Certbot-Auto renew unauthorized 404


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: koval.privatedns.org

I ran this command: certbot-auto renew

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/koval.privatedns.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for koval.privatedns.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (koval.privatedns.org) from /etc/letsencrypt/renewal/koval.privatedns.org.conf produced an unexpected error: Failed authorization procedure. koval.privatedns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://koval.privatedns.org/.well-known/acme-challenge/ffQ7a4et83BCimZ8XfLAB29GWBMXE2c2z2QJrVpv4yo: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n
”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/koval.privatedns.org/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/koval.privatedns.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Apache

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23.0


#2

Your domain currently responds with the webserver nginx - are you sure that you are using Apache?

Is your dynamic DNS definitely up to date for this domain?

If it is, you might try the following:

certbot-auto renew --cert-name koval.privatedns.org -a nginx --dry-run

#3

Sorry, I guess I should say I’m running Apache and NGINX. I set it up following this guide.

Everything is working except for auto renewing the cert. I can get to all of my pages externally and authenticate.

Ironically that command you just gave me worked… that doesn’t make sense to me but I guess I’ll be updating the command in my cron job instead of what was provided in that guide.


#4

Using the nginx authenticator can be more successful on webroot since there are fewer opportunities for things like a wrong webroot or redirects to cause issues with the process. As for why we use nginx’s authenticator rather than Apache - we use whatever server is at the “front” of the proxy stack.

I’m glad it worked for you, but there’s no need to modify your cronjob.

Just modify /etc/letsencrypt/renewal/koval.privatedns.org.conf so that the authenticator is set in this way:

authenticator = nginx
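
As an added illustration (not part of the reply above and not Certbot's own code), this Python script reads a renewal file of the kind named in that reply and reports which authenticator it records; for webroot it also lists the directory the front-facing server has to serve the challenge path from. The sample file, the domain example.test and the function names are constructed for the example.

```python
import os
import tempfile

# Constructed sample renewal file; the domain and paths are placeholders.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.23.0
cert = /etc/letsencrypt/live/example.test/cert.pem
[renewalparams]
authenticator = {authenticator}
installer = None
[[webroot_map]]
example.test = {webroot}
"""

def parse_renewal_conf(text):
    """Parse the ConfigObj-style file into {section: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.strip("[]").strip()  # handles [a] and [[a]]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text):
    """Report how renewal will authenticate and what webroot relies on."""
    conf = parse_renewal_conf(text)
    auth = conf.get("renewalparams", {}).get("authenticator", "unset")
    findings = ["authenticator=" + auth]
    if auth != "webroot":
        return findings
    for domain, root in conf.get("webroot_map", {}).items():
        if not os.path.isdir(root):
            findings.append(f"{domain}: webroot {root} does not exist")
        else:
            findings.append(f"{domain}: front server must serve "
                            f"/.well-known/acme-challenge/ from {root}")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        conf = SAMPLE_CONF.format(authenticator="webroot", webroot=root)
        print("\n".join(audit(conf)))
```
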

#5

Thank you! I really appreciate the help, I’ve been trying to fix it myself for about a week now.

I will give that a try and check up on it again when renewal is needed.


#6

Actually, I responded too quickly, just went to my conf file and the authenticator is already set to nginx.


#7

If you renewed using my command without --dry-run, it would have updated that setting automatically. You should be all set.


#8

Indeed I did, well then hopefully I am all set, thank you again.

