
Fixing Let’s Encrypt “Invalid Response” Errors in Nginx

If you’re using Let’s Encrypt to secure your website with HTTPS, you may run into the following error when trying to issue or renew a certificate:

Let’s Encrypt got an invalid response from http://<DOMAIN>/.well-known/acme-challenge/<TOKEN>

This usually means that Let’s Encrypt was unable to reach the challenge file on your server over HTTP. Without being able to validate domain ownership, Let’s Encrypt will fail to issue or renew the SSL certificate.

Why This Happens

Let’s Encrypt uses an HTTP-01 challenge to confirm you own the domain. This requires your web server to:

  1. Accept HTTP (port 80) requests.
  2. Serve static files under the path /.well-known/acme-challenge/.

However, in many secure Nginx setups, only HTTPS (port 443) is enabled. If you don’t explicitly allow HTTP requests — or you redirect everything to HTTPS without making an exception for the challenge path — Let’s Encrypt won’t be able to complete the validation.


The Fix: Add a Dedicated HTTP Server Block

To resolve this, add a new server block in your Nginx configuration to handle HTTP requests, specifically allowing Let’s Encrypt to access the challenge path:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Allow Let's Encrypt ACME challenge requests
    location /.well-known/acme-challenge/ {
        root /var/www/example.com/public;
        allow all;
    }

    # Redirect all other traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

This configuration does two things:

  • It allows requests to /.well-known/acme-challenge/ so Let’s Encrypt can validate your domain.
  • It redirects all other HTTP traffic to HTTPS for security.

Note: Replace /var/www/example.com/public with the actual root path of your web app.

After Updating Nginx

Once you’ve added the server block:

  1. Test the configuration to ensure there are no syntax errors:
    sudo nginx -t
  2. Reload Nginx to apply the changes:
    sudo systemctl reload nginx

Now Let’s Encrypt should be able to access the challenge files and issue or renew your certificate without errors.

Final Notes

  • This solution assumes you’re using the HTTP-01 challenge method, which is the most common.
  • If you’re using a tool like Certbot or a hosting platform like Laravel Forge, they typically place the challenge files in the right location automatically — you just need to make sure your server allows access to them.
  • Make sure that no other rules in your config (such as a location block that denies dotfiles, which also matches /.well-known/, or one that blocks certain folders) interfere with access to the /.well-known/ directory.

Troubleshooting Tips

If it’s still not working:

  • Check your firewall or cloud provider to ensure port 80 is open.
  • Make sure the challenge file actually exists in the correct path during the validation process.
  • Look at your Nginx logs (/var/log/nginx/error.log) for clues.
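To confirm the server block above works and to narrow down the troubleshooting tips, here is an added shell check (not from the original post): it drops a throwaway token into the challenge directory and fetches it over plain HTTP without following redirects, which is how the validator first sees it. It assumes curl is installed, that you can write to the web root, and that the domain and web root match the server_name and root in your config.

```bash
#!/usr/bin/env bash
# Added check (not from the original post): confirm the HTTP-01 challenge
# path answers over plain HTTP before requesting or renewing a certificate.
# Assumed: DOMAIN and WEBROOT match the server block's server_name and root,
# curl is installed, and this user may write to the web root.

# Map the status code and redirect target of the probe to a verdict.
# Pure function, so it can be exercised without a running server.
classify_response() {
  local status="$1" redirect="$2"
  case "$status" in
    200) echo "ok: challenge path is served over HTTP" ;;
    301|302|307|308)
      case "$redirect" in
        https://*) echo "fail: redirected to HTTPS before the challenge, add the location exception" ;;
        *)         echo "fail: redirected to $redirect" ;;
      esac ;;
    403) echo "fail: forbidden, a rule blocking dotfiles or /.well-known/ is in the way" ;;
    404) echo "fail: not found, check the root path in the location block" ;;
    000) echo "fail: no response on port 80, check the firewall and that Nginx listens on 80" ;;
    *)   echo "fail: unexpected HTTP status $status" ;;
  esac
}

# Write a throwaway token, fetch it over HTTP without following redirects,
# then remove it. %{http_code} is 000 when no connection could be made and
# %{redirect_url} is empty unless the response was a redirect.
run_probe() {
  local domain="$1" webroot="$2" dir token result verdict
  dir="$webroot/.well-known/acme-challenge"
  token="probe-$$"
  mkdir -p "$dir" && printf 'probe\n' > "$dir/$token" || {
    echo "fail: cannot write to $dir"; return 1; }
  result="$(curl -s -o /dev/null --max-time 10 \
    -w '%{http_code} %{redirect_url}' \
    "http://$domain/.well-known/acme-challenge/$token")"
  rm -f "$dir/$token"
  verdict="$(classify_response "${result% *}" "${result#* }")"
  echo "$verdict"
  case "$verdict" in ok:*) return 0 ;; *) return 1 ;; esac
}

# Only probe when a domain is given on the command line, e.g.:
#   ./check-acme-path.sh example.com /var/www/example.com/public
if [ "$#" -ge 1 ]; then
  run_probe "$1" "${2:-/var/www/$1/public}"
fi
```

A non-zero exit means the validator would hit the same problem; the verdict names the tip above that applies.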

By allowing just enough access for Let’s Encrypt while keeping everything else locked down and redirected to HTTPS, you strike a perfect balance between security and automation.

Last Updated on 17 July 2025
