Invalid response from


Hi, I have a problem with my ACME-challenge, so I get no certificate. I tried with:

certbot --apache -d -d

I got the answer:

Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from “\n\n404 Not Found\n\n

Not Found


nslookups for both URLs are OK.
What could be the reason for that answer?



The method used has placed the authentication challenge response token in an incorrect location.
That is hard to say. But something may have changed (even just slightly).
Or the certbot plugin was updated and now doesn’t understand your config precisely.

You could troubleshoot it better by adding more detail to the logs and uploading them here (if needed):

certbot -vvv --apache -d -d

Or you could try removing the --apache plugin and replacing it with --webroot -w /your/site/root


Sorry, I thought you were having trouble renewing a cert.
But I see now that is your first one.

The --apache plugin can’t “understand” where to put the response token.


Why does it work with , and not with ? With the first URL I get a “status”: “valid”,


I would have to see the entire config to understand why it works with one and not the other.


Hi @bblana

you have a curious configuration ( ):

Domainname Http-Status redirect Sec. G
301 0.063 D
200 0.046 H
-4 0.080 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
-4 0.080 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
200 0.047 Q
200 0.043 Q
301 0.057 D
404 0.043 A
Not Found

Your non-www is redirected to www, your port 443 sends http content, not https.

So it looks like Certbot doesn’t understand your configuration. I don’t understand why non-www works, but www fails.

Share your Apache config file. And share the output of

certbot --version


One thing that @joohoi has recently determined is that in many cases where --apache fails to satisfy the HTTP-01 challenge, there are multiple Apache virtualhosts with overlapping coverage (in the sense that they potentially refer to the same hosts or paths). In this case Certbot doesn’t know for sure which one to use for the challenge, and it guesses one, which may be wrong.

This is a likely explanation for most recent cases of 404 errors with --apache. The behavior will be changed in an upcoming release of Certbot so that all potentially relevant virtualhosts are modified to be capable of passing the challenge, but I would agree that it’s potentially a symptom of an ambiguous Apache configuration in which the existing virtualhosts weren’t entirely as intended.
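A way to check a config for the overlap described above, as an added example that is not part of the original post and is not Certbot's own code: it lists every hostname claimed by more than one VirtualHost on the same address and port. The sample config, the example.com names and the function names are constructed for illustration; it assumes a single file with no Include directives and compares names literally, without wildcard matching.

```python
import re
from collections import defaultdict

# Constructed sample config (not the poster's files): two port-80 vhosts
# both claim www.example.com, so a challenge file added to one of them
# may be answered by the other with a 404.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/site
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/other
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+?)[ \t]*$", re.I | re.M)


def parse_vhosts(conf):
    """Return (address, hostnames, starting line) for each <VirtualHost> block."""
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # blank out comment lines
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        names = {n.lower() for line in NAME_RE.findall(m.group(2)) for n in line.split()}
        vhosts.append((m.group(1).strip(), names, conf.count("\n", 0, m.start()) + 1))
    return vhosts


def overlapping_names(conf):
    """Map (address, hostname) to the lines of all vhosts claiming it, when more than one does."""
    claims = defaultdict(list)
    for addr, names, line in parse_vhosts(conf):
        for name in names:
            claims[(addr, name)].append(line)
    return {key: lines for key, lines in claims.items() if len(lines) > 1}


if __name__ == "__main__":
    for (addr, name), lines in overlapping_names(SAMPLE_CONF).items():
        print(f"{name} on {addr} is claimed by the vhosts starting at lines {lines}")
```

On a live server, `apachectl -S` prints the virtualhost map Apache actually resolved, including included files, and is the authoritative view to compare against.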


Here is the output:

certbot --version
certbot 0.28.0
And there are the apache2.conf, ssl.conf and the files. If you need more, please let me know.


apache2.conf.txt (7.1 KB)
ssl.conf.txt (6.3 KB) (582 Bytes)


In your log, there is your DocumentRoot /var/www/

So use that:

certbot run -a webroot -i apache -w /var/www/ -d -d


I tried that, but the same error comes up.



I made the check with, but in this case with https:// in front. Both URLs show a



http + non www works

http + www doesn’t work.

But you have


so both should use the same config.

So it looks like you have another VirtualHost which is used instead.


I switched all server names to:


and Alias to:

and now it works, I have the certificates.


I believe the conflict may have been caused by also using:
in the apache2.conf file.

The actual ServerName serves no real purpose there.
You could just as easily replace it with the Internet IP address or localhost.
