Question about correct way to obtain certificate using certonly


Hi friends,
I’ve just added a new website and requested its certificates, but I’ve found some problems; here is my situation.

On a Debian jessie VPS, certbot 0.8.1-2~bpo8+1, with the configuration files below:


# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096
# Set email and domains.
email =
# domains =,
# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True
# Use the webroot authenticator.
authenticator = webroot
webroot-path = /var/www/letsencrypt


Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
Options None
AllowOverride None
ForceType text/plain
# avoid access to anything not resembling a challenge
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>


<VirtualHost *:80>

        DocumentRoot /var/www/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>



<IfModule mod_ssl.c>
        <VirtualHost *:443>
                DocumentRoot /var/www/

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile /etc/letsencrypt/live/
                SSLCertificateKeyFile /etc/letsencrypt/live/
                SSLCertificateChainFile /etc/letsencrypt/live/

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0

                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        </VirtualHost>
</IfModule>


Running this command to obtain certificates for a new website domain:

certbot certonly --webroot -w /var/www/letsencrypt -d -d


1) The first time, an error, and no certificates are issued:

Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   <title>404 Not Found</title>
   <h1>Not Found</h1>

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

2) Running the same command a few seconds later, every certificate is obtained:

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your
   cert will expire on 2017-01-04. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Now, if I try to open the site in Firefox: uses an invalid security certificate. The certificate is only valid for the following names:, Error code: SSL_ERROR_BAD_CERT_DOMAIN

On fullchain1.pem:

X509v3 Subject Alternative Name:,

NB: is another website hosted on the same server/VPS (

Many many thanks!


/etc/apache2/sites-enabled/ is missing a ServerName and ServerAlias

Also, SSLCertificateChainFile “should” point to chain.pem or you can point SSLCertificateFile to fullchain.pem and delete SSLCertificateChainFile if your Apache is version 2.4.8 or newer.
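A corrected pair of vhosts for the fix described above, written out as an added example (not the thread's own configuration). example.com and www.example.com stand in for the real names, /var/www/example.com for the site's DocumentRoot, and /var/www/letsencrypt for the webroot-path certbot writes challenges to; the Apache in Debian jessie is 2.4.10, so fullchain.pem can replace the chain directive:

```apache
# Added example; example.com / www.example.com are placeholder names.
# Every name passed to certbot with -d must appear as ServerName or
# ServerAlias in the vhost that answers on port 80, otherwise the default
# vhost (first one loaded) serves the challenge request and returns 404.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    # Serve http-01 challenges from the directory certbot writes to
    # (certonly -w /var/www/letsencrypt, or webroot-path in cli.ini)
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # Without ServerName here, SNI selects the first *:443 vhost, i.e. the
    # other site's certificate -> SSL_ERROR_BAD_CERT_DOMAIN in the browser.
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # Apache >= 2.4.8: fullchain.pem holds leaf + intermediate, so no
    # SSLCertificateChainFile is needed.  On older Apache use cert.pem here
    # plus: SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
```

Before reloading, `apache2ctl configtest` checks the syntax and `apache2ctl -S` prints the vhost table, including which vhost is the default for each port; if the new names are not listed against their own vhost, the default one will answer for them.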


In this case I thought it was unnecessary (only) for the SSL configuration. I was wrong.

Ah, I’d never read about this feature before!

Many thanks for all this information!



As you said, there’s another site hosted on the same server, and without separate IP addresses for the sites/virtual hosts, ServerName is indeed necessary.

And don’t forget to point SSLCertificateFile to fullchain.pem!!!


Many thanks for running these tests, really very useful!
I think I’ve put everything right :)
If possible, could you tell me which tools you used to perform these checks?

Many thanks again @Osiris!
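The two checks worth running before and after an issuance like the one in this thread, as an added example (this is not Osiris's tooling, nor certbot's own code): first, that a token dropped into the webroot is actually served back on http://<name>/.well-known/acme-challenge/<token> for the vhost selected by the Host header, which is exactly what the ACME server fetches; second, that the certificate presented for a name (with SNI) verifies as a chain and lists that name in its subjectAltName, which is what Firefox checks before showing SSL_ERROR_BAD_CERT_DOMAIN. The local demo server, the name example.com and the temporary directories are assumptions made so the first check can be exercised offline.

```python
"""Pre-flight checks for a webroot (http-01) issuance and for the issued cert's names.
Added example, not code from the thread or from certbot.  Hostnames, ports and the
local demo HTTP server are illustrative assumptions."""
import http.server
import secrets
import socket
import ssl
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_challenge_path(webroot, url_base, host_header=None, timeout=5):
    """Write a random token under <webroot>/.well-known/acme-challenge/ and fetch it
    back over plain HTTP the way the ACME server will.  Returns (ok, detail)."""
    token = secrets.token_urlsafe(32)          # 43 base64url chars, like an ACME token
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    req = urllib.request.Request(f"{url_base.rstrip('/')}/{CHALLENGE_DIR}/{token}")
    if host_header:
        req.add_header("Host", host_header)    # pick the name-based vhost under test
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
        if body != token:
            return False, "HTTP 200 but wrong body: another vhost/DocumentRoot answered"
        return True, "challenge path is served by the right vhost"
    except urllib.error.HTTPError as e:       # subclass of OSError, so test it first
        return False, f"HTTP {e.code}: Alias/webroot-path not active for this vhost"
    except OSError as e:
        return False, f"connection failed: {e}"
    finally:
        path.unlink(missing_ok=True)


def cert_covers(peercert, hostname):
    """True if a certificate (ssl.SSLSocket.getpeercert() dict form) is valid for
    hostname.  Only subjectAltName DNS entries count; browsers ignore the CN."""
    host = hostname.lower().rstrip(".")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = value.lower().rstrip(".")
        if san == host:
            return True
        # a wildcard is valid only in the left-most label and matches exactly one label
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def check_tls_names(hostname, port=443, server_ip=None):
    """Connect with SNI=hostname, verify the chain against the system CA store (a
    missing intermediate, i.e. wrong SSLCertificateFile/ChainFile, fails here), then
    check the leaf's SANs.  server_ip lets you test a vhost before DNS points at it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                 # match names ourselves to report the SANs
    try:
        with socket.create_connection((server_ip or hostname, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return False, f"chain did not verify: {e.verify_message}"
    except OSError as e:
        return False, f"connection failed: {e}"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if cert_covers(cert, hostname):
        return True, f"{hostname} is covered; SANs: {names}"
    return False, f"{hostname} not in SANs {names} (SSL_ERROR_BAD_CERT_DOMAIN)"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):              # keep the local demo silent
        pass


def run_local_demo(serve_webroot=True):
    """Offline demo of check_challenge_path against a local server (assumption).
    serve_webroot=False makes the server's DocumentRoot differ from the directory
    certbot writes to, reproducing the 404 seen in the thread.  Returns (ok, detail)."""
    webroot = tempfile.mkdtemp()
    docroot = webroot if serve_webroot else tempfile.mkdtemp()
    srv = http.server.HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=docroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_address[1]
        return check_challenge_path(webroot, f"http://127.0.0.1:{port}",
                                    host_header="example.com")   # assumed name
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("matching DocumentRoot:", run_local_demo(True))
    print("wrong DocumentRoot:   ", run_local_demo(False))
    # against a live server: check_tls_names("example.com"), optionally with server_ip=
```

On a real host, run check_challenge_path with the same webroot passed to certbot (-w) and with host_header set to each name you will pass with -d; a 404 here is the same 404 the ACME server reported. check_tls_names with server_ip= lets you confirm the right vhost and certificate answer for a name even while DNS still points elsewhere.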

