Renewing certificate:The client lacks sufficient authorization invalid response 404

Have been renewing certificates for this site for over 2 years without any issues. Now, all of a sudden, I start receiving the below error. This situation has been reported many times on this forum, but always under different circumstances. So far, I haven been able to find a similar case. The certificate hasn’t expired yet and the site is accessible.

My /etc/apache2/sites-available/nextcloud-le-ssl.conf looks like this:
<VirtualHost [2001:984:e2cf:1:df84:6298:91b:80b0]:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

    # Redirect requests to HTTPS
    Redirect permanent "/" ""

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
DocumentRoot "/var/www/html/nextcloud" ServerName ServerAdmin webmaster@localhost
    <IfModule mod_headers.c>
       Header always set Strict-Transport-Security "max-age=15768000; includeSubDomain$

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/nextcloud/>
       Options +FollowSymlinks
       AllowOverride All

       <IfModule mod_dav.c>
          Dav off

       SetEnv HOME /var/www/html/nextcloud
       SetEnv HTTP_HOME /var/www/html/nextcloud
       Satisfy Any


    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/

SSLCertificateFile /etc/letsencrypt/live/

SSLCertificateKeyFile /etc/letsencrypt/live/

SSLCertificateChainFile /etc/letsencrypt/live/

    Include /etc/letsencrypt/options-ssl-apache.conf

(don know how to copy/paste text in a readable format, but conf file ends here).

Appreciate any help to point me in the right direction. Ultimately I can always re-install Letsencrypt, but want to to postpone that scenario for the time being.

My domain is:

I ran this command: sudo certbot --apache --dry-run certonly -d

It produced this output:
Type: unauthorized
Detail: Invalid response from
[2001:984:e2cf:1:df84:6298:91b:80b0]: “\n\n404 Not

Not Found


My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Raspbian Stretch (Debian)

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

1 Like

Hi @masteryoda

first: Don't use ip addresses. Use *:80.

Second: Your ipv6 doesn't answer -

http / port 80 + ipv6 has only timeouts.

Do you have a correct Listen [::]:80 directive?

You need both listen - ipv4 and ipv6.


Thanks! Changed vhosts to *:80 and *:443 respectively and I was able to renew the certificates.
I still see the timeouts on http. I don worry about that too much since I don’t want any port 80 access to the site. The port 80 vhost contains a Redirect permanent directive in that respect.

The core issue is solved, however. Certificate renewed and able to access the site.


You may also want to upgrade your version of Certbot. It’s up to Certbot 0.36.0. Version 0.28.0 is a little outdated.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.