No longer able to renew existing cert, nor make new certs

Hello! I've been using certbot quite smoothly for over a year now, but I'm currently experiencing some issues with one server that hosts 3 websites. For one I already activated the certificate, although when running "sudo certbot renew --dry-run" it gives an error I also encounter when trying to add new certificates to two other websites. The error and details are described below for one of the sites:

My domain is:

I ran this command: certbot --duplicate --nginx -v

It produced this output:
Requesting a certificate for
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Challenge failed for domain
http-01 challenge for

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Type: unauthorized
Detail: Invalid response from []: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found


Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

I'm adding also the nginx site config here: server { server_name; root /var/www/ht -

Would anyone be able to help with this? Many thanks!



With the paste you sent, this looks like it should work just fine.

Would you please be able to do a paste of the entire nginx configuration for me, as reported by this command?

sudo nginx -T

Hi _az! Thanks for looking it over!
Here is the output I got: nginx: [warn] could not build optimal proxy_headers_hash, you should increase ei -



My main suspicion right now is that the mix of IPv4/IPv6/ipv6only listen settings across your virtual hosts is causing trouble. nginx can do some weird things when the settings are not consistent.

What I suggest trying is adding these listen directives to your virtual host in /etc/nginx/sites-enabled/

listen 80; 
listen [::]:80;

and give it another go.


Thanks @_az ! I've tried adding those lines but it still gave the same error.

I think there might be something wrong in the virtual host conf of, that stops any certificate attempt. If I delete it from sites-enabled, the certbot dry run renewal command works. But I can't exactly figure out what it can be.


This seems unrelated but nonetheless conflicting code:

server {
    listen 80;
    listen [::]:80 ipv6only=on;
server {
    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot

I also agree, this section has no listen statement:

# configuration file /etc/nginx/sites-enabled/
server {
        root /var/www/html/multispecies/;
        index index.html;
        location / {
                try_files $uri $uri/ =404;
        location ~ ^/\.well-known {
                allow all;

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
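
A static check for the two things the replies in this thread point at: a server block with no listen directive, and port-80 listeners that differ between IPv4, IPv6 and ipv6only across virtual hosts. This is an added example, not part of the original thread; the sample config and hostnames are constructed and the function names are hypothetical. Pass it the text produced by `sudo nginx -T`.

```python
import re
# Constructed sample shaped like `sudo nginx -T` output; hostnames are placeholders.
SAMPLE = """\
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name a.example;
}
server {
    server_name b.example;
}
server {
    if ($host = c.example) { return 301 https://$host$request_uri; }
    listen 80;
    server_name c.example;
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += (conf[i] == "{") - (conf[i] == "}")
            i += 1
        yield conf[m.end():i - 1]

def port_and_family(listen):
    addr = listen.split()[0]  # first token: "80", "*:80", "[::]:80"
    port = addr.rsplit("]", 1)[-1].rsplit(":", 1)[-1]
    return (int(port) if port.isdigit() else 80), addr.startswith("[")

def audit_port80(conf):
    """Return {server_name: [problems]} for blocks whose port-80 listeners look inconsistent."""
    report = {}
    for body in server_blocks(conf):
        name = re.search(r"\bserver_name\s+([^;]+);", body)
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        v6_on80 = [v6 for port, v6 in map(port_and_family, listens) if port == 80]
        problems = []
        if not listens:
            problems.append("no listen directive; nginx defaults to *:80 (IPv4 only)")
        elif v6_on80 and not any(v6_on80):
            problems.append("port 80 on IPv4 only; no listen [::]:80")
        if any("ipv6only=" in l for l in listens):
            problems.append("sets ipv6only, a socket-level option for every [::]:80 listener")
        if problems:
            report[name.group(1).strip() if name else "(unnamed)"] = problems
    return report
```

Calling `audit_port80(SAMPLE)` reports all three constructed hosts: one for the ipv6only parameter, one for the missing listen directive, and one for listening on IPv4 only.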