Retrieving new certificate failing - Please help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo /usr/local/bin/certbot-auto --apache (on debian jessie)

It produced this output:

Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Invalid response from
    []: “\n<html
    lang=“de-DE”>\n\n\t<meta charset=“UTF-8” />\n\t<meta
    http-equiv=“X-UA-Compatible” content=“IE=10” />\n\t<ti”

My web server is (include version):
The operating system my web server runs on is (include version):
Debian Jessie
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.1

According to this site:
the https-site as well as the http-site have the following status: -->http-status 200 --> http-status 302

I guess it should be ok but the challenge is failing (so far the certificate was renewed manually, now we want to switch to automatic).

Could somebody please help and tell me what is going wrong and how to fix it?

Hi @sdittrich

please read the complete output:

Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename. Creating a Letsencrypt certificate via http-01 challenge may not work.

Checking the standard urls:

Domainname Http-Status redirect Sec. G 302 0.030 A 302 KAPRION Technologies GmbH 3.030 A 301 9.157 B 301 9.160 B
KAPRION Technologies GmbH 301 9.150 B -14 10.030 T
Timeout - The operation has timed out 302 0.030 A
Visible Content: Found The document has moved here . Apache/2.4.25 (Debian) Server at Port 80 302 KAPRION Technologies GmbH 3.033 A
Visible Content: Found The document has moved here . Apache/2.4.25 (Debian) Server at Port 80

It's curious that you use --apache, but there is a redirect to the /. Looks like the apache authenticator doesn't understand your configuration.

What does the following say?

apachectl -S

PS: There are two different Apache:

Port 80:

Server: Apache/2.4.25 (Debian)

Port 443:

Server: Apache/2.4.10 (Debian)

Looks like Certbot picks the wrong Apache, so --apache doesn’t work.

Ok, thanks, @JuergenAuer. I will try to resolve it. I will give feedback when I get it done or need some more help.

You have different options.

One - create a correct redirect http -> https with http + folder+file -> https + folder+file.

Then use the webroot of your https and webroot as authenticator.

It looks like your Certbot picks the https Apache to add the location definition, but that’s ignored because the other Apache answers.

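The condition reported in the check output above (the challenge URL is redirected and the destination no longer contains the random filename) can be tested before running Certbot. The following is an added example, not part of the original thread or of any tool mentioned in it; it inspects only the first redirect hop, and the loopback servers, the host example.test and the token are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def check_redirect(host, port, token="constructed-test-token"):
    """GET the challenge URL without following redirects; report whether a redirect keeps the path."""
    path = CHALLENGE_PREFIX + token
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
    finally:
        conn.close()
    if resp.status not in (301, 302, 303, 307, 308):
        return {"status": resp.status, "location": None, "path_preserved": None}
    # The redirect is usable for http-01 only if folder + file survive it.
    preserved = urlsplit(location or "").path == path
    return {"status": resp.status, "location": location, "path_preserved": preserved}

def make_handler(preserve_path):
    """Constructed port-80 vhost that redirects every request to https://example.test."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            target = "https://example.test" + (self.path if preserve_path else "/")
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args): pass  # keep the demo output quiet
    return Handler

def demo():
    """Run the check against both constructed servers on loopback."""
    results = {}
    for name, preserve in (("drops_path", False), ("keeps_path", True)):
        server = HTTPServer(("127.0.0.1", 0), make_handler(preserve))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        results[name] = check_redirect("127.0.0.1", server.server_address[1])
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A `path_preserved` value of `False` corresponds to the "Fatal" line in the check output: the validation request ends up at `/` and receives the site's HTML instead of the challenge file.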

@JuergenAuer, that’s a very clever thing to test for in your tool!


Thanks for the help, it was the SNI preventing the challenge from successfully running.
