Trouble renewing using HTTP-01 when last use TLS-SNI-01


My domain is: My client won’t let me post it here :frowning: Yeah, I know they are in the public logs…

I ran this command: certbot renew --dry-run as root

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (Xenial)

I can login to a root shell on my machine (yes or no, or I don’t know): yup

I have a server that was built in May/18, and just did a normal certbot --apache and followed the prompts to install the needed certs. Looking back in logs, it looks like is renewed in Nov/18 using TLS-SNI-01. It is due for renewal now, and certbot 0.28.0 is trying to use HTTP-01 and failing.

The original vert covered four domains, each with its own DOCROOT, so the dry run shows

Processing /etc/letsencrypt/renewal/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
Waiting for verification...
Cleaning up challenges

Then I get an “Invalid response from” because the challenge for got a 404.

I can wget and get a real file back. I see the 404 in my Apache log from the real challenge.

If I cd to /var/www/ I see foo.txt, but I never see and files related to the challenge while certbot renew --dry-run is running.

Oddly, I have a nearly identical setup (but same docroot for all domains), where a Nov renew did TLS-SNI-01 and a certbot renew --dry-run looks fine.

I am not sure where to start debugging this one.


Hi @mdonadio

then you have found your correct webroot. So use

certbot run -a webroot -i apache -d -w yourwebroot

and split authentication and installation.


Thanks, that worked and got that domain working (though it creates a new .conf)

Oddly, when I ran certbot renew is ran the HTTP-10 challenges for all four domains in the original conf, and they worked. I would love to know what really happened here but ¯_(ツ)_/¯


Got to the bottom of this.

The virtual host that wouldn’t renew had a line line this in it

ServerHost #

Apparently, the apache auth plugin doesn’t like this. Cleaned up all of the vhost config, and regenerated certs, one per vhost with certbot --apache and all is well.


So did you replace:
ServerHost #
with just:

? ? ?


@rg305 Correct, removing the comment from the ServerHost directive fixed this. I think this may be a bug in parsing the Apache conf files (may have seen something similar before), but need to spin up a test server to fully verify before I make a GitHub issue.