Invalid status. Verification error details: Invalid response from

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webajm.com

I ran this command: .acme.sh/acme.sh --issue -d webajm.com -d www.webajm.com --server letsencrypt -w /home/webaixaj/webajm.com

It produced this output: webajm.com: Invalid status. Verification error details: 162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404

My web server is (include version): nginx

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

What was working is no longer working... I'm unable to renew my cert.. can anyone assist?

From the logs, not sure if it's requested...

[Fri Jul 18 11:02:01 EDT 2025] original='{
"identifier": {
"type": "dns",
"value": "webajm.com"
},
"status": "invalid",
"expires": "2025-07-25T15:01:56Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2122556295/555056424611/DfOV-w",
"status": "invalid",
"validated": "2025-07-18T15:01:58Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404",
"status": 403
},
"token": "dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M",
"validationRecord": [
{
"url": "http://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M",
"hostname": "webajm.com",
"port": "80",
"addressesResolved": [
"162.213.255.37"
],
"addressUsed": "162.213.255.37"
},
{
"url": "https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M",
"hostname": "webajm.com",
"port": "443",
"addressesResolved": [
"162.213.255.37"
],
"addressUsed": "162.213.255.37"
}
]
}
]
}'
[Fri Jul 18 11:02:01 EDT 2025] response='{"identifier":{"type":"dns","value":"webajm.com"},"status":"invalid","expires":"2025-07-25T15:01:56Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/2122556295/555056424611/DfOV-w","status":"invalid","validated":"2025-07-18T15:01:58Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404","status": 403},"token":"dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","validationRecord":[{"url":"http://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","hostname":"webajm.com","port":"80","addressesResolved":["162.213.255.37"],"addressUsed":"162.213.255.37"},{"url":"https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","hostname":"webajm.com","port":"443","addressesResolved":["162.213.255.37"],"addressUsed":"162.213.255.37"}]}]}'
[Fri Jul 18 11:02:01 EDT 2025] original='{"identifier":{"type":"dns","value":"webajm.com"},"status":"invalid","expires":"2025-07-25T15:01:56Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/2122556295/555056424611/DfOV-w","status":"invalid","validated":"2025-07-18T15:01:58Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404","status": 403},"token":"dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","validationRecord":[{"url":"http://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","hostname":"webajm.com","port":"80","addressesResolved":["162.213.255.37"],"addressUsed":"162.213.255.37"},{"url":"https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","hostname":"webajm.com","port":"443","addressesResolved":["162.213.255.37"],"addressUsed":"162.213.255.37"}]}]}'
[Fri Jul 18 11:02:01 EDT 2025] response='{"identifier":{"type":"dns","value":"webajm.com"},"status":"invalid","expires":"2025-07-25T15:01:56Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/2122556295/555056424611/DfOV-w","status":"invalid","validated":"2025-07-18T15:01:58Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404","status": 403},"token":"dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","validationRecord":[{"url":"http://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","hostname":"webajm.com","port":"80","addressesResolved":["162.213.255.37"],"addressUsed":"162.213.255.37"},{"url":"https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M","hostname":"webajm.com","port":"443","addressesResolved":["162.213.255.37"],"addressUsed":"162.213.255.37"}]}]}'
[Fri Jul 18 11:02:01 EDT 2025] status='invalid
invalid'
[Fri Jul 18 11:02:01 EDT 2025] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404","status": 403'
[Fri Jul 18 11:02:01 EDT 2025] errordetail='162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404'
[Fri Jul 18 11:02:01 EDT 2025] webajm.com: Invalid status. Verification error details: 162.213.255.37: Invalid response from https://webajm.com/.well-known/acme-challenge/dZrbVHH-BlCLzvWSyNZYqU1_UBXKTx9OnK447Zj89-M: 404
[Fri Jul 18 11:02:02 EDT 2025] pid
[Fri Jul 18 11:02:02 EDT 2025] No need to restore nginx config, skipping.
[Fri Jul 18 11:02:02 EDT 2025] _clearupdns
[Fri Jul 18 11:02:02 EDT 2025] dns_entries
[Fri Jul 18 11:02:02 EDT 2025] Skipping dns.
[Fri Jul 18 11:02:02 EDT 2025] _on_issue_err
[Fri Jul 18 11:02:02 EDT 2025] Please check log file for more details: /home/webaixaj/.acme.sh/acme.sh.log
[Fri Jul 18 11:02:02 EDT 2025]

I see a WordPress setup running on a LiteSpeed server at that domain name.

Is that new? Because it isn't an nginx server

curl -i https://webajm.com/
HTTP/2 200
content-type: text/html; charset=UTF-8
link: <https://webajm.com/wp-json/>; rel="https://api.w.org/"
server: LiteSpeed
x-turbo-charged-by: LiteSpeed

Thanks for the quick reply..

Sorry, I made an incorrect assumption after gleaning something out of the log... LiteSpeed could be since this is hosted via NameCheap??

Something must have changed if that exact command worked before. The 404 in the error msg is an HTTP Not Found. For that command it usually means the -w directory is not the same as you have for the DocumentRoot folder in the VirtualHost for that domain in LiteSpeed

Your prior cert also had a mail subdomain. It is fine if you no longer want that but at least this much has changed since you did not request it this time.

Is that path I assume, set in the config file in the .acme.sh folder?

Le_Webroot='/home/webaixaj/webajm.com'

This error that keeps coming up seems like some sort of DNS resolution issue or setup issue where it's unable to find/match acme-challenge???:

Invalid response from https://www.webajm.com/.well-known/acme-challenge/

.. and I just verified the config points to the correct location...

/home/webaixaj/webajm.com/.well-known/pki-validation

The log just give enough specific info. for me to understand the reason... here's an update from the log.

[Fri Jul 18 14:36:22 EDT 2025] Http already initialized.
[Fri Jul 18 14:36:22 EDT 2025] _CURL='curl --silent --dump-header /home/webaixaj/.acme.sh/http.header -L -g '
[Fri Jul 18 14:36:22 EDT 2025] _ret='0'
[Fri Jul 18 14:36:22 EDT 2025] responseHeaders='HTTP/2 200
server: nginx
date: Fri, 18 Jul 2025 18:36:22 GMT
content-type: application/json
content-length: 1039
boulder-requester: 2122556295
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
replay-nonce: ru1tQmT3EaRpU1QnynowPW8SqFcbWYphtVBMNmKQbG1ukksoUQI
x-frame-options: DENY
strict-transport-security: max-age=604800

'
[Fri Jul 18 14:36:22 EDT 2025] code='200'
[Fri Jul 18 14:36:22 EDT 2025] original='{

The pki-validation directory is not part of the Let's Encrypt URL so not sure what that proves.

You said you had this working before. Did you always use acme.sh before?

Do you know how to configure that LiteSpeed server? Can you find its VirtualHost for these domain names? There should be a DocumentRoot setting there which must match what you specify in the acme.sh command -w option.

No, not DNS unless the DNS is not pointing to the public IP for your server.

Acme was working, correct.. and it does for some other sub domains ajmmame.webajm.com with a separate certificate.

Document root is /public_html for webajm.com and /ajmmame.webajm.com for ajmmame.webajm.com

and respectively from the config file

Le_Webroot='/home/webaixaj/webajm.com'
Le_Webroot='/home/webaixaj/ajmmame.webajm.com'

Slightly different error after changing the -w command:

[webaixaj@server145 ~]$ .acme.sh/acme.sh --issue -d webajm.com -d www.webajm.com -d mail.webajm.com -w /home/public_html/webajm.com --force
[Fri Jul 18 15:43:12 EDT 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 18 15:43:12 EDT 2025] Multi domain='DNS:webajm.com,DNS:www.webajm.com,DNS:mail.webajm.com'
[Fri Jul 18 15:43:15 EDT 2025] Getting webroot for domain='webajm.com'
[Fri Jul 18 15:43:15 EDT 2025] Getting webroot for domain='www.webajm.com'
[Fri Jul 18 15:43:15 EDT 2025] Getting webroot for domain='mail.webajm.com'
[Fri Jul 18 15:43:16 EDT 2025] Verifying: webajm.com
mkdir: cannot create directory ‘/home/public_html’: Permission denied
[Fri Jul 18 15:43:16 EDT 2025] webajm.com: Cannot write token to file: /home/public_html/webajm.com/.well-known/acme-challenge/qAfYbzSDqPV6mXKNQtEikhplpVTSTwJLji5TQumo8bM
[Fri Jul 18 15:43:16 EDT 2025] Please check log file for more details: /home/webaixaj/.acme.sh/acme.sh.log

So you must have changed either DocumentRoot or acme.sh command since your last good cert. Right? Because they need to match

You should not use --force except special cases. Often causes trouble. Does not force the system to ignore problems.

That looks just like what it is. A permissions problem in your config. You should review what you have for your working systems to see what is different about this one.

Thanks for the guidance.. I finally got it figured out, I believe.

The command was incorrect, I should have been using: -w /home/webaixaj/public_html as opposed to -w /home/public_html/webajm.com this resolved the problem and the permissions issue.

Many thanks!

Hoping you have a little more insight... specifically in regard to the cron job that is set up and why it is unable to install the certs when scheduled??

I have to manually add them with the following command: acme.sh --deploy --deploy-hook cpanel_uapi --domain webajcom

I'm assuming this is related to the lack of API usage allowed on NameCheap somehow???

I don't know. I don't use acme.sh very much. I thought it combines the --issue and --deploy using its renew command as part of the cronjob.

You might try asking on the github for acme.sh. Or wait for someone here who knows more about that. We don't see acme.sh w/cPanel deploy very much here.

One last follow-up on this topic if I may... I have a number of other subdomains, for instance webmail.webajm.com or webdisk.webajm.com; when one is added to the acme.sh command to get a certificate for it, it fails:
.acme.sh/acme.sh --issue -d webajm.com -d www.webajm.com -d mail.webajm.com -d webmail.webajm.com -w /home/public_html/webajm.com

The error message is:
webmail.webajm.com: Cannot write token to file: /home/public_html/webajm.com/.well-known/acme-challenge/MmO_bkAnRoGphzNfYsewtrawVC0wkh6DH5vKS2uvhcQ

[Mon Jul 21 08:27:54 EDT 2025] Verifying: webmail.webajm.com
mkdir: cannot create directory ‘/home/public_html’: Permission denied

Is this pointing me back to a document root issue?

Probably. If different domains have different DocumentRoots you do something like

acme.sh --issue -d example.com -d www.example.com -w /home/docroot1 -d mail.example.com -w /home/docroot2

Note each domain uses the -w directory that follows it

See: How to issue a cert · acmesh-official/acme.sh Wiki · GitHub

I thought this was the correct webroot directory for webajm. Why did you switch back to -w /home/public_html/webajm.com Note you might also need different -w directories as described above if your domains use different ones.

2 posts were split to a new topic: Production API service disruption
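
The two failures diagnosed in this thread (the 404 when -w does not match the served DocumentRoot, and the mkdir "Permission denied" when the -w path is not writable) can both be caught before running --issue. The following is an added example, not code from any poster here or from the acme.sh project; the function name preflight_webroot and the FETCH variable are made up for this sketch.

```shell
#!/bin/sh
# Added example: preflight for acme.sh webroot (-w) mode, run before --issue.
# preflight_webroot and FETCH are names made up for this sketch.
# FETCH is the command used to retrieve a URL; override it to test offline.
FETCH=${FETCH:-"curl -fsSL --max-time 10"}

# preflight_webroot BASE_URL WEBROOT
#   0 = probe file written under WEBROOT and served back by BASE_URL
#   1 = challenge directory cannot be created or written (the mkdir error)
#   2 = file written but not served (-w does not match the DocumentRoot: 404)
preflight_webroot() {
    base=$1
    webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    name="preflight-$$"
    body="probe-$$-$(date +%s)"

    if ! mkdir -p "$dir" 2>/dev/null; then
        echo "FAIL $webroot: cannot create $dir"
        return 1
    fi
    if ! { printf '%s' "$body" > "$dir/$name"; } 2>/dev/null; then
        echo "FAIL $webroot: cannot write into $dir"
        return 1
    fi

    # Fetch the probe the way the CA fetches the token: over HTTP, by name.
    got=$($FETCH "$base/.well-known/acme-challenge/$name" 2>/dev/null) || got=""
    rm -f "$dir/$name"

    if [ "$got" = "$body" ]; then
        echo "OK   $base is served from $webroot"
        return 0
    fi
    echo "FAIL $base does not serve files written to $webroot"
    return 2
}

# Stand-alone use, one domain/webroot pair per call, e.g.:
#   sh preflight.sh http://webajm.com /home/webaixaj/public_html
if [ "$#" -eq 2 ]; then
    preflight_webroot "$1" "$2"
fi
```

Run it once per -d/-w pair, since each domain is validated against the -w directory that follows it on the acme.sh command line.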

I inadvertently reverted back to the incorrect path...ugh! That error would be expected when using public_html...

I am seeing the following error though when adding webmail.webajm.com or any other of the A records.. so not sure what the problem is.

[webaixaj@server145 ~]$ .acme.sh/acme.sh --issue -d webmail.webajm.com -w /home/webaixaj/public_html
[Mon Jul 21 16:41:04 EDT 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Jul 21 16:41:04 EDT 2025] Single domain='webmail.webajm.com'
[Mon Jul 21 16:41:05 EDT 2025] Error creating new order. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:serverInternal",
"detail": "Error

Yes, there is an active outage incident. It should be shown at top of Forum. But is also here

