsdebug.net/psychiatr.ru/43939 (dns-01 Ok)

But renew does not work:
# acme.sh --renew -d psychiatr.ru -d *.psychiatr.ru --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Fri Jun 14 09:57:40 MSK 2019] Renew: 'psychiatr.ru'
[Fri Jun 14 09:57:41 MSK 2019] Multi domain='DNS:psychiatr.ru,DNS:*.psychiatr.ru'
[Fri Jun 14 09:57:41 MSK 2019] Getting domain auth token for each domain
[Fri Jun 14 09:57:41 MSK 2019] Verifying: psychiatr.ru
[Fri Jun 14 09:57:42 MSK 2019] psychiatr.ru:Challenge error: {
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}
[Fri Jun 14 09:57:42 MSK 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Fri Jun 14 09:57:43 MSK 2019] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

acme.sh.log.txt (15.9 KB)

@Neilpang do you know what might lead acme.sh to run into the Unable to update challenge :: authorization must be pending error?

I notice that the log file is not making a post to newOrder.

Is it possible that acme.sh is re-using old, invalid authzs?

I received this certificate 6 months ago, and updated it manually 3 months ago, but now it has expired again and I can't get a new certificate for a few days :frowning:

acme.sh -v
https://github.com/Neilpang/acme.sh
v2.8.2

Perhaps try to create a new Letsencrypt account.

Or do you have a second machine? Then run it there (with something like certonly).

show me the domain conf

~/.acme.sh/domain/domain.conf

it seems that he is using dns manual mode.

show me the domain conf

Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/etc/nginx/acme.sh/psychiatr.ru/key.pem'
Le_ReloadCmd='__ACME_BASE64__START_c2VydmljZSBuZ2lueCBmb3JjZS1yZWxvYWQ=_ACME_BASE64__END'
Le_RealFullChainPath='/etc/nginx/acme.sh/psychiatr.ru/cert.pem'
Le_Domain='psychiatr.ru'
Le_Alt='*.psychiatr.ru'
Le_Webroot='dns'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_Keylength=''
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/32843959/553861181'
Le_Vlist='psychiatr.ru#Jr7iHNy2s9qJBgGpS6b7d3w7tnLOGAtf_NxEgIT2gLw.HG7BdQYFIW1jOSnH7pAv7QQQaac_Cr3L7prdQABp2Zc#https://acme-v02.api.letsencrypt.org/acme/challenge/2px-J7_g_qGtSv8pdqoGFSZNZypITh8IBYt58RDkEoE/17029271759#dns-01#dns,*.psychiatr.ru#rt72l2QajT4iziT0KDq2UFbT0_YtzaMvWB2S0Uoi2vQ.HG7BdQYFIW1jOSnH7pAv7QQQaac_Cr3L7prdQABp2Zc#https://acme-v02.api.letsencrypt.org/acme/challenge/MGQZyFr6DnexGNfnDI8VvDf_2b-ZrDoB_l1j6HQq320/17029271754#dns-01#dns,'

it seems that he is using dns manual mode.

Yes, you are right: --yes-I-know-dns-manual-mode-enough-go-ahead-please

Perhaps try to create a new Letsencrypt account.

You mean acme.sh --deactivate-account option?

These values there?

Looks like acme.sh saves these order-specific entries and continues the last order.

I would replace these values with ''.

After that, new TXT records were generated, so I need to change DNS again....

Then you have a new order, that's good. So the new order is pending.

Did you use an option to reuse the older order?

I just use --renew option as in acme.sh wiki:

acme.sh --renew -d psychiatr.ru -d *.psychiatr.ru --yes-I-know-dns-manual-mode-enough-go-ahead-please

Now I see:

[Fri Jun 14 12:20:24 MSK 2019] Renew: 'psychiatr.ru'
[Fri Jun 14 12:20:25 MSK 2019] Multi domain='DNS:psychiatr.ru,DNS:*.psychiatr.ru'
[Fri Jun 14 12:20:25 MSK 2019] Getting domain auth token for each domain
[Fri Jun 14 12:20:25 MSK 2019] Verifying: psychiatr.ru
[Fri Jun 14 12:20:28 MSK 2019] psychiatr.ru:Verify error:Incorrect TXT record
[Fri Jun 14 12:20:28 MSK 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Fri Jun 14 12:20:29 MSK 2019] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

...waiting for DNS renewal....

[Fri Jun 14 12:44:23 MSK 2019] Renew: 'psychiatr.ru'
[Fri Jun 14 12:44:24 MSK 2019] Multi domain='DNS:psychiatr.ru,DNS:*.psychiatr.ru'
[Fri Jun 14 12:44:24 MSK 2019] Getting domain auth token for each domain
[Fri Jun 14 12:44:24 MSK 2019] Verifying: psychiatr.ru
[Fri Jun 14 12:44:25 MSK 2019] psychiatr.ru:Challenge error: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}
[Fri Jun 14 12:44:25 MSK 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Fri Jun 14 12:44:26 MSK 2019] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

What am I doing wrong?!

Looks like if you have an incorrect TXT record, acme.sh doesn't remove the order. So the order is invalid, not pending.

Incorrect TXT record -> start new, clean up that domain.conf file.

PS: But it's speculative.
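The two suggestions above (blank the saved order entries in domain.conf, and make sure the TXT records are right before acme.sh submits the challenge, since a failed validation leaves the authorization invalid rather than pending) can be checked offline. The following script is an added example, not code from acme.sh or from anyone in this thread. It assumes the Le_Vlist layout visible in the conf posted above (`domain#keyauthorization#challenge_url#challenge_type#mode`, comma-separated) and uses the DNS-01 rule from RFC 8555 section 8.4: the TXT value is the unpadded base64url of SHA-256 over the key authorization. The domain.conf text, tokens, URLs and resolver answers are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed domain.conf excerpt, modelled on the layout shown in the thread.
# Tokens, thumbprint and URLs are made up; ORDER_ID_PLACEHOLDER is not a real order.
SAMPLE_DOMAIN_CONF = """\
Le_Domain='example.com'
Le_Alt='*.example.com'
Le_Webroot='dns'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/ORDER_ID_PLACEHOLDER/1'
Le_Vlist='example.com#tokenA.thumb#https://acme-v02.api.letsencrypt.org/acme/challenge/A/1#dns-01#dns,*.example.com#tokenB.thumb#https://acme-v02.api.letsencrypt.org/acme/challenge/B/2#dns-01#dns,'
"""


def read_conf(text):
    """Parse KEY='value' lines into a dict (the shell-style format acme.sh uses)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)='(.*)'$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_vlist(vlist):
    """Split Le_Vlist into per-domain entries.

    Assumed layout (taken from the conf posted in the thread):
    domain#keyauthorization#challenge_url#challenge_type#mode, comma-separated,
    with a trailing comma.
    """
    entries = []
    for item in vlist.split(","):
        if not item:
            continue
        parts = item.split("#")
        if len(parts) != 5:
            raise ValueError(f"unexpected Le_Vlist entry: {item!r}")
        domain, keyauth, url, ctype, mode = parts
        entries.append({"domain": domain, "keyauth": keyauth, "url": url,
                        "type": ctype, "mode": mode})
    return entries


def dns01_txt_value(keyauth):
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(key_authorization)), no padding."""
    digest = hashlib.sha256(keyauth.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_name(domain):
    """Record name for a DNS-01 challenge; the wildcard uses the base name's record,
    which is why a wildcard cert needs two TXT values under the same name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def check_txt_records(entries, observed):
    """Compare expected TXT values with resolver output.

    observed: {record_name: set of TXT strings} as a lookup would return it.
    Returns (domain, record_name, expected_value, present) per dns-01 entry.
    """
    results = []
    for e in entries:
        if e["type"] != "dns-01":
            continue
        name = txt_name(e["domain"])
        expected = dns01_txt_value(e["keyauth"])
        present = expected in observed.get(name, set())
        results.append((e["domain"], name, expected, present))
    return results


def ready_to_validate(results):
    """Only trigger the challenge when every expected value is published;
    a failed attempt moves the authorization from pending to invalid."""
    return all(present for *_, present in results)


def clear_stale_order(text):
    """Blank Le_OrderFinalize and Le_Vlist so acme.sh creates a fresh order
    instead of re-submitting challenges for an authorization that is no longer pending."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0]
        out.append(f"{key}=''" if key in ("Le_OrderFinalize", "Le_Vlist") else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = read_conf(SAMPLE_DOMAIN_CONF)
    entries = parse_vlist(conf["Le_Vlist"])
    # Constructed resolver answer: only the base-domain value has been published so far.
    observed = {"_acme-challenge.example.com": {dns01_txt_value("tokenA.thumb")}}
    results = check_txt_records(entries, observed)
    for domain, name, expected, present in results:
        print(f"{domain}: {name} TXT {expected} {'OK' if present else 'MISSING'}")
    if not ready_to_validate(results):
        print("not all TXT values are published; do not run the challenge yet")
```

Run the check after publishing the records (and waiting for propagation), and only then let acme.sh or certbot submit the challenge; if the stored order has already been burned, `clear_stale_order` gives a domain.conf that forces a new order, which is what the `''` suggestion above does by hand.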

Successfully renewed the certificate for the root domain with certbot command:

certbot --server https://acme-v02.api.letsencrypt.org/directory -d psychiatr.ru --manual --preferred-challenges dns-01 certonly

I think the problem is with acme.sh or LE with several domains: -d psychiatr.ru -d *.psychiatr.ru or something like this…


Then use

certbot --server https://acme-v02.api.letsencrypt.org/directory -d psychiatr.ru -d *.psychiatr.ru --manual --preferred-challenges dns-01 certonly

and create two TXT entries with the same name and different values to have a wildcard certificate.

Thank you. I will continue the experiments on Monday.

But why is acme.sh not working for me? For the last three days I tried 10+ times to delete and add new TXT records…


I have no idea. Looks like a bug or a non-working combination of some parameters.