Invalid response from; I suspect it is not creating temp files on acme-challenge directory [SOLVED]

Hello. I have been reviewing all similar posts, but none of them matches my problem.

My OS info:
Ubuntu server 16

# apt-cache policy certbot | grep -i Installed
  Installed: 0.25.0-1+ubuntu16.04.1+certbot+1

My server is neither configured for IPv6 nor has any AAAA record:

server {
    listen 80 default_server;

    location ^~ /.well-known/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
}

# dig +short A

# dig +short A

# curl -i4 ''
HTTP/1.1 200 OK

# curl -i4 '
curl: (6) Could not resolve host:

I suspect it is not creating temporary files in the acme-challenge directory, because I keep pressing F5 (reloading) on the directory while renewing certs and no file is created at any moment.

So… why do I get an invalid response when using certbot renew --dry-run?

Well, it’s hard to say without seeing your existing renewal parameters or Certbot logs, but that location block doesn’t look like it would work, since Certbot’s webroot plugin expects to place files in the /.well-known/acme-challenge directory, not the /.well-known/ directory.

The simplest thing to do is just to allow Certbot to figure out the nginx directives by using the nginx plugin:

certbot renew --cert-name --nginx --dry-run

I have another working server with version 0.19, and when I try to renew certificates there, the temp files are created and deleted in the acme-challenge directory as normal behaviour. On my non-working server the temp files are not created in the acme-challenge directory. Why?

Post your unredacted renewal parameters from /etc/letsencrypt/renewal/*.conf and it’ll probably become clear. My suspicion is on your location block not mapping properly onto the webroot anticipated by Certbot, but there’s insufficient evidence to be sure.

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
installer = None
webroot_path = /var/www/html,
authenticator = webroot
account = c5a2b678387db7b06e8050bfe2dffbdd
[[webroot_map]] = /var/www/html

There we go - Certbot has a completely different idea about the location of the webroot.

Maybe replace your location with a simple:

location /.well-known/acme-challenge/ {
    root /var/www/html;
}

@_az I am SO VERY THANKFUL. Your response was the correct one.


However, I changed the parameters in /etc/letsencrypt/renewal/ in order to work on /var/www/letsencrypt and it worked fine.

I hope this is helpful for other letsencrypt users.
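
A consistency check for the mismatch diagnosed in this thread, added here as an example (not code from any poster or from Certbot): it compares the directory Certbot's webroot authenticator writes challenge files to with the directory nginx would serve /.well-known/acme-challenge/ from. The domain example.org, both sample configs and all function names are constructed for illustration; the parser assumes prefix locations that use root (no alias, no regex locations).

```python
import os
import re

# Constructed inputs modelled on the thread; example.org is a placeholder domain.
RENEWAL_CONF = """\
[renewalparams]
[[webroot_map]]
example.org = /var/www/html
"""
NGINX_CONF = """\
server {
    listen 80 default_server;
    location ^~ /.well-known/ {
        root /var/www/letsencrypt;
    }
}
"""
CHALLENGE_URI = "/.well-known/acme-challenge/"

def certbot_webroots(conf):
    """Map each domain under [[webroot_map]] to the webroot Certbot writes into."""
    roots, in_map = {}, False
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            roots[domain] = path
    return roots

def nginx_challenge_root(conf):
    """Root of the longest prefix location matching the challenge URI (root only, no alias)."""
    best = ("", None)
    for prefix, body in re.findall(r"location\s+(?:\^~\s+)?(/\S*)\s*\{([^}]*)\}", conf):
        root = re.search(r"\broot\s+([^;]+);", body)
        if root and CHALLENGE_URI.startswith(prefix) and len(prefix) > len(best[0]):
            best = (prefix, root.group(1).strip())
    return best[1]

def mismatches(renewal_conf, nginx_conf):
    """(domain, dir Certbot writes to, dir nginx serves) for every domain where they differ."""
    root, tail = nginx_challenge_root(nginx_conf), CHALLENGE_URI.lstrip("/")
    served = os.path.join(root, tail) if root else None
    pairs = ((d, os.path.join(w, tail)) for d, w in certbot_webroots(renewal_conf).items())
    return [(d, written, served) for d, written in pairs if written != served]

if __name__ == "__main__":
    for domain, written, served in mismatches(RENEWAL_CONF, NGINX_CONF):
        print(f"{domain}: Certbot writes to {written}, nginx serves from {served}")
```

Either fix from the thread clears the report: pointing the nginx location at /var/www/html, or changing the webroot in the renewal file to /var/www/letsencrypt.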

