Running Boulder Internally - DNS Configuration Means Certificates Aren't Issued

Hi, I've been trying to solve this problem myself but I have found little success :sweat:

I'm using Ubuntu Trusty and Apache and can't get the response from my server.
I get this message after using: sudo ./certbot-auto certonly --agree-tos --renew-by-default -d --server --webroot -w /var/www/ (this is where I have bye.html)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www/ for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 404 not found


404 not found

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I have access to files I place in ./well-known/acme-challenge using curl from other machines, and have those same directories with 755 permissions and chown myUser.
Any help is welcome :sob:

Hi @Chopi64,

How did you choose --server ? That does not sound like the correct location of the Let's Encrypt CA.

Apart from that, if you create a file /var/www/, can you see its contents at ? If so, if you create a file at /var/www/, can you see its contents at ?

Thanks for the response @schoen!
I just tried to access test.txt and test2.txt at those locations and no problems visualizing the message. :relaxed:

About the --server, I've got a copy of Boulder CA running in that can be accessed through , so I decided to add it here instead of changing my /etc/hosts.
As far as I'm aware the problem shouldn't be in accessing the CA, as a tcpdump -i eth0 port 4000 in the CA VM returns me plenty of messages when launching ./certbot-auto from the other machine.
Btw, I have access to test.txt and test2.txt from :confused: so I guess the problem is that somehow the CA cannot complete the challenge? :confused:

Since you’re running your own copy of Boulder, is it possible that something is misconfigured in Boulder that prevents it from verifying HTTP-01 challenges, or that the version of that it sees is not the same version that you intended?

If you just wanted to experiment without running into rate limits, you can also use the Let’s Encrypt staging CA with --staging.

Solved!! :grin:
I had forgotten to change the FAKE_DNS field in my Boulder server; certbot was doing all right.
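
The failure mode in this thread, as an added example that is not part of the original thread or of Boulder or certbot: a CA validator resolves the name with its own resolver (Boulder in test mode uses whatever FAKE_DNS points at), connects to that IP, sends Host: <domain>, and fetches /.well-known/acme-challenge/<token>. If the resolver's answer is a host that never received the token file, the validator gets a 404 even though the real webroot is perfectly reachable from everywhere else. The script below serves two constructed webroots on loopback and runs the same fetch against each, with the "resolved IP" supplied explicitly; the domain, token, key authorization and ports are constructed for the demo.

```python
"""Local HTTP-01 self-check modelled on how an ACME validator fetches a challenge.
Added example; example.test, the token and key authorization are constructed values."""
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_challenge(webroot: str, token: str, key_authorization: str) -> str:
    """Write the challenge file the way a webroot client does; return its path."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as fh:
        fh.write(key_authorization)
    return full


def fetch_challenge(domain: str, resolved_ip: str, port: int, token: str, timeout: float = 5.0):
    """Fetch the challenge as a validator does: connect to the IP *its* resolver
    returned (not what this machine resolves the name to) and set Host to the
    domain under validation. Returns (status, body)."""
    conn = http.client.HTTPConnection(resolved_ip, port, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def http01_ok(domain: str, resolved_ip: str, port: int, token: str, key_authorization: str) -> bool:
    """True only when the body the validator sees is exactly the key authorization."""
    status, body = fetch_challenge(domain, resolved_ip, port, token)
    return status == 200 and body.strip() == key_authorization


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot: str):
    """Serve a directory on 127.0.0.1 on an ephemeral port; returns (server, port)."""
    handler = partial(_QuietHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Two webroots: one holding the token (the host the operator intended) and
    one without it (the host the CA reaches when its DNS view points elsewhere).
    Returns (validated_on_intended_host, validated_on_wrong_host, status_on_wrong_host)."""
    token = "constructed-token-123"
    key_authorization = token + ".constructed-thumbprint"
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as wrong:
        place_challenge(good, token, key_authorization)
        good_srv, good_port = serve_webroot(good)
        wrong_srv, wrong_port = serve_webroot(wrong)
        try:
            right = http01_ok("example.test", "127.0.0.1", good_port, token, key_authorization)
            misrouted = http01_ok("example.test", "127.0.0.1", wrong_port, token, key_authorization)
            status_wrong, _ = fetch_challenge("example.test", "127.0.0.1", wrong_port, token)
        finally:
            good_srv.shutdown()
            wrong_srv.shutdown()
    return right, misrouted, status_wrong


if __name__ == "__main__":
    print(demo())  # (True, False, 404)
```

The useful check when debugging from the client side is therefore not "can I fetch the token from my laptop" but "can I fetch it from the IP the CA's resolver returns", which for a private Boulder is the FAKE_DNS address and for the public CA is the A/AAAA record as seen from outside.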

Hi @Chopi64

Congrats on getting it to work. In future it would be a good idea to state that you are using Boulder internally up front so people don't have to deduce it :smiley:

