[solved] Invalid response from

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:


I am using no-ip (ddns.net) and successfully renewed 3 months ago. I did some research and noticed a few people had issues not being configured for IPv6. I wasn’t, but have addressed that (no affect). The renewal file under the letsencrypt folder has manual renewal specified. I have ensured that the file in .well-known is accessible via a browser.

In reviewing logs I noticed that there is no entry from nginx in the access or error logs for an access attempt after running certbot. So it appears that the challenge is not getting to nginx, although the IP address specified is correct; so it does seem to be resolving from no-ip.

Any suggestions on where to look next or what to try?

I ran this command:

sudo certbot certonly --manual --preferred-challenge http

It produced this output:

Failed authorization procedure. xxxx.ddns.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxxx.ddns.net/.well-known/acme-challenge/rBTSDEg-JbBMGS_q4mIEECdBeA3O_aYjDS26-QGjcjE [xxx.yyy.zzz.www]: 500


My web server is (include version):

nginx 1.12.0

The operating system my web server runs on is (include version):

mac 10.12.6

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don’t know):


I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


This is obviously NOT your IP.
Is this your actual domain name or was it also obfuscated:

[If NOT your actual domain name, then your just wasting our time...]

The issue is that, for one or more of a great many possible reasons, your server is not properly responding to an HTTP GET request for the noted challenge file: http://xxxx.ddns.net/.well-known/acme-challenge/rBTSDEg-JbBMGS_q4mIEECdBeA3O_aYjDS26-QGjcjE

As for the reasons why, the best way to enable anyone to help you would be to post your non-obfuscated domain name. Without that, we are really just stabbing in the dark, as this particular failure can be caused by a vast multitude of reasons, as @rg305 mentioned as well.

Both the IP address and the domain name have been obfuscated; I have my reasons. I did and do realize it makes it a bit more difficult to solve. However, I was looking for suggestions on what I might check.

In the process of writing this up and then thinking about it for a bit; I figured out the problem. Like a lot of these it’s pretty stupid once you find it. I had checked “everything”, except the address my router was resolving to my self hosted server; that hasn’t changed in months. But guess what, it did change in the last day or two (I’ve been updating the application and haven’t had the application available, so I wasn’t checking). So the no-ip redirect is and was working just fine. Then the router got it and sent the in coming redirect to the wrong machine. Once I updated the router to the correct local IP address all was right with the world again.

I appreciate the time you took to review and respond, thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.