Certbot: Invalid Response in acme-challenge because no such file

Hi,

I'm trying to get new certificates. Unfortunately two of my subdomains get no authorization because of an invalid response from my server:

Domain: cloud.flaemig42.de
Type: unauthorized
Detail: Invalid response from
http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU:
"

<head data-requesttoken="URQVrqnfznAo+3ma0N7Ng9"

I checked my server logs and found this:

2017/04/11 12:32:06 [error] 22337#22337: *906 open() "/home/www/cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU" failed (2: No such file or directory), client: 66.133.109.36, request: "GET /.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU HTTP/1.1", host: "cloud.flaemig42.de", referrer: "http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU"

Looks like there is no file the acme-challenge is looking for.

The whole output of Certbot is this:

http-01 challenge for flaemig42.de
http-01 challenge for nextcloud.flaemig42.de
http-01 challenge for www.flaemig42.de
http-01 challenge for ajenti.flaemig42.de
http-01 challenge for bircloud.flaemig42.de
http-01 challenge for config.flaemig42.de
http-01 challenge for cloud.flaemig42.de
http-01 challenge for dyndns.flaemig42.de
http-01 challenge for mail.flaemig42.de
http-01 challenge for owncloud.flaemig42.de
Using the webroot path /home/www/flaemig42.de for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cloud.flaemig42.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU: "

<head data-requesttoken="URQVrqnfznAo+3ma0N7Ng9", nextcloud.flaemig42.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.flaemig42.de/.well-known/acme-challenge/2HiNT4EbT4NoQOuLJeUw0wUdbjpAvxbsqidpVjAOvNE: " <head data-requesttoken="wCmwVGEs2baCnqoe66vVT+"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: cloud.flaemig42.de
Type: unauthorized
Detail: Invalid response from
http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU:
"

<head data-requesttoken="URQVrqnfznAo+3ma0N7Ng9"

Domain: nextcloud.flaemig42.de
Type: unauthorized
Detail: Invalid response from
http://nextcloud.flaemig42.de/.well-known/acme-challenge/2HiNT4EbT4NoQOuLJeUw0wUdbjpAvxbsqidpVjAOvNE:
"

<head data-requesttoken="wCmwVGEs2baCnqoe66vVT+"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

nextcloud, cloud, bircloud and owncloud are pointing to the same root path; bircloud and owncloud aren't generating an error, but cloud and nextcloud are.

Command I used:

sudo certbot certonly --webroot -w /home/www/flaemig42.de -d flaemig42.de -d nextcloud.flaemig42.de -d www.flaemig42.de -d ajenti.flaemig42.de -d bircloud.flaemig42.de -d config.flaemig42.de -d cloud.flaemig42.de -d dyndns.flaemig42.de -d mail.flaemig42.de -d owncloud.flaemig42.de

Does anybody have an idea why acme-challenge isn't working for these two subdomains?

BR

Christian

See the difference? Those webroots are not the same, so certbot places the challenge file in the wrong directory, a directory where your webserver isn't getting the files from.

Of course they are not the same.
www.flaemig42.de and flaemig42.de use /home/www/flaemig42.de
cloud.flaemig42.de, nextcloud.flaemig42.de, owncloud.flaemig42.de and bircloud.flaemig42.de use /home/www/cloud.flaemig42.de as root.

Why does this work for owncloud and bircloud, but not for cloud and nextcloud?

I don't know, perhaps the webroot_map variable in the renewal configuration is set to the correct webroot for those other subdomains, but not for cloud/nextcloud. I'm not sure if certbot actually mentions the used webroot-path in the output or only mentions the "common" webroot-path and withholds the information about the other specific webroot-paths.

Some testing of my own confirms certbot not mentioning the actual webroot-path used. Only the path for "unmatched" domains. Not very helpful for debugging, why mention the "unmatched" webroot-path without mentioning specific webroot-paths? That's very confusing...

@jekami There's probably something wrong with the webroot paths you're using. But as you didn't entirely fill in the questionnaire when you opened this thread and didn't post the actual command used, I don't know how to help you further.

sorry, added the command

You only specified -w (the webroot-path) once. Every -d after it uses that webroot-path. But you clearly say those two domains have a different webroot-path. But you’re not specifying it. I’m sure you can connect the dots now :wink:


Damned.

I connected the dots.

sudo certbot certonly --webroot -w /home/www/flaemig42.de -d flaemig42.de -d www.flaemig42.de -d ajenti.flaemig42.de -d config.flaemig42.de -d mail.flaemig42.de -w /home/www/cloud.flaemig42.de -d bircloud.flaemig42.de -d cloud.flaemig42.de -d owncloud.flaemig42.de -d nextcloud.flaemig42.de

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for flaemig42.de
http-01 challenge for www.flaemig42.de
http-01 challenge for ajenti.flaemig42.de
http-01 challenge for config.flaemig42.de
http-01 challenge for mail.flaemig42.de
http-01 challenge for bircloud.flaemig42.de
http-01 challenge for cloud.flaemig42.de
http-01 challenge for owncloud.flaemig42.de
http-01 challenge for nextcloud.flaemig42.de
Using the webroot path /home/www/cloud.flaemig42.de for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/flaemig42.de-0001/fullchain.pem. Your cert
    will expire on 2017-07-10. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run "certbot
    renew"
  • If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

It seems it worked.

Thanks a lot!

Nevertheless, I don't understand why it isn't working with the webroot "/home/www/flaemig42.de". Why does certbot care about the location of .well-known, as long as it is on my server?

certbot just puts the challenge token in the specified directory. It doesn't serve the files to the internet: that's your webserver's job (Apache/nginx/NodeJS/whatever).

And because you've set up your webserver to use those specified webroot paths. Your webserver only knows where to serve files from its configuration. If you've configured certain virtualhosts to serve files from a different location, then you should also tell certbot to put the challenge tokens in that different location.

It's actually quite simple: the webserver's DocumentRoot (Apache) or root (nginx) directive needs to correspond to the webroot-path you've told certbot.
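The two points made in this thread, that every -d takes the most recent -w before it, and that the webroot given to certbot must equal the root directive of the vhost that actually serves the domain, can be checked before running certbot. The script below is an added example and is not code from certbot or from this thread. It takes both commands posted above, reconstructs the domain-to-webroot map certbot would build from them (the fallback for domains listed before the first -w is my assumption about certbot's "unmatched domains" handling), and compares that map against the root directives in a constructed nginx config that follows the mapping the poster describes. The nginx parser only handles flat server blocks, nothing nested.

```python
import re
import shlex

# Both commands are the ones posted in the thread: the first (single -w)
# and the corrected one (a second -w before the cloud.* domains).
ORIGINAL_CMD = ("sudo certbot certonly --webroot -w /home/www/flaemig42.de "
                "-d flaemig42.de -d nextcloud.flaemig42.de -d www.flaemig42.de "
                "-d ajenti.flaemig42.de -d bircloud.flaemig42.de -d config.flaemig42.de "
                "-d cloud.flaemig42.de -d dyndns.flaemig42.de -d mail.flaemig42.de "
                "-d owncloud.flaemig42.de")
FIXED_CMD = ("sudo certbot certonly --webroot -w /home/www/flaemig42.de "
             "-d flaemig42.de -d www.flaemig42.de -d ajenti.flaemig42.de "
             "-d config.flaemig42.de -d mail.flaemig42.de "
             "-w /home/www/cloud.flaemig42.de -d bircloud.flaemig42.de "
             "-d cloud.flaemig42.de -d owncloud.flaemig42.de -d nextcloud.flaemig42.de")

# Constructed nginx config (an assumption, not the poster's real file): the
# root directives follow the mapping the poster describes in the thread.
NGINX_CONF = """
server {
    listen 80;
    server_name flaemig42.de www.flaemig42.de;
    root /home/www/flaemig42.de;
}
server {
    listen 80;
    server_name cloud.flaemig42.de nextcloud.flaemig42.de
                owncloud.flaemig42.de bircloud.flaemig42.de;
    root /home/www/cloud.flaemig42.de;
}
"""


def certbot_webroot_map(command):
    """Map each -d domain to the webroot certbot would write its token to.

    Rule: every -d takes the most recent -w before it. Domains listed before
    the first -w fall back to the first -w that appears (assumed to match
    certbot's "unmatched domains" behaviour).
    """
    argv = shlex.split(command)
    current = None
    pending = []        # domains seen before any -w
    mapping = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-w", "--webroot-path"):
            current = argv[i + 1]
            for domain in pending:
                mapping.setdefault(domain, current)
            pending = []
            i += 2
        elif arg in ("-d", "--domain", "--domains"):
            for domain in argv[i + 1].split(","):   # -d accepts comma lists
                if current is None:
                    pending.append(domain)
                else:
                    mapping[domain] = current
            i += 2
        else:
            i += 1
    if pending:
        raise ValueError("no -w given for: " + ", ".join(pending))
    return mapping


def nginx_roots(conf):
    """Return {server_name: root} from flat server blocks (no nested blocks)."""
    roots = {}
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        names = re.search(r"server_name\s+([^;]+);", body)
        root = re.search(r"(?<![\w-])root\s+([^;]+);", body)
        if names and root:
            for name in names.group(1).split():
                roots[name] = root.group(1).strip()
    return roots


def check_webroots(command, conf):
    """List (domain, certbot_webroot, nginx_root) for every domain whose
    certbot webroot differs from the vhost root, or that no vhost serves."""
    roots = nginx_roots(conf)
    problems = []
    for domain, webroot in certbot_webroot_map(command).items():
        served_from = roots.get(domain)
        if served_from != webroot:
            problems.append((domain, webroot, served_from))
    return problems


if __name__ == "__main__":
    for label, cmd in (("original", ORIGINAL_CMD), ("fixed", FIXED_CMD)):
        print("== %s command ==" % label)
        for domain, webroot, served in check_webroots(cmd, NGINX_CONF):
            print("  %s: certbot writes to %s, nginx serves from %s"
                  % (domain, webroot, served or "(no vhost found)"))
```

Run against the original command, the check flags cloud, nextcloud, owncloud and bircloud as written to /home/www/flaemig42.de but served from /home/www/cloud.flaemig42.de, which is exactly the "No such file or directory" in the nginx error log above. With the corrected command, the only remaining entries are domains the constructed config has no vhost for; on a real server those would be worth a look too, since a request for a name no vhost matches lands in nginx's default server.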
