Invalid response from /.well-known/acme-challenge

My domain is:

I ran this command: sudo docker-compose logs letsencrypt

It produced this output:

Creating/renewal certificates... (
letsencrypt_1  | [Sun Oct 22 01:27:57 UTC 2023] Using CA:
letsencrypt_1  | [Sun Oct 22 01:27:57 UTC 2023] Creating domain key
letsencrypt_1  | [Sun Oct 22 01:27:58 UTC 2023] The domain key is here: /etc/
letsencrypt_1  | [Sun Oct 22 01:27:58 UTC 2023] Single domain=''
letsencrypt_1  | [Sun Oct 22 01:27:58 UTC 2023] Getting domain auth token for each domain
letsencrypt_1  | [Sun Oct 22 01:27:59 UTC 2023] Getting webroot for domain=''
letsencrypt_1  | [Sun Oct 22 01:27:59 UTC 2023] Verifying:
letsencrypt_1  | [Sun Oct 22 01:28:02 UTC 2023] error: Invalid response from 404
letsencrypt_1  | [Sun Oct 22 01:28:02 UTC 2023] Please check log file for more details: /dev/null

My web server is (include version): Google Cloud Apache

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: a2hosting

I can login to a root shell on my machine (yes or no, or I don't know): idk

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Command 'certbot' not found


I'm trying to put the Judge0 compiler on a Google Cloud VM so I can access it through a page on my domain. I'm able to get this to work over HTTP via Insomnia, but I need it over HTTPS so it can work on my website. So I started a new HTTPS server and I'm getting this error:

Invalid response from 404

Whenever I run the SSH CLI it tries to make a cert but it fails. I made a .well-known/acme-challenge folder in my public_html folder to see if that would help but it didn't. I'm guessing if it ran properly it would make that for me? Not sure how to troubleshoot this since I'm not very familiar with Ubuntu, Nginx, LetsEncrypt, and Google Cloud VMs. It's seems like this is my last hurdle and I can move on.

Hi @dhust, and welcome to the LE community forum :slight_smile:

Since we are dealing with Apache, let's begin at the beginning.
Please show:
sudo apachectl -t -D DUMP_VHOSTS

And let's confirm you are at the right IP, with:
curl -4


Thanks for the help :slight_smile:

When I run sudo apachectl -t -D DUMP_VHOSTS, it states:

sudo: apachectl: command not found

When I run curl -4, it states:
This is the External IP of the VM Instance in Google Cloud.

Those IPs are very different.
HTTP-01 authorization requires reaching your server.

Can you explain the IP discrepancy?

3 Likes is the Google Cloud VM External IP, which is where the Judge0 compiler is running. is my domain where I will be using the compiler.


Which one will be using the certificate?
Which one will be running the ACME client to maintain that certificate?


Not sure how this is supposed to work.

There is a docker-compose.yml file in the judge0 container that asks me to set the VIRTUAL_HOST , LETSENCRYPT_HOST and LETSENCRYPT_EMAIL. I changed it to, which is the server's IP, but it still used, which is, when trying to make the cert. Ultimately, I'm not sure what to change.

HTTP-01 authentication will follow global DNS.
The IP for the name "" currently points to IP
That is where LE will try to connect to validate the certificate request.
If that is NOT where the ACME client is running, then we have a problem.

I still don't get the design/layout.
Perhaps a picture can provide enough words to explain it.
[I've heard they can paint one thousand words]


Hopefully this helps.

1 Like

If the site will be served by the nginx server on the right...
Via what name will the clients be connecting to it?
The current name points to the server on the left.


Maybe the picture still lacks some detail.
Where will the Internet clients be connecting to? [what FQDN?]
What port will that purple request use?


Users will only see the webpage on the left. When they press a "run" button, the code will be sent to the compiler on the right.

Ok. I think I know what may need to happen but it's still not clear how it will all work. But maybe I don't need to know and it will just work.

Now that I remember how I connected when I used the HTTP server, I believe the compiler's server (on the right) is the one that needs the cert. Which makes sense because when my website tries to connect to the compilier, it says it's missing a cert (or something like that). So now I have to figure out where to change it from to the

The thing I'm wondering though is how this whole certification stack will validate the letsencrypt token that's supposed to be sent to /.well-known/acme-challenge/ since, I believe, that's usually sent to the websites server, not the compiler's Ubuntu server which I will be sending it to now.

Via what FQDN? [if, then that site needs a cert]

I'm thinking both sides may need a cert. [but they can't use the same name]
You may need to give the one on the right its' own name.
[with its' own IP and cert]



Can't you just put it all in one place/system?

2 Likes already has a cert.
Does the compiler need it's own domain name or can I just use the IP address?

Can't you just put it all in one place/system?


1 Like

Do you want to encrypt that purple connection?
If so, do you want a free cert to do that with?


Do you want to encrypt that purple connection?
If so, do you want a free cert to do that with?

I don't know what connection needs HTTPS. All I know is that the website on the left already uses HTTPS, so we should be good there. And the compiler on the right needs a cert so that I can send information to it using HTTPS.

So, that's a yes, to:


Because although LE certs are free, they will NOT cover IP addresses.

Are you concerned about having the FQDN of the compiler known [to the Internet]?
If so, we can work to secure that more.


I probably wouldn't want that shown.