Issues with nginx

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
certbot certonly --webroot --agree-tos --email -w /var/www/letsencrypt -d -d

It produced this output:
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

Hi @jwilleke,

Are you sure? Because it seems your site is using Apache Tomcat 7.0.54.

Anyway, to test if this command would work:

certbot certonly --webroot --agree-tos --email -w /var/www/letsencrypt -d -d

Create a test file here: /var/www/letsencrypt/.well-known/acme-challenge/test


mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/
echo "Testing acme-challenge" > /var/www/letsencrypt/.well-known/acme-challenge/test

And then try to access this file with your browser:

If you get “Testing acme-challenge” then we will need more info about your config.

If you get an error, you should review your config to find out what the web root for your site is and place the right path in the certbot command…


I believe the issue is with the webroot directory you specified. I would find it surprising that your webroot is /var/www/letsencrypt, and I’m assuming what you did is map that to /.well-known/acme-challenge instead. This will cause certbot to serve the file at /.well-known/acme-challenge/.well-known/acme-challenge, because webroot expects the directory at which you are serving /.

lsof -i :80
nginx 1272 root 6u IPv4 337596 0t0 TCP *:http (LISTEN)
nginx 1272 root 7u IPv6 337597 0t0 TCP *:http (LISTEN)
nginx 4952 www-data 6u IPv4 337596 0t0 TCP *:http (LISTEN)
nginx 4952 www-data 7u IPv6 337597 0t0 TCP *:http (LISTEN)
nginx 4953 www-data 6u IPv4 337596 0t0 TCP *:http (LISTEN)
nginx 4953 www-data 7u IPv6 337597 0t0 TCP *:http (LISTEN)
nginx 4954 www-data 6u IPv4 337596 0t0 TCP *:http (LISTEN)
nginx 4954 www-data 7u IPv6 337597 0t0 TCP *:http (LISTEN)
nginx 4955 www-data 6u IPv4 337596 0t0 TCP *:http (LISTEN)
nginx 4955 www-data 7u IPv6 337597 0t0 TCP *:http (LISTEN)

So pretty sure nginx is working on port 80.

The config file (Well one them with

# configuration file /etc/nginx/sites-available/tomcat-proxy.conf:

# Basic Proxy for ROOT Wiki

server {
    listen 80;
    root /usr/share/tomcat/webapps/ROOT/;
    index index.jsp index.html index.htm;

    # Add robots.txt
    location /robots.txt {
        alias /usr/share/tomcat/webapps/ROOT/robots.txt;
    }

    location /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.jsp$ {
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1M;
    }
}

Really appreciate the help, as I have worked on this for too many hours.

If I remember correctly, this maps /.well-known/acme-challenge on the site to /var/www/letsencrypt instead of the intended /var/www/letsencrypt/.well-known/acme-challenge. The correct form would probably be to create /var/www/letsencrypt/.well-known/acme-challenge and then set root /var/www/letsencrypt/.well-known/acme-challenge, or, alternatively, to keep it as it is and create /var/www/letsencrypt/.well-known and then ln -s /var/www/letsencrypt /var/www/letsencrypt/.well-known/acme-challenge.

No, the nginx directive is ok; maybe you are confusing root with alias. The alias directive has the behaviour you are explaining.


“location with root inside” seems confusing.
I’ve always seen “location with alias inside”.
location /.well-known {
    alias /var/www/letsencrypt/.well-known;
}
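
The root and alias mappings debated in the posts above, worked through as an added example (not code from any poster, from certbot or from nginx). It models only prefix locations; the function names and the token name `test` are assumptions for illustration.

```sh
#!/bin/sh
# Models nginx URI-to-file mapping for a prefix location (root vs alias).

# resolve_path DIRECTIVE LOCATION DIR URI
# Prints the file nginx would look up; returns 1 if URI is outside LOCATION.
resolve_path() {
    rp_directive=$1 rp_location=$2 rp_dir=$3 rp_uri=$4
    case $rp_uri in
        "$rp_location"*) ;;
        *) return 1 ;;
    esac
    case $rp_directive in
        # root: the full request URI is appended to the directory.
        root)  printf '%s%s\n' "${rp_dir%/}" "$rp_uri" ;;
        # alias: the matched location prefix is replaced by the directory.
        alias) printf '%s%s\n' "$rp_dir" "${rp_uri#"$rp_location"}" ;;
        *) return 2 ;;
    esac
}

# challenge_path WEBROOT TOKEN
# Where "certbot --webroot -w WEBROOT" writes the http-01 challenge file.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# matches_webroot DIRECTIVE LOCATION DIR WEBROOT
# Succeeds when nginx would serve the file certbot wrote.
matches_webroot() {
    mw_token=test   # constructed token name, same as the test file in the thread
    mw_served=$(resolve_path "$1" "$2" "$3" "/.well-known/acme-challenge/$mw_token") || return 1
    [ "$mw_served" = "$(challenge_path "$4" "$mw_token")" ]
}

WEBROOT=/var/www/letsencrypt
for cfg in \
    "root /.well-known/acme-challenge/ /var/www/letsencrypt" \
    "alias /.well-known /var/www/letsencrypt/.well-known" \
    "alias /.well-known/acme-challenge/ /var/www/letsencrypt/" \
    "root /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge"
do
    set -- $cfg
    if matches_webroot "$1" "$2" "$3" "$WEBROOT"; then r=match; else r=MISMATCH; fi
    printf '%-5s %-30s %-52s %s\n' "$1" "$2" "$3" "$r"
done
```

The first two rows match the path certbot writes under `-w /var/www/letsencrypt`; the last two resolve to a different file, so the http-01 validation would get a 404 for them.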

Ok. For me, your tomcat-proxy.conf is ok, so the problem should be somewhere else. I suppose you already enabled this conf, right? I mean, is there a link in /etc/nginx/sites-enabled/tomcat-proxy.conf pointing to /etc/nginx/sites-available/tomcat-proxy.conf?

Could you please also check if you have some kind of port forwarding from port 80 to 8080? I’m asking because I’m still seeing that your Tomcat is answering directly instead of being proxied by nginx.

$ curl -IkL
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1013
Date: Mon, 28 Aug 2017 18:28:51 GMT

