Renew Certificate Error

Hey guys,
i’m running nextcloud on my raspberry pi and it worked fine just until a few days ago the Let’s Encrypt certificate expired. I’m not able to reach my cloud in a browser, firefox gives me the following error code: SEC_ERROR_EXPIRED_CERTIFICATE. But i can reach my cloud with the desktop and smartphone app, so its still working.
If i’m trying to renew the certificate on my raspberry it gives me this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: “\r\n403 Forbidden\r\n<body bgcolor=“white”>\r\n

403 Forbidden

”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)


I have no idea what to do, the IP adress is correct.
I hope you can help me :slight_smile:

Hi @MadUnicorn

checking your domain - yep, there is a 403 -

Domainname Http-Status redirect Sec. G 301 0.163 A 302 2.773 N
Certificate error: RemoteCertificateChainErrors 200 2.640 N
Certificate error: RemoteCertificateChainErrors
small content: 301 0.084 A
Visible Content: 301 Moved Permanently nginx/1.10.3 403 2.233 N
Certificate error: RemoteCertificateChainErrors
Visible Content: 403 Forbidden nginx/1.10.3

But it's not the http, it's your https - configuration. Expected is a http status 404 - Not Found, not 403.

So first step: Check your config file in


to see, which webroot you use.

Then check, if this is the correct webroot and if the permissions are correct.

Create the two subdirectories


there a file (file name 1234), then try to load that file via

or use the online tool to check that url.

That must work.

Okay so my config file ( says the following:

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

server =
authenticator = webroot
webroot_path = /var/www/html,
account = 5ae9462977b08629b1d672976d1c31da
[[webroot_map]] = /var/www/html

Seems about right for me but i’m not quite sure. How do i check if the permissions are correct and where exactly do i place the file 1234 to be able to access it online? And just to understand, what do i gain with creating the file? To check if i can reach my cloud?
Thanks for your help


is your webroot_path. I'm curious about the , (comma) at the end, perhaps remove that, perhaps that's the problem.

Then create the two subdirectories


there a file, then test it. This directory needs the correct permissions (if it is correct).

To check, if your webroot path is correct and has the correct permissions.

Okay, thanks for your answer.
I removed the comma, but that didn’t changed a thing. Then i created the file “1234” which i can’t reach in my browser due to a possible security-problem as firefox tells me. I get the same screen when i want to reach my cloud normally, saying that there’s a certificate missing : “SEC_ERROR_EXPIRED_CERTIFICATE”.
I’m just curius why i simply cant renew my certificate, the cloud just worked fine before it expired.

Create an exception in your browser.

Then you see the problem:

There is a http status 403 - Forbidden.

So there is a wrong configuration. You must see the content of your test file, a http status 200 is required.

Sorry i’m writing late, i was on vacation.
So there is a wrong configuration but what can i do to fix it?
Is there a way to see where exactly the error is located and what caused it?

It might help us to know what webserver software you are using.

Would you like to share your webserver configuration here please?

Okay so I experimented a bit, updated my raspberry and suddenly i was able to renew the certificate. I dont know what exactly the problem was but after restarting nginx everything just worked fine. So thanks for your answers and your help guys! :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.