Certificates won't renew with dry run


I have successfully pulled down certificates onto my server and the server is using them properly. The issue I have is when doing a dry run to renew the certificates, I am getting an error on multiple virtual sites. I get the error on all except one:

Processing /etc/letsencrypt/renewal/bustinballoons.com.conf
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bustinballoons.com
http-01 challenge for www.bustinballoons.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/bustinballoons.com.conf produced an unexpected error: Failed authorization procedure. www.bustinballoons.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.bustinballoons.com/.well-known/acme-challenge/Xo6y9trUBR4cQ_14NFIVFcLbBfmJ8h8Vv8gaQpRSTl8: "<!DOCTYPE HTML>
<title>Bustin' Balloons Designs - Award Winning Professional Balloon Twister</title>
<meta http-eq", bustinballoons.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bustinballoons.com/.well-known/acme-challenge/vEoFMPKQKxwSZl-e_pnnKIjH9ciV3XIsV0r9XlMIlzY: "<!DOCTYPE HTML>
<title>Bustin' Balloons Designs - Award Winning Professional Balloon Twister</title>
<meta http-eq". Skipping.

After doing some testing, I found it could have been an issue with me doing a 301 redirect for port 80 to 443. I disabled the redirect in the nginx config for all the sites experiencing the issue, then the dry run renewal completed without an issue. I then re-added the redirection from port 80 to 443 and ran the dry run renewal again. It completed without an issue again. I am not sure why this is happening. Any ideas? I just hope the certificates renew automatically like they should.

I see it is trying to reach out to http:// vs https:// and the response is the HTML code from the site. Could this be the issue? The redirect is removing the .well-known path? But if that is the case, why is it working now with the redirect back in?


Hi @webmastadj,

Maybe there was something else you previously fixed in the configuration that hadn’t taken effect because you hadn’t reloaded the web server configuration?

Or maybe there was a typo in the redirect (e.g., a missing slash or something) that you fixed when you re-added it?

As I think you’ve understood correctly, a redirect to HTTPS is fine for this situation (even, in this case, with an expired or invalid cert), as long as the content of the /.well-known/acme-challenge files can still be found at the location that the redirect points to.
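An nginx layout that keeps the 301 to HTTPS while leaving the http-01 path reachable on both ports; this is an added example, not a config from the thread, and the webroot /var/www/letsencrypt (used with certbot's --webroot) and the /etc/letsencrypt/live/ certificate paths are assumptions.

```nginx
# Added example (not from the thread). Assumes certbot writes challenge
# tokens under /var/www/letsencrypt (hypothetical path) via --webroot -w.

server {
    listen 80;
    server_name bustinballoons.com www.bustinballoons.com;

    # Serve challenge tokens directly over plain HTTP. "^~" prevents any
    # regex location (rewrite rules, PHP handlers) from capturing the
    # request, which is one way the site's index page ends up in the
    # response instead of the token.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. $request_uri keeps the original path;
    # redirecting to a bare "https://$host" would drop the token path.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name bustinballoons.com www.bustinballoons.com;
    ssl_certificate     /etc/letsencrypt/live/bustinballoons.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bustinballoons.com/privkey.pem;

    # Same webroot on HTTPS, so a validation request that does follow the
    # redirect still finds the token at the redirect target.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        root /var/www/bustinballoons;   # site content (assumed path)
        index index.html;
    }
}
```

After reloading nginx, drop a test file into the webroot's .well-known/acme-challenge/ directory and fetch it over http:// with redirects followed; the response should be the file's contents, not the site's HTML.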


There was nothing else that changed as I restarted nginx after each change and tested.

I was thinking the same thing on the redirect as I noticed for the one that was working (hosted on the same server) the redirect was “https://domain.com/” vs “https://domain.com” but even with me changing that for the affected site, still no good.

I could try to replicate the issue again with a test sub domain and see what happens.

