Failed authorization procedure: .well-known/acme-challenge/

I’m trying to renew my certificates, and I’m running into this problem. My configuration is a bit of a mess, as there were multiple certificates issued for the same domains, but hopefully this can be troubleshooted. There are multiple domains on the server and only some of them don’t work, and I’ve singled out just one for brevity.

Putting a test file in .well-known/acme-challenge/ works, as you can see here.

My domain is:

I ran this command: sudo /usr/bin/certbot --dry-run --apache certonly -d

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1):
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: “\n\n<html lang=”


My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Sometimes, the apache plugin has trouble with serving the token file when the VirtualHosts are set up in a “non standard” (from the perspective of certbot :wink: ) manner.

There are two ways to fix it:

  • use the webroot authenticator plugin (with -a webroot) combined with the apache installer plugin (with -i apache) and point the webroot to the webroot path with -w /path/to/webroot/
  • show us your VirtualHost sections from your Apache configuration so we might be able to “fix” it, so you can use certbot like you are using now. Please use the “code” tags (see the logo looking like </> in the post editor bar).
1 Like
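
An added example, not part of the original thread, showing one way to find the `-w` path for the first option above: it reads an Apache configuration file, picks the port-80 VirtualHost that answers for the hostname, and prints (does not run) the webroot-based certbot command. The function names, the sample configuration and the example.org names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: find the DocumentRoot of the port-80 VirtualHost that answers
# for a hostname, then print (not run) the webroot-based certbot command.

docroot_for() {   # usage: docroot_for <apache-conf-file> <hostname>
  awk -v host="$2" '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^<virtualhost[ \t].*:80>/ { in80 = 1; root = ""; hit = 0; next }
    low ~ /^<\/virtualhost>/ {
      if (in80 && hit && root != "") { print root; exit }
      in80 = 0; next
    }
    !in80 { next }                      # http-01 validation starts on port 80
    low ~ /^documentroot[ \t]/ {        # assumes a path without spaces
      split(line, f, /[ \t]+/); root = f[2]; gsub(/"/, "", root)
    }
    low ~ /^server(name|alias)[ \t]/ {  # directive names are case-insensitive
      n = split(low, f, /[ \t]+/)
      for (i = 2; i <= n; i++) if (f[i] == tolower(host)) hit = 1
    }
  ' "$1"
}

webroot_cmd() {   # usage: webroot_cmd <apache-conf-file> <hostname>
  local root
  root=$(docroot_for "$1" "$2")
  [ -n "$root" ] || { echo "no port-80 VirtualHost serves $2" >&2; return 1; }
  printf 'certbot certonly --dry-run -a webroot -i apache -w %s -d %s\n' "$root" "$2"
}

sample_conf() {   # constructed configuration, not taken from the thread
  cat <<'EOF'
<VirtualHost *:443>
    ServerName example.org
    DocumentRoot /var/www/tls-only
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/srv/sites/example/public"
    ServerName example.org
    ServerAlias www.example.org
</VirtualHost>
EOF
}

conf=$(mktemp); sample_conf > "$conf"
webroot_cmd "$conf" www.example.org
rm -f "$conf"
```

If the port-80 VirtualHost only redirects to HTTPS, the path given to `-w` has to be the DocumentRoot of the VirtualHost that finally serves the redirected request.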

Hi @makbet

did you fix it? Now there is a new certificate, created today ( ):
expires in 90 days - 1 entry

But you have two DNS entries, www and non-www. So your certificate works only with your non-www version; your www version is insecure.

| Domainname | Http-Status | redirect | Sec. | G |
| | 301 | | 0.923 | A |
| | 301 | | 0.300 | E |
| | 301 | | 2.434 | N |
| Certificate error: RemoteCertificateNameMismatch |
| | 200 | | 3.257 | B |

So create one certificate with two domain names:

-d -d

and use that. Then both domains + connections are secure.
