Manually create acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: doas -u root certbot renew

It produced this output:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/ expires on 2020-12-29 (skipped)
/etc/letsencrypt/live/ expires on 2021-02-13 (skipped)
/etc/letsencrypt/live/ expires on 2021-02-13 (skipped)
/etc/letsencrypt/live/ expires on 2021-02-13 (skipped)
/etc/letsencrypt/live/ expires on 2020-12-29 (skipped)
/etc/letsencrypt/live/ expires on 2020-12-29 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)


My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): OpenBSD 6.7

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.3.0

As you can see my problem is that the webserver is not allowing access to the challenge. I have added a Location block specifically for letsencrypt in my nginx config as so.

location /.well_known/ {
    root /var/www/sites/;
    try_files $uri $uri/ $uri.html =404;

And I have changed the renew config to also use the above directory.

[[webroot_map]] = /var/www/sites/

If I navigate to /var/www/sites/ and create a .well_known directory there and put something in it, say touch hello then hit it serves me the file. So I am lost as to why nginx isnt serving the challenge.

Is it possible to have certbot create the challenge for the renewal but stop? So I can see the file structure / permissions and where its creating what?



1 Like

Welcome to the Let's Encrypt Community, Chris :slightly_smiling_face:

These should be /.well-known/

When using the nginx authenticator, you don't actually create /.well-known/acme-challenge/ . Since you're using the webroot authenticator, you need to make sure that your webroot is properly specified. You aren't using an installer, which means you'll need to reload nginx after updating your certificate.

The command would look something like this:
doas -u root certbot certonly --cert-name --webroot -w /var/www/sites/ -d "," --deploy-hook "nginx -s reload"

If you want to have certbot pause so that you can see the challenge files, add --debug-challenges to your command.

1 Like

Thanks so much!
Argh, I cant believe it was a hyphen instead of a underscore. Annoying I didnt spot that, that fixed it.

Great info on the debug command. I'll make a note of that.

Thanks for the swift reply and the eagle eye for spotting the typo!

Appreciate it.


You're quite welcome. The certbot command I gave you has a few other features in it to help you along. :wink:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.