Can't get cert for one domain only

I have a system which processes many domains. Most often they go through without problems. Sometimes they fail for reasonable reasons, e.g. DNS not pointed appropriately, etc.

Other times, I have no idea why a particular domain is failing. For example, with this domain:

www.divorcesourceapp.com

This is the response I receive:
[{"msg":"Updating cert for www.divorcesourceapp.com, received err Error: Forbidden: {\n \"type\": \"urn:ietf:params:acme:error:orderNotReady\",\n \"detail\": \"Order's status (\\\"invalid\\\") is not acceptable for finalization\",\n \"status\": 403\n}, Error: Forbidden: {\n \"type\": \"urn:ietf:params:acme:error:orderNotReady\",\n \"detail\": \"Order's status (\\\"invalid\\\") is not acceptable for finalization\",\n \"status\": 403\n}\n at agent.post.type.send.catch.err (/var/task/src/acme/v2/sendSignedRequestV2.js:17:15)\n at <anonymous>\n at process._tickDomainCallback (internal/process/next_tick.js:228:7)","err":true}]

When I hit the status url, this is the output:
{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Expired authorization", "status": 404 }

Not sure what it means by “expired authorization”.

Here is the challenge url: http://www.divorcesourceapp.com/.well-known/acme-challenge/DC1OqDIeTJfIXsFRrfNyRuOerDqt2tL67W9N-KKqNzk

Here is the status url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/891629786/R1pb7g

Any ideas?

Hi @agentfitz

That configuration is buggy - https://check-your-website.server-daten.de/?q=divorcesourceapp.com

There are IPv4 and IPv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| divorcesourceapp.com | A | 18.235.135.157 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-18-235-135-157.compute-1.amazonaws.com | yes | 2 | 0 |
| | AAAA | 2407:e700:2:11::cb Meridan Plains/Queensland/Australia (AU) - Net Virtue Pty Ltd | yes | | |
| www.divorcesourceapp.com | C | divorcesourceapp.com | yes | 1 | 0 |
| | A | 18.235.135.157 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-18-235-135-157.compute-1.amazonaws.com | yes | | |
| | AAAA | 2407:e700:2:11::cb Meridan Plains/Queensland/Australia (AU) - Net Virtue Pty Ltd | yes | | |

But there are a lot of different answers - IPv4 answers with a 301, IPv6 with a 200, etc.

Looks like your IPv6 doesn't work -> fix your IPv6.

Same with your certificates - IPv6 has the correct certificate, IPv4 has a wrong cert 117photography.com.

Looks like your vHost configuration is broken.

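The A/AAAA mismatch described in the answer above can be checked before requesting a certificate. This is an added example, not code from the thread or from Let's Encrypt: it fetches the HTTP-01 challenge path from every address a name resolves to and reports where the hosts disagree. The function names are hypothetical and `SAMPLE` is constructed data shaped like the report in the answer.

```python
import http.client
import socket
import sys
PATH = "/.well-known/acme-challenge/"

def addresses(host):
    """Every A and AAAA address the system resolver returns for host."""
    found = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this family
        found.update(info[4][0] for info in infos)
    return sorted(found)

def probe(host, ip, token, timeout=10):
    """GET the challenge URL from one address, keeping the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(512)
    except (OSError, http.client.HTTPException) as exc:
        return None, None, str(exc).encode()
    finally:
        conn.close()

def findings(token, results):
    """results maps ip -> (status, location, body); returns a list of problems."""
    problems = []
    for ip, (status, _location, body) in sorted(results.items()):
        if status is None:
            problems.append(f"{ip}: no HTTP response ({body.decode()})")
        elif status == 200 and not body.startswith(token.encode() + b"."):
            problems.append(f"{ip}: 200 but body is not a key authorization")
    statuses = ", ".join(f"{ip}={results[ip][0]}" for ip in sorted(results))
    if len({(s, loc) for s, loc, _ in results.values()}) > 1:
        problems.append("addresses disagree: " + statuses)
    return problems

# Constructed sample shaped like the answer's report (IPv4 301, IPv6 200).
SAMPLE = {
    "18.235.135.157": (301, "https://example.invalid/", b""),
    "2407:e700:2:11::cb": (200, None, b"<html>placeholder page</html>"),
}
if __name__ == "__main__" and len(sys.argv) == 3:
    live = {ip: probe(sys.argv[1], ip, sys.argv[2]) for ip in addresses(sys.argv[1])}
    print("\n".join(findings(sys.argv[2], live)) or "all addresses agree")
```

Run it as `python check.py <hostname> <token>` against a live name, or call `findings(token, SAMPLE)` to see the report for the constructed data.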

Very helpful response, thank you!
