CURL the challenge OK but `Invalid response` with certbot

My domain is:

I ran this command: certbot certonly --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):
Requesting a certificate for
Performing the following challenges:
http-01 challenge for

Create a file containing just this data:


And make it available on your web server at this URL:

Press Enter to Continue
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


My web server is (include version): nginx + node js

The operating system my web server runs on is (include version): Alpine with Nodejs inside docker

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0

I tried to run following command at a few locations, all responded with 200 with correct content

Letsdebug also responsed OK for my site

I think somewhere in the middle of my server and let's encrypt, something block the access the response with some HTML. Is there anyway to get the full body response from let's encrypt. I believe there may be error message in the HTML.


1 Like

I still keep the old challenge file in case someone need it to help me debugging


No, Let's Encrypt looks at the first 128 bytes of the response only, and discards the rest.

The HTML you see in the Certbot output is the extent of what's available:

Since this is a Kubernetes setup, might cert-manager be more suitable than doing a manual certificate setup?

Well, I used cert-manager but it produce the same error. So I try manual to remove all moving parts

Also, I tried switching server to another ACME server ("b**pass") and it's fine. So I guess something could be wrong with the connection

That's an interesting detail.

BuyPass only download the challenge response file a single time.

Let's Encrypt, however, performs 4 simultaneous requests (from different locations) to download the challenge file (see here).

Is there anything about the way you are publishing the file, that would prevent it being downloaded 4 times? Or from different locations? Like "deleted after the first time it is downloaded"?


I have a nginx log that contains below requests. I believe they all responded 200 and with the content size, I think it couldn’t be a full HTML response. - - [03/Mar/2021:08:23:30 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.002 [default-cm-acme-http-solver-vbp65-8089] 87 0.001 200 8d1695b6506757f9918e7bc5d7f66d8d - - [03/Mar/2021:08:23:32 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.001 [default-cm-acme-http-solver-vbp65-8089] 87 0.001 200 3ba53bc7e35de41058234d65330eb93b - - [03/Mar/2021:08:23:34 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.001 [default-cm-acme-http-solver-vbp65-8089] 87 0.001 200 0179d5c02bbaa12e930ff6ff86b19a98 - - [03/Mar/2021:08:23:36 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.002 [default-cm-acme-http-solver-vbp65-8089] 87 0.001 200 365f64c03dfa74a10414a769cbd28c21 - - [03/Mar/2021:08:23:38 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.001 [default-cm-acme-http-solver-vbp65-8089] 87 0.001 200

Those are the cert-manager preflight requests, not the ones from Let's Encrypt.

The Let's Encrypt requests are identifiable by a distinctive user-agent.

Is it hard for a firewall to block this somehow? Are 4 IPs made public and remain unchanged?


What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

But if you're having trouble figuring out what's happening, one useful technique is to just run a packet capture (using tcpdump or tshark) on port 80, while you request a certificate.

That will show you the full request/response bodies and will hopefully let you identify what exactly is happening.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.