Nextcloud certificate renewal failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloud.wicketit.com

I ran this command: sudo certbot renew --dry-run -v

It produced this output:

==========

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.wicketit.com.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for cloud.wicketit.com
Performing the following challenges:
http-01 challenge for Identifier(typ=IdentifierType(dns), value='cloud.wicketit.com')
Waiting for verification...
Challenge failed for domain cloud.wicketit.com
http-01 challenge for Identifier(typ=IdentifierType(dns), value='cloud.wicketit.com')

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Identifier: cloud.wicketit.com
Type: unauthorized
Detail: 205.200.240.17: Invalid response from http://cloud.wicketit.com/.well-known/acme-challenge/Yb8erlFamj98XOI_Hcg-r66MCvsCZjkna0nnT_XjcYw: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate cloud.wicketit.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/cloud.wicketit.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

==========

My web server is (include version): Nextcloud 32.0.11 with Apache 2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.6.0

Hello @Tygonis,

Using the online tool Let's Debug yields these results: https://letsdebug.net/cloud.wicketit.com/2978820

And from around the world we get "Connection timed out"

Please check your firewall.

Hi @Bruce5051, I normally keep port 80 closed until I need to renew the certificate. This is the first time it's given me grief though. I'll reopen port 80 to my Nextcloud and retry that tool ...

Best Practice - Keep Port 80 Open

With port 80 open again to my server, I get an all good:

However, the simulated renewal still fails:

sudo certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.wicketit.com.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for cloud.wicketit.com
Performing the following challenges:
http-01 challenge for Identifier(typ=IdentifierType(dns), value='cloud.wicketit.com')
Waiting for verification...
Challenge failed for domain cloud.wicketit.com
http-01 challenge for Identifier(typ=IdentifierType(dns), value='cloud.wicketit.com')

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Identifier: cloud.wicketit.com
Type: unauthorized
Detail: 205.200.240.17: Invalid response from http://cloud.wicketit.com/.well-known/acme-challenge/fB06-4UFFeO100g35yyE0Iqr5cPxizMSlTMyS3X6oNg: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate cloud.wicketit.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/cloud.wicketit.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Yet the server appears to be running nginx

curl -Ii http://cloud.wicketit.com/.well-known/acme-challenge/fB06-4UFFeO100g35yyE0Iqr5cPxizMSlTMyS3X6oNg
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 02 Jun 2026 19:00:15 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
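
The check made in the last post (Certbot's authenticator is apache, yet the 404 carries `Server: nginx`), as an added shell example that is not part of the thread: it compares the plugin Certbot selected with the Server header of the challenge response. The function names are hypothetical and the sample text is copied from the output above; a proxy can rewrite the Server header, so a mismatch is a lead to follow, not proof.

```shell
#!/bin/sh
# Added example (not from the thread): did the web server that Certbot
# reconfigured also answer the http-01 request? Function names are hypothetical.

# Sample input copied from the output quoted in this thread.
certbot_out='Plugins selected: Authenticator apache, Installer apache
Type: unauthorized
Detail: 205.200.240.17: Invalid response from http://cloud.wicketit.com/.well-known/acme-challenge/fB06-4UFFeO100g35yyE0Iqr5cPxizMSlTMyS3X6oNg: 404'
http_headers='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'

# Authenticator plugin named on Certbot's "Plugins selected:" line.
authenticator() {
    printf '%s\n' "$1" |
        sed -n 's/^Plugins selected: Authenticator \([^,]*\),.*/\1/p' | head -n 1
}

# Product token of the Server header, lower-cased, without version or OS suffix.
server_product() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F': *' 'tolower($1) == "server" { print tolower($2); exit }' |
        sed 's#[/ ].*##'
}

# Status code from the first line of the response.
status_code() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# $1 = certbot output, $2 = response headers from curl -I on the challenge URL.
diagnose() {
    auth=$(authenticator "$1"); srv=$(server_product "$2"); code=$(status_code "$2")
    case "$auth" in
        apache|nginx) ;;
        *) echo "inconclusive: authenticator '$auth' does not edit a web server config"
           return 0 ;;
    esac
    if [ -z "$srv" ]; then
        echo "inconclusive: response has no Server header"
    elif [ "$auth" = "$srv" ]; then
        echo "match: $srv answered with $code; check the vhost for this name in $srv"
    else
        echo "mismatch: certbot edited $auth but $srv answered with $code; find what listens on or forwards port 80"
    fi
}

diagnose "$certbot_out" "$http_headers"
```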