Error obtaining certificate for naked domain without www


I'm trying to obtain a certificate for, whereas points elsewhere. But judging by the output it seems that LE tries to validate both with and without www?

I ran this command: dehydrated -c -d

It produced this output:

root@kahlan / # sudo -u letsencrypt dehydrated -c -d
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      " Invalid response from 404"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":" Invalid response from 404","status":403}
["url"] ""
["token"]       "3joosWMd32c22u8lR9rH9U9sT0y7prH-qG__Fg-6vxc"
["validationRecord",0,"url"]    ""
["validationRecord",0,"hostname"]       ""
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    ""
["validationRecord",0,"addressesResolved"]      [""]
["validationRecord",0,"addressUsed"]    ""
["validationRecord",0]  {"url":"","hostname":"","port":"80","addressesResolved":[""],"addressUsed":""}
["validationRecord",1,"url"]    ""
["validationRecord",1,"hostname"]       ""
["validationRecord",1,"port"]   "443"
["validationRecord",1,"addressesResolved",0]    ""
["validationRecord",1,"addressesResolved",1]    "2607:f8b0:4007:809::2013"
["validationRecord",1,"addressesResolved"]      ["","2607:f8b0:4007:809::2013"]
["validationRecord",1,"addressUsed"]    "2607:f8b0:4007:809::2013"
["validationRecord",1]  {"url":"","hostname":"","port":"443","addressesResolved":["","2607:f8b0:4007:809::2013"],"addressUsed":"2607:f8b0:4007:809::2013"}
["validationRecord"]    [{"url":"","hostname":"","port":"80","addressesResolved":[""],"addressUsed":""},{"url":"","hostname":"","port":"443","addressesResolved":["","2607:f8b0:4007:809::2013"],"addressUsed":"2607:f8b0:4007:809::2013"}]
["validated"]   "2023-10-20T19:45:04Z")

My web server is (include version): apache 2.4.57

The operating system my web server runs on is (include version): Debian 12

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): dehydrated 0.7.0

Hi @mapreri,

The problem is that your site returns an HTTP redirect to The certificate authority validator follows this redirect (and then connects to the other server to attempt to download the challenge file).

If you want to get a certificate via this method, you'll have to disable this redirect, at least for /.well-known/acme-challenge/, if not for the whole site. The challenge file at this location needs to be downloadable as a static text file.
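An added example (not part of the original posts, and not dehydrated's own code): a small Python parser for the flattened `validationRecord` lines that dehydrated prints on a failed challenge. It lists each hop the validator made and flags where a redirect took it to a different host or port. The hostnames, token and addresses in the sample are constructed placeholders.

```python
import json
import re

# Constructed sample in the flattened layout shown in the error output above;
# example.com, www.example.com, TOKEN and the addresses are placeholders.
SAMPLE = '''\
["type"]      "http-01"
["status"]      "invalid"
["validationRecord",0,"url"]    "http://example.com/.well-known/acme-challenge/TOKEN"
["validationRecord",0,"hostname"]       "example.com"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressUsed"]    "192.0.2.10"
["validationRecord",1,"url"]    "https://www.example.com/.well-known/acme-challenge/TOKEN"
["validationRecord",1,"hostname"]       "www.example.com"
["validationRecord",1,"port"]   "443"
["validationRecord",1,"addressUsed"]    "2001:db8::1"
'''

# Matches only string-valued leaf fields of one hop, e.g. ["validationRecord",0,"port"] "80";
# the aggregate lines (whole record, addressesResolved array) are skipped.
LEAF = re.compile(r'\["validationRecord",(\d+),"(\w+)"\]\s+(".*")\s*$')

def validation_hops(output):
    """Return the validator's hops, in request order, as dicts of their leaf fields."""
    hops = {}
    for line in output.splitlines():
        m = LEAF.search(line)
        if m:
            hops.setdefault(int(m.group(1)), {})[m.group(2)] = json.loads(m.group(3))
    return [hops[i] for i in sorted(hops)]

def redirect_findings(output):
    """Describe every hop where the validator left the host or port of the previous hop."""
    hops = validation_hops(output)
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        a = (prev.get("hostname"), prev.get("port"))
        b = (cur.get("hostname"), cur.get("port"))
        if a != b:
            findings.append(f"redirected {a[0]}:{a[1]} -> {b[0]}:{b[1]} "
                            f"(answered by {cur.get('addressUsed')})")
    return findings

if __name__ == "__main__":
    for finding in redirect_findings(SAMPLE):
        print(finding)
```

More than one hop in the output means the validator followed a redirect, and the last hop is the server that actually returned the failing response.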



Thanks for pointing out this PEBKAC... This reminds me that of course I have this correctly set for so many other websites -.-'

