Acme challenge file not found

My domain is:

I ran this command: sudo certbot renew

It produced this output:

The following errors were reported by the server:

Type: unauthorized
Detail: Invalid response from
[2606:4700:30::6812:2b68]: “\n404 Not
Found\n<body bgcolor=“white”>\n

404 Not


My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

And the path exists and I can see the results of a test file in acme-challenge directory.

What authenticator are you using?

cat /etc/letsencrypt/renewal/

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

account = f7cf1599e6937c6a883a8dda1a3be819
authenticator = nginx
installer = nginx
server =

This is a common issue with Cloudflare CDN and Certbot’s nginx plugin: Certbot sets up the challenge response on your server’s port 80 virtualhost only.

Cloudflare causes all traffic between Cloudflare and your server to be secured with HTTPS. This means that the challenge response rule never gets a chance to be processed by the Let’s Encrypt validation request, and instead results in a 404.

Until this is fixed in Certbot, I believe that your best workaround is to use the webroot authenticator method.

A fairly foolproof method is to do something like:

mkdir -p /var/www/letsencrypt

and then to nginx (in your port 80 and port 443 virtual hosts), add:

location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;

Then renew your certificate like:

systemctl reload nginx
certbot renew --cert-name -a webroot -w /var/www/letsencrypt

Thanks for your response dear. But I already tried that (I created the exactly same directory ‘/var/www/html/.well-known/acme-challenge’) and I tested it by putting a test.html file in there.

So you think that the problem might be because of the all-redirecting code that cartbot added to nginx config?

if ($host = {
    return 301$request_uri;

That 301 is fine. I don’t think Cloudflare even hits it, because it probably goes directly to HTTPS when speaking to the origin.

My response had two parts - you also need to tell Certbot to use the webroot authenticator instead. The nginx authenticator does not use your webroot.

So try:

certbot renew --cert-name -a webroot -w /var/www/html --dry-run
1 Like

This is the result:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: The requested weboot plugin does not appear to be installed. Skipping.

Sorry, that’s my fault, a typo. It should be webroot not weboot.

The fault is mine my friend. I should have checked it.
And thanks. It worked. But I really didn’t get the point and the root of the problem :smile:
Is it because --dry-run ?

1 Like

--dry-run is just for testing. You should get rid of it and run the command without it.

What we changed was that we changed from the “nginx authenticator” to the “webroot authenticator” - it causes Certbot to perform the domain validation a little bit differently.

The root of the problem is an incompatibility between Certbot’s nginx authenticator and how Cloudflare CDN works.

edit: Now reported to Certbot:


Wow. well, thanks. You saved my life :sunflower: :heart:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.