Invalid HTTP challenge token sent by Let's Encrypt validation server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: auth.panw.pro/

I ran this command: GET /.well-known/acme-challenge/AGh83OQynTZe8stC4g6wQ1c7l62FZUZyDO6v1BrZikQ HTTP/1.1

It produced this output: 200 with empty response

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme4j-client.version 2.11

Hi

We are seeing Let's Encrypt sending an invalid HTTP challenge token in the well-known URL. The token value is different from the value that was obtained and stored on the web server initially. Can someone help check why the requests are getting sent for invalid tokens? Also, we are seeing only 3 requests received instead of the total 5 from the Let's Encrypt validation server.
Certificate renewals are failing for our customer's domain since the HTTP challenge verification failed. Similar logs were seen for multiple domains.

Please see example logs below for the domain - auth.panw.pro

"GET /.well-known/acme-challenge/AGh83OQynTZe8stC4g6wQ1c7l62FZUZyDO6v1BrZikQ HTTP/1.1" 200 0 "http://auth.panw.pro/.well-known/acme-challenge/AGh83OQynTZe8stC4g6wQ1c7l62FZUZyDO6v1BrZikQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "23.178.112.212" "auth.panw.pro" 

[ logs from the acme server service ] -  HTTP challenge obtained for domain=auth.panw.pro with tokenName=ykkl9FO4kGJkk_IYSW-SkhlazvVcIhWymcKL4e6M5ZA tokenValue=ykkl9FO4kGJkk_IYSW-SkhlazvVcIhWymcKL4e6M5ZA.T2cVsZoui77RnHprB72meoOPHJUF_ED8RKGIJSZ7yuE 
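The access log above shows the web server answering 200 with a 0-byte body for a token it does not hold, which hides the mismatch instead of surfacing it. The following added example (not code from the poster or from acme4j) is a minimal HTTP-01 responder plus an access-log audit: the responder serves the key authorization only for tokens present in its store and returns 404 for anything else, and the audit flags log lines that request an unknown token or that were answered with an empty 200. The token store below is constructed from the tokenName/tokenValue pair in the post; `respond`, `audit_log_line` and the log regex are hypothetical names for this illustration.

```python
import re
from typing import Dict, Optional, Tuple

# HTTP-01 tokens (RFC 8555 section 8.3) use only base64url characters, no padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed store for this example: token -> key authorization (token.thumbprint),
# populated from the tokenName/tokenValue pair shown in the post's ACME service log.
KNOWN_CHALLENGES: Dict[str, str] = {
    "ykkl9FO4kGJkk_IYSW-SkhlazvVcIhWymcKL4e6M5ZA":
        "ykkl9FO4kGJkk_IYSW-SkhlazvVcIhWymcKL4e6M5ZA."
        "T2cVsZoui77RnHprB72meoOPHJUF_ED8RKGIJSZ7yuE",
}

# Access log line copied from the post (the request the CA actually sent).
SAMPLE_LOG_LINE = (
    '"GET /.well-known/acme-challenge/AGh83OQynTZe8stC4g6wQ1c7l62FZUZyDO6v1BrZikQ HTTP/1.1" '
    '200 0 "http://auth.panw.pro/.well-known/acme-challenge/'
    'AGh83OQynTZe8stC4g6wQ1c7l62FZUZyDO6v1BrZikQ" '
    '"Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)" '
    '"23.178.112.212" "auth.panw.pro"'
)


def respond(path: str, store: Dict[str, str]) -> Tuple[int, str]:
    """Answer one HTTP-01 request: (status, body).

    Unknown tokens get 404 rather than an empty 200, so a token the server never
    stored shows up as a hard failure in both the CA's error and the local log.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        # Rejects path traversal and anything that is not a well-formed token.
        return 400, ""
    key_auth = store.get(token)
    if key_auth is None:
        return 404, ""
    if not key_auth.startswith(token + "."):
        # Stored value does not belong to this token: stale or mixed-up entry.
        return 500, ""
    return 200, key_auth


# Matches the request/status/bytes part of the combined log format in the post.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def audit_log_line(line: str, store: Dict[str, str]) -> Optional[dict]:
    """Classify a challenge request from one access-log line; None if not a challenge."""
    m = LOG_RE.search(line)
    if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
        return None
    token = m.group("path")[len(CHALLENGE_PREFIX):]
    status, nbytes = int(m.group("status")), int(m.group("bytes"))
    return {
        "token": token,
        "known": token in store,               # False: CA asked for a token we never stored
        "status": status,
        "empty_200": status == 200 and nbytes == 0,  # 200 with no body hides the problem
    }


if __name__ == "__main__":
    print(audit_log_line(SAMPLE_LOG_LINE, KNOWN_CHALLENGES))
    print(respond(CHALLENGE_PREFIX + "ykkl9FO4kGJkk_IYSW-SkhlazvVcIhWymcKL4e6M5ZA", KNOWN_CHALLENGES))
```

Run against the post's own log line, the audit reports the requested token as unknown and the response as an empty 200. When every backend behind a load-balanced or multi-endpoint hostname runs the same responder against a shared token store, a request for a token that none of them stored points at a different ACME order or a token that was never written where the CA's request landed, rather than at the CA inventing tokens.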

Before getting into those log entries can you explain how the routing should work with two IP addresses for that domain?

Because normally the DNS used by a domain along with an HTTP challenge will have just the public IP for the target server. In this case the two IPs are for AWS Global Accelerator endpoints. Other services like GoDaddy Domain Forwarding use AWS for this and can cause problems.

auth.panw.pro. 0 IN A 3.33.189.110
auth.panw.pro. 0 IN A 15.197.181.212

See: Let's Debug
