Failure Creating Certificate - acme-challenge - 404 error - nginx - AWS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo ./certbot-auto certonly --webroot -w apps/simple-booking-api -d --debug-challenges

It produced this output:

Type: unauthorized
Detail: Invalid response from
[]: “\r\n404 Not
Found\r\n<body bgcolor=“white”>\r\n

Not Found


To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): AWS Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.4.0

Nginx conf:
server {
listen 80;

    location ~ /.well-known {
        allow all;
        root /usr/share/nginx/html;

    location / {
        proxy_pass http://localhost:2020;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

Additional Info from letsencrypt logs:
“identifier”: {
“type”: “dns”,
“value”: “”
“status”: “invalid”,
“expires”: “2020-05-18T11:29:29Z”,
“challenges”: [
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from []: “\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\“white\”\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e””,
“status”: 403
“url”: “”,
“token”: “hmuJX-S4lXIyPcyRujkJbxbjAlnDZ9aXl6zmXl1_Cug”,
“validationRecord”: [
“url”: “”,
“hostname”: “”,
“port”: “80”,
“addressesResolved”: [
“addressUsed”: “”
2020-05-11 11:29:35,281:DEBUG:acme.client:Storing nonce: 0002hBhojvy_B5g1HJqNPUrv00trJq1u_Oi5jTbyd4NxIUA
2020-05-11 11:29:35,282:WARNING:certbot._internal.auth_handler:Challenge failed for domain

Have tried adding a test file but /.well-known/acme-challenge/ only serves a 404.
Adding specific routing to root in

Hi @mattycrocks

if you use this

why do you think that

should work?

Your not working test file is expected. Your test file must work, then you have your correct webroot.

In case it was missed:

Doesn’t equal

Hi Juergen,

Thanks for the response. I am certainly a newbie here.

I was under the presumption that the webroot or -w flag was the path to where this particular website files reside on the server. We are hosting multiple sites in nginx via reverse proxy so I apps/simple-booking-api is the directory for this site.

If I remove the location ~ /.wellknown etc, I was getting a 404 from the node app itself as no route was defined in the app.

Should I be pointing the webroot at the location of my files, or the base nginx webroot?


The answer is simple: Where runs your Certbot? Proxy + website - same server? Why is then a /.well-known/ definition if you want to use the normal root?

Your Certbot must see the root of that website, that’s the -w parameter. Then .well-known/acme-challenge is added, there a file.

So create the two subdirectories, there a file (file name 1234), then try to load that file via

If that works, you have your correct webroot -> -w should work.

Hi Juergen,

So i managed to get it working. Not sure if it was the correct way but it is working.

mkdir -p /usr/share/nginx/html/.well-known/acme-challenge/

(using dry run)
sudo ./certbot-auto certonly --webroot -w /usr/share/nginx/html -d --dry-run

My Nginx config for that particular server :
location ~ /.well-known {
allow all;
root /usr/share/nginx/html;

This generated certificates for me.

Thanks for your help @JuergenAuer and @rg305

Your quite welcome.
But I don’t think that these two line up:

As I read that…
Location /.well-known = /usr/share/nginx/html
Would be served at:

If you want the challenge files to go into the folder you created:
mkdir -p /usr/share/nginx/html/.well-known/acme-challenge/
Then use that full path as the root for the complete path location:
--webroot -w /usr/share/nginx/html.well-known/acme-challenge

location ~ /.well-known/acme-challenge/ {
allow all;
root /usr/share/nginx/html/.well-known/acme-challenge;

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.