Invalid response from acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: sudo certbot —apache

It produced this output:
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): IMPORTANT NOTES:

The domain name and directory seem to be accessible (eg if I put an html file there) but certbot has put nothing in that directory

My web server is (include version):

The operating system my web server runs on is (include version):
Debian GNU/Linux 9.11 (stretch)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

1 Like

What does this say:
apachectl -S

Also note:

--2019-11-23 18:18:33--
Resolving (
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 401

401 means unauthorized.

Also worth noting: Apache Tomcat/9.0.20
[in case anyone reading missed that earlier]

1 Like

Ok now towards a solution…

Tomcat doesn’t play well with LE.
That said, some have managed to get certs for it.
In various clever ways I might add.
But they are mostly NOT simple tasks.
My suggestion is try using --webroot -w /path/to/your/DocumentRoot as that would keep certbot from trying to interact with the unfriendly Ally cat (I mean Tomcat).

Please show:
ls -l ${CATALINA_BASE}/webapps/ROOT
[does that look like your webroot/documentroot ?]

1 Like

-bash: apachectl: command not found

ls -l ${CATALINA_BASE}/webapps/ROOT`

-rw-r----- 1 tomcat tomcat 27235 May 3 2019 asf-logo-wide.svg
-rw-r----- 1 tomcat tomcat 713 May 3 2019 bg-button.png
-rw-r----- 1 tomcat tomcat 1918 May 3 2019 bg-middle.png
-rw-r----- 1 tomcat tomcat 1401 May 3 2019 bg-nav.png
-rw-r----- 1 tomcat tomcat 3103 May 3 2019 bg-upper.png
-rw-r----- 1 tomcat tomcat 21630 May 3 2019 favicon.ico
-rw-r–r-- 1 tomcat tomcat 150 Oct 16 13:18 index.html
-rw-r----- 1 tomcat tomcat 12208 May 3 2019 index.jsp
-rw-r----- 1 tomcat tomcat 6852 May 3 2019 RELEASE-NOTES.txt
-rw-r----- 1 tomcat tomcat 5581 May 3 2019 tomcat.css
-rw-r----- 1 tomcat tomcat 2066 May 3 2019 tomcat.gif
-rw-r----- 1 tomcat tomcat 5103 May 3 2019 tomcat.png
-rw-r----- 1 tomcat tomcat 2376 May 3 2019 tomcat-power.gif
-rw-r----- 1 tomcat tomcat 67795 May 3 2019 tomcat.svg
drwxr-x— 2 tomcat tomcat 4096 May 30 11:17 WEB-INF

sudo certbot --apache --webroot -w /opt/tomcat/latest/webapps/ROOT |tee log2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Too many flags setting configurators/installers/authenticators ‘apache’ -> ‘webroot’

I am aware that the fact that the site is pasword protected may be a problem, but surely that should not stop certbot creating the file that is being sought, even if it cant be reached. I cant see a file ‘e7hgx…’ anywhere on the system.

The use of --webroot is to replace the use of --apache:

So try instead:

sudo certbot --webroot -w /opt/tomcat/latest/webapps/ROOT

And you may also have to include the domain name(s):

sudo certbot --webroot -w /opt/tomcat/latest/webapps/ROOT -d


sudo certbot --webroot -w /opt/tomcat/latest/webapps/ROOT -d -d

An update:-
certbot insisted that I use certonly mode. And I had to disable the user login while I ran it but
sudo certbot certonly --webroot -w /opt/tomcat/latest/webapps/ROOT
worked and produced a certificate and keyfile. Now I just need to work out what to do with them.

1 Like

If your are trying to secure a web server, that is very simple and there should be many online tutorials that show how to do so with your specific web server and O/S.

As always, if you still have questions involving the use of your LE cert, fell free to ask them here.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.