Nginx webroot authenticator

Having been screwing with this for an embarrassing number of hours…I need help. I’m trying to install a cert with Nginx using the webroot authenticator and all I keep getting back is 404s.

My webroot is owned by a non-root user. I don’t know whether I’m supposed to do this, but I’ve manually created a .well-known directory, made it owned by me:www-data and then, taking it a step further, opened the perms up to 777.

DNS is pointing to the right box.

The :80 portion of my Nginx config looks like this:

server {
  listen 80;


  location ~ /.well-known {
    access all

# ./letsencrypt-auto certonly -a webroot --webroot-path=/opt/www/my-site/www/ -d
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path=/opt/www/my-site/www/ -d
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: 404

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

For the life of me, I haven’t been able to figure out what I’m missing. Help?!

Are you sure is pointing to the right IP? I’m seeing a Server: Apache/2 header in the response.


Sorry, it’s a made up domain. I didn’t want to expose the client any more than I needed to. The IP address in the error message is correct, so DNS seems to be resolving correctly.


The easiest thing to do is to drop a file into that webroot and make sure you can read it via the public internet. The webroot plugin just writes a file into /.well-known/acme-challenge… so you can just do:

touch /opt/www/my-site/www/.well-known/acme-challenge/TEST.txt

and make sure that you can access

Nginx error logs should help you figure out any issues from there.
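The check suggested above, automated as an added example (not part of the original post or of the Let's Encrypt client). The function name `probe_webroot` and its `base_url` argument are assumptions made for illustration. It also reports whether the challenge directory is world-writable, which the web server does not need in order to serve the file.

```python
import os
import secrets
import stat
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def probe_webroot(webroot, base_url, timeout=5):
    """Write a random probe file under webroot and fetch it back over HTTP.

    Hypothetical helper: returns a dict with the HTTP status, whether the
    body served matches what was written, and whether the challenge
    directory is world-writable.
    """
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    name = "probe-" + secrets.token_hex(8)   # unpredictable file name
    body = secrets.token_hex(16).encode()    # unpredictable content
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, 0o644)  # world-readable is enough for the web server
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    mode = os.stat(directory).st_mode
    result = {"url": url, "status": None, "served": False,
              "world_writable": bool(mode & stat.S_IWOTH)}
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = resp.status
            result["served"] = resp.read() == body
    except urllib.error.HTTPError as err:
        # A 404 here means the server's document root for this location
        # is not the directory passed as webroot.
        result["status"] = err.code
    except urllib.error.URLError as err:
        result["error"] = str(err.reason)
    finally:
        os.remove(path)  # never leave the probe file behind
    return result


if __name__ == "__main__":
    import sys
    # Usage: script.py <webroot-path> <http://your-domain>
    print(probe_webroot(sys.argv[1], sys.argv[2]))
```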


Try this:

server {
  listen 80;

  location ~ /.well-known {
    # must be the same directory passed to the client as --webroot-path
    root /opt/www/my-site/www;
    allow all;
  }
}
