Can't generate cert. 404 not found

I know. There are many similar topics. I think I read them all. But not a single answer solved my problem. Three months ago, I successfully received a certificate. When trying to update, I got various errors.

My domain is:
My hosting provider, if applicable, is: DigitalOcean
I ran this command: sudo certbot renew --dry-run
It produced this output:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Missing command line flag or config entry for this setting:
    Select the webroot for
    Choices: ['Enter a new webroot', '/var/www/well-known']

    (You can set this with the --webroot-path flag). Skipping.
    The following certs could not be renewed:
      /etc/letsencrypt/live/ (failure)

I solved it by adding a line.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

Further there was such an error:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)

I had to add a domain from www and add an A record to DigitalOcean.
(although how did it work for the first time without all this ???)
Well, and finally I have a 404 error and I cannot access the test file in the acme directory: error:Invalid response from []:
[Wed Oct 16 07:44:26 UTC 2019] Please check log file for more details: /home/letsencrypt/

(I don’t know, maybe this is not the end of my adventures). What am I doing wrong? Please help.

Here are my files:

upstream zzz {
    server localhost:5000;
}

server {
    listen 80;

    location ~ /.well-known/acme-challenge/ {
        allow all;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen *:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
"/etc/nginx/sites-available/default" [readonly] 39L, 749C


account = 7f3fae13f882f4eb6794552e2246e3c1
rsa_key_size = 2048
authenticator = webroot
webroot-path = /var/www/html/well-known
server =
post_hook = service nginx reload
[[webroot_map]] = /var/www/well-known = /var/www/html/well-known

Hi @sipakov

please answer the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Are you using, Certbot or both? is using a different directory than the other two -- no ".../html/..." in the middle.

1 Like


I gradually supplement my issue, thanks.
I tried this and that.
The issue lists errors as root and certbot.
I also created a separate letsencrypt user and used acme. as in this manual:
the result is the same - 404

There is a check, created yesterday -

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
| | A | City of London/England/United Kingdom (GB) - DigitalOcean, LLC, No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |
| | | Name Error | yes | 1 | 0 |

The www version isn't defined, so it's impossible to create a certificate with the www name via http-validation.

Domainname Http-Status redirect Sec. G GZip used - 384 / 612 - 37,25 % 200 Html is minified: 129,94 % 0.063 H Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 2.450 N
Not Found
Certificate error: RemoteCertificateChainErrors GZip used - 141 / 178 - 20,79 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 108,54 % 0.070 A
Not Found
Visible Content: 404 Not Found nginx/1.14.0 (Ubuntu)

http + /.well-known/acme-challenge/random-filename isn't redirected to https.

The listen 80 server doesn't have a root. But I don't know exactly, if this is an error using --webroot.

Perhaps try --nginx as authenticator.

PS: You have created one new certificate yesterday:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
| Let's Encrypt Authority X3 | 2019-10-15 | 2020-01-13 | 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-07-17 | 2019-10-15 | 2 entries | | |

But your expired certificate has two domain names.

So first step: Add a www A entry, so the www version has an ip address.

1 Like
|www.amver.net|directs to |3600|
|www.amver.net|directs to |1800|
|www.amver.net|directs to |1800|
|www.amver.net|directs to |1800|

A record already created for
but before it was gone and everything worked fine
(only for was A record)

Sorry, I took the first entry from you in an attempt to acme. but the essence is the same with certbot

Ah, rechecked the domain, now both domain names have A-records.

Next step:

Your port 80 server doesn't have a server_name.


is required, then a restart.

Then try

certbot -d -d --nginx

really? :hushed: :grinning: adding the server name to port 80 and further running the command to add the certificate fixed everything!
Thank you so much for your support and prompt assistance. Perhaps this line I did not see in the existing answers


Yep, that's required, so Certbot / the --nginx authenticator can find the vHost with the same list of domain names as your command.

Happy to read it had worked :+1:

1 Like
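
The problem resolved in this thread can be checked offline before running Certbot. The following is an added example, not code from the thread or from Certbot: it lists which requested names have no matching server_name in a port-80 server block. The function names and the example.com config are constructed for illustration, and the check is exact-match only (nginx also allows wildcard and regex server names, and `include`d files are not followed).

```python
import re

# Constructed sample config (example.com is a placeholder, not the poster's file).
# The port-80 block has no server_name, as in the thread.
SAMPLE = """
server {
    listen 80;
    location ~ /.well-known/acme-challenge/ { allow all; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
}
"""

def server_blocks(text):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"(?m)^\s*server\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def port80_names(text):
    """Collect server_name values from blocks that listen on port 80."""
    names = set()
    for body in server_blocks(text):
        listens = re.findall(r"(?m)^\s*listen\s+([^;]+);", body)
        # Accept "80", "80 default_server", "[::]:80", "1.2.3.4:80"; reject 8080, 443.
        if not any(re.search(r"(^|:)80(\s|$)", l.strip()) for l in listens):
            continue
        for value in re.findall(r"(?m)^\s*server_name\s+([^;]+);", body):
            names.update(value.split())
    return names

def uncovered(text, domains):
    """Domains with no exact server_name match in any port-80 server block."""
    names = port80_names(text)
    return [d for d in domains if d not in names]

if __name__ == "__main__":
    print(uncovered(SAMPLE, ["example.com", "www.example.com"]))
```

Any name returned by `uncovered` is one that an HTTP challenge request on port 80 would reach only through the default server, which is the situation the port-80 block in this thread was in.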
