404 error at well-known/acme-challenge/

My domain is: protrack.by

I ran this command: sudo certbot certonly -a webroot --webroot-path=/var/www/html -d protrack.by

It produced this output:
Domain: protrack.by
Type: unauthorized
Detail: Invalid response from

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian 9.2

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): bash

In my Nginx configuration file at /etc/nginx/sites-available/default I added this code in the **server** block:

location ~ /.well-known {
    allow all;
    root /usr/share/nginx/html;
}

After running the command: sudo certbot certonly -a webroot --webroot-path=/var/www/html -d protrack.by I get the following errors reported.

Certbot and Nginx need to be configured to use the same location.

If changing one of them doesn’t work, what’s the rest of the Certbot error, and what does Nginx’s error.log say?


Sorry, my mistake, I copied it from another file. My true code:

location ~ /.well-known {
    allow all;
    root /var/www/html;
}

What was the rest of the Certbot error?

What does /var/log/letsencrypt/letsencrypt.log contain?

What does Nginx’s error.log contain?

2017-10-15 12:32:01,991:DEBUG:certbot.main:Root logging level set at 30
2017-10-15 12:32:01,993:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-10-15 12:32:01,994:DEBUG:certbot.main:certbot version: 0.10.2
2017-10-15 12:32:01,994:DEBUG:certbot.main:Arguments: ['-q']
2017-10-15 12:32:01,995:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoin$
2017-10-15 12:32:01,996:DEBUG:certbot.renewal:no renewal failures

Nginx’s error.log is empty

Certbot error

sudo certbot certonly -a webroot --webroot-path=/var/www/html -d protrack.by
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for protrack.by
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. protrack.by (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://protrack.by/.well-known/acme-challenge/k5dXhtkYzxkfjFcXKVKVMlQ5lS5BHxWsX3SRWDPoxt0: "

Page not"


That 404 Not Found page was generated by Django.

It seems Nginx isn’t handling /.well-known/acme-challenge/ statically, as you wanted it to. Instead it’s passing it to Django, which isn’t configured to handle it either.

What’s the Nginx virtual host’s whole configuration?


In /etc/nginx/sites-available I have 2 files

Default server configuration

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    location ~ /.well-known {
        allow all;
        root /var/www/html;
    }

    root /var/www/html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}

And protrack configurations

server {
    listen 80;
    server_name protrack.by;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/gk/protrack;
    }

    location / {
        include         uwsgi_params;
        uwsgi_pass      unix:/run/uwsgi/protrack.sock;
    }
}

To the protrack configuration, add something like:

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
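
Why the first setup returned Django's 404, as an added example that is not part of the original thread: a simplified Python model of how Nginx first picks a server block by Host and only then a location by URI, run over constructed representations of the two server blocks quoted above. The function names and handler labels are hypothetical, and the model ignores wildcard and regex server names.

```python
import re

# Constructed model of the two server blocks quoted in this thread.
# A location is (modifier, pattern, handler label); "" means plain prefix.
DEFAULT = {"names": ["_"], "default": True, "locations": [
    ("~", r"/.well-known", "static:/var/www/html"),
    ("", "/", "static:/var/www/html")]}
PROTRACK = {"names": ["protrack.by"], "default": False, "locations": [
    ("=", "/favicon.ico", "static"),
    ("", "/static/", "static:/home/gk/protrack"),
    ("", "/", "uwsgi:/run/uwsgi/protrack.sock")]}
# The same server block with the location suggested in the reply added.
PROTRACK_FIXED = dict(PROTRACK, locations=PROTRACK["locations"] + [
    ("", "/.well-known/acme-challenge/", "static:/var/www/html")])

def pick_server(servers, host):
    """An exact server_name match wins; otherwise the default_server."""
    for server in servers:
        if host in server["names"]:
            return server
    return next(s for s in servers if s["default"])

def pick_location(server, uri):
    """Simplified Nginx order: '=' exact, longest prefix, then regexes."""
    best = None
    for mod, pat, handler in server["locations"]:
        if mod == "=" and uri == pat:
            return handler
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, handler)
    if best and best[0] == "^~":
        return best[2]  # a '^~' prefix suppresses the regex pass
    for mod, pat, handler in server["locations"]:
        if mod == "~" and re.search(pat, uri):
            return handler  # first matching regex beats a plain prefix
    return best[2] if best else None

def route(servers, host, uri):
    """Locations are only searched inside the server block that was chosen."""
    return pick_location(pick_server(servers, host), uri)

if __name__ == "__main__":
    uri = "/.well-known/acme-challenge/constructed-token"
    print(route([DEFAULT, PROTRACK], "protrack.by", uri))
    print(route([DEFAULT, PROTRACK_FIXED], "protrack.by", uri))
```

The `location ~ /.well-known` block in the default server is never consulted for `Host: protrack.by`, so the challenge request falls through to the `location /` uwsgi handler until the challenge location exists in the protrack server block itself.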

It really works. Thank you very much for your help!:grinning:


Also, have you tried the Nginx-specific options described at https://certbot.eff.org/#ubuntutzesty-nginx ? That is:

sudo certbot --nginx

This should “just work” for your use case and save some trouble.

