Certbot don't create acme challenge files


My domain is: onyva.app

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.onyva.app.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.onyva.app
http-01 challenge for onyva.app
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.onyva.app.conf produced an unexpected error: Failed authorization procedure. www.onyva.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.onyva.app/.well-known/acme-challenge/yHuJCfSog2xLINgC3S3uxxHfLXkFz1_MQupjtQf_x10: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

”, onyva.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://onyva.app/.well-known/acme-challenge/jK1hOQXZnVC90hcERBbaYvLWcyl1MK5ojllhZaM4YuQ: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

”. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/darkredman.fr/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.onyva.app/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)


My web server is (include version): nginx 1.6.2

The operating system my web server runs on is (include version): Debian Jessie

My hosting provider, if applicable, is: kimsufi (OVH -> dedicated server solution)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I already checked similar posts, tried the proposed solutions that didn’t work either for example the argument “–debug-challenges” is not recognized and my certbot version is 0.10.2 I also tried the /opt/certbot-auto that has version 0.28.0 and it doesn’t recognize the argument either.

I don’t know how certbot work under the hood but I expect it to ask to https://acme-staging.api.letsencrypt.org to receive two acme challenges then to write to the correct files in .well-known/acme-challenge but for the reason I ignore even if certbot is started with sudo it doesn’t make the files before the challenge test so obviously it could only fail, I wonder if this is a bug of certbot or something related to online communication.

Thanks in advance for your help.


Please show the contents of the files in the /etc/letsencrypt/renewal/ folder.
And also the vhost config that covers the name: www.onyva.app


The option --debug-challanges was added to version 0.13. Note the double dash at the beginninh, a normal dash to be exact. Not the single “m-dash” you’re using here.


Additionally, what do the web server’s access and error logs show?


I already saw that reply on a similar post but it seems that this forum convert it to – even if if I typed – in first place using the character under the 6 on azerty keyboard, I even compared the two using string comparison in python and they match so it has been converted by this website.

I retried checking again I use the right character but it’s still considered as unrecognized.


I’ve too much content from different websites I host, is there a specific filter I could use with grep for requests from let’s encrypt api website ?


Check for the directory /.well-known/acme-challenge/.


At the moment it doesn’t exist anymore, only /.well-known/ remained after the certbot fail, it seems that after the challenge check it removes the acme-challenge folder.