Challenge validation has failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
/usr/bin/dehydrated -c

It produced this output:

INFO: Using main config file /etc/dehydrated/config

INFO: Running /usr/bin/dehydrated as xxxxx/wheel

INFO: Using main config file /etc/dehydrated/config


  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 1 authorizations URLs from the CA
  • Handling authorization for
  • 1 pending challenge(s)
  • Deploying challenge tokens...
  • Responding to challenge for authorization...
  • Cleaning challenge tokens...
  • Challenge validation has failed :frowning:
    ERROR: Challenge is invalid! (returned: invalid) (result: {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:caa",
        "detail": "CAA record for prevents issuance",
        "status": 403
      },
      "url": "",
      "token": "CdBLgEwasFq2ETIVpmSB1jEy0fa9iMSZ35uRctpT8W0",
      "validationRecord": [
        {
          "url": "",
          "hostname": "",
          "port": "80",
          "addressesResolved": [
            ""
          ],
          "addressUsed": ""
        }
      ],
      "validated": "2022-02-26T19:26:25Z"
    })

My web server is (include version):
Apache 2.4.52

The operating system my web server runs on is (include version):
Linux Slackware 14.2 kernel 4.4.276
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

The output of dig -t txt:
              3600    IN      TXT     "kpn-domain verification=f8f5431b486c44e489f37d56e89e8277"

What could be the problem here?

You need to add a CAA record to override the CAA records for your parent domain (which are kind of a mess).

dig caa

; <<>> DiG 9.16.11 <<>> caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56523
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;                     IN      CAA

;; ANSWER SECTION:
              3600    IN      CAA     0 issuewild ""
              3600    IN      CAA     0 issuewild ""
              3600    IN      CAA     0 issue ""
              3600    IN      CAA     0 issue ""

;; Query time: 63 msec
;; WHEN: Sat Feb 26 20:50:11 CET 2022
;; MSG SIZE  rcvd: 171

Thanks for your quick answer.
Where should I do that, is my provider and I am on a subdomain.

Do you have any control over your DNS records?

Read here: Certificate Authority Authorization (CAA) - Let's Encrypt

Otherwise, ask them to modify their records like this:
              3600    IN      CAA     0 issue ""
              3600    IN      CAA     0 issue ""
              3600    IN      CAA     0 issue ""

(issue includes issuewild)
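As an added illustration (not code from this thread or from dehydrated), here is the CAA lookup a CA performs before issuing: it walks from the requested name up towards the root and the first CAA RRset it finds is the one that applies, which is why a record placed on the subdomain overrides the parent's, and why an issue record also covers wildcards when no issuewild record is present. The zone names are constructed placeholders, not the redacted domain from the post.

```python
"""Simulate the RFC 8659 CAA check a CA runs before issuing a certificate."""

# Constructed zone data (hypothetical names): the parent carries CAA records
# naming some other CA, the subdomain carries none until the fix is applied.
PARENT = "provider.example"
SUB = "mysite.provider.example"
ZONE_BEFORE = {
    PARENT: [("issue", "otherca.example"), ("issuewild", "otherca.example")],
}
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER[SUB] = [("issue", "letsencrypt.org")]   # the record the reply asks for


def find_relevant_caa(zone, name):
    """Climb from `name` to the root; the closest label holding a CAA RRset wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:                      # first non-empty RRset ends the search
            return candidate, rrset
    return None, []


def ca_may_issue(zone, name, ca, wildcard=False):
    """True if `ca` is authorised to issue for `name` (or `*.name` if wildcard)."""
    _, rrset = find_relevant_caa(zone, name)
    if not rrset:
        return True                    # no CAA anywhere in the tree: any CA may issue
    issue = [v for tag, v in rrset if tag == "issue"]
    issuewild = [v for tag, v in rrset if tag == "issuewild"]
    # issuewild only governs wildcard names; when it is absent, issue applies to them too
    applicable = issuewild if (wildcard and issuewild) else issue
    # the CA name precedes any ";parameter" part; a bare ";" authorises nobody
    return any(v.split(";")[0].strip() == ca for v in applicable)


def demo():
    """(blocked by parent, allowed after adding the subdomain record, wildcard too)."""
    return (
        ca_may_issue(ZONE_BEFORE, SUB, "letsencrypt.org"),
        ca_may_issue(ZONE_AFTER, SUB, "letsencrypt.org"),
        ca_may_issue(ZONE_AFTER, SUB, "letsencrypt.org", wildcard=True),
    )


if __name__ == "__main__":
    print("CAA set that applies before the fix:", find_relevant_caa(ZONE_BEFORE, SUB))
    print(demo())  # (False, True, True)
```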


No, I have no control over the DNS records.
I was trying to see if I could get it working.
But I am moving to another provider next month, so I will try it there, and I have some control over DNS.

You can use any other dynamic dns provider, like duckdns or afraid.


Thanks for the tip, I will look at that.

