Unable to update challenge :: authorization must be pending. Exiting

Dear sir, madam,

My domain is: sexpertise-online.nl

I ran this command: I did not run a command - I received an email message with a problem report after automatic renew attempt of the certificate, I presume (see below for the problem message)

It produced this output:
The complete error message is
“Subject: Error during automated certificate renewal for sexpertise-online.nl
Requesting new certificate order…
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/4819831468
Processing authorization for sexpertise-online.nl…
Waiting for domain verification…
Let’s Encrypt was unable to verify the challenge. Unable to update challenge :: authorization must be pending. Exiting…”

My web server is (include version): I cannot see the system info which should contain info about the web server (this info is hidden for me as reseller)

The operating system my web server runs on is (include version):
I don’t know - this info should be in the system info which I can’t see…

My hosting provider, if applicable, is: https://www.sity.nl/

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin - I can’t see a version number

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I’m not aware of something like a ‘client’

Thanks for your help!
wkr, Otto

Validation failed, but the ACME client tried to proceed anyway, and failed with the “authorization must be pending” error message instead of showing you why the authorization failed. If you click on the authz link, you can see the original error message:

"detail": "DNS problem: SERVFAIL looking up CAA for sexpertise-online.nl - the domain's nameservers may be malfunctioning",

I’m not sure why, but there seem to be issues with the domain’s DNS.

Unboundtest.com shows the same thing:


1 Like

Hi MNordhoff,
Thanks for your quick response!
I’ll take your info and ask the company that hosts my domains and DNS setup what can be wrong here.
Thanks again for your help!
wkr, Otto

Hi Matt,

I did add the CAA record and don’t get an error message any more referring to CAA, but now I got another error message when Let’s Encrypt tried to update the cert last night:

“Error: http://sexpertise-online.nl/.well-known/acme-challenge/letsencrypt_1591058240 is not reachable. Aborting the script.
dig output for sexpertise-online.nl:
Please make sure /.well-known alias is setup in WWW server.”

I asked my hosting provider for the setup of this on their server and they confirmed that the .well-known is available on their server, but added as remart that in the DNS record also an A record for sexpertise-online.nl should be there (so without the www), but this is already the case since the domain was setup years ago…, so it seems that the problem lies somewhere else…

Could you provide me with another hint how to solve the problem of Let’s Encrypt not being able to update the cert for sexpertise-online.nl?
Thanks for your help!
wkr, Otto

Hi @obw

now you have a different error - see your check, ~~2 hours old - https://check-your-website.server-daten.de/?q=sexpertise-online.nl

Host Type IP-Address is auth. ∑ Queries ∑ Timeout
sexpertise-online.nl Server failure yes 3 0
www.sexpertise-online.nl A Alkmaar/North Holland/Netherlands (NL) - Infra Blocks B.V. Hostname: web3.hostingcp.eu yes 1 0
AAAA yes

Your www has an ip address. Your non-www has a fatal Server failure.

So creating a certificate with the non-www can’t work because no ip address is found.

Ah - no TCP connections:

X Fatal error: Nameserver doesn’t support TCP connection: ns3.domeinnaamreseller.nl / ServerFailure
X Fatal error: Nameserver doesn’t support TCP connection: ns4.domeinnaamreseller.nl / ServerFailure
X Fatal error: Nameserver doesn’t support TCP connection: ns5.domeinnaamreseller.nl / ServerFailure

And same with CAA- and TXT-checks - a lot of Server failures.


will block creating Letsencrypt certificates.

That’s part of some kind of self-check built into your ACME client.

It would be good if it has logs showing more information, but I don’t know about that.

A post was split to a new topic: Creating certificate doesn’t work - different ip addresses