Letsencrypt fails to create certificate for Jellyfin in reverse proxy setup


Hello all,

I have migrated from Emby to Jellyfin very recently and tried to expose the Jellyfin server via reverse proxy (Apache in my case) as described in jellyfin documentation.

The setup basically works for non-secure connections. For secure connections I tried to obtain a letsencrypt certificate via certbot but I am receiving an error and the process fails. Obviously the browsers now complain when connecting, however the server behind still works if I overrule the security warning.

I am getting:
Domain: my.domain.de (anonymised:)
Type: unauthorized
Detail: Invalid response from my.domain.de/.well-known/acme-challenge/18tG4LkKOgfJ4rqJ0uHGpSJchojuwZhjlqhJJ1-2ZxM [2001:8d8:1000:5d:6995:cab3:a2ec:f82a]: 204

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

Digging into the log files I see

  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from my.domain.de/.well-known/acme-challenge/18tG4LkKOgfJ4rqJ0uHGpSJchojuwZhjlqhJJ1-2ZxM [2001:8d8:1000:5d:6995:cab3:a2ec:f82a]: 204",
    "status": 403

Response “204” means “No Content”
Response “403” means “Forbidden”
The DNS is OK. Other domains that I own are OK with the letsencrypt certificates.

I now suspect that the challenge that the letsencrypt server sends to (my) apache and which is passed to Jellyfin fails to return correctly. Could that be because Jellyfin and Apache are running as different users?

Anyone managed to install letsencrypt certificates in an Apache/Jellyfin reverse proxy configuration?
Any hint?


This is because of how the default Let’s Encrypt challenge works.

  1. Let’s Encrypt places a file in the document root of the site
  2. Let’s Encrypt contacts the Acme challenge server
  3. The challenge server checks to see if that file from step 1 is accessible and has the right content

If step 3 succeeds, you get a cert. If it fails, you get the errors you saw.

Since Jellyfin doesn’t have a document root for putting the file, the check can’t succeed. What you need to do is either use a different authentication method or set up a directory for the challenge.

In Apache, you could do this by creating a directory and alias for .well-known/acme-challenge, like this:

# Serve ACME HTTP-01 challenge files from the local webroot
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge
<Directory /var/www/html>
    Options All -Indexes
    Allow from all
    AllowOverride All
</Directory>

Then, when you run Certbot or other tool for getting a Let’s Encrypt cert, make sure you set the webroot path to “/var/www/html”


Thank you for the quick and detailed response. Makes absolute sense and matches the documentation from letsencrypt. Unfortunately a quick attempt to try this out was not successful. I need to dig deeper in the log files of the apache2 server. I will do this later this week and report back.


Not really helpful but I use Caddy Server and set up https no problem.

Hello all,

I am getting back to the issue that I was failing to install a letsencrypt certificate.
The root cause of the problem was my DNS record entries for IPv6.

I have a fixed IPv4 address and I am tweaking the DNS entries of my domain to point to my IPv4 address and I was ignoring any IPv6 related settings.

My domain provider started to add default IPv6 related entries to the DNS records and I had to remove the AAAA entries (or change them to correct values - which I did not test). After removing the IPv6 related entries everything worked as documented in the Jellyfin and letsencrypt documentation.
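
The resolution above turns on the bracketed address in the certbot "Detail:" line: it is the address the validation server actually connected to. The following Python sketch is an added example, not part of the thread or of certbot. It parses that line and compares the address with the ones that really belong to the Apache host; the function names, `example.org` and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Constructed sample in the shape of the "Detail:" line from the first post
# (example.org and the RFC 5737 / RFC 3849 addresses are placeholders).
SAMPLE = ("Detail: Invalid response from example.org/.well-known/acme-challenge/"
          "token [2001:db8::5d]: 204")
DETAIL_RE = re.compile(
    r"Invalid response from (?P<url>\S+) \[(?P<addr>[0-9A-Fa-f:.]+)\]: (?P<status>\d{3})")

def rr_type(addr):
    """DNS record type that publishes this address."""
    return "AAAA" if addr.version == 6 else "A"

def parse_detail(line):
    """Return (url, validated_address, http_status), or None if the line differs."""
    m = DETAIL_RE.search(line)
    if m is None:
        return None
    return m["url"], ipaddress.ip_address(m["addr"]), int(m["status"])

def resolve(hostname):
    """Every A and AAAA address the system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def diagnose(detail_line, own_addresses, published=None):
    """Relate a failed HTTP-01 validation to the host's DNS records.
    own_addresses: addresses that really terminate on the Apache host.
    published: addresses currently in DNS; looked up live when omitted.
    """
    parsed = parse_detail(detail_line)
    if parsed is None:
        return ["not an 'Invalid response' detail line"]
    url, validated, status = parsed
    own = {ipaddress.ip_address(a) for a in own_addresses}
    if published is None:
        published = resolve(re.sub(r"^https?://", "", url).split("/")[0])
    stale = {ipaddress.ip_address(a) for a in published} - own - {validated}
    if validated in own:
        findings = [f"{validated} is this server: HTTP {status} came from your own "
                    "vhost, check how it serves /.well-known/acme-challenge"]
    else:
        findings = [f"validator reached {validated}, not this server: correct or "
                    f"remove that {rr_type(validated)} record"]
    findings += [f"{rr_type(a)} record {a} also points elsewhere"
                 for a in sorted(stale, key=str)]
    return findings
```

Call `diagnose(line, ["<your IPv4>"])` with the real "Detail:" line to have the published records looked up live; an address reported as "not this server" is the record to correct or remove at the DNS provider.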