[GH-ISSUE #19] Error getting validation data #16

Closed
opened 2026-02-25 21:30:49 +03:00 by kerem · 3 comments

Originally created by @anestevemo on GitHub (Nov 17, 2020).
Original GitHub issue: https://github.com/certera-io/certera/issues/19

Hi again,

I read all your documentation and even all the github posts, I also followed all the configurations mentioned in "https://docs.certera.io/#home".

Said this, I'm trying to renew some certificates, but I've only managed to renew one of them... no matter what I do, I can't renew any other certificate even with the same vhost configuration on the same machine.

I've already activated debug logs, but they do not provide any useful information.

dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - starting certificate acquisition
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - creating ACME order
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
Order created: https://acme-v02.api.letsencrypt.org/acme/order/102358678/6260472891
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - requesting ACME validation
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - completing order
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
1 incomplete authorizations.
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
1 incomplete authorizations.
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
0 incomplete authorizations.
fail: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - error obtaining certificate: BadRequest urn:ietf:params:acme:error:connection Fetching https://mycerteraserver.com/.well-known/acme-challenge/YJ8o-u2TvjKqiR41hpJLGOzw9VrGVltiQDNX6i7eqU: Error getting validation data
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - done

I do not understand how it is possible that only one certificate avoided the error "Error getting validation data".

Is there any other procedure to follow in order to troubleshoot this issue?

Thanks in advance,
Kind regards,
Toni.

kerem closed this issue 2026-02-25 21:30:49 +03:00

@certeraio commented on GitHub (Nov 17, 2020):

Hi @anestevemo
Looks like these are HTTP-01 validation, is that correct? Are you able to hit that endpoint to see if traffic can flow to it? Looks like you altered the domain before posting (please correct me if I'm wrong). If so, is it really trying to hit the .well-known via HTTPS? I thought it would do it over HTTP by default.


@anestevemo commented on GitHub (Nov 18, 2020):

Hi @certeraio,

Thanks for the quick response. Yes, that's not the real domain, but it's correctly configured; a standard local Let's Encrypt renewal works perfectly.

With the intention of testing access to the "/.well-known/acme-challenge/" path, I created it manually inside the "wwwroot" directory, then added a "test.txt" file, and I was able to download it from the server that hosts "mydomain.example" with "wget https://mycerteraserver.com/.well-known/acme-challenge".

I'm using your redirection:

```nginx
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) https://mycerteraserver.com/.well-known/acme-challenge/$1 break;
}
```

Regards,
Toni.


@certeraio commented on GitHub (Nov 18, 2020):

The way it should work is like this (please double check and confirm). Let's use the two servers:

  • mycerteraserver.com
  • mydomain.example

You should place the rewrite rule on mydomain.example to forward all /.well-known/acme-challenge/* traffic to your certera server (try using HTTP instead of HTTPS. Even though Let's Encrypt should work with HTTPS, when an expired cert is being used, if you don't yet have a cert, this can be a problem as there's no connection that can be established. Best to use HTTP to make sure it always works, I'll update the documentation examples).

> _error obtaining certificate: BadRequest urn:ietf:params:acme:error:connection Fetching https://mycerteraserver.com/.well-known/acme-challenge/YJ8o-u2TvjKqiR41hpJLGOzw9VrGVltiQDNX6i7eqU: Error getting validation data_

This error message should have had the `mydomain.example` domain, not mycerteraserver.com, in it (unless Let's Encrypt followed the rewrite/redirect and is displaying the "last" endpoint it saw). One good way to test/validate things is to put a test.txt file in `mycerteraserver.com/.well-known/acme-challenge/test.txt` and see if you can reach that using `mydomain.example.com/.well-known/acme-challenge/test.txt`. mydomain should forward/redirect to mycerteraserver.com. Try that out with both HTTP and HTTPS.

Let me know how that goes and we can continue from there.

Cheers!

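The test the maintainer suggests above, as an added probe script (not Certera's code and not from either participant): it requests the token path on the site domain over both HTTP and HTTPS without following redirects, so the first hop is visible, and checks that any redirect lands on the certera host at the same challenge path. Hostnames are the thread's placeholders; `check_location` is a helper introduced here.

```python
import http.client
import ssl
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def check_location(location, expected_host, token):
    """Return (ok, reason) for the Location header of a redirected challenge request.
    The target must be an absolute http(s) URL on the certera host with the same
    token path; the scheme is echoed so a redirect into HTTPS stands out."""
    parts = urlsplit(location or "")
    if parts.scheme not in ("http", "https"):
        return False, "not an absolute http(s) redirect: %r" % location
    if parts.hostname != expected_host:
        return False, "redirect goes to %r, expected %r" % (parts.hostname, expected_host)
    if parts.path != CHALLENGE_PREFIX + token:
        return False, "redirect changed the challenge path: %r" % parts.path
    return True, "redirect ok over %s" % parts.scheme


def fetch_once(url, timeout=10):
    """One GET that does NOT follow redirects; returns (status, location, body)."""
    p = urlsplit(url)
    if p.scheme == "https":
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    conn.request("GET", p.path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def probe(domain, certera_host, token="test.txt"):
    """Request the token over http and https on `domain`, printing the first hop of each."""
    for scheme in ("http", "https"):
        url = "%s://%s%s%s" % (scheme, domain, CHALLENGE_PREFIX, token)
        try:
            status, location, body = fetch_once(url)
        except OSError as exc:  # refused port, timeout, or a bad/expired certificate
            print("%s -> no connection: %s" % (url, exc))
            continue
        if 300 <= status < 400:
            ok, why = check_location(location, certera_host, token)
            print("%s -> %d %s (%s)" % (url, status, location, why))
        else:
            print("%s -> %d, %d bytes served directly" % (url, status, len(body)))
```

Run it as `probe("mydomain.example", "mycerteraserver.com")` from the site's own host; a "no connection" line on the https probe alongside a clean http redirect is exactly the case the reply describes, where the rewrite should target HTTP.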