Try to get certificate for my mail server but failed


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: letsencrypt certonly --standalone -d

It produced this output:
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<meta name="viewport" content="width=device-width, initial-scale=1, s"


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Invalid response from
    challenge/BHxBvvqTYJoYZQHCMAoAfQZ6JrWTT4AMvvTEyyIIkCs: "<meta
    name="viewport" content="width=device-width, initial-scale=1, s"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): (node.js 8.11.1 on aws)

The operating system my web server runs on is (include version):
ubuntu 16.04 on aws

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): AWS

More Info:
I am using AWS. The DNS is AWS Route 53.
My web application is on My mail server is on They are on different hosts.

I am trying to get certificates for my mail server following

Thanks for your help.
Richard Xu


It looks like you’re running Certbot on your web server rather than on your mail server. But to obtain a certificate for your mail server, you should run Certbot directly on the mail server.

If you plan to always have Apache running on that system (as it currently is), you might want to try certbot --apache instead of certbot --standalone (the letsencrypt program was renamed to certbot two years ago). If you do want to use --standalone, you’ll need to stop Apache whenever you obtain or renew the certificate (which can be automated with --pre-hook and --post-hook options), because a running Apache would conflict with --standalone.

A certificate obtained using --apache can still be used by Postfix.


Thanks for your reply.

My Ubuntu version is 16.04. I tried to install certbot but failed:

$ sudo apt-get update
Hit:1 xenial InRelease
Get:2 xenial-updates InRelease [109 kB]
Get:3 xenial-backports InRelease [107 kB]
Get:4 xenial-security InRelease [107 kB]
Fetched 323 kB in 0s (650 kB/s)
Reading package lists… Done

$ sudo apt-get install certbot python-certbot-apache
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package certbot
E: Unable to locate package python-certbot-apache

Any suggestions? Thanks.

Richard Xu


So, your existing letsencrypt command will already support these options, and you might not need to upgrade it (although it may have some bugs or missing functionality compared to later versions). You could try using letsencrypt instead of certbot; I didn’t specifically mean to suggest that you had to upgrade to a new version of the client application.

If you do want to get a current version of Certbot on 16.04, we recommend using the PPA, as described in


Thank you very much.
I have removed letsencrypt since it doesn’t have the certbot command,
and I have successfully installed certbot using the PPA.

However, when I tried to get certificates, it still failed.
certbot run --apache -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<meta name="viewport" content="width=device-width, initial-scale=1, s"


The same happens when I remove the -d option. It asked me to enter my domain and failed too.



Which server are you running Certbot on for this request?


Ubuntu 16.04 on aws

cat /etc/lsb-release


Sorry, I don’t mean the OS version, I mean what’s the server name? The error you saw is characteristic of running Certbot on a server that doesn’t actually serve the site for which you’re requesting the certificate.




This is an AWS EC2 instance. I have AWS Route 53 (DNS) using point to this host.

The public ip address is

Richard Xu


But you’re most recently trying to get a certificate for, not The name points to a different server,, which is presumably a different AWS instance.

In order to get a certificate for, you should run Certbot on the instance. In order to get a certificate for, you should run Certbot on the instance. In each case, you would specify the name that the certificate should apply to with the -d option.
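
The check implied by the reply above, as an added example that is not part of the thread: before running Certbot with -d, confirm that the requested name resolves to the machine Certbot runs on. It compares A records only; the function names and addresses are constructed for illustration, and dig is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. http-01 validation connects to the
# address the requested name resolves to, so that name must resolve to the
# machine Certbot runs on. Addresses below are constructed placeholders.

# classify_target MY_PUBLIC_IP "A-RECORDS": compare this host's public IP
# with the whitespace-separated A records of the requested name.
classify_target() {
    my_ip=$1
    records=$2
    [ -n "$records" ] || { echo "no-records"; return 0; }
    hit=0
    miss=0
    for r in $records; do
        if [ "$r" = "$my_ip" ]; then hit=$((hit + 1)); else miss=$((miss + 1)); fi
    done
    if [ "$miss" -eq 0 ]; then
        echo "match"        # every record is this host: run certbot here
    elif [ "$hit" -eq 0 ]; then
        echo "mismatch"     # name is served by another host: run certbot there
    else
        echo "partial"      # validation may land on a host without the challenge
    fi
}

# resolve_a NAME: IPv4 addresses from public DNS (assumes dig is installed).
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' '
}

# preflight NAME MY_PUBLIC_IP: on EC2 the interface carries only the private
# IPv4 address, so the public IP is passed in rather than read from the host.
preflight() {
    verdict=$(classify_target "$2" "$(resolve_a "$1")")
    echo "$1 -> $verdict"
    [ "$verdict" = "match" ]
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    # Offline demonstration on constructed records.
    echo "mail host, name points here:   $(classify_target 203.0.113.10 '203.0.113.10')"
    echo "web host, name points to mail: $(classify_target 198.51.100.7 '203.0.113.10')"
fi
```

Run with the name intended for -d and the instance's public IP as the two arguments; a non-zero exit status means Certbot is about to be run on a host the name does not point to.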


Yes, you are right.
I told you in my previous post that I have 2 AWS instances.
So the -d option is not for domain, it is for the server name. Please correct me if I am wrong.

So the correct command I should run is:
certbot run -apache -d

Richard Xu


Sorry, we often use the term “domain name” informally to mean the complete DNS name that will be listed in the certificate. I realize that this isn’t necessarily the most precise use of terminology. (In PKI terminology it might better be described as a “subject name” and in DNS terminology as a “fully-qualified domain name”.)

But indeed, you should run on the mail server itself and provide -d

The --apache option is a long option and so following the GNU getopt command line syntax it requires two dashes, --apache rather than -apache.

I hope this helps!


Thank you very much.

It works now. Please modify the documentation so other people can easily understand what they should do.

It took me two days for this wrong documentation.

Richard Xu

