Unable to update challenge : authorization must be pending

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.alltog.fr

I ran this command: I run my node app and greenlock-express is trying to answer the challenge for a new certificate.

It produced this output:
url GET http://alltog.fr/.well-known/acme-challenge/Ddjik3cghpZerKtEIWP9yK5HfmMQs8qGT1cXGdDnErs
{"error":{"message":"domain 'alltog.fr' has no token 'Ddjik3cghpZerKtEIWP9yK5HfmMQs8qGT1cXGdDnErs'."}}

url GET

"type": "http-01",
"status": "invalid",
"error": {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Invalid response from http://www.alltog.fr/.well-known/acme-challenge/Ddjik3cghpZerKtEIWP9yK5HfmMQs8qGT1cXGdDnErs []: 404",
  "status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7397618413/g-bRGQ",
"token": "Ddjik3cghpZerKtEIWP9yK5HfmMQs8qGT1cXGdDnErs",
"validationRecord": [
  {
    "url": "http://alltog.fr/.well-known/acme-challenge/Ddjik3cghpZerKtEIWP9yK5HfmMQs8qGT1cXGdDnErs",
    "hostname": "alltog.fr",
    "port": "80",
    "addressesResolved": [
      ""
    ],
    "addressUsed": ""
  },
  {
    "url": "http://www.alltog.fr/.well-known/acme-challenge/Ddjik3cghpZerKtEIWP9yK5HfmMQs8qGT1cXGdDnErs",
    "hostname": "www.alltog.fr",
    "port": "80",
    "addressesResolved": [
      ""
    ],
    "addressUsed": ""
  }
]

My web server is (include version):

The operating system my web server runs on is (include version):
I am trying to migrate from my Raspberry Pi 2 to a Pi 4, which both run on Debian. Everything is working fine on the Pi 2.

My hosting provider, if applicable, is:
France - Orange

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I'm unfamiliar with this process.

But I do notice that it is trying to get certs for both names:

But they don't resolve to the same IP:

Name:    www.alltog.fr

Name:    alltog.fr

You need to point alltog.fr directly at your home IP address, using a DNS A record.

Same as you did for www.alltog.fr.

Currently, it is pointing at OVH's redirecting service. That's causing the validation process to fail for the non-www version of your domain.


Thanks for the fast reply.
You say DNS A record, not sure if you are talking about the OVH redirection or my Synology router.
My home setup is tricky since I added a Synology router to build a loopback, in addition to the Orange Live Box 3.
www.alltog.fr -> OVH -> (livebox only lan for router) -> (Synology router with wifi) -> (my rasp pi4)
My OVH and NAS configuration in pictures.


The "problem" starts here:
This may complicate modifying the above:

You fail to show the entry that performs the following:
www.alltog.fr A

But in order to get a cert with the alltog.fr name (via HTTP authentication), you will need a similar entry at OVH:
alltog.fr A

Which then can be combined into just one IP (and one CNAME to same IP):
alltog.fr A
www.alltog.fr to a domain (CNAME) alltog.fr

You don't have to change anything on the NAS
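
The check the replies describe (every name on the certificate must resolve to the server that answers the http-01 challenge), as an added example that is not part of the original thread or of greenlock-express. The function names, the `example.test` names and the addresses are constructed for illustration.

```javascript
// Added example: pre-flight check before requesting an http-01 certificate.
// Every name on the certificate must have A records that reach the machine
// answering /.well-known/acme-challenge/. Addresses below are constructed
// (RFC 5737 documentation ranges), not the real ones from this thread.

// Pure check: `answers` maps each name to the A records found for it.
function findMisdirectedNames(names, answers, expectedIp) {
  const problems = [];
  for (const name of names) {
    const ips = answers[name] || [];
    if (ips.length === 0) {
      problems.push({ name, reason: 'no A record', ips });
    } else if (!ips.every((ip) => ip === expectedIp)) {
      // The CA may use any returned address, so all of them must be ours.
      problems.push({ name, reason: 'points elsewhere', ips });
    }
  }
  return problems;
}

// Live variant (hypothetical helper): resolves the names with Node's
// resolver, then runs the same check. Not called here, so the block
// runs offline.
async function preflight(names, expectedIp) {
  const { resolve4 } = await import('node:dns/promises');
  const answers = {};
  for (const name of names) {
    // A lookup failure is treated as "no A record".
    answers[name] = await resolve4(name).catch(() => []);
  }
  return findMisdirectedNames(names, answers, expectedIp);
}

// Constructed sample mirroring the thread: www reaches the home server,
// the bare domain still points at a provider's redirect service.
const sampleAnswers = {
  'www.example.test': ['192.0.2.10'],
  'example.test': ['198.51.100.7'],
};
const sampleProblems = findMisdirectedNames(
  ['example.test', 'www.example.test'], sampleAnswers, '192.0.2.10');
console.log(sampleProblems);
```

A name that also publishes AAAA records needs the same comparison for its IPv6 addresses.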


Certificate issued. Awesome support, thank you so much.

