Error 403 using --expand


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot-auto --expand -d,,,

It produced this output:

Type: unauthorized
Detail: Invalid response from . . .


  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized", . . .
   "detail": "Invalid response from
    "status": 403

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 14.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.30.2

I have been using a let’s encrypt certificate for the domains and for years. Now you want to add the domains and
I try to accomplish this by using --expand as shown above.
For both new domains, error 403 occurs.

Many thanks in advance for advices


Which authenticator is Certbot using for this certificate?

This detail is included in the full output of Certbot.


I cannot find anything like authenticator in then letsencrypt.log.
Is that anywhere else or how can I find what you are looking for?


It should be there, somewhere at the top when the command is ran.

You can also paste it here, preferably through sites such as pastebin.


In the meantime I found what you mean:
DEBUG:certbot.plugins.selection:Requested authenticator None and installer None

And here you find the complete log:


Hi @khg

do these domains (later) have different content? Or have they all the same webroot in your webserver-configuration?

You have old certificates from 2016-07-17, so perhaps you have used the deprecated tls-sni-validation.

Checking /.well-known/acme-challenge/random-filename your has a good http status 404, your has a forbidden.

So check your Apache to find your “DocumentRoot”. But before running the next command it’s important to know if all domains have the same DocumentRoot.

1 Like

they have different DocumentRoot:

 DocumentRoot /var/www/wordpress
 ServerAlias is connected to a Java-EE application:


DocumentRoot /var/www/tierfundus

             JkMount /* ajp13_worker

Oh, is it really a good idea to create one certificate with both domain names?

Use your current certificate with and create a second certificate with the new domain name.


OK, I didn’t expect problems with one certificate. But I will now create a second one.

Thank you


PS: has already a Letsencrypt certificate:
	20.04.2019, - 2 entries

But now your other domain has the wrong certificate.

One or two hours earlier I saw another thing - tierfundus was blocked, gesundetiere worked.

Does your Jave-App use the same webroot?


Apache’s mod_jk uses a custom network transport to talk to the Java application.

OP would need to use --apache authenticator to make it work, but even then I’m not sure how compatible it is with mod_jk.

#12 and point to total different sites (Wordpress and JavaEE).
Therefore, I agree with you, it is better to create two different certificates.

closed #13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.