DNS-01 Challenge Fails with "Invalid" Status Using acme.sh for ZeroSSL
Steps to reproduce
Issue Description
I encountered an issue while trying to issue a certificate for my domain using acme.sh with the DNS-01 challenge via ZeroSSL. Despite following the required steps and ensuring the DNS records are correctly set, the verification fails with an "invalid" status.
Environment
- acme.sh version: v3.0.8
- Operating System: Ubuntu 20.04
- Shell: bash
Steps to Reproduce
- Run `acme.sh` with the `--issue --dns dns_ali -d example.com --debug 2` command.
- Wait for the process to complete.
Expected Result
The certificate is issued successfully without any errors.
Actual Result
The DNS-01 challenge fails, and the status is marked as "invalid". No specific error details are provided in the logs.
Debug Log
acme.sh --issue ..... --debug 2
=>> $ acme.sh --issue --dns dns_ali -d example.com --debug 2 [Mon Feb 19 11:32:31 PM CST 2024] Lets find script dir. [Mon Feb 19 11:32:31 PM CST 2024] SCRIPT='/root/.acme.sh/acme.sh' [Mon Feb 19 11:32:31 PM CST 2024] _script='/root/.acme.sh/acme.sh' [Mon Feb 19 11:32:31 PM CST 2024] _script_home='/root/.acme.sh' [Mon Feb 19 11:32:31 PM CST 2024] Using config home:/root/.acme.sh [Mon Feb 19 11:32:31 PM CST 2024] LE_WORKING_DIR='/root/.acme.sh' https://github.com/acmesh-official/acme.sh v3.0.8 [Mon Feb 19 11:32:31 PM CST 2024] Running cmd: issue [Mon Feb 19 11:32:31 PM CST 2024] _main_domain='example.com' [Mon Feb 19 11:32:31 PM CST 2024] _alt_domains='no' [Mon Feb 19 11:32:31 PM CST 2024] Using config home:/root/.acme.sh [Mon Feb 19 11:32:31 PM CST 2024] default_acme_server [Mon Feb 19 11:32:31 PM CST 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90' [Mon Feb 19 11:32:31 PM CST 2024] _ACME_SERVER_HOST='acme.zerossl.com' [Mon Feb 19 11:32:31 PM CST 2024] _ACME_SERVER_PATH='v2/DV90' [Mon Feb 19 11:32:31 PM CST 2024] DOMAIN_PATH='/root/.acme.sh/example.com_ecc' [Mon Feb 19 11:32:31 PM CST 2024] 'dns_ali' does not contain 'dns' [Mon Feb 19 11:32:31 PM CST 2024] Le_NextRenewTime [Mon Feb 19 11:32:31 PM CST 2024] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90 [Mon Feb 19 11:32:31 PM CST 2024] _init api for server: https://acme.zerossl.com/v2/DV90 [Mon Feb 19 11:32:31 PM CST 2024] GET [Mon Feb 19 11:32:31 PM CST 2024] url='https://acme.zerossl.com/v2/DV90' [Mon Feb 19 11:32:31 PM CST 2024] timeout= [Mon Feb 19 11:32:31 PM CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L --trace-ascii /tmp/tmp.HMYSvso4cX -g ' [Mon Feb 19 11:32:32 PM CST 2024] ret='0' [Mon Feb 19 11:32:32 PM CST 2024] response='{ "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce", "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount", "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder", "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert", 
"keyChange": "https://acme.zerossl.com/v2/DV90/keyChange", "meta": { "termsOfService": "https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf", "website": "https://zerossl.com", "caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com"], "externalAccountRequired": true } }' [Mon Feb 19 11:32:32 PM CST 2024] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange' [Mon Feb 19 11:32:32 PM CST 2024] ACME_NEW_AUTHZ [Mon Feb 19 11:32:32 PM CST 2024] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder' [Mon Feb 19 11:32:32 PM CST 2024] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount' [Mon Feb 19 11:32:32 PM CST 2024] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert' [Mon Feb 19 11:32:32 PM CST 2024] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf' [Mon Feb 19 11:32:32 PM CST 2024] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce' [Mon Feb 19 11:32:33 PM CST 2024] Using CA: https://acme.zerossl.com/v2/DV90 [Mon Feb 19 11:32:33 PM CST 2024] _on_before_issue [Mon Feb 19 11:32:33 PM CST 2024] _chk_main_domain='example.com' [Mon Feb 19 11:32:33 PM CST 2024] _chk_alt_domains [Mon Feb 19 11:32:33 PM CST 2024] 'dns_ali' does not contain 'no' [Mon Feb 19 11:32:33 PM CST 2024] Le_LocalAddress [Mon Feb 19 11:32:33 PM CST 2024] d='example.com' [Mon Feb 19 11:32:33 PM CST 2024] Check for domain='example.com' [Mon Feb 19 11:32:33 PM CST 2024] _currentRoot='dns_ali' [Mon Feb 19 11:32:33 PM CST 2024] d [Mon Feb 19 11:32:33 PM CST 2024] 'dns_ali' does not contain 'apache' [Mon Feb 19 11:32:33 PM CST 2024] _saved_account_key_hash='/b3Bm6CdFc/qKfunMAJ7swxe51x98KfqId61He989FQ=' [Mon Feb 19 11:32:33 PM CST 2024] _saved_account_key_hash is not changed, skip register account. 
[Mon Feb 19 11:32:33 PM CST 2024] Read key length:ec-256 [Mon Feb 19 11:32:33 PM CST 2024] _createcsr [Mon Feb 19 11:32:33 PM CST 2024] domain='example.com' [Mon Feb 19 11:32:33 PM CST 2024] domainlist [Mon Feb 19 11:32:33 PM CST 2024] csrkey='/root/.acme.sh/example.com_ecc/example.com.key' [Mon Feb 19 11:32:33 PM CST 2024] csr='/root/.acme.sh/example.com_ecc/example.com.csr' [Mon Feb 19 11:32:33 PM CST 2024] csrconf='/root/.acme.sh/example.com_ecc/example.com.csr.conf' [Mon Feb 19 11:32:33 PM CST 2024] Single domain='example.com' [Mon Feb 19 11:32:33 PM CST 2024] seg='jupyterhub' [Mon Feb 19 11:32:33 PM CST 2024] _is_idn_d='example.com' [Mon Feb 19 11:32:33 PM CST 2024] _idn_temp [Mon Feb 19 11:32:33 PM CST 2024] _is_idn_d='example.com' [Mon Feb 19 11:32:33 PM CST 2024] _idn_temp [Mon Feb 19 11:32:33 PM CST 2024] _csr_cn='example.com' [Mon Feb 19 11:32:33 PM CST 2024] seg='jupyterhub' [Mon Feb 19 11:32:33 PM CST 2024] Getting domain auth token for each domain [Mon Feb 19 11:32:33 PM CST 2024] seg='jupyterhub' [Mon Feb 19 11:32:33 PM CST 2024] _is_idn_d='example.com' [Mon Feb 19 11:32:33 PM CST 2024] _idn_temp [Mon Feb 19 11:32:33 PM CST 2024] d [Mon Feb 19 11:32:33 PM CST 2024] _identifiers='{"type":"dns","value":"example.com"}' [Mon Feb 19 11:32:33 PM CST 2024] _notBefore [Mon Feb 19 11:32:33 PM CST 2024] _notAfter [Mon Feb 19 11:32:33 PM CST 2024] STEP 1, Ordering a Certificate [Mon Feb 19 11:32:33 PM CST 2024] =======Begin Send Signed Request======= [Mon Feb 19 11:32:33 PM CST 2024] url='https://acme.zerossl.com/v2/DV90/newOrder' [Mon Feb 19 11:32:33 PM CST 2024] payload='{"identifiers": [{"type":"dns","value":"example.com"}]}' [Mon Feb 19 11:32:33 PM CST 2024] EC key [Mon Feb 19 11:32:33 PM CST 2024] Get nonce with HEAD. 
ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce' [Mon Feb 19 11:32:33 PM CST 2024] HEAD [Mon Feb 19 11:32:33 PM CST 2024] _post_url='https://acme.zerossl.com/v2/DV90/newNonce' [Mon Feb 19 11:32:33 PM CST 2024] body [Mon Feb 19 11:32:33 PM CST 2024] _postContentType='application/jose+json' [Mon Feb 19 11:32:33 PM CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L --trace-ascii /tmp/tmp.GuEKuNQ9pz -g -I ' [Mon Feb 19 11:32:35 PM CST 2024] _ret='0' [Mon Feb 19 11:32:35 PM CST 2024] _headers='HTTP/2 200 server: nginx date: Mon, 19 Feb 2024 15:32:35 GMT content-type: application/octet-stream replay-nonce: 30ov3Yj-uCux2AuZ4_jnrz6jEXffx4_jptrveNrTa8E cache-control: max-age=0, no-cache, no-store access-control-allow-origin: * link: https://acme.zerossl.com/v2/DV90;rel="index" strict-transport-security: max-age=15724800; includeSubDomains ' [Mon Feb 19 11:32:35 PM CST 2024] _CACHED_NONCE='30ov3Yj-uCux2AuZ4_jnrz6jEXffx4_jptrveNrTa8E' [Mon Feb 19 11:32:35 PM CST 2024] nonce='30ov3Yj-uCux2AuZ4_jnrz6jEXffx4_jptrveNrTa8E' [Mon Feb 19 11:32:35 PM CST 2024] POST [Mon Feb 19 11:32:35 PM CST 2024] _post_url='https://acme.zerossl.com/v2/DV90/newOrder' [Mon Feb 19 11:32:35 PM CST 2024] body='{"protected": "eyJub25jZSI6ICIzMG92M1lqLXVDdXgyQXVaNF9qbnJ6NmpFWGZmeDRfanB0cnZlTnJUYThFIiwgInVybCI6ICJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdPcmRlciIsICJhbGciOiAiRVMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS56ZXJvc3NsLmNvbS92Mi9EVjkwL2FjY291bnQvdVNoU2pnaDNwZk4wNUVuNEM4UG1UUSJ9", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6Imp1cHl0ZXJodWIuam1zdS50b3AifV19", "signature": "wgvAK2X-LpXZwqcALsEOuZa6xcEIS-j-UkqPbOjS34nn8wSE5RptBCgz7n12EqaNYf_Rt55ko414AGlS8XOhng"}' [Mon Feb 19 11:32:35 PM CST 2024] _postContentType='application/jose+json' [Mon Feb 19 11:32:35 PM CST 2024] Http already initialized. 
[Mon Feb 19 11:32:35 PM CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L --trace-ascii /tmp/tmp.GuEKuNQ9pz -g ' [Mon Feb 19 11:33:23 PM CST 2024] _ret='0' [Mon Feb 19 11:33:23 PM CST 2024] responseHeaders='HTTP/2 201 server: nginx date: Mon, 19 Feb 2024 15:33:23 GMT content-type: application/json content-length: 281 replay-nonce: RAiQbkDbEWDKzOn5_W7wgFeUQy2Aib9PgP5StsDnUig cache-control: max-age=0, no-cache, no-store access-control-allow-origin: * location: https://acme.zerossl.com/v2/DV90/order/iPuUxh7a51GVsuItyZJNow strict-transport-security: max-age=15724800; includeSubDomains ' [Mon Feb 19 11:33:23 PM CST 2024] code='201' [Mon Feb 19 11:33:23 PM CST 2024] original='{"status":"pending","expires":"2024-05-19T14:51:44Z","identifiers":[{"type":"dns","value":"example.com"}],"authorizations":["https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ"],"finalize":"https://acme.zerossl.com/v2/DV90/order/iPuUxh7a51GVsuItyZJNow/finalize"}' [Mon Feb 19 11:33:23 PM CST 2024] response='{"status":"pending","expires":"2024-05-19T14:51:44Z","identifiers":[{"type":"dns","value":"example.com"}],"authorizations":["https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ"],"finalize":"https://acme.zerossl.com/v2/DV90/order/iPuUxh7a51GVsuItyZJNow/finalize"}' [Mon Feb 19 11:33:23 PM CST 2024] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/iPuUxh7a51GVsuItyZJNow' [Mon Feb 19 11:33:23 PM CST 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/iPuUxh7a51GVsuItyZJNow/finalize' [Mon Feb 19 11:33:23 PM CST 2024] _authorizations_seg='https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ' [Mon Feb 19 11:33:23 PM CST 2024] STEP 2, Get the authorizations of each domain [Mon Feb 19 11:33:23 PM CST 2024] _authz_url='https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ' [Mon Feb 19 11:33:23 PM CST 2024] =======Begin Send Signed Request======= [Mon Feb 19 11:33:23 PM CST 2024] 
url='https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ' [Mon Feb 19 11:33:23 PM CST 2024] payload [Mon Feb 19 11:33:23 PM CST 2024] Use cached jwk for file: /root/.acme.sh/ca/acme.zerossl.com/v2/DV90/account.key [Mon Feb 19 11:33:23 PM CST 2024] Use _CACHED_NONCE='RAiQbkDbEWDKzOn5_W7wgFeUQy2Aib9PgP5StsDnUig' [Mon Feb 19 11:33:23 PM CST 2024] nonce='RAiQbkDbEWDKzOn5_W7wgFeUQy2Aib9PgP5StsDnUig' [Mon Feb 19 11:33:23 PM CST 2024] POST [Mon Feb 19 11:33:23 PM CST 2024] _post_url='https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ' [Mon Feb 19 11:33:23 PM CST 2024] body='{"protected": "eyJub25jZSI6ICJSQWlRYmtEYkVXREt6T241X1c3d2dGZVVReTJBaWI5UGdQNVN0c0RuVWlnIiwgInVybCI6ICJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9hdXRoei9ucHpPTi1SZ2dhYmpFbmg5ZktHQkxRIiwgImFsZyI6ICJFUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLnplcm9zc2wuY29tL3YyL0RWOTAvYWNjb3VudC91U2hTamdoM3BmTjA1RW40QzhQbVRRIn0", "payload": "", "signature": "O4lW8-gOEvGorzCKFqI3LsDUzNe9mqRfXDhs0bOqJU_RBZINjOjARRMisXKVg37EexjMZ2i4mBkitCrukLVbag"}' [Mon Feb 19 11:33:23 PM CST 2024] _postContentType='application/jose+json' [Mon Feb 19 11:33:23 PM CST 2024] Http already initialized. 
[Mon Feb 19 11:33:23 PM CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L --trace-ascii /tmp/tmp.GuEKuNQ9pz -g ' [Mon Feb 19 11:34:06 PM CST 2024] _ret='0' [Mon Feb 19 11:34:06 PM CST 2024] responseHeaders='HTTP/2 200 server: nginx date: Mon, 19 Feb 2024 15:34:06 GMT content-type: application/json content-length: 298 replay-nonce: JCS6vHcyURdtQFIWOUKy7C6vKIKeYEdqALUvJBB_6II cache-control: max-age=0, no-cache, no-store access-control-allow-origin: * link: https://acme.zerossl.com/v2/DV90;rel="index" retry-after: 86400 strict-transport-security: max-age=15724800; includeSubDomains ' [Mon Feb 19 11:34:06 PM CST 2024] code='200' [Mon Feb 19 11:34:06 PM CST 2024] original='{"identifier":{"type":"dns","value":"example.com"},"status":"invalid","expires":"2024-03-20T14:51:44Z","challenges":[{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/Q3FRv8mtyHCGWxNV5w9oZA","status":"invalid","error":{},"token":"a-8oPPctJOSR8xneOnSEyF1jARou4LEn9-57Xrf9Tuo"}]}' [Mon Feb 19 11:34:06 PM CST 2024] response='{"identifier":{"type":"dns","value":"example.com"},"status":"invalid","expires":"2024-03-20T14:51:44Z","challenges":[{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/Q3FRv8mtyHCGWxNV5w9oZA","status":"invalid","error":{},"token":"a-8oPPctJOSR8xneOnSEyF1jARou4LEn9-57Xrf9Tuo"}]}' [Mon Feb 19 11:34:06 PM CST 2024] response='{"identifier":{"type":"dns","value":"example.com"},"status":"invalid","expires":"2024-03-20T14:51:44Z","challenges":[{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/Q3FRv8mtyHCGWxNV5w9oZA","status":"invalid","error":{},"token":"a-8oPPctJOSR8xneOnSEyF1jARou4LEn9-57Xrf9Tuo"}]}' [Mon Feb 19 11:34:06 PM CST 2024] get authz objec with invalid status, please try again later. 
[Mon Feb 19 11:34:06 PM CST 2024] _authorizations_seg='https://acme.zerossl.com/v2/DV90/authz/npzON-RggabjEnh9fKGBLQ' [Mon Feb 19 11:34:06 PM CST 2024] {"identifier":{"type":"dns","value":"example.com"},"status":"invalid","expires":"2024-03-20T14:51:44Z","challenges":[{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/Q3FRv8mtyHCGWxNV5w9oZA","status":"invalid","error":{},"token":"a-8oPPctJOSR8xneOnSEyF1jARou4LEn9-57Xrf9Tuo"}]} [Mon Feb 19 11:34:06 PM CST 2024] pid [Mon Feb 19 11:34:06 PM CST 2024] No need to restore nginx, skip. [Mon Feb 19 11:34:06 PM CST 2024] _clearupdns [Mon Feb 19 11:34:06 PM CST 2024] dns_entries [Mon Feb 19 11:34:06 PM CST 2024] skip dns. [Mon Feb 19 11:34:06 PM CST 2024] _on_issue_err [Mon Feb 19 11:34:06 PM CST 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log [Mon Feb 19 11:34:06 PM CST 2024] _chk_vlist [Mon Feb 19 11:34:06 PM CST 2024] socat doesn't exist. [Mon Feb 19 11:34:06 PM CST 2024] Diagnosis versions: openssl:openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) apache: apache doesn't exist. nginx: nginx version: nginx/1.18.0 (Ubuntu) built with OpenSSL 3.0.2 15 Mar 2022 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. 
-flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module socat:
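An added example, not part of the original issue or of acme.sh: a small parser that pulls the ACME authorization objects out of `--debug 2` output like the log above and reports each challenge's status, whether the CA supplied any error detail, and whether the client ever posted to the challenge URL in that run. The sample log is constructed, and the function names and the `url='...'` heuristic are assumptions.

```python
import json
import re

# Constructed sample shaped like `acme.sh --debug 2` output (not a real log).
AUTHZ = ('{"identifier":{"type":"dns","value":"example.com"},"status":"invalid",'
         '"challenges":[{"type":"dns-01","url":"https://ca.example/chall/abc",'
         '"status":"invalid","error":{},"token":"constructed-token"}]}')
SAMPLE_LOG = (
    "[t] STEP 2, Get the authorizations of each domain "
    "[t] url='https://ca.example/authz/xyz' "
    "[t] original='" + AUTHZ + "' [t] response='" + AUTHZ + "' "
    "[t] get authz objec with invalid status, please try again later."
)


def extract_authz(log_text):
    """Return the distinct ACME authorization objects logged as response='{...}'."""
    decoder = json.JSONDecoder()
    seen, found = set(), []
    for m in re.finditer(r"response='(?=\{)", log_text):
        try:
            obj, end = decoder.raw_decode(log_text, m.end())
        except json.JSONDecodeError:
            continue  # truncated or non-JSON response body
        key = log_text[m.end():end]
        # Authorization objects carry a "challenges" list; the log repeats them.
        if isinstance(obj, dict) and "challenges" in obj and key not in seen:
            seen.add(key)
            found.append(obj)
    return found


def summarize(log_text):
    """One row per challenge: status, CA error detail, and whether the client
    ever sent a request to the challenge URL (heuristic: url='<challenge url>')."""
    rows = []
    for authz in extract_authz(log_text):
        for ch in authz["challenges"]:
            rows.append({
                "domain": authz["identifier"]["value"],
                "authz_status": authz["status"],
                "type": ch["type"],
                "challenge_status": ch["status"],
                "error_detail": ch.get("error") or None,  # {} means no detail
                "challenge_posted": ("url='" + ch["url"] + "'") in log_text,
            })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A row with `authz_status` of `invalid`, no `error_detail` and `challenge_posted` false means the authorization was already invalid when the client fetched it, before any TXT record was published in that run.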
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
I also had this problem. Changing to letsencrypt fixed it.
> I also had this problem. Changing to letsencrypt fixed it.
but how to change to LetsEncrypt.
> I also had this problem. Changing to letsencrypt fixed it.
change account.conf [email protected]
https://github.com/acmesh-official/acme.sh/wiki/Server
We also had a problem with it. Have switched to letsencrypt and it works. If anyone has a solution to fix the invalid status issue please help us.
> > I also had this problem. Changing to letsencrypt fixed it.
> but how to change to LetsEncrypt.
Code example for guys who don't know how to switch to letsencrypt:
acme.sh --issue --dns dns_ali -d xxx.com --server letsencrypt