Invalid response from


Hello everybody

I installed certbot on my root and I executed the webroot command

certbot certonly --webroot -w /var/www/ -d -d

and got this error:

Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "

404 Not Found

Not Found

<p", (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from " 404 Not Found

Not Found



  • The following errors were reported by the server:

Type: unauthorized
Detail: Invalid response from

404 Not Found

Not Found


Type: unauthorized
Detail: Invalid response from

404 Not Found

Not Found


To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I already tried creating a file in my .well-known directory named “test” and wrote in it “ok” and executed this command (stolen from another helping post from @serverco):

curl -I

this gave me this message:

302 Found


The document has moved "" here.

How do I continue now?

I am using apache2 on a debian 8 root.


Hi @asdf1414, could you try a similar test in /.well-known/acme-challenge rather than just /.well-known?


So I created the “acme-challenge” directory and put the “test” file in there and got this output
(executed command: curl -I

HTTP/1.1 302 Found
Date: Thu, 16 Feb 2017 22:51:06 GMT
Server: Apache/2.4.10 (Debian)
Content-Type: text/html; charset=iso-8859-1


What does curl -I do?


I posted that output in the upper post


You posted the output of curl -I, which responds with a redirect to

curl -I gives a 404 Not Found error, as shown in Let’s Encrypt’s original error message.

It looks like you need to change your web server configuration in one of two ways:

  • Configure the HTTP vhosts not to redirect requests to /.well-known/acme-challenge/ to HTTPS.
  • Configure the HTTPS vhosts to serve files in /.well-known/acme-challenge/ from /var/www.

If you post your web server configuration, and which path you’d prefer to take, we should be able to help you configure it. 🙂


So which configuration from which path do you now actually want to see? Because in /var/www/.well-known/acme-challenge there is only this “test” file.

and “curl -I” gives me

curl: (51) SSL: no alternative certificate subject name matches target host name ‘


With -k you can tell curl to ignore that. Let’s Encrypt will do so too 🙂 It even accepts self-signed certificates.

Anyway, the 404 error is legit. That’s because although you already have a redirect in place for to HTTPS, your webserver currently isn’t “listening” on HTTPS for, but for! And your “Mailcow” probably has a different webroot than the webroot you’re pointing certbot at.

So you’ve got a few options, just like @mnordhoff already said. You can:

  • Modify your current HTTP -> HTTPS redirect in Apache to ignore everything that begins with /.well-known/acme-challenge
  • Add an HTTPS <VirtualHost> configuration for which points to the correct webroot;
  • Don’t use the webroot authenticator, but the apache authenticator which uses the tls-sni-01 challenge.

Which one you choose depends on how comfortable you are with manually configuring your Apache (for option 1 or 2) or if option 3 didn’t work for you in the past (perhaps we can fix that?)
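
Added example, not part of any post in this thread: a sketch of the first option for Apache 2.4, where the port-80 vhost keeps its HTTP to HTTPS redirect but exempts /.well-known/acme-challenge/ and serves it from the webroot given to certbot. The hostnames example.com and www.example.com are placeholders, and the vhost layout is an assumption, since the thread never shows the server's actual configuration.

```apache
# Added example. Hostnames are placeholders; the thread's real names are not shown.
# Needs mod_rewrite and mod_alias enabled (on Debian: a2enmod rewrite alias).

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Map the challenge URL onto the directory certbot writes to when it is
    # run with "-w /var/www/" (it creates .well-known/acme-challenge below it).
    Alias /.well-known/acme-challenge/ /var/www/.well-known/acme-challenge/

    <Directory /var/www/.well-known/acme-challenge/>
        # Static token files only: no indexes, no .htaccess overrides.
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Redirect everything to HTTPS except the ACME http-01 challenge path,
    # so the validation request is answered on port 80 by this vhost.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -I` against a test file under /.well-known/acme-challenge/ over plain HTTP should return 200 rather than 302. For the second option, the same Alias and Directory block goes inside the HTTPS vhost that answers for the hostname instead.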


So for the first option. How can I configure this?


First you need to identify where the current redirect code is. To know that, if you don’t know how or where to look, we’ll need more understanding about the architecture of your server… What OS is it? Is it a “standard” installation of Apache or custom? That sort of thing…


First I installed a mailserver and this installed apache2 as well, so idk if there was something special that mailcow installed with the mailserver. And I am using Debian 8 jessie.


You just followed the guide on from the How to install? section?


Yes, I watched a Video and they made it the same as the “how to install” on the mailcow website


OK, very interesting software. It takes care of all the installation and configuring.

Did you already add a configuration file to Apache and make a document root for the intended site for


I didn’t add anything to the webserver


Well, there’s your problem. Currently, the only thing on your webserver is Mailcow. And the Apache configuration file for the webmail has the redirect in place. But this redirect should be only for

The reason you’re getting a redirect for too is because you don’t have that hostname configured! The only thing currently configured on your webserver is If you want to use the webroot plugin, you need to configure your Apache to actually have a site for

But I’m quite puzzled now… You want a certificate for and, but you don’t have a site configured for it? Why do you need the certificate if you don’t have a site which will use it?


Well if I type in in my browser, google chrome tells me this is not a safe website so I can’t check if there is a webserver configured for or not but I think there is. Can I check that?

Should I try to install apache2 again or in another way?


If you look at the error message closely, you’ll see why:

This server could not prove that it is; its security certificate is from

Did someone configure your Apache for you to add a site for

Anyway, to check the currently configured sites, you can run a2dissite:

echo $'\cc' | a2dissite

(The first bunch is so the program will quit by itself so you don’t have to manually press Ctrl-C…)

Reinstalling Apache won’t produce a site out of nothing I’m afraid 🙂


I ran the a2dissite command and got this output:

Your choices are: 000-0-mailcow 000-default
Which site(s) do you want to disable (wildcards ok)?
ERROR: Site does not exist!


Hmm, interesting, don’t know where the 000-default comes from… Probably Debian’s default. I don’t have much experience with Debian (or distros based upon Debian), but what I can tell that doesn’t help you further… (Unless someone modified 000-default.conf.)

Looks like you don’t have a site for set up!

Question remains though: if you don’t have a site set up for, why do you want a TLS certificate for the hostname?

Because if you do want a site for those domain names, setting that up is probably beyond the scope of this forum.

But if you need the certificates for something else, we’ll be happy to help you with that 🙂