Procedure for working around TLS_SNI-01: renewal failure


My domain is: www.golftripscoring.com

After following the directions on the post “How to stop using TLS-SNI-01 with Certbot”, I ran this command: sudo certbot renew --dry-run

It produced this output:
1 renew failure(s), 0 parse failure(s)

- The following errors were reported by the server:

  Domain: www.golftripscoring.com
  Type: unauthorized
  Detail: Invalid response from
  aPY8ai_iWwCmp1lEH0c8h_Jk:
  "\n\n500 Internal Server
  Error\n\n

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, AWS EC2 Control Panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Since this is a renewal, I know the DNS works since I can get to the site when I enter the address into my browser.

I’ve also tried the suggestion made in another post to add: ‘preferred-challenges = http’ to the /etc/letsencrypt/cli.ini file. It also didn’t solve the problem.

FYI, the /etc/letsencrypt/renewal/ file looks like this:
# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = apache
installer = apache
account = XXXXXXXXX

Any help is much appreciated.



All return:
HTTP request sent, awaiting response… 500 Internal Server Error
2019-01-23 05:11:27 ERROR 500: Internal Server Error.


Ok, how do I fix that?


I would only be able to guess.
I have no idea why…
I would:

  • Check the access and error logs for any clues.
  • Restart the web service


Hi @psanchir

as @rg305 wrote: Your website doesn’t like /.well-known/acme-challenge. Your other URLs are ok ( ) - redirects or http status 200:

But if you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Certbot checks this file.

So a http status 404 is expected if the file doesn’t exist.

Create both directories manually and recheck your domain.


Thanks Juergen. I apologize if this is something I should know the answer to, but where do I put the directory ‘/.well-known/acme-challenge’ and what’s the name and contents of the file I put there?


You have to find your DocumentRoot. Check the vHost file; your DocumentRoot should be defined there.

Use 1234 as the filename and as the content, a simple text file.


Thanks again Juergen. I got it to work. Here are the steps I followed:
1/ Created the directories '/.well-known/acme-challenge' in my Document Root directory.
2/ Since my website was created using flask, I had to add the following to my views file:
from flask import send_from_directory  # assumes `app` (the Flask instance) and `os` are already imported in this file
@app.route('/.well-known/acme-challenge/<key>')
def acme_challenge(key):
    return send_from_directory(os.path.join(app.root_path, '.well-known/acme-challenge'), key)
3/ Ran the following command in my console:
sudo certbot certonly --manual --preferred-challenges http
4/ Followed the instructions and created files with keys and placed them in …/.well-known/acme-challenge directory
5/ It worked!
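As an added illustration (not code from the thread, Certbot or the poster's Flask site) of the http-01 mechanics Juergen describes and of the fix above: a stdlib-only stand-in that serves a challenge directory under /.well-known/acme-challenge/ the way the Flask route does, plus a preflight check that does what the CA does (GET the token URL, require a 200 and the exact file content) so an operator can verify the path before running `certbot renew`. The handler also refuses anything that is not a single path segment, which is the traversal hole a naive `os.path.join` on the URL would open. The function names, the ephemeral localhost port and the token/content value `1234` (Juergen's suggested test file) are constructed for this example.

```python
"""Added example: minimal http-01 challenge server plus a CA-style preflight check.
Not part of the original thread; serve_challenges/preflight_check/demo are invented names."""
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def make_handler(challenge_dir):
    """Build a request handler that serves files from challenge_dir only."""
    root = os.path.realpath(challenge_dir)

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if not self.path.startswith(CHALLENGE_PREFIX):
                self.send_error(404)  # everything else is not our business here
                return
            token = self.path[len(CHALLENGE_PREFIX):]
            # A token is one path segment; reject "", "/", "." and ".." forms
            # so the URL cannot reach outside the challenge directory.
            if not token or "/" in token or token in (".", ".."):
                self.send_error(404)
                return
            full = os.path.realpath(os.path.join(root, token))
            if os.path.dirname(full) != root or not os.path.isfile(full):
                self.send_error(404)  # exactly what a missing challenge file should return
                return
            with open(full, "rb") as f:
                body = f.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def serve_challenges(challenge_dir):
    """Start a background server on an ephemeral localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(challenge_dir))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def preflight_check(base_url, token, expected):
    """Mirror the CA's validation request: GET the token URL, return (status, body_matches)."""
    url = f"{base_url}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read() == expected.encode()
    except urllib.error.HTTPError as e:
        return e.code, False


def demo():
    """Serve one constructed token file and run the check for the present,
    missing and traversal cases; returns a dict of (status, ok) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        token = keyauth = "1234"  # constructed test value: filename == content
        with open(os.path.join(tmp, token), "w") as f:
            f.write(keyauth)
        srv, base = serve_challenges(tmp)
        try:
            return {
                "present": preflight_check(base, token, keyauth),
                "missing": preflight_check(base, "does-not-exist", "x"),
                "traversal": preflight_check(base, "../etc/passwd", "x"),
            }
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the three results; to use the preflight check against a real site before a renewal, point `preflight_check` at `http://<your-domain>` with the token file you placed in the DocumentRoot, and expect `(200, True)`. A `(404, …)` means the file is not reachable at that path, a 500 (as in the original error) means the web application is intercepting the request, which is the case the Flask route above fixes.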