Problem with certbot/apache/tomcat

My domain

I ran this command: I created a redirect from port 8080 of Tomcat to port 80 and 8433 to port 433 and created "" in /etc/httpd/conf.d with this line of code :slight_smile:

<VirtualHost *:80>
DocumentRoot /var/www/html
ErrorLog /var/www/error.log
CustomLog /var/www/requests.log combined
</VirtualHost>

The output of the error is:

"- The following errors were reported by the server:

Type: unauthorized
Detail: Invalid response from
["there is server ip in there"]: "Apache Tomcat/7.0.76 - Error

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Server version: Apache/2.4.6 (CentOS)
Tomcat 7

The operating system my web server runs on is (include version): centos7

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.7.0


Welcome to the Let's Encrypt Community, Paolo :slightly_smiling_face:

There was a problem with your DNS in trying to access your CAA record, so Let's Encrypt cannot determine if it is authorized to issue a certificate for This issue could be sporadic as it appears to me that you don't have a CAA record.

It also looks like is using a private IPv6 address (AAAA fe80::3a60:77ff:fea3:4854) and thus Let's Encrypt won't be able to reach it to verify your control of the domain. You will need to either change that address to a public IP address that reaches or remove it.

Were you meaning to forward 8443 to 443? Your https port (443) is not working at all. You could be really into bulk transfers of articles from one server to another via the Network News Transfer Protocol via port 433 (NNSP), but I doubt it. :wink:


You should remove the AAAA record from your domain name.


Also worth noting for future readers/helpers:
Topic title: Problem with certbot/apache/tomcat
[certbot and tomcat don't always play well together]


Hi @IlRabbino

I don't understand your initial setup:

Maybe that doesn't work.

Why: There

answers your Tomcat.

Your Tomcat has a webroot. So find that webroot, there create the two subdirectories


there a file (file name 1234), then try to load that file in your browser:

If that works, you have found your correct webroot. Then use that with --webroot, see
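A way to automate the probe-file check described above: write a random file under each candidate directory's .well-known/acme-challenge/ and see which candidate the server answering port 80 actually returns. This is an added example, not code from the thread or from Certbot; the candidate paths /var/www/html and /var/lib/tomcat/webapps/ROOT, the domain, and the fetch helper are assumptions.

```python
import os
import secrets
import urllib.request

# Certbot's HTTP-01 challenge path: <webroot>/.well-known/acme-challenge/<token>
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def http_fetch(url, timeout=10):
    """Default fetcher: GET the URL and return the body, or None on any failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


def probe_webroot(domain, webroot, fetch=http_fetch):
    """Write a random probe file under `webroot` and check that the server
    answering http://<domain>/ returns exactly that content. A Tomcat 404 page
    (as in the certbot error above) does not match, so the result is False."""
    token = secrets.token_urlsafe(16)
    body = f"acme-webroot-probe {token}\n".encode()
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    try:
        served = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    finally:
        os.remove(path)  # never leave probe files behind
    return served == body


def find_webroot(domain, candidates, fetch=http_fetch):
    """Return the first candidate directory the server really serves, else None."""
    for candidate in candidates:
        if probe_webroot(domain, candidate, fetch=fetch):
            return candidate
    return None


if __name__ == "__main__":
    # Assumed values: the Apache DocumentRoot from the post and Tomcat's ROOT
    # webapp are the usual suspects when port 80 is redirected to 8080.
    candidates = ["/var/www/html", "/var/lib/tomcat/webapps/ROOT"]
    print("serving webroot:", find_webroot("example.com", candidates))
```

Whichever directory comes back is the value to pass to certbot's -w; if none does, the request is not reaching a static file directory at all and the redirect or Tomcat configuration needs attention first.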


With redirect I mean that I add 2 rules on iptables that redirect connections from port 80 to port 8080 and from port 443 to port 8443. Like this: "iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080"


I've tried using "certbot certonly --webroot -w "my tomcat webroot" -d "my domain"", but I get the same error.


Already done, but doesn't work. Keep getting the same error


I am consistently getting a variety of DNS errors trying to look up records for and Is there a problem with your DNS provider?




I don't know, I will ask my provider if something is wrong. But the setup in theory has to be correct. I'll check.


Then your webroot is wrong or you have additional definitions.

Your validation file doesn't work.


We're more than happy to help with your setup, but if Let's Encrypt is seeing anything like what Let's Debug is seeing, that's definitely the primary concern.

When I use though, I'm getting records consistently.

Could you try running the following, just to see what happens?

sudo certbot certonly --cert-name --apache -d "," --dry-run

This may not work, but it's worth a shot.

That's usually a good sign, unless you actually have a file named test in your webroot directory.


If I run "sudo certbot certonly --cert-name --apache -d "," --dry-run" I'll get the same error.


No, I don't have a file called test in my webroot. In the webroot I have only the folder of my project.


What is your actual webroot? /var/www/html ? Can you create a file in it named 1234 as @JuergenAuer suggested containing the phrase "Let's Encrypt"?


I've created 1234.html with a

Let's encrypt

in /var/www/html/ and in /var/lib/tomcat/webapps/

Thanks. :slightly_smiling_face: That's a start. We usually use extensionless files though to test. I'll still look though.

Can the DNS lookup problems be related to reverse DNS configuration?


Please read my reply. File name 1234 is required, not 1234.html.


doesn't work, so that's not your webroot.


According to my research, your webroot may be:

