Validation fail for one special domain

We have a special problem with the domain below; other domains are all working fine.

We tried both DNS and HTTP validation, and both failed. However, we manually checked the URL and the DNS text records, and both return correctly.

My domain is:

I ran this command:

The returned error message is: Unable to update challenge :: authorization must be pending



It would help to know what your ACME client is. Please fill in the questionnaire.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


My domain:

I use the source code version of: GitHub - fszlin/certes: A client implementation for the Automated Certificate Management Environment (ACME) protocol

I am running on my local machine now. I also tested it online on a server running Ubuntu 22.04.



So are you writing your own client using Certes? ACME has a very specific flow that you need to follow:

  • Begin your certificate order, specifying the domain identifiers to include.
  • Get the list of authorizations you could complete per identifier.
  • Choose which to complete for each identifier, and check they are not already valid.
  • Then complete the challenge and submit the challenge so Let's Encrypt can check your answers are correct.
  • Check each challenge status until it is either valid or invalid; this can take some time to complete.
  • If all challenges are now valid and the order is "valid", finalize the order, then you can download your certificate.

Note that if you have previously completed challenges then a new order may already have valid challenges that you don't need to submit again. This varies by CA.
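
The status checks in the flow above, as an added example that is not part of the original post and is not Certes code: it reads RFC 8555 authorization objects and picks the next step, so a challenge is only submitted while its authorization is still pending. The function names, the ca.example URLs and the sample objects are hypothetical and constructed for illustration.

```python
"""Added example (not Certes code): pick the next ACME client step per authorization."""

# Authorization states in RFC 8555 section 7.1.6 that can never become valid.
DEAD = {"invalid", "deactivated", "expired", "revoked"}


def next_step(authz_url, authz, challenge_type="http-01"):
    """Return (action, target_url, reason) for one authorization object."""
    name = authz["identifier"]["value"]
    status = authz["status"]
    if status == "valid":
        return ("skip", None, f"{name}: already valid, do not resubmit")
    if status in DEAD:
        return ("new-order", None, f"{name}: authorization is {status}")
    if status != "pending":
        return ("error", None, f"{name}: unknown status {status!r}")
    chall = next((c for c in authz.get("challenges", [])
                  if c["type"] == challenge_type), None)
    if chall is None:
        return ("error", None, f"{name}: no {challenge_type} challenge offered")
    if chall["status"] == "pending":
        return ("submit", chall["url"], f"{name}: publish response, then POST {{}}")
    # "processing": the CA is validating; poll the authorization, do not POST again.
    return ("poll", authz_url, f"{name}: challenge is {chall['status']}")


def plan(authorizations):
    """Map {authz_url: authz_object} to a list of next steps, one per identifier."""
    return [next_step(url, a) for url, a in authorizations.items()]


# Constructed sample data; hosts and URLs are placeholders.
SAMPLE = {
    "https://ca.example/authz/1": {
        "identifier": {"type": "dns", "value": "a.example.com"}, "status": "pending",
        "challenges": [{"type": "http-01", "status": "pending",
                        "url": "https://ca.example/chall/1"}]},
    "https://ca.example/authz/2": {
        "identifier": {"type": "dns", "value": "b.example.com"}, "status": "valid",
        "challenges": [{"type": "http-01", "status": "valid",
                        "url": "https://ca.example/chall/2"}]},
    "https://ca.example/authz/3": {
        "identifier": {"type": "dns", "value": "c.example.com"}, "status": "invalid",
        "challenges": [{"type": "http-01", "status": "invalid",
                        "url": "https://ca.example/chall/3"}]},
}

if __name__ == "__main__":
    for action, url, reason in plan(SAMPLE):
        print(action, url or "-", reason)
```

An authorization that has already gone invalid, as in the third sample, cannot be retried through its old challenge URL; the client has to create a new order to get a fresh pending authorization.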


Yes, I generated a few 1000s of certificates before; some were by mistake from hackers, whom I have stopped.

I have used Let's Encrypt for years. I have to modify the source code to add more issuers.

Right now, I have a strange issue with this domain, and I do not understand what is going on.

Are you able to check the log on your side for me? domain:

I don't have any special access to check things but I can see that dig reports a SERVFAIL (i.e. the DNS server could not respond properly):


; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64535
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for
;                  IN      A

DNSViz is reporting multiple problems.

It may be worth you checking with your domain DNS provider that everything is ok.


Now, I see the problem.

The domain has DNSSEC, while the resolver did not sign the record. I will fix that myself.

Thanks so much...


Fixed and tested OK on staging now. Thanks.

