Invalid response from acme-challenge during renewal dry run


Hi! I am not sure what the problem is with this renewal attempt.

“client lacks sufficient authorization”
“Invalid response from…ACME-challenge related to the” domain name

The Mac mini is in use as a mail server using a dynamic DNS service provided by It also uses a mail service from noip; I am able to get mail remotely from the mini using my mobile devices (including iPhones and iPads). Note that my registrar is not

My domain is:
I ran this command: sudo certbot renew --dry-run
It produced this output:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from[long name]: "

404 Not Found

Not Found

<p". Skipping.

My web server is (include version): a 2014 Mac mini running macOS Sierra and Server

The operating system my web server runs on is (include version): macOS 10.12.6, macOS Server 5.3.1

My hosting provider, if applicable, is: —

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no




It seems that your website is not serving the correct content. (Although there is no content.)

I’m not sure what you should do at this time, but maybe try standalone mode (if you are not going to run websites) or create a vHost for Mac server.

Thank you


What is standalone mode, and what is a vHost?





Standalone mode sets up a temporary web server and does not depend on your current server config.

vHost is short for Virtual Host…

I’ve found a guide for you… (However, since I’m not using macOS, I don’t know if that one works…)

Thank you


I created the script according to the macstrategy article at the indicated link above, and ran it. It failed.

After staring daggers at the gazouta for a while, decided it was objecting to being asked to renew, and removed that bit from the certbot command. Running the script then produced the following, which doesn’t actually tell me if it has been installed properly, so I’ll have to explore to see what’s what.

Will I have to cron two scripts, one for each, to keep 'em from tripping up?



cedar:letsencrypt boss$ ./
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /Library/Server/Web/Data/Sites/ for all unmatched domains.
Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2018-10-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

1 identity imported.
2 certificates imported.


I ran into a complication that required some thought. Apparently some automated part of the process had detected that there already was a folder /etc/letsencrypt/live/ and created /etc/letsencrypt/live/ The script from macstrategy was aimed at, and performed the latter steps on the older files in that folder. Once I figured this out (I was seeing only the expiring cert showing up in macOS Server Certificates) I hacked a shorter script from the original that just did the last three steps but with the newer -0001 folder content and let 'er rip. The new cert showed up once I quit and restarted the Server app.
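The duplicated lineage folder described in the post above can be detected before the import steps run. The following is an added example, not part of the original thread or the macstrategy script. It assumes certbot's default layout (one directory per lineage under the live directory) and that the highest numeric suffix is the most recent lineage; `example.com` and the sample tree are constructed placeholders.

```shell
#!/bin/sh
# Added example: spot certbot lineages duplicated as NAME-0001, NAME-0002, ...
# Assumption: one directory per lineage under the live dir (certbot default layout).

# Print each base name that has at least one NAME-NNNN sibling directory.
duplicate_lineages() {
    live_dir=$1
    for d in "$live_dir"/*-[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue          # unmatched glob stays literal; skip it
        base=${d##*/}
        printf '%s\n' "${base%-????}"    # strip the -NNNN suffix
    done | sort -u
}

# Print the lineage directory for NAME with the highest numeric suffix
# (plain NAME counts as 0). Prints nothing when no lineage exists.
latest_lineage() {
    live_dir=$1 name=$2 best= best_n=-1
    for d in "$live_dir/$name" "$live_dir/$name"-[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        case ${d##*/} in
            "$name") n=0 ;;
            *)  n=${d##*-}
                n=${n#"${n%%[!0]*}"}     # drop leading zeros: 0001 -> 1
                n=${n:-0} ;;
        esac
        if [ "$n" -gt "$best_n" ]; then best_n=$n; best=$d; fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; fi
}

# Constructed sample tree standing in for /etc/letsencrypt/live.
make_sample_live() {
    t=$(mktemp -d)
    mkdir -p "$t/example.com" "$t/example.com-0001" "$t/mail.example.net"
    printf '%s\n' "$t"
}

sample=$(make_sample_live)
for name in $(duplicate_lineages "$sample"); do
    echo "duplicate lineage: $name -> import from $(latest_lineage "$sample" "$name")"
done
rm -rf "$sample"
```

Before importing from the selected folder, confirm it holds the newer certificate with `openssl x509 -enddate -noout -in <folder>/cert.pem`; `certbot certificates` also lists every lineage with its expiry date.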

