Certbot-Auto renew unauthorized 404


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: koval.privatedns.org

I ran this command: certbot-auto renew

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/koval.privatedns.org.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for koval.privatedns.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (koval.privatedns.org) from /etc/letsencrypt/renewal/koval.privatedns.org.conf produced an unexpected error: Failed authorization procedure. koval.privatedns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://koval.privatedns.org/.well-known/acme-challenge/ffQ7a4et83BCimZ8XfLAB29GWBMXE2c2z2QJrVpv4yo: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/koval.privatedns.org/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/koval.privatedns.org/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)


My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Apache

I can login to a root shell on my machine (yes or no, or I don’t know): i don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23.0


Your domain currently responds with the webserver nginx - are you sure that you are using Apache?

Is your dynamic DNS definitely up to date for this domain?

If it is, you might try the following:

certbot-auto renew --cert-name koval.privatedns.org -a nginx --dry-run


Sorry i guess i should say I’m running Apache and NGINX, i set it up following this guide.

Everything is working except for auto renewing the cert. i can get to all of my pages externally and authenticate.

Ironically that command you just gave me worked… that doesn’t make sense to me but i guess ill be updating the command in my cron job instead of what was provided in that guide.


Using the nginx authenticator can be more successful on webroot since there are less opportunities for things like a wrong webroot or redirects to cause issues with the process. As for why we use nginx’s authenticator rather than Apache - we use whatever server is at the “front” of the proxy stack.

I’m glad it worked for you, but there’s no need to modify your cronjob.

Just modify /etc/letsencrypt/renewal/koval.privatedns.org.conf so that the authenticator is set in this way:

authenticator = nginx


Thank you! i really appreciate the help, I’ve been trying to fix it myself for about a week now.

i will give that a try and check up on it again when renewal is need.


Actually, i responded to quickly, just went to my conf file and the authenticator is already set to nginx.


If you renewed using my command without --dry-run, it would have updated that setting automatically. You should be all set.


Indeed I did, well then hopefully I am all set, thank you again.