Invalid response from 400

Hello letsencrypt Team!

I haven't been able to renew certificates for a few days. It works over ipv4 but not ipv6. We are not using iptables and have not made any changes to the domain or firewall. The website can be reached via ipv6 and 4 and on port 80 there is a redirect to 443. This has always worked flawlessly so far!

Tank you for help!

My domain is:

I ran this command: Thu, 11 Aug 2022 05:08:33 GMT

It produced this output:

2022-08-11 07:08:33,887:DEBUG:acme.client:Sending POST request to
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82NDkwNzg5IiwgIm5vbmNlIjogIjAwMDJoQmRVNlFrdVR0TnVJWEhHQVlnd2hrT0o1V0ljLUlac3dsN0FMTFlaZUhFIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzMzMDE1MDEzODQifQ",
"signature": "lIKgDffeFEyJ55IVMgtAex8N2ScJ40PVsUCjVAT5tXfq1Lx2-LcMDzLv1JUMCLWTd5L_3WK3BGVbCY0fx_HgQ6tkLcRssu9QYNPvehGAlxv-_FObcqNkPMHfnSv9uhf51_QgZmoU7J-9vRGHFikON8jUjYIrCp1G5ySw1ovTPp5Ms_Mq7dcJU9UyBRR-dFuEyp3Y6eYcy5Gvx6m0wICuNI7fHwQa-slTO1nthUooCQGwcI-I_NMJWJyvW5-_rf3_x2tVNPCc2cwluUZMJGUuxbMuNgtv7xbL3nuLAMlJNOmkTzbRtJ6HamXO48hYSsA1h6EmmIbv-ZNhBQBJeiwH3w",
"payload": ""
2022-08-11 07:08:34,039:DEBUG:urllib3.connectionpool: "POST /acme/authz-v3/3301501384 HTTP/1.1" 200 1085
2022-08-11 07:08:34,041:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 11 Aug 2022 05:08:33 GMT
Content-Type: application/json
Content-Length: 1085
Connection: keep-alive
Boulder-Requester: 6490789
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0001LBgT5A6-OP4IJi711-6XxuQt5zkyAGHs1m6EgmcKLbg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

"identifier": {
"type": "dns",
"value": ""
"status": "invalid",
"expires": "2022-08-18T05:08:32Z",
"challenges": [
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "2a01:4f8:1c0c:80b3::2: Invalid response from 400",
"status": 403
"url": "",
"token": "YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo",
"validationRecord": [
"url": "",
"hostname": "",
"port": "80",
"addressesResolved": [
"addressUsed": "2a01:4f8:1c0c:80b3::2"
"validated": "2022-08-11T05:08:32Z"
2022-08-11 07:08:34,042:DEBUG:acme.client:Storing nonce: 0001LBgT5A6-OP4IJi711-6XxuQt5zkyAGHs1m6EgmcKLbg
2022-08-11 07:08:34,042:WARNING:certbot.auth_handler:Challenge failed for domain
2022-08-11 07:08:34,043:INFO:certbot.auth_handler:http-01 challenge for
2022-08-11 07:08:34,043:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Type: unauthorized
Detail: 2a01:4f8:1c0c:80b3::2: Invalid response from 400

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2022-08-11 07:08:34,045:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-08-11 07:08:34,045:DEBUG:certbot.error_handler:Calling registered functions
2022-08-11 07:08:34,045:INFO:certbot.auth_handler:Cleaning up challenges
2022-08-11 07:08:34,046:DEBUG:certbot.plugins.webroot:Removing /var/www/
2022-08-11 07:08:34,046:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2022-08-11 07:08:34,047:ERROR:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/", line 320, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

My web server is (include version): Server version: Apache/2.4.41 (Ubuntu), Server built: 2022-06-14T13:30:55

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: Hetzner ( vm )

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no (cli only)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

If you look at Let's Debug you will see that your domain points to both and IPv6 address and an IPv4 address. They are returning different results.

Usually this means you have a AAAA record in your dns that's pointing to the wrong server and you can either delete it or point it to the correct server (if your server does indeed have an IPv6 address).


Thanks for answering! But our server has the following IPs on eth0:

IPv4 address for eth0:
IPv4 address for eth0:
IPv6 address for eth0: 2a01:4f8:1c0c:80b3::2

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 96:00:00:d6:7f:24 brd ff:ff:ff:ff:ff:ff
inet scope global eth0
valid_lft forever preferred_lft forever
inet scope global dynamic eth0
valid_lft 78200sec preferred_lft 78200sec
inet6 2a01:4f8:1c0c:80b3::2/64 scope global
valid_lft forever preferred_lft forever
inet6 2a01:4f8:1c1c:fb4e::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9400:ff:fed6:7f24/64 scope link
valid_lft forever preferred_lft forever

So the addresses in DNS are OK:

"addressesResolved": [

Thanks for help!


Cool, yes, that is right.

Nonetheless, they do produce very significantly different behavior when accessed from the outside world. You can see this by running curl -4 and curl -6 on a separate server that has IPv6 connectivity. (Or maybe even on that same server, potentially.) The response and error condition are quite different.

So, you must identify and remove the reason for this discrepancy in behavior. Specifically, it seems that the IPv6 connection (even though it is a correct address for your server) is producing an error which is not produced for IPv4.


Yes, make sure Apache is configured to listen on all required interfaces, including IPv6, see Binding to Addresses and Ports - Apache HTTP Server Version 2.4


Yes in our config:

<VirtualHost [2a01:4f8:1c0c:80b3::2]:443>
DocumentRoot ....

<VirtualHost [2a01:4f8:1c0c:80b3::2]:80>
Redirect 301 /


Listen 80

Listen 443 Listen 443

Greets Maik

1 Like

We have not adjusted or changed anything in our configuration. The problem was there all of a sudden.

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.


We habe 301 redirect on ipv6 port 80 to Unfortunately, we now have the problem generally on the entire server with all domains.

The Error was found in config of an other vhost. There was a directive to ssl with port 80! Many Thanks for HELP! P.S. we donate more because it was Layer8 Problem :wink:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.