E-mail domain Let'sEncrypt fails


I would like to get an SSL for my email domain, but I always end up with the following:

Error: Let’s Encrypt validation status 400 (mail.diff.hu). Details: 403:“ Invalid response from http://mail.diff.hu/.well-known/acme-challenge/Wf4pwzlyrs1dX0upJzgPGvQlqrMK4vQIj6c6ck-z7Fs: 404”

If I ping mail.diff.hu, or webmail.diff.hu it resolves to the desired

I simply created an e-mail domain for diff.hu and clicked the SSL button; no other web domains are present. Roundcube itself is loading - however, I also tried disabling it and getting the cert like that - still no go. :confused:

What else should I check?

Ty in advance!

Hi @Jess,

mail.diff.hu can’t answer the ACME challenge, but webmail.diff.hu does:

$ curl -ikL http://webmail.diff.hu/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Mar 2024 11:15:42 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 48
Connection: keep-alive


Could you please show the nginx conf for your domain? (replace YourUser by the actual user)

cat /home/YourUser/conf/mail/diff.hu/nginx.conf
cat /home/YourUser/conf/mail/diff.hu/nginx.conf_letsencrypt


This seems quite stock to me:

server {
        server_name webmail.diff.hu mail.diff.hu;
        root        /var/lib/roundcube;
        index       index.php index.html index.htm;
        access_log  /var/log/nginx/domains/webmail.diff.hu.log combined;
        error_log   /var/log/nginx/domains/webmail.diff.hu.error.log error;

        include /home/different/conf/mail/diff.hu/nginx.forcessl.conf*;

        location ~ /\.(?!well-known\/) {
                deny all;
                return 404;
        }

        location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
                deny all;
                return 404;
        }

        location / {
                alias /var/lib/roundcube/;

                try_files $uri $uri/ =404;

                location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
                        expires 7d;
                        fastcgi_hide_header "Set-Cookie";
                }
        }

        location @fallback {
        }

        location /error/ {
                alias /var/www/document_errors/;
        }

        include /home/different/conf/mail/diff.hu/nginx.conf_*;
}


root@hestia:~# cat /home/different/conf/mail/diff.hu/nginx.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.IxkLLtnoVLDbhGNkvQ52tRU0Fyf0BzxsdT5oK-1OjcI";
}

Looks fine, show the output of this command (as root):

grep -R '\smail\.diff\.hu' /etc/nginx/

root@hestia:~# grep -R '\smail\.diff\.hu' /etc/nginx/
/etc/nginx/conf.d/domains/webmail.diff.hu.conf: server_name webmail.diff.hu mail.diff.hu;
/etc/nginx/conf.d/domains/mail.diff.hu.conf:    server_name mail.diff.hu ;

This one shouldn’t be there.

Well, haven’t touched these files for sure… :slight_smile: I think I tried to create a web domain with the name, but it failed. Should I simply remove that file?

Simply remove the related domain; you don’t need to create mail.domain.tld as a web domain - that’s the reason it fails.

omg… I was totally certain that it failed creating it… But it was there. Removed and it is working like a charm. 100% user error - sorry. :confused:
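
The cause found in this thread, one hostname declared in two nginx server blocks, can be checked for directly. The script below is an added example, not part of the original posts or of Hestia; it assumes each listen and server_name directive sits on one line, and the 192.0.2.10:80 listen address in its sample files is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: list hostnames claimed by two nginx server blocks on the same
# listen address. Assumes each listen/server_name directive sits on one line.

# Usage: find_server_name_conflicts DIR
# Prints "name listen first-file later-file"; returns 1 if a conflict exists.
find_server_name_conflicts() {
    awk '
        function end_block(   i, j, key) {
            if (inblock && nl == 0) ls[nl++] = "(default)"  # block has no listen
            for (i = 0; i < nl; i++) for (j = 0; j < nn; j++) {
                key = ns[j] " " ls[i]
                if (!(key in owner)) { owner[key] = id; ofile[key] = file }
                else if (owner[key] != id) { print key, ofile[key], file; bad = 1 }
            }
            nl = nn = 0
        }
        { sub(/#.*/, "") }                                  # drop comments
        /^[ \t]*server[ \t]*\{/ {
            end_block(); inblock = 1; id++
            file = FILENAME; sub(/.*\//, "", file)          # report the basename
        }
        /^[ \t]*listen[ \t]/ { v = $2; sub(/;$/, "", v); ls[nl++] = v }
        /^[ \t]*server_name[ \t]/ {
            for (k = 2; k <= NF; k++) {
                v = $k; sub(/;$/, "", v)                    # also handles "name ;"
                if (v != "") ns[nn++] = v
            }
        }
        END { end_block(); exit bad + 0 }
    ' "$1"/*.conf
}

# Constructed sample mirroring the two files the grep in the thread found; the
# listen lines are assumptions, the server_name lines are the ones on the page.
make_sample() {
    printf 'server {\n    listen 192.0.2.10:80;\n    server_name mail.diff.hu ;\n}\n' \
        > "$1/mail.diff.hu.conf"
    printf 'server {\n    listen 192.0.2.10:80;\n    server_name webmail.diff.hu mail.diff.hu;\n}\n' \
        > "$1/webmail.diff.hu.conf"
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
find_server_name_conflicts "$sample_dir" || echo "conflict found: remove the stray web domain"
rm -rf "$sample_dir"
```

On the server from the thread the directory to scan would be /etc/nginx/conf.d/domains; nginx -t reports the same situation as a "conflicting server name" warning.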