Certbot renew --dry-run fails with 502

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: schemefusion.com

I ran this command: certbot renew --dry-run

It produced this output:

Domain: schemefusion.com
Type:   unauthorized
Detail: xxxx:xxxx::xxxx:xxxx:xxxx:xxxx: Invalid response from http://schemefusion.com/.well-known/acme-challenge/8VCz1h6N_MkHqlMhBfUWk2SiRwzLqr6zMInMM1Oi-lA: 502

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): fedora 38

My hosting provider, if applicable, is: linode/akamai

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

1 Like

Welcome @onyeibo

You should check any firewall or network routing gear. It looks like something is rejecting ACME Challenge requests with an HTTP 502 error. We see something similar with people using Palo Alto brand firewalls with certain settings. This does not look exactly like what we see with Palo Alto but it is similar.

# A reasonable 301 response
curl -I4 http://schemefusion.com/.well-known/acme-challeng
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0
Location: https://schemefusion.com/.well-known/acme-challeng

# But a 502 when using the full challenge path
curl -I4 http://schemefusion.com/.well-known/acme-challenge
HTTP/1.1 502 Bad Gateway
Server: nginx/1.24.0

# An actual challenge will also include a challenge token 
# Test404 is not valid but should get a 404 Not Found response not 502
curl -I4 http://schemefusion.com/.well-known/acme-challenge/Test404
HTTP/1.1 502 Bad Gateway
Server: nginx/1.24.0

Update: Above used your IPv4 address. I got the same results with your IPv6 address


Another option that you may have a backend system to answer the ACME challenges. If this is the case then the backend seems to be unreachable. You may want to check your nginx configuration where are the challenges reverse-proxied?

upstream certbot {

server {
    listen  [::]:80;
    listen  80;
    server_name _;
    root    /var/www/letsencrypt;

    location /.well-known/acme-challenge/ {
        proxy_pass http://certbot/.well-known/acme-challenge/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        return 301 https://$host$request_uri;

I probably did something wrong above. Otherwise, I have tried renewing with the following script:

export DOMAINS="-d site.com -d www.site.com -d aaa.site.com -d bbb.site.com -d ccc.site.com -d xxx.site.com -d yyy.site.com -d zzz.site.com"
export CERTDIR=/var/www/letsencrypt
letsencrypt certonly --server https://acme-v02.api.letsencrypt.org/directory -a webroot --webroot-path=$CERTDIR --agree-tos $DOMAINS
service nginx reload

The script worked in the past (for creating the certs but not for renewals).

What is there?
Is it still working?


Nothing really

I am trying to set up a temporary proxy server to respond to the challenge. This worked in the past. The server should accept certs at /var/www/letsencrypt as in the script above

No. ping gives me "Name or service not known"

That is a service supposed to run locally on the host itself. What does the command:

ss -pan | grep 8000




So the service is not running. You have to know or figure out what process supposed to start this service.


http://certbot without a path will probably be enough.

If you search the forum there's probably a config that does what you're trying to do.

1 Like


Try adding to your certbot request:
--standalone --http-01-port 8000


Thanks a lot!

That worked!. Certificates for all domains are now renewed.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.