Cert-bot auto renew Not Working - HTTP Challenge Failing As There is No File Being in ACME Challenge Directory


Please fill out the fields below so we can help you better.

My domain is: i-windenergy.com

I ran this command: cert-bot auto renew

It produced this output:

", www.i-windenergy.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.i-windenergy.com/.well-known/acme-challenge/euUBk5uhKdk9iFvkVH54cSANO0oy4Nd61KZ-8AY1kjc: " 404 Not Found

My operating system is (include version): Debian

My web server is (include version): nginx 1.2.1

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have the SSL running fine as of now, but I cannot renew. Recently, I deleted the .well-known directory accidentally. So when I attempt to renew, I get the error: The client lacks sufficient authorization…
Do I need to recreate the certificates or can I still renew?


Usually this error means you specified the wrong webroot directory. Certbot should re-create the .well-known directory automatically if you delete it, though. Did you move the site to a different webroot after you originally created the certificates?

Check the configuration in /etc/letsencrypt/renewal and confirm that the webroot directory is what you expect it to be.

If you manually re-create the directories and create a file in .well-known/acme-challenge/test.txt can you access that file with a web browser?


The webroot is correct in /etc/letsencrypt/renewal.
I am able to access https://i-windenergy.com/.well-known/acme-challenge/aa

When I run as root, certbot-auto renew

I get error:
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /usr/share/nginx/www/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/i-windenergy.com.conf produced an unexpected error: Failed authorization procedure. www.i-windenergy.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.i-windenergy.com/.well-known/acme-challenge/J5vhppHUAujujMzSZcnc7JnSQ-8k6Exq-V6N1rTAxEs: "

404 Not Found ... Domain: i-windenergy.com Type: unauthorized Detail: Invalid response from http://i-windenergy.com/.well-known/acme-challenge/eeqgeSuYuTKY47_08pJHZsvMu3Kfh2wM37hQXQ3n4m4: " 404 Not Found

404 Not Found


To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.


Just to let you know, I am trying to do this to 8 domains, and the renewal file has:

renew_before_expiry = 30 days

version = 0.10.1
archive_dir = /etc/letsencrypt/archive/i-windenergy.com
cert = /etc/letsencrypt/live/i-windenergy.com/cert.pem
privkey = /etc/letsencrypt/live/i-windenergy.com/privkey.pem
chain = /etc/letsencrypt/live/i-windenergy.com/chain.pem
fullchain = /etc/letsencrypt/live/i-windenergy.com/fullchain.pem

Options used in the renewal process

authenticator = webroot
installer = None
account = {{removed}}
webroot_path = /usr/share/nginx/www,
www.datawizard.me = /usr/share/nginx/www
www.quantumleapwind.com = /usr/share/nginx/www
www.windenergyengineeringbook.com = /usr/share/nginx/www
windenergyengineeringbook.com = /usr/share/nginx/www
quantumleapwind.com = /usr/share/nginx/www
www.i-windenergy.com = /usr/share/nginx/www
datawizard.me = /usr/share/nginx/www
i-windenergy.com = /usr/share/nginx/www
www.i-windenergy.net = /usr/share/nginx/www
i-windenergy.net = /usr/share/nginx/www


Is it really possible that all of those domains have the same webroot? Doesn’t that mean that they also have the same content? Or do you have a fancy nginx configuration that mostly doesn’t serve content from the webroot at all, but does allow /.well-known to be served from the webroot?


Just to confirm, that aa file is located at /usr/share/nginx/www/.well-known/acme-challenge/aa on your server?

@schoen the site appears to be using Drupal 7 which allows you to serve different content for different domains from the same webroot.


My mistake. I had aa in two places. My webroot_path was incorrect. After fixing it, renew went through.
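
The manual check used in this thread (a fixed file name under .well-known/acme-challenge) passed even though webroot_path was wrong, because a file with that name existed in two places. The sketch below is an added example, not code from any poster or from Certbot: it writes a random token into each webroot listed in the renewal file and confirms the web server returns those exact bytes. The function names, the `base_url` parameter and the sample configuration are assumptions made for illustration.

```python
import os, secrets, sys, urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample in the layout of the renewal file quoted in the thread.
SAMPLE_CONF = """\
cert = /etc/letsencrypt/live/example.com/cert.pem
authenticator = webroot
webroot_path = /usr/share/nginx/www,
[[webroot_map]]
www.example.com = /usr/share/nginx/www
example.com = /usr/share/nginx/www
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the 'domain = /path' lines (heuristic)."""
    mapping = {}
    for line in conf_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and "." in key and " " not in key and value.startswith("/"):
            mapping[key] = value.rstrip(",")
    return mapping

def probe(domain, webroot, base_url=None, timeout=10):
    """Write a random token into webroot, fetch it over HTTP, compare the bytes."""
    token = "probe-" + secrets.token_urlsafe(16)   # unique name: no stale copy can answer
    body = secrets.token_urlsafe(32).encode()      # unique content: proves which file was served
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "wb") as fh:
        fh.write(body)
    url = f"{base_url or 'http://' + domain}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no local proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            return "ok" if resp.read() == body else "mismatch"
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}"     # e.g. 404: server reads from a different directory
    except OSError as exc:            # DNS failure, refused connection, timeout
        return f"unreachable: {exc}"
    finally:
        os.remove(path)               # never leave probe files behind

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:     # e.g. a file under /etc/letsencrypt/renewal
        for name, root in sorted(parse_webroot_map(fh.read()).items()):
            print(f"{name:40} {root:30} {probe(name, root)}")
```

Run as root with the renewal file as the only argument; any domain that reports `http 404` has a webroot entry the web server is not actually serving from.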

