I ran this command:
/usr/local/dehydrated/dehydrated --cron --keep-going --config /etc/dehydrated/config-rsa
It produced this output:
No output beyond “Responding to challenge”, challenge status URI says pending and this never changes, but I can curl the challenge token URI and receive the expected token value immediately from 10 different machines across the world with IPv4 and IPv6.
Unfortunately I don’t use dehydrated, and it doesn’t seem to have a debug option to give more information that I’d recognise / use to help find the cause of the issue.
The best bet may be the dehydrated github ( so you can resolve this with the script author).
The only other thing I can suggest is trying one of the other scripts that does give detailed debug info, which may help.
I’ve read the relevant part of the client source code; it just does an HTTP request to the status URI until it succeeds or fails. LE isn’t requesting the token from the web server. I don’t believe this is a client-side problem.
Possibly - I have no access to letsencrypt servers though to be able to see / debug - so I can only debug from the client side info From my perspective I’d want to see the complete requests for the domain. My guess is that a different method ( perhaps DNS ? ) is validated for your account already, hence the LE isn’t asking you to validate since you are already validated. As such it would be a client issue, as it should check if it’s already validated.
A way to check that would be to change your account key - since for a different account key, it would not be validated, and LE would check the validation. If that completes, than I suspect that’s the issue. Without the full responses from the ACME server in the request for the domain though, it’s impossible for me to say.
I don’t think that’s the problem either, because that mentions it will still allow updates to the authorization for clients to continue behaving normally and they turned it on in staging first, which my client works with.
The response states it is “valid” but for http-01 it’s “pending”. In a case like this, if the client only checks what the type “http-01” is, it will always remain as pending - because it has responded that it’s valid for your account, for that domain. the ACME server will never check the http token - because it doesn’t need to … and the client will wait forever ( if it doesn’t check the overall validity )
Did you at some point in thepast validate the domain to obtain a certificate by a different method ?
see Stuck at "Pending" when using DNS challenge for the same issue describe ( although there, it was stuck in pending for DNS) - and what the fix on the client side was ( in that case it was GetSSL, which is a client I wrote.