How to renew certificate - Problem: failed authorisation procedure

Hi all,
I am having a problem renewing my certificate using letsencrypt.
I am using nginx as a reverse proxy web server. I previously managed to create a certificate but after 90 days the certificate did not renew automatically.

I ran this command:
sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1):
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)
1 renew failure(s), 0 parse failure(s)

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):
Debian Jessie 8

Any help would be greatly appreciated

Hi @ahmadkhudeish,

Could you take a look in the file /etc/letsencrypt/renewal/ It should define a webroot directory. Can you see whether that is still the correct directory that files for your website’s content are being served from? If your website configuration has changed to serve files from a different directory since you obtained the certificate, that directory would need to be updated in the configuration.

Hi @schoen

Thanks for your reply, I have opened that file and it does have the webroot correctly. However, that webroot directory exists on a different server than the one where the certificate is generated from. I am using nginx as the proxy web server so I am not sure if that is a problem when renewing the certificate?

Yes, certbot --webroot (including a renewal of a certificate generated this way) needs to be able to write files into the webroot so that they appear on the site. There are ways to use proxies and/or HTTP redirection to work around this if it's not possible to run Certbot directly on the web server, but the validator ultimately needs to be able to find the challenge file when making an inbound connection to the web server.

That is, if you want to renew your certificate for, the certificate authority is going to effectively say "you need to put this specific data in a file called /.well-known/acme-challenge/PMond0zCInJLX0Zrie" (or whatever—the exact filename will be random and different each time). Then it's going to connect to, and it expects what it gets back to ultimately be or lead it to the specific data. You can achieve this by running Certbot on the web server and letting it write into the web content directory, or by proxying requests so that they get forwarded to another machine, or by manually copying this file into the right place every time you renew the certificate, or by returning a 301 redirect to an equivalent file on a different web server... but one way or another, the certificate authority needs to find the specified data in response to a request to that URL.

1 Like

Hi Schoen, thanks for your help. I have fixed it by configuring my nginx file.
I had to change the location of the webroot to point to the local web server rather than proxy it to the upstream servers.

If anyone is reading this just add this to your site nginx file :
location ~ /.well-known/acme-challenge {
root /pathToYourlLocalWebrootDirectory;
allow all;

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.