Certbot error: can't find directory .well-known of subdomains

Please fill out the fields below so we can help you better.

My domain is: miklaboratory.com

I ran this command: sudo certbot certonly --webroot --webroot-path=/var/www/html -d miklaboratory.com -d www.miklaboratory.com -d blog.miklaboratory.com -d blog.miklaboratory.com -d validate.miklaboratory.com -d validate.miklaboratory.com

It produced this output:
(I cut the first part of the output due to the 20 links limitation)

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for miklaboratory.com
http-01 challenge for www.miklaboratory.com
http-01 challenge for blog.miklaboratory.com
http-01 challenge for validate.miklaboratory.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. blog.miklaboratory.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.miklaboratory.com/.well-known/acme-challenge/-hvpfwCEOxBRbM1hiYNsowX9PnkbYeYTNIzbITUhtm8: "

404 Not Found

404 Not Found

", validate.miklaboratory.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://validate.miklaboratory.com/.well-known/acme-challenge/H0a8ytE14jOj9g99xpguJG0S0uhvx7RbrEvc3C563tM: "

404 Not Found

404 Not Found

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): (Ubuntu)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I just want to add the new subdomain blog to the certificate.

Thanks Mik

Hi @mikfaina,

Are you sure all your subdomains have the same webroot path? You should specify the exact webroot path for each of them.


  1. miklaboratory.com and www.miklaboratory.com have the same webroot path /var/www/html/miklaboratory.com/
  2. blog.miklaboratory.com has the webroot path /var/www/html/blog.miklaboratory.com/
  3. validate.miklaboratory.com has the webroot path /var/www/html/validate.miklaboratory.com/

So the command would be (I’ve removed the duplicated blog and validate subdomains):

sudo certbot certonly --webroot -w /var/www/html/miklaboratory.com/ -d miklaboratory.com -d www.miklaboratory.com -w /var/www/html/blog.miklaboratory.com -d blog.miklaboratory.com -w /var/www/html/validate.miklaboratory.com -d validate.miklaboratory.com


1 Like

It might have just been a transcription error, but in your command you list one webroot directory for disparate subdomains. Typically you would use a different web serving directory per domain.

You may just need to define separate webroot directories per domain, e.g.:

sudo certbot certonly --webroot -w /var/www/html -d miklaboratory.com -d www.miklaboratory.com -w /var/www/blog -d blog.miklaboratory.com -d www.blog.miklaboratory.com -w /var/www/validate -d validate.miklaboratory.com -d www.validate.miklaboratory.com

If that was just a transcription error and you did indeed define the right webroot directories for the right domains, it is likely that the virtual host configuration for the failing domains blocks hidden directories that begin with a period like .well-known, or that the “pretty URL” logic that forwards requests to your blog isn’t properly set up to serve static paths. If you’re not sure what is causing this you could share the nginx server block for these virtual hosts so we could take a look.
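The two replies above both come down to one thing: each `-w` applies to the `-d` flags that follow it, and the only way to know a webroot is right is to check that the domain's HTTP vhost actually serves a file dropped under `<webroot>/.well-known/acme-challenge/`. The script below, an added example that is not part of this thread or of certbot, does exactly that preflight before certbot is run: it writes a random token into each webroot, fetches it over plain HTTP the way the validation server would, and reports per domain whether the real http-01 challenge would succeed. The webroot layout is the one suggested above; the `fetch` callable is injectable so the logic can be exercised against a local fake instead of a live server.

```python
"""Preflight for certbot --webroot: is every domain's HTTP vhost really serving
files placed under <webroot>/.well-known/acme-challenge/?

Added example for this thread, not certbot's own code. The webroot layout
below is the one proposed in the replies; everything else is an assumption.
"""
import os
import secrets
import urllib.request
from typing import Callable, Dict, List, Tuple

# Proposed layout from the thread: webroot -> domains served from it.
WEBROOTS: List[Tuple[str, List[str]]] = [
    ("/var/www/html/miklaboratory.com", ["miklaboratory.com", "www.miklaboratory.com"]),
    ("/var/www/html/blog.miklaboratory.com", ["blog.miklaboratory.com"]),
    ("/var/www/html/validate.miklaboratory.com", ["validate.miklaboratory.com"]),
]

CHALLENGE_DIR = ".well-known/acme-challenge"


def build_certbot_args(webroots: List[Tuple[str, List[str]]]) -> List[str]:
    """Build the certbot argument list with each -w placed before the -d
    flags it applies to (certbot pairs a -d with the most recent -w).
    Duplicated -d entries, as in the original command, are dropped."""
    args = ["certbot", "certonly", "--webroot"]
    seen = set()
    for root, domains in webroots:
        args += ["-w", root]
        for d in domains:
            if d in seen:
                continue
            seen.add(d)
            args += ["-d", d]
    return args


def http_fetch(url: str) -> bytes:
    """Plain HTTP GET; urllib follows redirects, as the ACME validator does."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def preflight(webroots: List[Tuple[str, List[str]]],
              fetch: Callable[[str], bytes] = http_fetch) -> Dict[str, str]:
    """For each webroot, write a random token into its challenge directory,
    request it over HTTP for every domain mapped to that webroot, and record
    'ok' or the reason the real http-01 challenge would fail. The token file
    is always removed afterwards."""
    results: Dict[str, str] = {}
    for root, domains in webroots:
        token = secrets.token_urlsafe(32)
        chal_dir = os.path.join(root, CHALLENGE_DIR)
        path = os.path.join(chal_dir, token)
        try:
            os.makedirs(chal_dir, exist_ok=True)
            with open(path, "w") as fh:
                fh.write(token)
        except OSError as exc:
            for d in domains:
                results[d] = f"cannot write {path}: {exc}"
            continue
        try:
            for d in domains:
                url = f"http://{d}/{CHALLENGE_DIR}/{token}"
                try:
                    body = fetch(url)
                except Exception as exc:  # 404, refused connection, DNS failure, ...
                    results[d] = f"fetch failed: {exc}"
                    continue
                if body.strip() == token.encode():
                    results[d] = "ok"
                else:
                    # Something answered, but not from this webroot: wrong
                    # vhost matched, wrong root, or a rewrite rule in the way.
                    results[d] = "wrong content served (other vhost or webroot?)"
        finally:
            os.remove(path)
    return results


if __name__ == "__main__":
    for domain, status in preflight(WEBROOTS).items():
        print(f"{domain:40s} {status}")
    print("sudo " + " ".join(build_certbot_args(WEBROOTS)))
```

Run it as root on the web server (it needs write access to the webroots); a domain reporting `fetch failed: ... 404` is the same failure certbot printed above, while `wrong content served` means the request reached a different server block or root than the one you placed the file in, which is worth checking before assuming the webroot path itself is wrong.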

Ok, now it works. But the subdomain blog.miklaboratory.com still tells me it is not https…
I created in nginx a configuration file for this subdomain, as done previously for the validate subdomain, and that works:

# Default server configuration
server {
    listen 80;
    listen [::]:80;
    server_name blog.miklaboratory.com www.blog.miklaboratory.com;
    # Send all plain-HTTP requests to HTTPS
    return 301 https://blog.miklaboratory.com$request_uri;
}

server {
    # SSL configuration
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blog.miklaboratory.com www.blog.miklaboratory.com;

    include snippets/ssl-miklaboratory.com.conf;
    include snippets/ssl-params.conf;
    root /var/www/html/blog;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
    }

    # Let the ACME http-01 challenge files be served
    location ~ /.well-known {
        allow all;
    }
}

It works quite well here. :thinking:

www.blog.miklaboratory.com doesn’t work, but you don’t appear to have a DNS A record set for that domain.

Maybe caching? I tried from my mobile and is working.

Thank you very much :slight_smile:

1 Like

Maybe your mobile browser removes a www. automatically if a lookup fails? The DNS record for that name still doesn’t exist!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.