Good day.
I have a certificate (example.com) which expired a couple days ago. I’m trying to renew it with ./letsencrypt/certbot-auto renew
but I’m getting errors regarding not getting access to my /.well-known
directory, which is present and should be accessible.
This is the complete output when I use the command:
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. example.comu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.com
Type: unauthorized
Detail: Invalid response from
http://example.com/.well-known/acme-challenge/06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I’ve checked and it really passes through my DNS properly, then it goes through a Squid reverse proxy which ends in a 404 error:
z1511792411.640 4 13.58.30.69 TCP_MISS/404 367 GET http://example.com/.well-known/acme-challenge/06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ - HIER_DIRECT/192.168.20.11 text/html
Also I have /.well-known properly declared in the website’s .conf:
location ^~ /.well-known/ {
allow all;
default_type "text/plain";
}
What could be happening there?
My webserver is Nginx 1.10.3, and my OS is Ubuntu 16.04.3 LTS.
Thanks in advance.
Warm regards.
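
Reading the Squid line quoted in the post, as an added example (not part of the original post and not code from certbot or Squid): it parses Squid's native access.log format and reports whether the response came from an upstream server or from Squid itself. The names `classify` and `Verdict` are hypothetical, and the second log line is constructed for contrast.

```python
import re
from typing import NamedTuple
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client result/status bytes method URL user hierarchy/peer type
# ^\D* tolerates a stray leading character, as in the line quoted in the post.
LINE = re.compile(
    r"^\D*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[^/\s]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)
ACME_PREFIX = "/.well-known/acme-challenge/"


class Verdict(NamedTuple):
    is_acme: bool     # request path is an http-01 challenge URL
    status: int       # HTTP status sent to the client
    answered_by: str  # "upstream" or "squid"
    peer: str         # upstream address, or "-" when Squid answered


def classify(line: str) -> Verdict:
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError("not a Squid native-format access.log line")
    # HIER_NONE (peer "-") means no upstream was contacted: a cache hit
    # or a response generated by Squid. Anything else names the upstream.
    squid_only = m["hier"] == "HIER_NONE" or m["peer"] == "-"
    return Verdict(
        is_acme=urlsplit(m["url"]).path.startswith(ACME_PREFIX),
        status=int(m["status"]),
        answered_by="squid" if squid_only else "upstream",
        peer=m["peer"],
    )


# Line as quoted in the post.
POSTED = ("z1511792411.640 4 13.58.30.69 TCP_MISS/404 367 GET "
          "http://example.com/.well-known/acme-challenge/"
          "06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ - "
          "HIER_DIRECT/192.168.20.11 text/html")
# Constructed contrast line: answered from Squid's cache, no upstream contact.
CACHED = ("1511792500.123 0 203.0.113.7 TCP_MEM_HIT/200 412 GET "
          "http://example.com/index.html - HIER_NONE/- text/html")

if __name__ == "__main__":
    for sample in (POSTED, CACHED):
        print(classify(sample))
```

For the posted line the result is an upstream 404 from 192.168.20.11, so the request reached the backend and the challenge file was not found there; Squid did not generate the error.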