Error creating certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
certbot --nginx
It produced this output:

root@Openhab-virtual:/var/www/mydomain# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: “\r\nDocument Error: Not Found\r\n

Access Error: 404 – Not Found



My web server is (include version):
The operating system my web server runs on is (include version):
Debian 9
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


I’m trying to renew my certificate but it fails with a 404 not found error.
I’ve created a sites-enabled config file with the location (/var/www/mydomain) and with the root (/.well-known/acme-challenge).
before it just worked fine, but now it fails without changing anything to the server.
any help would be greatly appriciated.

Hi @arjveld

there are checks of your domain -

http + /.well-known/acme-challenge/random-filename answers with the expected http status 404 - Not Found.

But that's

Server: App-webs/

not a nginx, so --nginx may not work. Is there a webroot you can use?

certbot run -a webroot -i nginx -w yourWebroot -d

Or you must use certonly, because Certbot may not be able to install the certificate.

Thanks for the fast reply.
when running:

certbot run -a webroot -i nginx -w /var/www/mydomain -d

it just outputs the same error it did before.

That's expected. I have no idea which Server Software you use. So it's not a nginx, it's something else.

Find your correct webroot. isn’t reaching an Nginx web server.

It’s the login page for some sort of device made by Hikvision, a surveillance camera company.

Do your DNS records have the correct IP address? If you’re using port forwarding, are you sure it’s configured correctly?

1 Like

I’m running a nginx but as a reverse proxy.
it passes all requests to a openhab instance.
Just removed nginx as well as certbot and reinstalled. Recreated the most default conf in /etc/nginx/sites-enabled/openhab
The site is now reachable where as you get a login asking for username an password (just changed to say requiered for openhab). if you cancel, you get a 403 forbidden with the server (nginx 1.10).
However, i still can’t create a certificate.
Thanks so far for helping

When I visit, I still get the Hikvision login page.

Ok, really strange.
Just double checked and the settings including port-forwards are all oke.
when I open it using Edge it just loads perfectly. Firefox on the other hand can’t seem to load (error connecting to site).
Just cleared the cache in firefox and now it also asks for username and password for the right site

I’m still getting the Hikvsion login page.

that can only be if you enter a portnumber behind
maybe a cache problem? all devices I use are now asking for a username and password to enter openhab

I’m connecting to port 80, like Let’s Encrypt does. There’s no caching involved.

would you be so kind to try again and see what happens?

There’s still no change.

oke, removed the hikvision port forward. Does that change anything?

and could you try this link?

I've updated my tool. Now http content is checked and shown, if it is "small enough".

So the JavaScript redirect is visible.

window.location.href = "doc/page/login.asp?_"+nowDate.getTime();

(Check 16:56, 15 minutes old).

That's the redirect to the hikvision login.

yes that’s correct.
But that was port forwarded when you enter port 1080.
I’ve removed the port forward and now my browser says it’s not reachable (which also should be correct).
Whenever i click or enter the domain name i get redirect to the right page, I’m kind of clueless now…
Did you have any luck with the ip-adress i gave you?

I didn't check it. But you can try it - "check-your-website" allows ip-addresses and non-standard ports.

I see always the same result.

I still get the Hikvision page. D:

There is a check with your domain. With the port 80 and a curious result -

http answers with the JavaScript redirect to the login page.

But https over port 80 has a timeout. Not the expected

SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

So it looks there is another instance, that filters.

Isn’t it possible to create an exception, so Certbot can write a file in /.well-known/acme-challenge?

That’s the idea of using the webroot version.