Failed authorization procedure for my site

I followed this tutorial to configure the SSL… it was working fine, but when I tried to renew, it says failed.

Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<!DOCTYPE html>

    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />"

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   "<!DOCTYPE html>

       <meta charset="UTF-8" />
       <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Reloading nginx
Renewal process finished for domain

I cannot understand what the problem is. Can you please help me resolve this?

That’s an exceptionally outdated tutorial, unfortunately. While it will still work (mostly), there are much more efficient ways to handle this now that Nginx is fully supported by Certbot. You can still keep this method working without issue, however. The main issue is that Let’s Encrypt is attempting to load the challenge file, which is a text file located in .well-known/acme-challenge/. However, instead of returning this text file, your server is returning an html page. Would you post your nginx configs? It seems something is preventing your server from serving files from this location.

Thanks for your kind response, here is my nginx code

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location = /favicon.ico { access_log off; log_not_found off; }
    location ^/static/ {
        root /home/webapps/blog/blog/staticfiles;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/webapps/blog/blog/blog.sock;
    }
}

So this is your issue. All requests (besides favicon) are passed to that unix socket. You'll need to add an additional location block to catch requests for /.well-known/acme-challenge and handle them differently. It should look something like (edited because @mnordhoff is right):

location /.well-known/acme-challenge {
    root /path/to/webroot;
}

Note that the root path for this block will need to be the webroot folder Certbot is looking for (often something like /usr/share/nginx/html or /var/www/html), with the .well-known/acme-challenge appended to it. That way, when Certbot places the challenge files there, the server will properly serve that file.

(Also moved this to "help".)

Just “root /path/to/webroot;”. Nginx appends the “/.well-known/acme-challenge/”.


What would be the path of my webroot, this is a django application served by gunicorn.

In this case, whatever it was when you initially issued the certificate. The application itself doesn’t really have a relevant one, which is why we need that new block. It will revert your nginx functionality back to what it was when you first issued the certificate, which seems to have been before you set up this application, but only for that specific path.

I don’t have the ability to verify the path immediately, but there should be a renewal.conf file somewhere in /etc/letsencrypt/ that will contain this information.
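
A pre-flight check for the fix discussed in this thread, added here as an example (it is not code from the thread, the tutorial or Certbot): it writes a throwaway file under the webroot's .well-known/acme-challenge/ directory, fetches it over HTTP, and reports when an HTML page comes back instead of the file. The function name, the script name preflight.py and the probe file naming are assumptions made for the example.

```python
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_challenge_path(base_url, webroot, timeout=10):
    """Drop a throwaway file in the webroot and fetch it through the web server.

    Returns (ok, reason); ok is True only when the exact file body comes back.
    """
    name = "preflight-" + secrets.token_urlsafe(16)  # hypothetical probe name
    body = secrets.token_urlsafe(32)
    probe_dir = Path(webroot) / CHALLENGE_DIR
    probe_dir.mkdir(parents=True, exist_ok=True)
    probe = probe_dir / name
    probe.write_text(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    # Ignore proxy settings so the request reaches the server itself.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, raw = resp.status, resp.read(4096)
    except urllib.error.HTTPError as exc:
        status, raw = exc.code, exc.read(4096)  # error pages carry a body too
    except OSError as exc:
        return False, f"request failed: {exc}"
    finally:
        probe.unlink()  # never leave the probe file behind
    text = raw.decode("utf-8", "replace").strip()
    if status == 200 and text == body:
        return True, "challenge path is served from the webroot"
    if text.lower().startswith(("<!doctype", "<html")):
        return False, (f"HTTP {status} with an HTML page: the request "
                       "reached the application, not the webroot")
    return False, f"HTTP {status}: body does not match the file on disk"


# Usage (run on the server): python preflight.py http://your.domain /path/to/webroot
if __name__ == "__main__" and len(sys.argv) == 3:
    ok, reason = check_challenge_path(sys.argv[1], sys.argv[2])
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Because urllib follows the port 80 redirect to HTTPS and verifies the certificate, an already expired certificate shows up here as a request failure rather than a content mismatch.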

Thanks buddy, finally the issue is solved. It will expire on 2018-02-24; how can I auto-renew this using crontab?
