Failed authorization procedure


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
./certbot-auto certonly --standalone -d (or use --webroot)

It produced this output:
Type: unauthorized
Detail: Invalid response from"<!DOCTYPE html>\n<html class="" lang=“zh-cn”>\n<head>\n<meta charset=“utf-8” />\n <meta name="renderer"content=“webkit”>\n "

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version): tomcat-7.0.67

The operating system my web server runs on is (include version): CentOS release 6.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


Hi @chuck_llh

Loading your site with a browser, there is a message:





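2. If a public security filing is involved, please log in to the National Internet Site Security Management Service Platform of the public security authorities to proceed.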



Using Google translate

The site is temporarily unavailable for access

Because the website has not been filed or involved in the release of prohibited 
information, it is inaccessible due to violation of the relevant regulations of the 
Ministry of Industry and Information Technology and the Ministry of Public Security.

In order to restore the normal access of the website, the webmaster needs 
to handle it in time:

1. To complete the ICP filing of the website, please go to the UCloud filing 
system for operation.

2. If it involves public security filing, please log on to the national public security organ's 
Internet station security management service platform to operate.

If you have any questions, the administrator can consult UCloud for customer service.

Thank you for your cooperation!

You have to do something.

So Letsencrypt can’t validate your domain if your webserver is blocked.


Hi @JuergenAuer
I changed to which is accessible, but it still fails.

the output message is:
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from “<!DOCTYPE html>\n<html class=”" lang=“zh-cn”>\n<head>\n <meta charset=“utf-8” />\n <meta name=“renderer” content=“webkit”>\n "

Type: unauthorized
Detail: Invalid response from “<!DOCTYPE html>\n<html class=”" lang=“zh-cn”>\n<head>\n <meta charset=“utf-8” />\n <meta name=“renderer” content=“webkit”>\n "


Your server answers curiously:

Domainname Http-Status redirect Sec. G 200 0.547 H -2 1.690 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 200 0.530

The https error is not relevant if you haven’t installed a certificate.

But using http-01, Certbot creates a file in YourDocumentRoot/.well-known/acme-challenge, and Letsencrypt checks this file.

When checking such a file with an unknown file name, an http status 404 / Not Found is expected.

Your server sends a http status 200. There is html content with JavaScript.

There is a running webserver. Is it possible to use the webroot / DocumentRoot of this webserver, if --standalone doesn’t work?

Find your webroot, then create there the two subdirectories


then add there a file (file name 1234) and try to load this file via

If that works, use your webroot:

./certbot-auto certonly --webroot YourWebroot -d

I haven’t installed a certificate yet.
This project uses NodeJs as a front-end server, which returned html content with JavaScript, as you can see.
So I should create “.well-known/acme-challenge” at the webroot of nodeJs, and run “./certbot-auto certonly --webroot” to generate a certificate, then use it in tomcat, is that right?


So this server handles the http - port 80 requests.

Yes, if Certbot can write in this webroot, that should work.


Don’t forget to include the root path.
[-w /path/to/your/site/root]


thanks, it’s working now.


Btw, I use the command below to generate a pfx file for tomcat.
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:xxx
And if certificates are renewed automatically, do I need to rerun the openssl command?

Create pfx-certificate

Yes, you must rerun this command again.


Perhaps you can run a --deploy-hook script:

 If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

certbot renew --deploy-hook /path/to/deploy-hook-script

to do that.
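
The renewal step discussed above written as a deploy hook, added here as an example and not taken from the thread or from Certbot's own documentation: it rebuilds the PKCS#12 bundle with the same openssl pkcs12 inputs as the command quoted earlier. PFX_OUT and PFX_PASS_FILE are assumed locations, RENEWED_LINEAGE is the variable Certbot sets for deploy hooks, and the password is read with -passout file: so it does not appear in the process list.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds the Tomcat PKCS#12 bundle.
# PFX_OUT and PFX_PASS_FILE are assumed paths, not values from the thread.
PFX_OUT="${PFX_OUT:-/etc/tomcat/bundle.pfx}"
PFX_PASS_FILE="${PFX_PASS_FILE:-/etc/tomcat/pfx.pass}"

# build_pfx LINEAGE_DIR OUT_FILE PASS_FILE
# Writes OUT_FILE only if every input exists and openssl succeeds.
build_pfx() {
    lineage=$1; out=$2; passfile=$3
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    [ -r "$passfile" ] || { echo "missing $passfile" >&2; return 1; }

    tmp="$out.tmp.$$"
    (
        # The bundle contains the private key: create it readable by owner only.
        umask 077
        openssl pkcs12 -export -out "$tmp" \
            -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
            -certfile "$lineage/chain.pem" -passout "file:$passfile"
    ) || { rm -f "$tmp"; return 1; }

    # Replace the old bundle in one step so Tomcat never reads a partial file.
    mv -f "$tmp" "$out"
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to the hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pfx "$RENEWED_LINEAGE" "$PFX_OUT" "$PFX_PASS_FILE" || exit 1
    # Restart or reload Tomcat here, using whatever your installation provides.
fi
```

Pass the script's path to certbot renew --deploy-hook as shown above; it does nothing when run outside a renewal because RENEWED_LINEAGE is unset.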


Tomcat seems ok now.
Since we use nodeJs as the front-end server, I used privkey.pem to create a certificate for nodeJs by running the two steps below:

  1. openssl req -new -key privkey.pem -out csr.pem (this step asks me to fill in country/state/company information, I just did that casually)
  2. openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out file.crt

The certificate file.crt is created successfully, however, my website still shows Not Secure, do you have any idea about it?
Many thanks.


I see only your http version, not your https - version.

So I don’t know if the certificate is expired or if there is another problem.
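
Added example, not part of the thread: the two openssl steps quoted above sign the CSR with its own key (-signkey), so the resulting file.crt is self-signed, and browsers do not trust it whichever key was used. The functions below classify a PEM certificate and check that it matches a private key; the key, subject and scratch directory in the demo are constructed.

```shell
#!/bin/sh
# Added example: tell a self-signed certificate from a CA-issued one.

# cert_kind CERT_PEM -> prints "self-signed" or "ca-issued"
# Compares the hashes of the subject and issuer names.
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj" = "$issr" ]; then echo self-signed; else echo ca-issued; fi
}

# cert_matches_key CERT_PEM KEY_PEM -> exit 0 if both carry the same public key
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Repeats the thread's two steps in a scratch directory and classifies the
# result. The key and the subject fields are constructed for the demo.
demo_thread_steps() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null &&
    openssl req -new -key "$dir/privkey.pem" -out "$dir/csr.pem" \
        -subj "/C=XX/O=Example/CN=example.test" &&
    openssl x509 -req -days 365 -in "$dir/csr.pem" \
        -signkey "$dir/privkey.pem" -out "$dir/file.crt" 2>/dev/null &&
    cert_matches_key "$dir/file.crt" "$dir/privkey.pem" &&
    cert_kind "$dir/file.crt"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Certbot's lineage directory already holds the CA-issued cert.pem and fullchain.pem next to privkey.pem, and cert_kind reports ca-issued for that cert.pem.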
