Invalid response 404 without reason

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wpopken.de

I ran this command: /root/.acme.sh/acme.sh --cron --home "/root/.acme.sh"

It produced this output: Invalid response from https://wpopken.de/.well-known/acme-challenge/IJXMYGLzfmRK11uYy1A3JANvfNlbecLaBMy9Vt36isI: 404

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): Ubuntu 24.04 LTS

My hosting provider, if applicable, is: IONOS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
v3.0.8

I used to run acme.sh for years without problems.

Recently I changed my system in 2 ways:

  • I switched one of my 2 machines to a different IP
  • and I switched dns servers for my 3 domains from server4you to cloudflare.

The daily renew routine works as usual.

Now one certificate is due for renewal and I get an error which is incomprehensible to me:

Invalid response from https://wpopken.de/.well-known/acme-challenge/IJXMYGLzfmRK11uYy1A3JANvfNlbecLaBMy9Vt36isI: 404

This domain is on the machine with the new IP.

Of course this message is correct, there is only one file called test in that directory and this is shown. Assuming that acme wants to write to this directory and cannot write due to permissions, I set the properties of acme-challenge from 755 to 777, to no avail.

Is this assumption true? I see from the machine where the other domain is served that there are several entries of this kind, 4 of them with the same date 06.04.2024 13:10:46 and one of 08.08.2024, the permissions of acme-challenge are set to 755.

Also, creating this missing file manually does not help, as there is a different filename at the next attempt.

I have a TXT entry _acme-challenge in my dns records which is used by acme, as I understand it, as proof that I am the legitimate owner of that domain.

Why do I get this error? Will I get the same error with the other 2 domains once they are due?

I thought about issuing a totally new certificate for this domain from scratch to get a new TXT entry, but I don't know how to get rid of the existing one. Also, this does not seem to be prudent, as everything worked fine for years.

Please enlighten me. I searched the web for days without getting a clue. I still have a few days off.

That is for the DNS-01 challenge; however, you are using the HTTP-01 challenge, as demonstrated here

Using the online tool Let's Debug yields these results https://letsdebug.net/wpopken.de/2206956

All OK!
OK
No issues were found with wpopken.de. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Here is what I see using curl
HTTP gets redirected to HTTPS

$ curl -Ii http://wpopken.de/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 29 Aug 2024 22:19:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://wpopken.de/.well-known/acme-challenge/sometestfile

And HTTPS gets the expected HTTP/2 404 for a nonexistent file.

$ curl -Ii https://wpopken.de/.well-known/acme-challenge/sometestfile
HTTP/2 404
server: nginx
date: Thu, 29 Aug 2024 22:19:28 GMT
content-type: text/html; charset=utf-8
content-length: 146
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: sameorigin
referrer-policy: strict-origin-when-cross-origin

3 Likes

We should have a look at the entire nginx configuration.

nginx -T

4 Likes

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I did not manipulate this file for years.

I detect 4 relevant identical entries in section http, I think they are sufficient for assessment:

    server {    # redirect stuerenburg.com to 443
        listen 80;
        server_name stuerenburg.com www.stuerenburg.com;
        location ^~ /.well-known/acme-challenge/ {
            allow all;
            default_type "text/plain";
            try_files $uri =404; # /index.html;
            break;
        }

        return 301 https://$http_host$request_uri;
    } # server 80 redirect to 443

and again

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/letsencrypt/live/wpopken.de.acme/fullchain.cer;
        ssl_certificate_key /etc/letsencrypt/live/wpopken.de.acme/wpopken.de.key;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;

        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        server_name wpopken.de;
        access_log  /var/www/wpopken.de/log/access.log  ;
        error_log  /var/www/wpopken.de/log/error.log  ;

        root /var/www/wpopken.de;
        index index.php index.html index.htm;


        location / {
            proxy_pass http://wp:82;            # container wp
            rewrite ^/wpopken.de(.*)$ $1 break;
        }


        location ~ \.php$ {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include         fastcgi_params;
            fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
            fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
            fastcgi_connect_timeout 300s;
            fastcgi_read_timeout 300s;
            fastcgi_send_timeout 300s;
            proxy_read_timeout 300s;
            fastcgi_buffers 8 128k;
            fastcgi_buffer_size 256k;

            include fastcgi_params;
        }

        location ~ ^(images|img|ico|scripts|styles|css|jpg|js|gif|png|robots\.txt)$ {   # get all of them directly
            root /www;
            error_page 404 = /404.html;
        }

        location ^~ /.well-known/acme-challenge/ {
            allow all;
            default_type "text/plain";
        }

and again

    server {    # redirect stuerenburg.com to 443
        listen 80;
        server_name stuerenburg.com www.stuerenburg.com;
        location ^~ /.well-known/acme-challenge/ {
            allow all;
            default_type "text/plain";
            try_files $uri =404; # /index.html;
            break;
        }

        return 301 https://$http_host$request_uri;
    } # server 80 redirect to 443

and again

    server { # 443 stuerenburg.com
        listen 443 ssl;
        server_name stuerenburg.com www.stuerenburg.com;
        index index.php index.html index.htm;
        root /var/www/stuerenburg.com;

                ssl_certificate /etc/letsencrypt/live/acme.stuerenburg.com/fullchain.cer;                 # stuerenburg.com 03.03.2021
                ssl_certificate_key /etc/letsencrypt/live/acme.stuerenburg.com/stuerenburg.com.key;       # stuerenburg.com 03.03.2021

        location / {


            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
proxy_set_header Accept-Encoding "gzip"; # is this prudent? See https://serverfault.com/questions/419984/what-is-the-best-way-to-compress-backend-to-nginx-reverse-proxy-data
            proxy_pass         http://joe;
            proxy_redirect     off;
        }



        location ~ /\.well-known/acme-challenge/ {
            allow all;
            try_files $uri =404;
            break;
        }

    } # server 443 stuerenburg.com

I hope this helps.

Those port 80 server blocks, with those location ^~ /.well-known/acme-challenge/ blocks are clearly not actually used by nginx, as we can see requests for that path are actually hitting the HTTP to HTTPS redirect.

The reason why Rudy asked for the ENTIRE nginx configuration is to see if there are perhaps redundant or some "default" server blocks "hijacking" the server blocks that you assume are being used. Which are not being used as evidently shown by the HTTP to HTTPS redirect.

2 Likes

Note:
These are not the same outputs:

nginx -t | nginx -T

Please use the capital T.

3 Likes

Didn't I use nginx -T? I did.

Why should the same input produce a different output all of a sudden?

/ # nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# https://www.domysee.com/blogposts/reverse-proxy-nginx-docker-compose

user root;

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    charset utf-8;
    include       mime.types;
    default_type  application/octet-stream;
    gzip  on;
    sendfile on;
    server_tokens off;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/sites-enabled/*.conf;
    server_names_hash_bucket_size 64;

    server {
        listen 80;
        server_name wpopken.de;
        location ~ /\.well-known/acme-challenge/ {
            allow all;
#            try_files $uri =404;
        }

        rewrite ^ https://$server_name$request_uri? permanent;
    }


    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/letsencrypt/live/wpopken.de.acme/fullchain.cer;
        ssl_certificate_key /etc/letsencrypt/live/wpopken.de.acme/wpopken.de.key;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;

        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        server_name wpopken.de;
        access_log  /var/www/wpopken.de/log/access.log  ;
        error_log  /var/www/wpopken.de/log/error.log  ;

        root /var/www/wpopken.de;
        index index.php index.html index.htm;


        location / {
            proxy_pass http://wp:82;            # container wp
            rewrite ^/wpopken.de(.*)$ $1 break;
        }


        location ~ \.php$ {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include         fastcgi_params;
            fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
            fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
            fastcgi_connect_timeout 300s;
            fastcgi_read_timeout 300s;
            fastcgi_send_timeout 300s;
            proxy_read_timeout 300s;
            fastcgi_buffers 8 128k;
            fastcgi_buffer_size 256k;

            include fastcgi_params;
        }


        location ~ ^(images|img|ico|scripts|styles|css|jpg|js|gif|png|robots\.txt)$ {   # get all of them directly
            root /www;
            error_page 404 = /404.html;
        }

        location ^~ /.well-known/acme-challenge/ {
            allow all;
            default_type "text/plain";
        }

        location ~ /\. {
            deny  all;
        }
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "sameorigin" always;

        #CSP
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

# ============================================================= redirect stuerenburg.com to 443
    server {    # redirect stuerenburg.com to 443
        listen 80;
        server_name stuerenburg.com www.stuerenburg.com;
        location ^~ /.well-known/acme-challenge/ {
            allow all;
            default_type "text/plain";
            try_files $uri =404; # /index.html;
            break;
        }

        return 301 https://$http_host$request_uri;
    } # server 80 redirect to 443

 # ============================================================= 443 stuerenburg.com
    server { # 443 stuerenburg.com
        listen 443 ssl;
        server_name stuerenburg.com www.stuerenburg.com;
        index index.php index.html index.htm;
        root /var/www/stuerenburg.com;

                ssl_certificate /etc/letsencrypt/live/acme.stuerenburg.com/fullchain.cer;                 # stuerenburg.com 03.03.2021
                ssl_certificate_key /etc/letsencrypt/live/acme.stuerenburg.com/stuerenburg.com.key;       # stuerenburg.com 03.03.2021

        location / {


            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
proxy_set_header Accept-Encoding "gzip"; # is this prudent? See https://serverfault.com/questions/419984/what-is-the-best-way-to-compress-backend-to-nginx-reverse-proxy-data
            proxy_pass         http://joe;
            proxy_redirect     off;
        }



        location ~ /\.well-known/acme-challenge/ {
            allow all;
            try_files $uri =404;
            break;
        }

    } # server 443 stuerenburg.com



}


# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

Thanks for posting the entire output verbatim. It helps removing assumptions from the table.

I don't see anything obviously incorrect, but I find it very strange why your nginx server would redirect requests for paths starting with /.well-known/acme-challenge/ to HTTPS, because according to your nginx HTTP configurations, it should NOT do that. Although not every location directive is the same. Unfortunately I'm not savvy enough with nginx configuration to really know if something buggy is going on there.

I also have no clue how your acme.sh is set up. Does it use a webroot? If we ignore the HTTP to HTTPS redirect I don't understand, I do believe you need to put the location / {} block after the more specific location blocks. That might be the reason why it doesn't work, but not entirely sure. Worth a shot though I think.

1 Like

No, their nginx is faulty. You must have a location section around the rewrite as well. With just the /.well-known in a location nginx just applies the items within it and then continues to process the rest of the server block (items that are not in other location blocks). So, it falls into the rewrite.

I would write the first HTTP block like this

    server {
        listen 80;
        server_name wpopken.de;
        root /var/www/wpopken.de;
        location /.well-known/acme-challenge/ {
            allow all;
#            try_files $uri =404;
        }
        location / {
            rewrite ^ https://$server_name$request_uri? permanent;
        }
    }

Of course, similar change to this server block too

EDIT: They have not changed their nginx yet so I am just noting that I added the root folder in the port 80 server block. The default value is not correct for their setup. I just used the one for their port 443 server block. A root folder would be added to the stuerenburg port 80 server block too if they change that.

4 Likes

Thank you all, but I don't see any error in a file that used to work for years.

Why do I get these problems now? I can copy a file to /.well-known/acme-challenge but acme.sh cannot? How can I debug this?

/var/www/wpopken.de/log/access.log shows 404 for their GET attempts, so I conclude that acme does not write to this dir for some reason.

The command you need to run is:
/root/.acme.sh/acme.sh --renew-all

That said, the error message indicates that the HTTP requests were heard and redirected to HTTPS:

2 Likes

Well, this is the problem:

Thu Sep 05 04:40 root@VPS-X ~$ /root/.acme.sh/acm/root/.acme.sh/acme.sh --renew-all
[Thu Sep  5 04:40:44 UTC 2024] Renewing: 'stuerenburg.com'
[Thu Sep  5 04:40:44 UTC 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Sep  5 04:40:44 UTC 2024] Skipping. Next renewal time is: 2024-10-24T00:27:26Z
[Thu Sep  5 04:40:44 UTC 2024] Add '--force' to force renewal.
[Thu Sep  5 04:40:44 UTC 2024] Skipped stuerenburg.com
[Thu Sep  5 04:40:44 UTC 2024] Renewing: 'wpopken.de'
[Thu Sep  5 04:40:44 UTC 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Sep  5 04:40:45 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Sep  5 04:40:46 UTC 2024] Multi domain='DNS:wpopken.de,DNS:www.wpopken.de'
[Thu Sep  5 04:40:48 UTC 2024] Getting webroot for domain='wpopken.de'
[Thu Sep  5 04:40:49 UTC 2024] Getting webroot for domain='www.wpopken.de'
[Thu Sep  5 04:40:49 UTC 2024] Verifying: wpopken.de
[Thu Sep  5 04:40:49 UTC 2024] Pending. The CA is processing your order, please wait. (1/30)
[Thu Sep  5 04:40:53 UTC 2024] wpopken.de: Invalid status. Verification error details: 213.165.82.33: Invalid response from https://wpopken.de/.well-known/acme-challenge/tHVt13Z7NtVWBC0TSZjUIXRhhBRUioMeOTMeZ-Bn2fk: 404
[Thu Sep  5 04:40:53 UTC 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Thu Sep  5 04:40:55 UTC 2024] Error renewing wpopken.de.
[Thu Sep  5 04:40:55 UTC 2024] Sending via: mail
[Thu Sep  5 04:40:55 UTC 2024] mail Success
Thu Sep 05 04:40 root@VPS-X ~$

Obviously, the test did not succeed. How do I understand this?

What does acme do, how can I understand?

I got a lot of output with --debug 2 or --debug 3, what do I search for?

What shows?:
grep -Ri le_webroot /root/.acme.sh/ | grep conf:

3 Likes

That code is still redirecting the ACME challenge requests to HTTPS:

curl -Ii stuerenburg.com/.well-known/acme-challeng/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 05 Sep 2024 11:22:45 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://stuerenburg.com/.well-known/acme-challeng/Test_File-1234
2 Likes

~$ grep -Ri le_webroot /root/.acme.sh/ | grep conf:
/root/.acme.sh/stuerenburg.com/stuerenburg.com.conf:Le_Webroot='/var/www/stuerenburg.com'
/root/.acme.sh/wpopken.de/wpopken.de.conf:Le_Webroot='/www'

There is an obvious difference in the definition of Le_Webroot. How come? And is it the cause of the problem?

For wpopken.de I commented out the redirection in the codeblock and restarted nginx, but http://wpopken.de is nevertheless redirected to https://wpopken.de in Firefox, which could be a function on Firefox, though. I have a redirection for stuerenburg.com, though.

I can only guess...
My guess is that those were the document root paths when their certs were issued.

I'd have to assume that it is.
Compare the related root statements:

3 Likes

My fault, I didn't check that the corrected file was uploaded, there was a confirm dialog.

But alas the same error:

 wpopken.de: Invalid status. Verification error details: 213.165.82.33: Invalid response from http://wpopken.de/.well-known/acme-challenge/Q5WmU-oheMBcHeW91YmIG2xQ7PRhg2S9w0R7qFpffBY: 404

These paths do not match:

/www does not equal /var/www/wpopken.de

3 Likes
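The comparison made in the last replies (each `Le_Webroot` against the `root` of the nginx server blocks answering for that name) can be automated. This is an added example, not part of the original thread and not acme.sh or nginx code. The function names are hypothetical, the inputs are constructed and trimmed from values quoted above, and it assumes acme.sh and nginx see the same filesystem paths and that no `include` files need following.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs, trimmed from the values quoted in the thread.
ACME_CONFS = {
    "/root/.acme.sh/stuerenburg.com/stuerenburg.com.conf": "Le_Webroot='/var/www/stuerenburg.com'\n",
    "/root/.acme.sh/wpopken.de/wpopken.de.conf": "Le_Webroot='/www'\n",
}
NGINX_CONF = r"""
http {
    server {
        listen 80;
        server_name wpopken.de;
        location ~ /\.well-known/acme-challenge/ { allow all; }
        rewrite ^ https://$server_name$request_uri? permanent;
    }
    server {
        listen 443 ssl http2;
        server_name wpopken.de;
        root /var/www/wpopken.de;
        location / { proxy_pass http://wp:82; }
        location ^~ /.well-known/acme-challenge/ { allow all; default_type "text/plain"; }
    }
    server {
        listen 443 ssl;
        server_name stuerenburg.com www.stuerenburg.com;
        root /var/www/stuerenburg.com;
        location ~ /\.well-known/acme-challenge/ { allow all; try_files $uri =404; }
    }
}
"""
DEFAULT = "<default>"  # marker: no root directive, so nginx falls back to its built-in default


def blocks(text, keyword):
    """Yield (header, body) for each brace-matched `keyword ... { ... }` block."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def top_level(body):
    """Drop the contents of nested blocks so only this level's directives remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def directive(text, name):
    """Return the arguments of the first `name ...;` directive, or []."""
    m = re.search(r"(?:^|[;\s])%s\s+([^;]+);" % name, text)
    return m.group(1).split() if m else []


def challenge_roots(nginx_conf):
    """Map each server_name to the roots its server blocks use for the challenge path."""
    result = {}
    conf = re.sub(r"#[^\n]*", "", nginx_conf)  # strip comments before brace matching
    for _, body in blocks(conf, "server"):
        root = directive(top_level(body), "root")
        for header, loc_body in blocks(body, "location"):
            if "acme-challenge" in header:  # a root inside the location overrides the server's
                root = directive(top_level(loc_body), "root") or root
        for name in directive(top_level(body), "server_name"):
            result.setdefault(name, set()).add(root[0] if root else DEFAULT)
    return result


def check(acme_confs, nginx_conf):
    """Return (domain, Le_Webroot, [nginx roots that differ from it]) per acme.sh conf."""
    roots, findings = challenge_roots(nginx_conf), []
    for path, text in sorted(acme_confs.items()):
        domain = PurePosixPath(path).parent.name  # directory name is the primary domain
        m = re.search(r"^Le_Webroot='(/[^']*)'", text, re.M)  # absolute paths only
        webroot = m.group(1) if m else None
        bad = sorted(r for r in roots.get(domain, ()) if webroot is None
                     or PurePosixPath(r) != PurePosixPath(webroot))
        findings.append((domain, webroot, bad))
    return findings


if __name__ == "__main__":
    for domain, webroot, bad in check(ACME_CONFS, NGINX_CONF):
        print(domain, webroot, "MISMATCH: " + ", ".join(bad) if bad else "ok")
```

On these inputs stuerenburg.com passes, while wpopken.de is flagged both for the 443 block's root and for the port 80 block that sets no root at all.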