Order's status ("invalid") is not acceptable for finalization


My domain is: homelandcreamery.com

I ran this command: I am calling a custom AWS lambda in order to generate the cert for this domain.

It produced this output:

Updating cert for homelandcreamery.com, received err Error: Bad Request: { "type": "urn:ietf:params:acme:error:malformed", "detail": "Order's status (\"invalid\") is not acceptable for finalization", "status": 400 }, Error: Bad Request: { "type": "urn:ietf:params:acme:error:malformed", "detail": "Order's status (\"invalid\") is not acceptable for finalization", "status": 400 } at agent.post.type.send.catch.err (/var/task/src/acme/v2/sendSignedRequestV2.js:17:15) at <anonymous> at process._tickDomainCallback (internal/process/next_tick.js:228:7)

My web server is (include version): Apache (not sure of version)

The operating system my web server runs on is (include version): CentOS (not sure of version)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

This lambda has worked for many other domains, not sure why this one is failing. Thanks for any help.


Hi @agentfitz

This is not the real problem.

Looks like this ACME client tries to send a finalization request (with the Certificate Signing Request), but the order is invalid because the challenge isn’t confirmed.

So the question: Why is the challenge failed?

Do you have an order url?


Thank you for responding. I am a bit unfamiliar with the terminology here, what is the “order”? I guess it is the specific domain for which a cert is being requested? When you say “do you have an order url,” I’m not quite sure what you mean. Can you guide me a bit more there?

As far as the question “Why is the challenge failed?” yes, that is what I am after. I would put a url in here to show that the challenge page (http verification) is indeed outputting the expected “challenge response” (I am confident that it is), but my system would incorrectly stamp the record in my db (thinking it was coming from Let’s Encrypt). Anyhow, I’m going to create a “read only” version of that challenge response page in the morning to demonstrate it is outputting the expected string if you think that would be helpful.

Thanks again


When you start creating a new certificate, you create a new order. This is something like (from the test system):


There are links to the authorizations; there is the reason why the challenge failed.
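
Added example (not part of the original thread and not the poster's Lambda code): a check an ACME client can run before sending the finalization request, which reads the order's status and, if it is not "ready", pulls the failure reason out of the linked authorizations. The function name, URLs and sample objects are constructed for illustration and follow the order/authorization layout of RFC 8555; a real client would fetch them from the order URL.

```javascript
// Constructed sample data shaped like RFC 8555 resources (not real responses).
const sampleOrder = {
  status: 'invalid',
  identifiers: [{ type: 'dns', value: 'example.com' }],
  authorizations: ['https://acme.example/authz/1'],
  finalize: 'https://acme.example/order/1/finalize',
};
const sampleAuthzs = {
  'https://acme.example/authz/1': {
    identifier: { type: 'dns', value: 'example.com' },
    status: 'invalid',
    challenges: [
      { type: 'dns-01', status: 'pending', url: 'https://acme.example/chall/2' },
      {
        type: 'http-01',
        status: 'invalid',
        url: 'https://acme.example/chall/1',
        error: {
          type: 'urn:ietf:params:acme:error:unauthorized',
          detail: 'constructed sample: response did not match the key authorization',
        },
      },
    ],
  },
};

// Hypothetical helper: decide whether an order may be finalized.
// Only status "ready" is acceptable; otherwise report each failed challenge.
function finalizeReadiness(order, authzByUrl) {
  if (order.status === 'ready') return { ok: true, status: 'ready', failures: [] };
  const failures = [];
  for (const url of order.authorizations || []) {
    const authz = authzByUrl[url];
    if (!authz) { failures.push({ authorization: url, error: 'not fetched' }); continue; }
    if (authz.status === 'valid') continue; // this identifier was validated
    for (const ch of authz.challenges || []) {
      if (ch.status !== 'invalid') continue; // skip challenges never attempted
      failures.push({
        domain: authz.identifier.value,
        challenge: ch.type,
        error: ch.error ? `${ch.error.type}: ${ch.error.detail}` : 'no error object',
      });
    }
  }
  return { ok: false, status: order.status, failures };
}
```

Logging the `failures` array instead of proceeding to finalize surfaces the validation error itself rather than the generic "not acceptable for finalization" response.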
