Failed authorization procedure. Error getting validation data


Hi, trying to set up certbot using apache2 with debian 8. Having some troubles passing the webroot challenge.

OS: Debian 8.11(Jessie)
Certbot version: 0.10.2
Apache config:
Command: sudo certbot certonly -a webroot -w /var/www/html/ -i apache --staging
Error log:

At first, I thought it was having trouble accessing the acme-challenge directory, so I tried adding a test.html file:

I can access it so I don’t think that’s the problem.

Any help is appreciated.




Let’s Encrypt won’t access an IP address URL. :anguished: won’t work. will.

Can you change it to redirect to a hostname, or not redirect at all?


Right. Should I change that at the DNS level(I use or in my apache configuration?


It looks like it’s using Gandi’s web forwarding service, so you’d have to change it in Gandi’s control panel somewhere.

Can you turn off the forwarding service and change it to a regular A record?


Yes. I just entered the following A record:

* 1800 IN A

It seems it still changes the hostname to the IP.



Now your domain is not resolved correctly. (No IP is found)
Could you please try to stop the web-forwarding service (if you haven’t) and add the following records to Gandi’s Control Panel?

1800 IN A
1800 IN A

(Gandi might have pre-populated the domain for you; you might need to use

www 1800 IN A
@ 1800 IN A 

if things do not work out)

After you added those DNS records, please wait a few minutes and try to visit the following links to check if the changes are in effect.

Thank you


Hi, it worked :). Thanks for your help. It worked with these lines:

www 1800 IN A
@ 1800 IN A

I assume that www refers to and @ to * How do you know if your DNS provider is using one syntax or the other?


Normally it would be using the @ and www…
(I actually have no idea how those providers choose between them… But I believe those are the only two widespread syntaxes for DNS management (in a user-friendly interface).)

Glad it works!

Thank you
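
An added illustration of the two record forms discussed above (not part of the thread and not Gandi's own code): a Python example of how zone-file owner names such as `@`, `www` and `*` expand against the zone origin, and what a simplified A lookup then returns. The origin `example.com.` and the address `192.0.2.10` are constructed placeholders, since the thread's real domain and IP are not shown, and the lookup only models an exact match plus one wildcard at the origin.

```python
ORIGIN = "example.com."      # constructed origin, not the thread's domain
ADDRESS = "192.0.2.10"       # constructed documentation address

# Constructed sample zones mirroring the two attempts in the thread.
WILDCARD_ONLY = f"* 1800 IN A {ADDRESS}"
APEX_AND_WWW = f"www 1800 IN A {ADDRESS}\n@ 1800 IN A {ADDRESS}"


def expand_owner(owner, origin=ORIGIN):
    """Expand a zone-file owner name to a fully qualified name."""
    if owner == "@":              # "@" is shorthand for the origin itself
        return origin
    if owner.endswith("."):       # trailing dot: already fully qualified
        return owner
    return f"{owner}.{origin}"    # anything else is relative to the origin


def parse_zone(text, origin=ORIGIN):
    """Parse 'owner ttl IN A address' lines into {fqdn: [addresses]}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, _ttl, rclass, rtype, rdata = line.split()
        if rclass == "IN" and rtype == "A":
            fqdn = expand_owner(owner, origin).lower()
            records.setdefault(fqdn, []).append(rdata)
    return records


def lookup_a(records, qname, origin=ORIGIN):
    """Simplified A lookup: exact match first, then the origin's wildcard."""
    qname = qname.lower().rstrip(".") + "."
    if qname in records:
        return records[qname]
    # A wildcard only answers for names below the origin that have no node of
    # their own; the origin always exists (it holds SOA/NS), so "*" never
    # supplies an address for the bare domain.
    if qname != origin and qname.endswith("." + origin):
        return records.get("*." + origin, [])
    return []


if __name__ == "__main__":
    for label, zone in (("wildcard only", WILDCARD_ONLY), ("@ and www", APEX_AND_WWW)):
        recs = parse_zone(zone)
        for name in ("example.com", "www.example.com"):
            print(f"{label:14} {name:18} -> {lookup_a(recs, name) or 'no A record'}")
```
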


It works in staging but for some reason, when I remove the --staging flag, it doesn’t work. It gives me the following error:

Apache config:

sudo certbot certonly -a webroot -w /var/www/html/ -d --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"


Hi @fxleblanc

your command

is “special”: If you use the webroot as authenticator, you need a running webserver. So your pre-hook and your post-hook are wrong.

Remove both.

“Connection refused” - you have stopped your webserver.


Good to know. Thanks. I remove the hooks:

sudo certbot certonly -a webroot -w /var/www/html/ -d

and it regenerates the certificates and chain but when I go to the https url(, it says it’s an insecure connection. I’m guessing it has to do with my apache config:


If you use the

option, you have to install the certificate manually. There is the Fake LE - Certificate installed (from the test system).


Where’s the Fake LE certificate? I currently use the generated full chain and private key in my config:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Maybe it has something to do with the fact that I reference only the full chain and privkey. There are 4 files in the /etc/letsencrypt/live/ directory. Which one(s) should I reference in my apache config?


I see the Fake LE:


These are symlinks. Perhaps they point to the wrong certificate. Check your certificates with

certbot certificates

perhaps delete three (certbot delete ...) - but first make a backup of the folder.

PS: Now I see the new productive certificate:


Great. The site works now. Turns out, I just needed to restart apache2 after deleting all the certs and getting a new one.



Yep, now I see the correct certificate.




Quick question. Do you use a special plugin in firefox to get the certificate hierarchy in your screenshots or is it something different?


This is the normal Windows-Firefox.

Click the certificate


Then use >.


There the link at the end.


There you see the Firefox page information; there you can see the certificate.


There select “Details”.

