Certbot renew always fails

Hi there,

I’m runing let’s encrypt on a Debian 9 Apache2 webserver.
I have multiple virtualhosts with diffrent domains on this server.

so some of my certs are due to renewal but whenever i run “certbot renew” i always get errors like this:


Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.tdl
http-01 challenge for www.domain.tdl
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/domain.tdl.conf produced an unexpected error: Failed authorization procedure. www.domain.tdl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.tdl/.well-known/acme-challenge/LNI2jSG8Vgh051uY9AoUBD8AGaUkm6IWgmKtlg5E788: "

404 Not Found

Not Found

<p", domain.tdl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.tdl/.well-known/acme-challenge/FiyuPUq3hank_dJcz-DUZEuaGUCks72V-_xQ-yiSlrM: " 404 Not Found

Not Found

or the output after the cerbot renew run

Domain: domain.tld
Type: unauthorized
Detail: Invalid response from

404 Not Found

Not Found


To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I tried a lot of things found in this forum but nothing really helps.
I can navigate to /.well-known in my browser and if I create /acme-challange/test i can open this too in my brwoser.

here is my .htaccess where I exclude /.well-know to not get redirected to https

AddDefaultCharset UTF-8
Options -Indexes
RewriteEngine on
RewriteBase /
RewriteRule ^(.well-known)($|/) - [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.
)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{REQUEST_URI} ^/[^.]+[^/]$
RewriteRule ^(.)$ https://%{HTTP_HOST}/$1/ [R=301,L]
RewriteCond %{THE_REQUEST} ^.
RewriteRule ^(.*)index.php$ /$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.php [L]
php_flag magic_quotes_gpc Off

When I just run "Certbot certonly -w Webroot -d domain.tld -d www.domain.tdl -m mail@me.tld --rsa-key-size 4096"
it all works fine and the cert is renewed

does anyone know where the problem is?
The command is run as root so it should have sufficient rights to create everything it needs.

I’m trying to fix this since days and cant get it to work.
Thanks in advance

Hi @pantrtxp,

That’s interesting; it sounds like there’s some problem where the saved webroot location doesn’t match up with the one that you now provide on the command line with certbot certonly. I’m not sure why this should be the case.

Can you post the contents of all of your files from /etc/letsencrypt/renewal and also the exact command that you run with certbot certonly? Also, did you happen to create a file /etc/letsencrypt/cli.ini?

By the way, redirecting /.well-known to HTTPS is actually OK with the Let’s Encrypt validator — as long as the files are still being served out of the filesystem under the webroot. (The trouble with rewriting /.well-known mainly comes in when you have a web application in PHP or Python or whatever routed to serve the URLs, instead of serving them as static files. That’s the main case that needs an exception for /.well-known, rather than the fact of rewriting them to HTTPS.)

I found the cause of the error, thanks to your request of posting my /renewal files.

I opened one of them in my editor out of curiosity and found that the webroot in there differs from the current one.
I replaced the old path with the new one and everything works fine.

i totally forgot that we moved them a while ago(a few days after the cert was issued)

Thanks a lot!!
i guess this can be closed then.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.