Invalid response

This works:
But not when trying to generate a certificate via certbot.

My domain is:

I ran this command:
sudo certbot certonly --apache

It produced this output:

My web server is (include version):
Apache/2.4.29 (Ubuntu)
Ubuntu 18.04LTS

I can log in to a root shell on my machine

certbot 1.7.0

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:80 (/etc/apache2/sites-enabled/vhosts.conf:4)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

When I visit, I see:

Traffic to your server is being blocked by Cloudflare.

I think that includes the traffic that Let’s Encrypt uses to validate your server, which results in your Certbot error.

My reasoning is that an actual 404 produced by your Apache server leads the response body with:


However, in your Certbot error, we see that the response body leads with exactly the HTML of the Cloudflare “access denied” page.

As such, I don’t think this is a webroot error. Try reducing your Cloudflare WAF’s sensitivity …


Hi @TomasSj

Then you have found the correct webroot. So use it with the webroot parameter:


I’m enforcing HTTPS on everything but /.well-known/acme-challenge/*
Hence the access denied. I suppose there’s something else I’m missing in the setup of CloudFlare.
Removed the HTTPS rewrite; handling it by page rules after the well-known page rule.
Allowing HTTP traffic in the firewalls, leading to it actually working.

Same response:
sudo certbot certonly --webroot -w /var/www/ -d

Is there something else I’m missing?
Been at it for a week without progress. I have the exact same setup as 2 other domains (almost, missing something).

What’s the absolute path of your test file?


There’s a pretty straightforward way to prove that it’s the WAF’s fault.

In your access log, you should see 4 requests to /.well-known/acme-challenge/xxxxxxxxxxxxxxxx every time you try to issue the certificates using Certbot.

If you don’t see four requests (from user-agent Mozilla/5.0 (compatible; Let's Encrypt validation server; +, it means they’re being blocked by Cloudflare.

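The log check described in the post above, as an added example that is not part of the original thread: a small parser for Apache "combined" access log lines that keeps only requests for /.well-known/acme-challenge/<token> coming from the Let's Encrypt validation user-agent, groups them by token, and states what the count and status codes imply. No validation requests at all means they were stopped before reaching Apache (Cloudflare WAF or a firewall); requests that arrive but get 404 mean Apache is serving from a different webroot than the one certbot wrote to. The sample log lines are constructed for this example (documentation IP ranges, one line mirroring the 404 line quoted later in the thread, and a second token "okTOKENconstructed" that is entirely made up).

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat, as far as this check needs it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Substring of the real Let's Encrypt validation user-agent.
LE_UA_MARKER = "Let's Encrypt validation server"

# Constructed sample access log (not from the original poster's server).
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
SAMPLE_LOG = [
    # Ordinary browser hit on the site: not a challenge request, ignored.
    '198.51.100.7 - - [07/Sep/2020:10:01:58 +0000] "GET /index.html HTTP/1.1" 200 3104 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"',
    # Mirrors the 404 line quoted in the thread, with a documentation IP.
    '203.0.113.10 - - [07/Sep/2020:10:02:31 +0000] "GET /.well-known/acme-challenge/HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI HTTP/1.1" 404 490 "-" "' + LE_UA + '"',
    # Operator's own curl of the same path: not a validation request, ignored.
    '192.0.2.44 - - [07/Sep/2020:10:03:02 +0000] "GET /.well-known/acme-challenge/HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI HTTP/1.1" 404 490 "-" "curl/7.58.0"',
    # Four successful validation requests (multiple vantage points) for a made-up token.
    '203.0.113.10 - - [07/Sep/2020:11:15:00 +0000] "GET /.well-known/acme-challenge/okTOKENconstructed HTTP/1.1" 200 87 "-" "' + LE_UA + '"',
    '203.0.113.11 - - [07/Sep/2020:11:15:00 +0000] "GET /.well-known/acme-challenge/okTOKENconstructed HTTP/1.1" 200 87 "-" "' + LE_UA + '"',
    '203.0.113.12 - - [07/Sep/2020:11:15:01 +0000] "GET /.well-known/acme-challenge/okTOKENconstructed HTTP/1.1" 200 87 "-" "' + LE_UA + '"',
    '203.0.113.13 - - [07/Sep/2020:11:15:01 +0000] "GET /.well-known/acme-challenge/okTOKENconstructed HTTP/1.1" 200 87 "-" "' + LE_UA + '"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def challenge_hits(lines):
    """Return {token: [(client_ip, status), ...]} for challenge requests from the LE validator."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        if LE_UA_MARKER not in rec["ua"]:
            continue  # browsers, curl, scanners: not the validator
        token = rec["path"][len(CHALLENGE_PREFIX):]
        hits[token].append((rec["ip"], int(rec["status"])))
    return dict(hits)


def diagnose(hits, token):
    """Turn the per-token hit list into the conclusion the thread reasons about."""
    reqs = hits.get(token, [])
    if not reqs:
        return "no validation requests reached Apache: blocked upstream (WAF/firewall) or wrong origin"
    statuses = {status for _, status in reqs}
    if statuses == {200}:
        return f"{len(reqs)} validation request(s) served 200: webroot is correct"
    if 404 in statuses:
        return f"{len(reqs)} validation request(s) reached Apache but got 404: token file not under the served webroot"
    return f"{len(reqs)} validation request(s) with statuses {sorted(statuses)}"


if __name__ == "__main__":
    found = challenge_hits(SAMPLE_LOG)
    for tok in found:
        print(tok, "->", diagnose(found, tok))
    print("missingtoken ->", diagnose(found, "missingtoken"))
```

On a real box, replace SAMPLE_LOG with the lines of /var/log/apache2/access.log (or the vhost's own access log) from the minute around the certbot run. Behind Cloudflare the client IP in the log will be a Cloudflare edge address unless mod_remoteip is configured, so group by token and user-agent as above rather than by source IP.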


I see them:

GET /.well-known/acme-challenge/HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI HTTP/1.1" 404 490 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +"

That’s bizarre. For the record, I was the one who generated that certificate request with the challenge token HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI.

On my side, the response was:

{
  "identifier": {
    "type": "dns",
    "value": ""
  },
  "status": "invalid",
  "expires": "2020-09-14T10:02:27Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from [2606:4700:20::681a:524]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
        "status": 403
      },
      "url": "",
      "token": "HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI",
      "validationRecord": [
        {
          "url": "",
          "hostname": "",
          "port": "80",
          "addressesResolved": [
          ],
          "addressUsed": "2606:4700:20::681a:524"
        }
      ]
    }
  ]
}

But pretty plainly, visiting that page on your server does not produce that HTML. I still think something’s up with Cloudflare.

What if you pause Cloudflare temporarily?


Checking your validation file, you see a problem:

The validation file is visible. But later there is a Cloudflare 403:

Visible Content: Please enable cookies. Error 1020 Ray ID: 5cefa931ccd1971e • 2020-09-07 10:14:06 UTC Access denied What happened? This website is using a security service to protect itself from online attacks. Cloudflare Ray ID: 5cefa931ccd1971e • Your IP : • Performance & security by Cloudflare
Info: HTML content with meta and/or script may be a problem creating a Let’s Encrypt certificate using http-01 validation


Nice catch, both of you. @_az and @JuergenAuer
I had a typo in a firewall rule, which led to the issue. I would never have solved this without your help.