Error " 'utf-8' codec can't decode byte 0xe2 in position 120: invalid continuation byte."



i have a problem with the certbot.

certbot --version: certbot 0.23.0
Os: Ubuntu 18:04 LTS

when i run certbot renew --dry-run i recive the error message from the Topic.

i do not find any special character:
grep -r -P '[^\x00-\x7f]' /etc/letsencrypt /etc/nginx
show nothing.

in the debug log file i get this:
2019-01-21 14:31:24,497:DEBUG:certbot.main:certbot version: 0.23.0
2019-01-21 14:31:24,500:DEBUG:certbot.main:Arguments: [’–dry-run’]
2019-01-21 14:31:24,501:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-21 14:31:24,523:DEBUG:certbot.log:Root logging level set at 20
2019-01-21 14:31:24,525:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-21 14:31:24,583:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f93a88b5080> and installer <certbot.cli._Default object at 0x7f93a88b5080>
2019-01-21 14:31:24,583:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-01-21 14:31:24,583:DEBUG:certbot.cli:Var server={‘staging’, ‘dry_run’} (set by user).
2019-01-21 14:31:24,584:DEBUG:certbot.cli:Var account={‘server’} (set by user).
2019-01-21 14:31:24,599:INFO:certbot.renewal:Cert not due for renewal, but simulating renewal for dry run
2019-01-21 14:31:24,601:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2019-01-21 14:31:24,854:WARNING:certbot.renewal:Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: ‘utf-8’ codec can’t decode byte 0xe2 in position 120: invalid continuation byte. Skipping.
2019-01-21 14:31:24,858:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/”, line 422, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python3/dist-packages/certbot/”, line 1095, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, “certonly”)
File “/usr/lib/python3/dist-packages/certbot/plugins/”, line 192, in choose_configurator_plugins
installer = pick_installer(config, req_inst, plugins)
File “/usr/lib/python3/dist-packages/certbot/plugins/”, line 32, in pick_installer
config, default, plugins, question, (interfaces.IInstaller,))
File “/usr/lib/python3/dist-packages/certbot/plugins/”, line 77, in pick_plugin
File “/usr/lib/python3/dist-packages/certbot/plugins/”, line 245, in prepare
return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
File “/usr/lib/python3/dist-packages/certbot/plugins/”, line 245, in
return [plugin_ep.prepare() for plugin_ep in six.itervalues(self._plugins)]
File “/usr/lib/python3/dist-packages/certbot/plugins/”, line 126, in prepare
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 141, in prepare
self.parser = parser.NginxParser(self.conf(‘server-root’))
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 38, in init
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 45, in load
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 66, in _parse_recursively
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 56, in _parse_recursively
trees = self._parse_files(filepath)
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 206, in _parse_files
parsed = nginxparser.load(_file)
File “/usr/lib/python3/dist-packages/certbot_nginx/”, line 123, in load
return loads(
File “/usr/lib/python3.6/”, line 321, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: ‘utf-8’ codec can’t decode byte 0xe2 in position 120: invalid continuation byte

2019-01-21 14:31:24,859:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-01-21 14:31:24,859:ERROR:certbot.renewal: /etc/letsencrypt/live/ (failure)
2019-01-21 14:31:24,860:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.23.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/”, line 1179, in renew
File “/usr/lib/python3/dist-packages/certbot/”, line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

what can i do?


Hi @TimoB

first update your Certbot.

looks too old.


You could also try using --webroot option.

Or you could try showing this file:


Does your nginx configuration reference/include any files from outside the /etc/nginx directory?


This problem can also be triggered by filenames, not just file contents. You can check for that with:

 find /etc/letsencrypt /etc/nginx | grep -P '[^\x00-\x7f]'



i have tried this :
but " apt-get install python-certbot-nginx" says the it is on the newest version “(0.28.0-1+ubuntu18.04.1+certbot+3)”

~# whereis certbot
certbot: /usr/bin/certbot /usr/share/man/man1/certbot.1.gz

but still say this:

certbot --version

certbot 0.23.0

makes no difference

here it is, but if i remove the config file and the link from the nginx dir, i get the same error.

upstream php-handler {
# Depending on your used PHP version
#server unix:/var/run/php5-fpm.sock;
#server unix:/var/run/php7-fpm.sock;
server unix:/var/run/php/php7.2-fpm.sock;

server {
listen 80;

# For Lets Encrypt, this needs to be served via HTTP
location /.well-known/acme-challenge/ {
    root /var/www/owncloud; # Specify here where the challenge file is placed

# enforce https
location / {
    return 301 https://$server_name$request_uri;
error_log /var/log/nginx/owncloud-error.log;
access_log /var/log/nginx/owncloud-access.log;


server {
#listen 443 ssl http2;
listen 443 ssl;

#ssl_certificate /etc/nginx/certs/cert.pem;
#ssl_certificate_key /etc/nginx/certs/privkey.pem;
#ssl_certificate          /etc/letsencrypt/live/;
ssl_certificate          /etc/letsencrypt/live/;
ssl_certificate_key    /etc/letsencrypt/live/;

# Example SSL/TLS configuration. Please read into the manual of
# nginx before applying these.
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_dhparam /etc/nginx/dh4096.pem;
ssl_prefer_server_ciphers on;
keepalive_timeout    70;
ssl_stapling on;
ssl_stapling_verify on;

# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

# Path to the root of your installation
root /var/www/owncloud/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

location = /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
location = /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 8 4K;                     # Please see note 1
fastcgi_ignore_headers X-Accel-Buffering; # Please see note 2

# Disable gzip to avoid the removal of the ETag header
# Enabling gzip would also make your server vulnerable to BREACH
# if no additional measures are done. See
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
    rewrite ^ /index.php$uri;

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    return 404;
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    return 404;

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_param front_controller_active true;
    fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off; #Available since NGINX 1.7.11

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri $uri/ =404;
    index index.php;

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "max-age=15778463";
    # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;

location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
    add_header Cache-Control "public, max-age=7200";
    try_files $uri /index.php$uri$is_args$args;
    # Optional: Don't log access to other assets
    access_log off;

error_log /var/log/nginx/owncloud-ssl-error.log;
access_log /var/log/nginx/owncloud-ssl-access.log;

no result.


ok with
apt full-upgrade

i was able to update the certbot, it is now

but still the same error.


Please show the full command line used with --webroot

Are there any “special” characters in your real domain name?

Please show this file:


webroot may not work if there is such a definition. Remove / comment that part, so that /.well-known/acme-challenge is a regular path in your standard-webroot.


webroot would work with that config snippet if you use “-w /var/www/owncloud”, unless something else interferes.


I commented out that part

and the I have tried
certbot renew --dry-run --webroot
certbot renew --dry-run --webroot -w /var/www/owncloud

both still the same error.

no special charaters


If you comment out this block, then this command

must be wrong.

If you remove this block, you have to use your real webroot.


To be clear:
The webroot must match the document root.


I do not know what you mean.

the ngnix is reverse Proxy for 4 subdomain and webserver for ownloud.
so the only “webroot” is /var/www/owncloud as far that i have undersand this.


What I mean is when you use --webroot, you must also specify the actual root with -w
That “directory” provided with -w must match the directory used in the line root /xxx/yyy/zzz in your port 80 vhost config file (or port 443 vhost config file if the port 80 merely forwards to 443).

That said, I’m now confused by this additional bit of information:

Is the owncloud service running on another server?
Are there more than one server involved in this?
If so, which server does what?



sorry for the late reply, had some other trouble.

the nginx has 5 “sites-enabled” 4 as reverse Proxy for subdomain with dieffrent applications and 1 with the owncloud config.The owncloud server is on the same server.

i have posted the nginx config file for owncloud earlier (

if understand this correct, it makes no difference whether ich let those lines in the config or use the -w option .

evertime i get the same error.


Using this as the root:

Please try:
certbot renew --dry-run --preferred-challenges http --webroot -w /var/www/owncloud



I think we need to increase the logging and check in that file:

mv /var/log/letsencrypt/letsencrypt.log /var/log/letsencrypt/letsencrypt.log.2019.01.29

certbot renew --dry-run --preferred-challenges http --webroot -w /var/www/owncloud -vvv

Then upload /var/log/letsencrypt/letsencrypt.log