Cert Renewal Failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://bear.systems

I ran this command: /opt/letsencrypt/bin/letsencrypt renew && /sbin/service nginx restart > /dev/null 2>&1

It produced this output:

Processing /etc/letsencrypt/renewal/bear.systems.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bear.systems
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (bear.systems) from /etc/letsencrypt/renewal/bear.systems.conf produced an unexpected error: Failed authorization procedure. bear.systems (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://bear.systems/.well-known/acme-challenge/_gYrRIJRnK52yzK4nak0dEvRjhRNEOADM-jIMYOEgmo []: “\r\n404 Not Found\r\n\r\n

404 Not Found

nginx\r\n”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bear.systems/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bear.systems/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)


My web server is (include version): Nginx 1.17.0, PHP 7.2.19, Percona MySQL 5.6.44, WP-CLI 2.1.0

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): I login as Sudo

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Does not work

Here is the log:

2019-05-31 16:58:22,822:DEBUG:certbot.main:certbot version: 0.31.0
2019-05-31 16:58:22,822:DEBUG:certbot.main:Arguments:
2019-05-31 16:58:22,822:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-05-31 16:58:22,842:DEBUG:certbot.log:Root logging level set at 20
2019-05-31 16:58:22,843:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-05-31 16:58:22,871:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fe33b20a8d0> and installer <certbot.cli._Default object at 0x7fe33b20a8d0>
2019-05-31 16:58:22,905:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-05-26 14:35:37 UTC.
2019-05-31 16:58:22,905:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-05-31 16:58:22,905:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-05-31 16:58:22,914:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fe33b25aa50>
Prep: True
2019-05-31 16:58:22,915:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fe33b25aa50> and installer None
2019-05-31 16:58:22,915:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-05-31 16:58:22,917:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/52195875', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=None), 3d236d4c69986f67b11d3d78c0b8b79e, Meta(creation_host=u'ip-172-31-40-121.us-west-2.compute.internal', creation_dt=datetime.datetime(2019, 2, 25, 15, 35, 29, tzinfo=)))>
2019-05-31 16:58:22,918:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2019-05-31 16:58:22,920:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org:443
2019-05-31 16:58:23,074:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2019-05-31 16:58:23,075:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: BcoN8Jb6RLfT06Oep1IuE5O561Rwc8TpKSX8JERaHCY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 31 May 2019 23:58:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 31 May 2019 23:58:23 GMT
Connection: keep-alive
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"/var/log/letsencrypt/letsencrypt.log" 322L, 20094C


Could you please try to place a file under $yourdomain/.well-known/acme-challenge/ and see if the file showed up online?

Thank you

Hi @ktola

webroot should always work. If it doesn't work, you have changed your configuration.

But: You have a lot of older certificates ( https://check-your-website.server-daten.de/?q=bear.systems#ct-logs ):

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1429832395 | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | 2019-04-28 22:00:00 | 2020-05-29 10:00:00 | *.bear.systems, bear.systems (2 entries) | | |
| 1497053509 | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | 2019-04-28 22:00:00 | 2020-05-29 10:00:00 | *.bear.systems, bear.systems (2 entries) | | |
| 1236423454 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-02-25 13:35:37 | 2019-05-26 12:35:37 | bear.systems (1 entries) | | |
| 1142852963 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-01-25 08:07:18 | 2019-04-25 07:07:18 | bear.systems, www.bear.systems (2 entries) | | |
| 974883615 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-11-25 08:07:17 | 2019-02-23 08:07:17 | bear.systems, www.bear.systems (2 entries) | | |
| 823179638 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-09-25 06:07:11 | 2018-12-24 07:07:11 | bear.systems, www.bear.systems (2 entries) | | |
| 666187659 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2018-07-26 06:07:08 | 2018-10-24 06:07:08 | bear.systems, www.bear.systems (2 entries) | | |

First is from 2018-07-26, last from 2019-02-25.

Looks like you have used tls-sni-01 validation, that's no longer supported, support ended ~ 2019-03-15.

Perhaps your too old Letsencrypt (= newer: Certbot) has selected the webroot authenticator, but that doesn't work.

So share your Certbot configuration file so we can see the defined webroot:


And share your nginx vHost configuration.

But checking your urls there may be a second problem. You use certonly. Is this a Bitnami?

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://bear.systems/ | 301 | https://bear.systems/ | 0.337 | A |
| http://www.bear.systems/ | 301 | https://www.bear.systems/ | 0.340 | A |
| https://www.bear.systems/ | 301 | https://bear.systems/ | 1.787 | N |
| Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | | | |
| https://bear.systems/ | 200 | | 2.460 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| http://bear.systems/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 301 | https://bear.systems/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.343 | A |
| Visible Content: 301 Moved Permanently nginx | | | | |
| http://www.bear.systems/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 301 | https://www.bear.systems/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.340 | A |
| Visible Content: 301 Moved Permanently nginx | | | | |
| https://bear.systems/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 1.416 | N |
| Not Found | | | | |
| Certificate error: RemoteCertificateChainErrors | | | | |
| Visible Content: 404 Not Found nginx | | | | |
| https://www.bear.systems/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 1.413 | N |
| Not Found | | | | |
| Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | | | |
| Visible Content: 404 Not Found nginx | | | | |

Your http redirects to https, same with /.well-known/acme-challenge.

Normally, that's ok, Letsencrypt follows these redirects. But if you use a Bitnami configuration, your renew-command must use the webroot of your Bitnami system, not your nginx - root.

Or you should create an exception, so /.well-known/acme-challenge isn't redirected to https. Then you can use your nginx port 80 root as webroot parameter.


Thank you for the reply! This is an Amimoto WordPress instance that I spun up in AWS about 6 months ago. I followed their instructions found here https://support.amimoto-ami.com/getting-started-with-amimoto-ami/5-enabling-https-using-lets-encrypt-on-amimoto-ami.

Should I remove everything somehow and install things from scratch?

I am a Windows server person and not really familiar with Linux. Any help is greatly appreciated.

Have a wonderful day.



That looks good.

But perhaps your webroot has changed.

What's the content of your default-ssl.conf? There should be a root. And what's the content of your renewal file?


If there is another webroot defined, that can't work.


I am traveling now but I will check when I get to my next destination. Thank you!

Juergen –

Thank you so much for your insights. The root was missing a letter which was causing the underlying issue.

Have a great day!
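
An added example, not part of the original thread: the cause found here (the webroot Certbot writes challenge files to differs from the root nginx serves) can be checked mechanically by comparing the `[[webroot_map]]` section of the renewal file with the `root` of the matching nginx `server` block. The sample renewal file, nginx block, paths and function names are constructed for illustration, and the nginx parsing assumes one top-level `root` per `server` block with no `include` files.

```python
import re

# Constructed sample inputs (not taken from the thread): a Certbot renewal
# file whose webroot is one letter short of the root nginx actually serves.
RENEWAL_CONF = """\
version = 0.31.0
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /var/www/vhosts/exampl
"""

NGINX_CONF = """\
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/vhosts/example;
}
"""

def renewal_webroots(text):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    roots, in_map = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"   # any other section ends the map
        elif in_map and "=" in line and not line.startswith("#"):
            domain, path = (p.strip() for p in line.split("=", 1))
            roots[domain] = path.rstrip("/")
    return roots

def nginx_roots(text):
    """Return {server_name: root} for each server block closed by a '}' in column 0."""
    roots = {}
    for block in re.findall(r"\bserver\s*\{(.*?)\n\}", text, re.S):
        names = re.search(r"\bserver_name\s+([^;]+);", block)
        root = re.search(r"^\s*root\s+([^;]+);", block, re.M)
        if names and root:
            for name in names.group(1).split():
                roots[name] = root.group(1).strip().rstrip("/")
    return roots

def mismatches(renewal_text, nginx_text):
    """List (domain, certbot_webroot, nginx_root) where the two paths disagree."""
    served = nginx_roots(nginx_text)
    wanted = renewal_webroots(renewal_text)
    return [(d, w, served.get(d)) for d, w in sorted(wanted.items()) if served.get(d) != w]

if __name__ == "__main__":
    for domain, webroot, root in mismatches(RENEWAL_CONF, NGINX_CONF):
        print(f"{domain}: certbot writes to {webroot!r}, nginx serves {root!r}")
```

A domain reported with `None` as the nginx root has no matching `server_name` in the parsed configuration, which is also worth investigating.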

