Acme.sh Invalid status. Verification error 404

Hello, I assume I messed up when I migrated my server at the end of last year. I have tried to find the solution for my problem via Google, but the suggested fixes there (like moving everything into a single server statement in the config) only helped on 3/4 of my domains. The one where the issue still exists seems to have something else bad in it that I can't find.

When I try to renew my certificate via acme.sh, I get the following output in my console:

root@server:~# acme.sh --renew -d cloud.kruse-familie.eu
[Sat Feb 15 02:04:54 PM UTC 2025] The domain 'cloud.kruse-familie.eu' seems to already have an ECC cert, let's use it.
[Sat Feb 15 02:04:54 PM UTC 2025] Renewing: 'cloud.kruse-familie.eu'
[Sat Feb 15 02:04:54 PM UTC 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Feb 15 02:04:55 PM UTC 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Feb 15 02:04:55 PM UTC 2025] Single domain='cloud.kruse-familie.eu'
[Sat Feb 15 02:04:58 PM UTC 2025] Getting webroot for domain='cloud.kruse-familie.eu'
[Sat Feb 15 02:04:58 PM UTC 2025] Verifying: cloud.kruse-familie.eu
[Sat Feb 15 02:04:58 PM UTC 2025] Nginx mode for domain: cloud.kruse-familie.eu
[Sat Feb 15 02:04:58 PM UTC 2025] Found config file: /etc/nginx/sites-enabled/50-cloud.kruse-familie.eu
[Sat Feb 15 02:04:58 PM UTC 2025] Backing /etc/nginx/sites-enabled/50-cloud.kruse-familie.eu up to /root/.acme.sh/cloud.kruse-familie.eu_ecc/backup/cloud.kruse-familie.eu.nginx.conf
[Sat Feb 15 02:04:58 PM UTC 2025] Checking the nginx config before setting up.
[Sat Feb 15 02:04:58 PM UTC 2025] OK, setting up the nginx config file
[Sat Feb 15 02:04:59 PM UTC 2025] nginx config has been written, let's check it again.
[Sat Feb 15 02:04:59 PM UTC 2025] Reloading nginx
[Sat Feb 15 02:05:01 PM UTC 2025] Pending. The CA is processing your order, please wait. (1/30)
[Sat Feb 15 02:05:05 PM UTC 2025] cloud.kruse-familie.eu: Invalid status. Verification error details: 2a01:4f8:c012:bc21::1: Invalid response from https://cloud.kruse-familie.eu/.well-known/acme-challenge/Bsrj0fxxyoCun2rnf9Th6Zx2JQhYrjDm-xLmGq4l94w: 404
[Sat Feb 15 02:05:05 PM UTC 2025] Restoring from /root/.acme.sh/cloud.kruse-familie.eu_ecc/backup/cloud.kruse-familie.eu.nginx.conf to /etc/nginx/sites-enabled/50-cloud.kruse-familie.eu
[Sat Feb 15 02:05:05 PM UTC 2025] Reloading nginx
2025/02/15 14:05:05 [warn] 1830116#1830116: duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/sites-enabled/50-cloud.kruse-familie.eu:90
2025/02/15 14:05:05 [notice] 1830116#1830116: signal process started
[Sat Feb 15 02:05:05 PM UTC 2025] Please add '--debug' or '--log' to see more information.
[Sat Feb 15 02:05:05 PM UTC 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

The previous server used Apache as a webserver while the new one uses nginx, and the applications are hosted inside Docker containers. And I guess I still have to learn a lot about nginx, as I'm not able to get this fixed even after multiple hours of trying...

This is the current site configuration for this domain:

upstream php-handler-cloud {
    server 127.0.0.1:7168;
}

map $arg_v $asset_immutable {
    "" "";
    default ", immutable";
}

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.kruse-familie.eu;

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    root /var/www/nextcloud;

    ssl_certificate /etc/acme.sh/cloud.kruse-familie.eu/fullchain.pem;
    ssl_certificate_key /etc/acme.sh/cloud.kruse-familie.eu/privkey.pem;

    add_header Strict-Transport-Security max-age=15768000;

    server_tokens off;

    client_max_body_size 4G;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xm>

    client_body_buffer_size 512M;

    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    fastcgi_hide_header X-Powered-By;

    include mime.types;
    types {
        text/javascript mjs;
        application/wasm wasm;
    }

    index index.php index.html /index.php$request_uri;

    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ^~ /.well-known {
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        return 301 /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    location ~ \.php(?:$|/) {
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /inde>

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler-cloud;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
        add_header Referrer-Policy                   "no-referrer"       always;
        add_header X-Content-Type-Options            "nosniff"           always;
        add_header X-Frame-Options                   "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies "none"              always;
        add_header X-Robots-Tag                      "noindex, nofollow" always;
        add_header X-XSS-Protection                  "1; mode=block"     always;
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.(otf|woff2?)$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

Any hint or help would be really appreciated, as this drives me insane... In the end it's probably just a single piece I have overlooked...


I am not an acme.sh expert and perhaps their github would be a better place for this particular problem.

But, it looks like you are using the nginx mode rather than webroot mode. This requires acme.sh to reload the nginx system that handles the incoming HTTP challenge from the Let's Encrypt server.

You mention containers. If acme.sh is not in the same container as your nginx it won't be able to reload it. At least not with the normal commands. With webroot mode acme.sh just writes the challenge token into a directory which matches your nginx root statement. Again, if containers are involved you'll need to be sharing the host and container volumes accordingly.

You used the renew command, so did you ever get this working? Because usually the renew acts on a profile which contains commands that worked before. But, if you re-architected your system, you should probably start with a fresh issue command.

I hope this at least helps frame the general issues.

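The reply above separates acme.sh's nginx mode (acme.sh edits the site config and reloads nginx) from webroot mode (acme.sh only writes a file under the directory nginx serves). The log in the first post also shows the CA fetching the challenge over https after being redirected from port 80, which is allowed; the problem is that the final response is a 404. Below is an added example, not code from the thread, from acme.sh or from Nextcloud, with two checks a practitioner would run before re-issuing. The first is a static check relying on two behaviours: nginx does not evaluate regex locations once the longest matching prefix location carries `^~`, and acme.sh's nginx mode inserts its challenge handler as a regex location. The second is a live probe for webroot mode; it needs the real server, so the offline test does not call it. The hostname, webroot and config path in the usage comments are taken from the post and assumed to be the right ones; the token name and messages are made up.

```shell
#!/bin/sh
# Added example for this thread, not code from acme.sh or from either poster.
# Two checks for an HTTP-01 "404" under nginx. All paths, hostnames and the
# sample configs used to exercise this are assumptions for illustration.

# Static check for acme.sh's nginx mode. That mode inserts a regular-expression
# block, `location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$"`, into
# the site config and reloads nginx. nginx stops evaluating regex locations once
# the longest matching prefix location carries the `^~` modifier, so any
# `location ^~ <prefix>` whose prefix covers /.well-known/acme-challenge/ hides
# the inserted block and the request ends up in whatever the prefix block does
# (in the posted config: `try_files $uri $uri/ =404`, hence the 404).
# Returns 0 when no such prefix block exists, 1 (plus a message on stderr) when one does.
check_nginx_mode_shadow() {
    conf="$1"
    rc=0
    # Pull the prefix argument out of every `location ^~ <prefix>` directive.
    for prefix in $(sed -nE 's/^[[:space:]]*location[[:space:]]+\^~[[:space:]]+([^[:space:]{]+).*/\1/p' "$conf"); do
        case "/.well-known/acme-challenge/token" in
            "$prefix"*)
                echo "SHADOWED: 'location ^~ $prefix' in $conf hides the acme.sh challenge location" >&2
                rc=1
                ;;
        esac
    done
    return $rc
}

# Live check for webroot mode (needs the running server, so the offline test
# does not call it). Drops a probe file where `acme.sh -w <webroot>` would write
# the token, then fetches it the way the CA does: plain HTTP on port 80 with
# redirects followed. A 301 to https is fine as long as the final body is the file.
live_challenge_check() {
    host="$1"
    webroot="$2"
    token="probe-$$"                      # assumed probe name, never a real token
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'ok' > "$dir/$token"
    body=$(curl -sL --max-time 10 "http://$host/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$body" = "ok" ]
}

# Usage (assumed host, config path and webroot from the post). The webroot must be
# the directory nginx actually serves for /.well-known/acme-challenge; if nginx
# runs in a container, that directory has to be a shared volume.
#   check_nginx_mode_shadow /etc/nginx/sites-enabled/50-cloud.kruse-familie.eu
#   live_challenge_check cloud.kruse-familie.eu /var/www/nextcloud \
#       && acme.sh --issue -d cloud.kruse-familie.eu -w /var/www/nextcloud
```

If the static check reports the `location ^~ /.well-known` block, either switch to webroot mode (`--issue -w <root>`, with `-w` pointing at the same directory the nested `acme-challenge` location serves via `try_files`) or give the challenge path its own `^~ /.well-known/acme-challenge` location with an explicit `root` that acme.sh can write to; in either case the live probe should return the body before acme.sh is run again.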
