Failure to renew due to incorrect challenge

The 404 error indicated in the response below is accurate. The filename at the site is
.well-known/acme-challenge/YPaEHIfnGDjqQK93Gd42kkBTxvd2VnFRP9eigAelxjE

How do I correct the certbot configuration so that I may renew the certificate?

My domain is: liferootacupunture.com

I ran this command: certbot certonly -d liferootacupuncture.com

It produced this output:
How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for liferootacupuncture.com
Input the webroot for liferootacupuncture.com: (Enter ‘c’ to cancel): /u/websites/liferoot
Unable to change owner and uid of webroot directory
Waiting for verification…
Challenge failed for domain liferootacupuncture.com
http-01 challenge for liferootacupuncture.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Apache/2.0.52

The operating system my web server runs on is (include version):
linux 2.6.32-042stab108.8 i686

My hosting provider, if applicable, is: jumpline.com

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.36.0


Hi @jimoe

Did you run the command as root? Is your webroot correct?

Create the two required subdirectories

/u/websites/liferoot/.well-known/acme-challenge

Create a file there (file name 1234), then try to load that file via

http://liferootacupuncture.com/.well-known/acme-challenge/1234

Checking your domain there is a redirect http -> https ( https://check-your-website.server-daten.de/?q=liferootacupuncture.com ):

Normally, that's not a problem. But if you use webroot: Do both vHosts (port 80 and port 443) have the same webroot? You have to use the port 443 vHost webroot.

What is the output of

apachectl -S

And you have a certificate with only one domain name, so your www version is insecure. Perhaps create a certificate with both domain names (-d www....).


SOLVED.
To have the renewal work as expected I needed to add the --manual option, like I did when I created the certificates initially.


If you use this method, automated renewals won’t work in the future—you’ll have to do this yourself by hand again and again.


I know.
Is there a way to automate renewal on one network for a website on another network?

I cannot install certbot at the ISP.
The issue I had here was that the acme challenge did not match. Is a new challenge created every time a certificate is renewed?

Yes, so trying to re-use old authorization values won't work.

The HTTP-01 challenge method follows 301 redirects, while the DNS-01 challenge method follows CNAMEs. So if you make the live server redirect all of /.well-known/acme-challenge to /.well-known/acme-challenge on the other server, it's effectively delegating the ability to request certificates with HTTP validation. Similarly, if you create a CNAME from _acme-challenge in one DNS zone to _acme-challenge in another DNS zone, it's effectively delegating the ability to request certificates with DNS verification.

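Apache configuration for the port-80 vHost, as an added example that is not from the thread or from certbot: it keeps the challenge path reachable despite the HTTP-to-HTTPS redirect mentioned earlier, and shows the redirect-based delegation just described. The certbot host name certbot-host.example.net and the www alias are assumptions.

```apache
# Added example, not the poster's configuration or certbot output.
# Port-80 vHost that keeps /.well-known/acme-challenge/ reachable for
# HTTP-01 while sending everything else to HTTPS.
# certbot-host.example.net and the www alias are assumptions.
<VirtualHost *:80>
    ServerName liferootacupuncture.com
    ServerAlias www.liferootacupuncture.com

    # Use the same DocumentRoot as the *:443 vHost, so the path given
    # to "certbot --webroot -w" serves the token no matter which
    # vHost answers the validation request.
    DocumentRoot /u/websites/liferoot

    # Make sure nothing (AllowOverride, auth rules) blocks the token files.
    <Directory /u/websites/liferoot/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Delegation variant: if certbot runs on a different machine that is
    # reachable from the Internet, hand only the challenge path to it.
    # The ACME server follows this 301, so that machine completes the
    # challenge and can obtain certificates for this name; whoever
    # controls the target host can therefore issue for it, so guard it
    # like a private key. mod_alias processes Redirects in order and the
    # first match wins, so this line must stay above the catch-all.
    # Uncomment to enable:
    #Redirect 301 /.well-known/acme-challenge/ http://certbot-host.example.net/.well-known/acme-challenge/

    # Everything else goes to HTTPS. The negative lookahead keeps the
    # challenge path out of this redirect when tokens are served locally.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://liferootacupuncture.com/$1"
</VirtualHost>
```

After reloading Apache, the check from the earlier reply (create a file named 1234 under the challenge directory and fetch it over plain http) confirms the path is not swallowed by the HTTPS redirect.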

Ah. The site where certbot is installed is not accessible from the Internet.
I suspect I am SoL for automated renewal then.


If it has outgoing Internet access, you could still automate renewal with the DNS method. Create some DNS domain or subdomain of your choice on DNS servers that you can update via an API. (A lot of people choose to use Cloudflare for this because they offer free DNS hosting for any domain, and have an API for updates.) Then, make a CNAME record for _acme-challenge in your regular DNS zone to point to this other zone. Give your Let’s Encrypt client the credentials to update it, and then you can do automated renewals without any inbound verification connections to your own infrastructure.

