Working dehydrated suddenly stops renewing certificates

I cannot figure out the cause of the "Challenge is invalid!". This configuration has been working for years. I was alerted to the issue because users were getting expired certificate errors.

My domain is: http://www.skokienewspaperindex.com

I ran this command:

dehydrated -c

It produced this output:

INFO: Using main config file /usr/local/etc/dehydrated/config

Processing skokienewspaperindex.com with alternative names: www.skokienewspaperindex.com

My web server is (include version):
nginx version: nginx/1.10.1

The operating system my web server runs on is (include version):

FreeBSD 10.3-RELEASE-p7

I can login to a root shell on my machine (yes or no, or I don't know): Yes, ran commands as root

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

root@zeus:/usr/local/etc/dehydrated # dehydrated --version

INFO: Using main config file /usr/local/etc/dehydrated/config

Dehydrated by Lukas Schauer

Dehydrated version: 0.7.1
GIT-Revision: unknown

OS: FreeBSD 10.3-RELEASE-p7
Used software:
bash: 4.3.46(1)-release
curl: 7.50.1
awk, sed, mktemp, grep, diff: BSD base system versions
openssl: OpenSSL 1.0.1s-freebsd 1 Mar 2016
root@zeus:/usr/local/etc/dehydrated #

1 Like

I just checked various URLs to your server and you have the same symptoms as caused by a Palo Alto Networks firewall change. See here for the change needed in your firewall:

Let us know if you don't have a Palo Alto firewall but this is almost certainly the cause.

5 Likes

Exactly the right answer, Mike! Allowing acme-protocol solved the issue. Certificates have been renewed.

2 Likes
