Can't issue certs for two domains on one IP with nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are: and

I ran this command:

certbot certonly \
--expand \
--webroot \
--webroot-path /root/sys/config/tmpsite \
-d \
--webroot-path /root/sys/config/tmpsiteptif \
-d \
--agree-tos \
--email \
--verbose \
--rsa-key-size 4096 \
--keep-until-expiring \

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for and
Performing the following challenges:
http-01 challenge for
Using the webroot path /root/sys/config/tmpsiteptif for all unmatched domains.
Waiting for verification...
Challenge failed for domain
http-01 challenge for

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Type:   unauthorized
  Detail: 2a01:7e00::f03c:93ff:fe20:886d: Invalid response from 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
I am using the Nginx Docker image: nginx:latest
Nginx is in a Docker Container, Certbot is Not in a Container. Certbot is installed on the host.

The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye)

My hosting provider is:

I can login to a root shell on my machine (yes or no, or I don't know):
I can login as root.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am using certbot 2.6.0

My problem:

The problem above is using Certbot on the host but uses Nginx which is in a Docker container. So, the first hurdle is deciding if the problem is Nginx config, Docker compose, or the certbot command I'm using. I can't expect any help with docker or nginx but perhaps I could be pointed to some information somewhere that might help.

Perhaps I am not understanding what certbot/Let's encrypt needs. For example, in my nginx, both domains are using root /tmp/acme-challenge;

I did get one certificate successfully for, but that was requested on its own and not at the same time as

My testing nginx configuration file is:

server {

    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge/ {
        root /tmp/acme-challenge;

    location / {
	root /usr/share/nginx/html;
	index index.html;

server {

    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge/ {
        root /tmp/acme-challenge;

    location / {
	root /usr/share/nginxptif/html;
	index index.html;

The test docker compose file is:

version: '3.7'


    image: nginx:latest
    container_name: nginx
      - "80:80"
      - ./config/nginx_init:/etc/nginx/conf.d
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - /tmp/acme-challenge:/tmp/acme-challenge
      - /var/log/nginx:/var/log/nginx
      - ./config/tmpsite:/usr/share/nginx/html
      - ./config/tmpsiteptif:/usr/share/nginxptif/html

Thank you for any guidance.

Hi @johnfern, and welcome to the LE community forum :slight_smile:

Those don't match.
[webroot path should equal root path]

Please continue your testing with the staging environment [until all test have passed].


Well @rg305 you are a saviour. Thank you very much indeed.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.