Certbot - Troubleshooting HTTP-01 Challenge Related Issues

Hi Guys,

Using Nginx on Ubuntu 16.04

Long time ago, i setup everything and it worked perfectly :slight_smile: now i received an email, that my certificate will expire, so i checked whats not good with my certbot.

when i want to renew: “/opt/certbot/certbot-auto renew”

it says:

"All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)

So i added a file in “.well-known/acme-challenge”. if i wanna access it by browser, it says error 403 Forbidden

html root directory permissions: 755

these are my nginx settings:

"server {
listen 80;
server_name Domain IP;
rewrite ^ https://$server_name$request_uri? permanent;

server {
listen 443 ssl http2;
server_name Domain IP;

include snippets/ssl-domain.conf;
include snippets/ssl-params.conf;

root /var/www/html;
index index.html index.php;

location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;

Let’s Encrypt Webroot plugin location – allow access

location ^~ /.well-known/acme-challenge/ {
auth_basic off;
autoindex on;
Probably LE cant authenticate due to some permissions issues. but i don’t know further ):

Has anyone any advice on this?

Thank you guys :slight_smile:

Hi @kaplannn

would have been good for you to share the domain.

Usually with HTTP challenges we ask you to put a test.html and a test file (no extensions) in to the .well-known/acme-challenge/ folder

You then browse to these with a browser. If you are not able to get either check your rules, I know you a directive in your web browser but it’s also good to check HTACCESS files as well (in case there is something blocking it there)


Try turning this off:
"rewrite ^ https://$server_name$request_uri? permanent;"
then turn it back on

1 Like

Hi Andrei,

Thanks for your reply :slight_smile:

i put a testfile in the location but i am not able to access it. What do you mean with rules?
htaccess file seems to be good.

P.S: my domain is streammachine.ch



I tried it but ended up with the same error:

"Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for streammachine.ch
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/streammachine.ch.conf produced an unexpected error: Failed authorization procedure. streammachine.ch (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://streammachine.ch/.well-known/acme-challenge/5TFm0uJ0CC11MV1x_R9ci0x4ezXfrascz28g4Vy9d84: "

404 Not Found

Not Found

<p". Skipping. "

put a simple test text file in that folder - like: /var/www/html/.well-known/acme-challenge/test.txt
Then check web logs for (failed) access.

1 Like

i did that. i am able to access the file via browser. there are no errors in the access log

Hi @kaplannn,

I'm a little confused because you said at one point

and then at another point

Is this referring to the same test file, or to two different files?

1 Like


This is another Testfile. i fucked up with the first one ):

so yeah i am able to access the file

OK, what does certbot think the webroot is? Is it correct?

You can find it in the appropriate renewal configuration file in /etc/letsencrypt/renewal.

1 Like

it’s like this: webroot_path = /var/www/html,

so thats correct

Can you post your log from /var/log/letsencrypt showing what it was trying to do when the renewal failed?

1 Like

Domain: streammachine.ch
Type: unauthorized
Detail: Invalid response from http://streammachine.ch/.well-known/acme-challenge/EAvSMG0QxRrneDytxIfY1CetktSoIjROwQ3PJ5IsKgo: "

404 Not Found

Not Found


To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-06-05 18:16:02,805:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-05 18:16:02,805:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/EAvSMG0QxRrneDytxIfY1CetktSoIjROwQ3PJ5IsKgo
2017-06-05 18:16:02,806:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
2017-06-05 18:16:02,806:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/var/www/html/.well-known/acme-challenge’
2017-06-05 18:16:02,807:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/streammachine.ch.conf produced an unexpected error: Failed authorization procedure. streammachine.ch (http-01): urn:acme:error:unau$

404 Not Found

Not Found

<p". Skipping. 2017-06-05 18:16:02,983:DEBUG:certbot.renewal:Traceback was: Traceback (most recent call last): File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 418, in handle_renewal_request main.renew_cert(lineage_config, plugins, renewal_candidate) File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 640, in renew_cert _get_and_save_cert(le_client, config, lineage=lineage) File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert

Can you recreate http://streammachine.ch/.well-known/acme-challenge/test.txt by creating a single file at /var/www/html/.well-known/acme-challenge/test.txt?

1 Like

yep, i did it. i can access it.

well its gone:
wget http://streammachine.ch/.well-known/acme-challenge/test.txt
–2017-06-06 02:36:46-- http://streammachine.ch/.well-known/acme-challenge/test.txt
Resolving streammachine.ch (streammachine.ch)…, 2a00:d70:0:a::166
Connecting to streammachine.ch (streammachine.ch)||:80… connected.
HTTP request sent, awaiting response… 404 Not Found
2017-06-06 02:36:47 ERROR 404: Not Found.

1 Like

this is strange. it is accessible via Browser.

not accessible from the Internet…
resolve that and your on your way

That is, at least not accessible from an IPv4 address.
the resolve shows IPv4 & IPv6;
“Resolving streammachine.ch (streammachine.ch)…, 2a00:d70:0:a::166”

care to share the http portion of the conf file?

1 Like

ok. But its resolving correct.which conf file do you mean?

my nginx settings are shown in my first post.