Problem with renewing Let's Encrypt certificate


3 months ago, I configured our company cloud: qnap / ubuntu 22 (in qnap's container) / apache2 / ownCloud. I used a Let's Encrypt certificate in the apache2 config files to start the https service. Everything worked well till the beginning of May, when your certificate expired. I need help to renew the certificate and configure it for cyclic renewal. I know that there are tons of articles on the internet about how to do this. I tried many things, without success.

During my trials, I created the folder:

and also configured this directory in Apache site config file (/etc/apache2/sites-available/owncloud4.conf) adding below:

Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

I added the above outside all "VirtualHost" sections (I have two such sections: for ports 80 and 443).

Please help! Thank you in advance!

My domain is:

I ran this command:
./ (from /etc/letsencrypt/ directory)
and also
certbot certonly (from any directory)

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Type: unauthorized
Detail: Invalid response from 404

My web server is (include version):
Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS
(uname -a produces below:
Linux ubuntu-2 5.10.60-qnap #1 SMP Fri Apr 21 01:51:27 CST 2023 x86_64 x86_64 x86_64 GNU/Linux)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Can you please post your port 80 <VirtualHost> and also the output of

sudo apachectl -t -D DUMP_VHOSTS


root@ubuntu-2:~# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 (/etc/apache2/sites-enabled/owncloud4.conf:1)
*:443 (/etc/apache2/sites-enabled/owncloud4.conf:15)


<VirtualHost *:80>
        #Redirect permanent /
        LogLevel debug

        ErrorLog /var/log/apache2/http_owncloud_error.log
        CustomLog /var/log/apache2/http_owncloud_access.log combined
</VirtualHost>

# Default host
<VirtualHost *:443>
        DocumentRoot /var/www/owncloud
        LogLevel Debug
        ErrorLog /var/log/apache2/https_owncloud_error.log
        CustomLog /var/log/apache2/https_owncloud_access.log combined

        SSLEngine on
        SSLCertificateChainFile /etc/letsencrypt/live/
        SSLCertificateKeyFile /etc/letsencrypt/live/
        SSLCertificateFile /etc/letsencrypt/live/
</VirtualHost>

SSLUseStapling on
SSLStaplingCache "shmcb:/tmp/stapling_cache(2097152)"

<Directory /var/www/owncloud/>
        AllowOverride All
</Directory>

# configuration of the "well-known" directory for certbot when renewing
# the certificate - it needs to save files from the network here
Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

For the port 80 virtual host, I commented out the "Redirect" directive during my last testing. Normally, during the last 3 months, this redirect was active.

The port 80 virtual host you linked to does not have a document root.

If you want to use --webroot, the port 80 virtual host's DocumentRoot needs to agree with the webroot path that you pass to Certbot.


I concur with using --webroot.
But, I also think that you should move that alias statement.
Using the alias outside the <VirtualHost> may be problematic for the certbot Apache plugin.


Nothing changed. Conf file (after modification) and terminal screenshot - attached.

By using alias you overwrite the DocumentRoot for the matching ACME requests.

Try matching --webroot to the alias:

  • --webroot -w /var/www/letsencrypt/.well-known/acme-challenge/
  • --webroot -w /var/www/letsencrypt/


Remove the alias.



certbot certonly \
--webroot -w /var/www/letsencrypt/.well-known/acme-challenge/ \
-d \


certbot certonly \
--webroot -w /var/www/letsencrypt/ \
-d \

One of them should pass the test.
Whichever does pass, then redo it without the --dry-run testing.
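
Added example, not part of the original posts: a pre-flight check showing why only one of the two `-w` values can line up with the Alias from this thread. The webroot plugin writes each challenge to `<webroot>/.well-known/acme-challenge/<token>`; the paths are the ones posted above, while the function names and the `live_probe` hostname argument are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical; paths come from the thread.
ALIAS_TARGET="/var/www/letsencrypt/.well-known/acme-challenge/"

# Strip trailing slashes so "/a/b/" and "/a/b" compare equal.
norm() {
    local p="$1"
    while [ "${p%/}" != "$p" ] && [ -n "${p%/}" ]; do p="${p%/}"; done
    printf '%s\n' "$p"
}

# Directory the webroot plugin writes challenge files into for a given -w.
challenge_dir() { printf '%s/.well-known/acme-challenge\n' "$(norm "$1")"; }

# Succeeds when certbot's write directory is the directory the Alias serves.
webroot_matches_alias() { [ "$(challenge_dir "$1")" = "$(norm "$2")" ]; }

# The RedirectMatch in the posted config returns 404 unless the file name is
# exactly 43 characters of [A-Za-z0-9_-], so "test.txt" would always fail.
is_token_shaped() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'; }

# Build a 43-character probe name that passes that filter.
probe_name() { printf '%-43s' "probe-$$" | tr ' ' 'x'; }

# Live check (needs curl and a reachable port 80): write a probe where certbot
# would, fetch it, clean up. Usage: live_probe <webroot> <hostname>
live_probe() {
    local dir name code
    dir="$(challenge_dir "$1")"; name="$(probe_name)"
    mkdir -p "$dir" && printf 'ok\n' > "$dir/$name" || return 2
    code="$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$2/.well-known/acme-challenge/$name")"
    rm -f "$dir/$name"
    printf '%s\n' "$code"
    [ "$code" = "200" ]
}

# Offline comparison of the two candidate -w values suggested above.
for w in /var/www/letsencrypt/.well-known/acme-challenge/ /var/www/letsencrypt/; do
    if webroot_matches_alias "$w" "$ALIAS_TARGET"; then r=match; else r=mismatch; fi
    printf '%s -> %s (%s)\n' "$w" "$(challenge_dir "$w")" "$r"
done
```

A 404 from `live_probe` with a matching webroot points at the virtual host answering port 80 rather than at certbot.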


@rg305, your second certbot calling proposal was successful. First with --dry-run, and next, without this. Now my certificate is renewed. Thank you.

I made this without any modifications of my last "owncloud4.conf" (directory alias still exists in both 80 and 443 virtual hosts). After that, I modified "owncloud4.conf" and removed these directory aliases - I issued the command "certbot certonly" and success.

I know that it sounds strange, but after a few hours, I tried the "certbot certonly" command again (now I always use --dry-run), and it doesn't work! It is a surprise, because you wrote earlier that I can remove the directory aliases.

I restored the previous "owncloud4.conf" (directory aliases present) and now "certbot certonly --dry-run" works.

For me it is half a success, because I need to configure automatic renewal of the certificate. Unfortunately, the command "certbot renew --dry-run" is not working. What do I need to use to renew: "certbot certonly" or "certbot renew"? I don't understand the differences between these two. How often can I issue the "certonly" or "renew" commands (without --dry-run)?


For renewals, just do:
certbot renew

certbot certonly