Letsencrypt is for some reason unable to reach the challenge token URL


My domain is: wallbee.nhl.dk (for testing)
ACME Client: GetSSL
output: getssl: for some reason could not reach http://wallbee.nhl.dk/.well-known/acme-challenge/OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo - please check it manually
My web server is (include version): Apache


So I have set up Letsencrypt on a number of Linux servers now, and I have never had this issue before. I’m using the GetSSL ACME client.

As a test domain I’m using wallbee.nhl.dk - and the getssl client issues the challenge token and stores the token file just fine, however when it asks letsencrypt to confirm it, letsencrypt fails with getssl: for some reason could not reach http://wallbee.nhl.dk/.well-known/acme-challenge/OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo

The URL works just fine, I have tried from several computers in different locations and the DNS record has existed for 4-5 days now…

How can I debug further why the Letsencrypt service is unable to hit my challenge URL?



Hi @haggren

what’s the error message? Checking your domain (via https://check-your-website.server-daten.de/?q=wallbee.nhl.dk ) I don’t see a problem.

Your url works, a not-existing file (via /.well-known/acme-challenge) has a 404, no dnssec or CAA problems.

And the content of your validation file looks good - the token, the dot and a hash value with the correct length.

PS: Is there an order url? Something like


This is helpful to get the correct error message.


Hi Jurgen,

Thanks for your participation - I completely agree. I don’t see anything that should be wrong, I mean the URL it reports that it cannot visit works fine and the response is correct.

The only difference between this server and the 4 others I have running is that it is located in another public IP subnet AND that it has a Cisco ASA firewall in front, however the ports (http/80 + https/443) are opened and working.

What do you mean by order URL ? In my getssl conf I only have the following conf items:



Set an email address associated with your account - generally set at account level rather than domain.


The command needed to reload apache / nginx or whatever you use


The time period within which you want to allow renewal of a certificate

this prevents hitting some of the rate limits.


Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
will be checked for certificate expiry and also will be checked after
an update to confirm correct certificate is running (if CHECK_REMOTE is set to true)


Use the following 3 variables if you want to validate via DNS



If you are behind NAT or anything like that, then disabling getssl’s preflight check may help. Add to the config file above:



If you create a new order, the ACME server sends an order url. It’s possible to visit this url with a browser.

There the authorizations are listed. And - if the challenge fails - the exact reason why Letsencrypt can’t verify your domain name.

Certbot has a protocol where this order url is listed.

So if a client doesn’t show the exact reason, the order url helps.

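The two checks discussed in this thread, as an added example that is not part of the original thread or of getssl: validating that the challenge URL serves `<token>.<account-key-thumbprint>` (the token, the dot and a 43-character hash, as the reply above describes), and reading the challenge error out of an ACME authorization object like the one the order URL links to. The JWK, the token and the authorization object below are constructed sample data, not real keys or real CA output.

```python
import base64
import hashlib
import json
import re
from typing import Optional, Tuple

# Constructed sample account key (NOT a real RSA key). Only the JWK shape
# matters here: the thumbprint is SHA-256 over the canonical JSON of the
# required public members, sorted by member name (RFC 7638).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
SAMPLE_TOKEN = "OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo"  # from the thread


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def check_key_authorization(body: str, token: str, jwk: dict) -> Tuple[bool, str]:
    """Preflight check on what the challenge URL serves (what getssl does before
    asking the CA): body must be exactly '<token>.<thumbprint>'; a trailing
    newline is tolerated, anything else (HTML error page, redirect body) is not."""
    got = body.rstrip("\r\n")
    if "." not in got:
        return False, "no '.' separator between token and thumbprint"
    tok, thumb = got.split(".", 1)
    if tok != token:
        return False, "token part does not match the challenge token"
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", thumb):
        return False, "thumbprint part is not 43 base64url characters"
    if thumb != jwk_thumbprint(jwk):
        return False, "thumbprint does not match the account key"
    return True, "ok"


def authz_failure_reason(authz_json: str) -> Optional[str]:
    """Return the CA's error detail for a failed challenge in an ACME (RFC 8555)
    authorization object, or None when no challenge is marked invalid."""
    for ch in json.loads(authz_json).get("challenges", []):
        if ch.get("status") == "invalid" and "error" in ch:
            err = ch["error"]
            return f"{ch.get('type')}: {err.get('type')} - {err.get('detail')}"
    return None
```

Point `authz_failure_reason` at the JSON fetched from an authorization URL listed in the order, and `check_key_authorization` at the body fetched from the challenge URL; the second explains what the third party (the CA) would reject before you ask it.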

Thanks for the clarification


SKIP_HTTP_TOKEN_CHECK="true" did the trick. The script still takes a long time (a call to openssl needs to time out I guess) but eventually it gets through. I will investigate this setting further. Thanks for your help.
