Cert renew error: error 502, bad gateway

My domain is: auzou-lab.ovh

I ran this command: certbot -v renew --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/npm-1.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Account registered.

Simulating renewal of an existing certificate for plex.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for plex.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain plex.auzou-lab.ovh

http-01 challenge for plex.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: plex.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://plex.auzou-lab.ovh/.well-known/acme-challenge/CK4eeQrelu6El87N6Q5Hx9-Iie5JudMbGm4ellBXJIs: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-1 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-11.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for unraid.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for unraid.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain unraid.auzou-lab.ovh

http-01 challenge for unraid.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: unraid.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://unraid.auzou-lab.ovh/.well-known/acme-challenge/5TqOiISacjl3EC86nTJGlelcomdYId4SClj39UpexIY: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-11 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-12.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for unbalance.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for unbalance.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain unbalance.auzou-lab.ovh

http-01 challenge for unbalance.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: unbalance.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://unbalance.auzou-lab.ovh/.well-known/acme-challenge/qyiAtGqL0iBGHjdsi9688FlmBGhL-ATOgCyGla8oc2s: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-12 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-19.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for nextcloud.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for nextcloud.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain nextcloud.auzou-lab.ovh

http-01 challenge for nextcloud.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: nextcloud.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3033::ac43:a5e8: Invalid response from http://nextcloud.auzou-lab.ovh/.well-known/acme-challenge/k_9EW5nl_CrM_ewW52WkB0krCEfEvwKDx8c0RR2Ei5M: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-19 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-2.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for cloudcommander.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for cloudcommander.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain cloudcommander.auzou-lab.ovh

http-01 challenge for cloudcommander.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: cloudcommander.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://cloudcommander.auzou-lab.ovh/.well-known/acme-challenge/RE85BpvfAaJOYa6lCLC56lADT5EAEz1bsuU_XDvGc9A: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-2 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-20.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for cloudcommander.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for cloudcommander.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain cloudcommander.auzou-lab.ovh

http-01 challenge for cloudcommander.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: cloudcommander.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://cloudcommander.auzou-lab.ovh/.well-known/acme-challenge/O4U5tHIrdX_7jvlcNxuvEYmx6fOJ1tObGfx8PW-RaGI: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-20 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-21.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for collabora.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for collabora.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain collabora.auzou-lab.ovh

http-01 challenge for collabora.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: collabora.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://collabora.auzou-lab.ovh/.well-known/acme-challenge/Rw4JROiqk9ibcgdenM7S12OQAu-RnXsuh3rWIV9SbmY: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-21 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-3.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for collabora.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for collabora.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain collabora.auzou-lab.ovh

http-01 challenge for collabora.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: collabora.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3033::ac43:a5e8: Invalid response from http://collabora.auzou-lab.ovh/.well-known/acme-challenge/LRz9sf1LYXSyyBWIU-m252zMEPeyLGTSkE7ao4xz2bM: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-3 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-4.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for guacamole.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for guacamole.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain guacamole.auzou-lab.ovh

http-01 challenge for guacamole.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: guacamole.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://guacamole.auzou-lab.ovh/.well-known/acme-challenge/vMQGyKLutiOsfUSXUQhewbaeYI6BEOW7n51xwgeqtbY: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-4 with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/npm-5.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Simulating renewal of an existing certificate for nextcloud.auzou-lab.ovh

Performing the following challenges:

http-01 challenge for nextcloud.auzou-lab.ovh

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.

Waiting for verification...

Challenge failed for domain nextcloud.auzou-lab.ovh

http-01 challenge for nextcloud.auzou-lab.ovh

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: nextcloud.auzou-lab.ovh

Type: unauthorized

Detail: 2606:4700:3036::6815:29ac: Invalid response from http://nextcloud.auzou-lab.ovh/.well-known/acme-challenge/j4YIsEp7O1hncj1SHpm_jF0GXsHw7fy-qHWeArQR8iI: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate npm-5 with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/npm-1/fullchain.pem (failure)

/etc/letsencrypt/live/npm-11/fullchain.pem (failure)

/etc/letsencrypt/live/npm-12/fullchain.pem (failure)

/etc/letsencrypt/live/npm-19/fullchain.pem (failure)

/etc/letsencrypt/live/npm-2/fullchain.pem (failure)

/etc/letsencrypt/live/npm-20/fullchain.pem (failure)

/etc/letsencrypt/live/npm-21/fullchain.pem (failure)

/etc/letsencrypt/live/npm-3/fullchain.pem (failure)

/etc/letsencrypt/live/npm-4/fullchain.pem (failure)

/etc/letsencrypt/live/npm-5/fullchain.pem (failure)


10 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My webserver is: UNRAID OS custom NAS

Operating system:

Internet provider: STARLINK

Login to a root shell: YES

Using a control panel to manage my site: YES (cloudflare)

certbot version: ? Can’t access certbot --version with my shell

It worked just fine since 5-6 months ago (maybe a modification in my firewall rules, unifi gateway, but can’t find something)

Port forwarding firewall rules: port forward of 80 and 443 to my Unraid NAS local IP

In fact it’s not vital for me not to be able to use my reverse proxy, because I use VPN access to reach my services remotely. But I just want to understand what is wrong. I’m sure the problem is a trifle.

Thanks for your help

The 502 is a Bad Gateway error. Your domains are proxied at Cloudflare and the Cloudflare Edge cannot connect to your origin domain.

The 502 happens for the HTTP Challenge and for any HTTPS request (or at least the "home" page). This is not a problem unique to port 80 or Let's Encrypt. There is some more fundamental problem in your origin server.

See: Troubleshooting Cloudflare 5XX errors · Cloudflare Support docs

# HTTPS to "home" page
curl -i https://plex.auzou-lab.ovh
HTTP/2 502
server: cloudflare

error code: 502

# HTTP Challenge
curl -i http://plex.auzou-lab.ovh/.well-known/acme-challenge/Test404
HTTP/1.1 502 Bad Gateway
Server: cloudflare

error code: 502
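The point made in the answer, that one fault sits in front of every hostname rather than in any single webroot, can be read straight from the certbot output. The following is an added example, not part of the original thread: it parses the `Domain:` and `Detail:` lines and reports which address the CA actually reached. The `example.org` names and tokens in the sample are constructed, and the check assumes 2606:4700::/32 is Cloudflare's published IPv6 range (Cloudflare IPv4 ranges are not checked).

```shell
#!/usr/bin/env bash
# Added example: summarize http-01 failures from `certbot -v renew --dry-run`.
# Reads certbot output on stdin and prints one line per failure:
#   <domain> <http-status> <address-the-CA-reached> <cloudflare-v6|other>
summarize_failures() {
  awk '
    $1 == "Domain:" { domain = $2 }
    $1 == "Detail:" && /Invalid response from/ {
      addr = $2; sub(/:$/, "", addr)   # strip the colon that ends the address
      status = $NF                      # last field is the HTTP status code
      # Assumption: only the 2606:4700::/32 IPv6 range is treated as Cloudflare.
      edge = (addr ~ /^2606:4700:/) ? "cloudflare-v6" : "other"
      print domain, status, addr, edge
    }'
}

# Succeeds when every failure is a 502 seen through the Cloudflare range,
# which points at one shared edge-to-origin fault, not per-site webroot errors.
same_edge_cause() {
  summarize_failures | awk '
    { n++; seen[$2 " " $4] = 1 }
    END {
      k = 0; for (s in seen) k++
      exit !(n > 0 && k == 1 && ("502 cloudflare-v6" in seen))
    }'
}

# Constructed sample in the same shape as the output posted above.
SAMPLE='Domain: app.example.org
Type: unauthorized
Detail: 2606:4700:3036::6815:29ac: Invalid response from http://app.example.org/.well-known/acme-challenge/TOKEN-A: 502
Domain: nas.example.org
Type: unauthorized
Detail: 2606:4700:3033::ac43:a5e8: Invalid response from http://nas.example.org/.well-known/acme-challenge/TOKEN-B: 502'

# Constructed counter-case: one site failing differently at a non-Cloudflare address.
MIXED="$SAMPLE
Domain: old.example.org
Type: unauthorized
Detail: 192.0.2.10: Invalid response from http://old.example.org/.well-known/acme-challenge/TOKEN-C: 404"

printf '%s\n' "$SAMPLE" | summarize_failures
if printf '%s\n' "$SAMPLE" | same_edge_cause; then
  echo "all failures: 502 via Cloudflare edge; check edge-to-origin connectivity"
fi
```

When the result is uniform like this, the renewal configuration and webroot path are not the place to look; the connection between the proxy edge and the origin is.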