Can't create cert only for this domain

My domain is: divorcesourceapp.com

I ran this command: I am calling a custom AWS lambda in order to generate the cert for this domain.

It produced this output: Updating cert for divorcesourceapp.com, received err Error: Forbidden: { "type": "urn:ietf:params:acme:error:orderNotReady", "detail": "Order's status (\"invalid\") is not acceptable for finalization", "status": 403 }, Error: Forbidden: { "type": "urn:ietf:params:acme:error:orderNotReady", "detail": "Order's status (\"invalid\") is not acceptable for finalization", "status": 403 } at agent.post.type.send.catch.err (/var/task/src/acme/v2/sendSignedRequestV2.js:17:15) at <anonymous> at process._tickDomainCallback (internal/process/next_tick.js:228:7)

I see it says “403 forbidden” but I have no idea why I would be getting that response for this domain when other domains work as expected.

This is the challenge response url: http://divorcesourceapp.com/.well-known/acme-challenge/NpCv-iA0H-B58t_oFQwUshyE1_v6AnaGIKnjJWnAb9w

This is the status url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/730987364/GQsQ8w

My web server is (include version): Apache (not sure of version)

The operating system my web server runs on is (include version): CentOS (not sure of version)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

This lambda has worked for many other domains, not sure why this one is failing. Thanks for any help.


Hi @agentfitz

your challenge is invalid, so you can’t send the finalize command.

So your client command is wrong. First check if the order is ready before sending a finalize command.


You can -- for now -- open that URL in a browser. It shows that the challenge is invalid, and has some details about what happened.

ACME clients should log that information and display it when validation fails.

Is the domain supposed to have an IPv6 address pointing to a LiteSpeed web server on a different ISP?
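A client-side version of what both replies describe (only finalize when the order is "ready"; when it is "invalid", collect and log each failed challenge's error object instead of retrying finalize), added here as an example in JavaScript. It is not the original poster's lambda code; the ACME URLs, identifier and error detail in it are constructed placeholders.

```javascript
// Added example, not the lambda from the post. Object shapes follow RFC 8555
// orders and authorizations; every URL, identifier and error detail is constructed.
// order: order object from the ACME server; authzByUrl: authorization URL ->
// already-fetched authorization object.
function nextStepForOrder(order, authzByUrl) {
  switch (order.status) {
    case 'ready': // only now will the server accept a POST to order.finalize
      return { action: 'finalize', url: order.finalize };
    case 'pending': // validation still running: poll the order URL again later
    case 'processing': // finalize accepted, certificate not issued yet
      return { action: 'wait', status: order.status };
    case 'valid':
      return { action: 'download', url: order.certificate };
    case 'invalid': {
      // Finalizing now returns 403 orderNotReady. Collect each failed
      // challenge's error object so the real cause is logged instead.
      const failures = [];
      for (const authzUrl of order.authorizations || []) {
        const authz = authzByUrl[authzUrl];
        if (!authz) continue;
        for (const ch of authz.challenges || []) {
          if (ch.status !== 'invalid') continue;
          failures.push({ identifier: authz.identifier.value, challenge: ch.type,
            challengeUrl: ch.url, error: ch.error || null }); // url: open it to see details
        }
      }
      return { action: 'abort', failures };
    }
    default:
      return { action: 'abort', failures: [], reason: 'unknown status ' + order.status };
  }
}
// Constructed sample mirroring the thread: the http-01 challenge failed, so the
// authorization, and with it the whole order, is "invalid".
const sampleOrder = {
  status: 'invalid',
  finalize: 'https://acme.example/finalize/1',
  authorizations: ['https://acme.example/authz/1'],
};
const sampleAuthzByUrl = {
  'https://acme.example/authz/1': {
    status: 'invalid',
    identifier: { type: 'dns', value: 'example.com' },
    challenges: [{
      type: 'http-01', status: 'invalid', url: 'https://acme.example/chall/1',
      error: { type: 'urn:ietf:params:acme:error:connection', detail: 'constructed' },
    }],
  },
};
```

Running `nextStepForOrder(sampleOrder, sampleAuthzByUrl)` returns an `abort` with the http-01 failure and its error object, which is what the lambda should have logged instead of the orderNotReady response.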
