Renew certificate nginx http authentication

I received an e-mail saying that my certificate is about to expire. I tried a manual renewal however getting the below error.

Because of the contents i am hosting (for personal/private use only) i don’t want to temporarily switch off http authentication.

Is there a way to add a “certbot” user for example with a password or another way so that the certificate can be renewed while http authentication is still enabled?

Please let me know if more information is needed e.g. nginx configuration and i can add this to the post. By default i have port 80 blocked since this is forwarded to port 443 by nginx. For the purpose of renewing the certificate i opened port 80 but since it’s insecure i have now closed it again.



My domain is:

I ran this command:

kasper@Servert:/opt/certbot$ sudo ./certbot-auto renew

It produced this output:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "

401 Authorization Required

401 Authorization Required</". Skipping.

My web server is (include version):

nginx version: nginx/1.12.2

The operating system my web server runs on is (include version):
Linux Servert 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64

My hosting provider, if applicable, is:

N/A home server

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes (sudo enabled account)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

You could just disable http authentication for the location /.well-known/acme-challenge/.

Can you explain how i do this?

I am not an expert on this. I just use this to access my home server from other places then home. Could use some guidance on exactly what to add to the configuration.


The first hit while searching “nginx disable http authentication for specific location” in a well known search engine reveals the following article:

edit: I can now access https://domain/.well-known/acme-challenge without needing a password when i create it in /var/www.

However the certbot renewal still fails with authentication failed.

Is it the same error as before, or a slightly different error?

It was exactly the same. I have now commented out about 90% of my nginx configuration leaving only the very basic setup incuding redirecting 80 to 403. the basic authentication has been commented out as well.

A new challenge has arrived: the not found error:


The following errors were reported by the server:

Type: unauthorized
Detail: Invalid response from
404 Not Found
404 Not Found

It is correct that that directory didn’t exit. I was in the understanding certbot would create it for the challenge. However before when the auth was still enabled i created it manually and created a test text file. I was able to download the text file without needing to enter a password. But because certbot still indicated a failure i commented out the reverse proxy parts temporarily so there is no risk for disabling basic auth for the time of the renewal.

I am completely clueless now on what is going on. Should that directory be there? was it created during the first request of the certificate?

Is it at this point not easier to just revoke the current certificate and request a new one?!

Note: the above was done with the command sudo ./certbot-auto renew --dryrun to not use too many resources by all these failures

Hi @kasper1985,

The output is different because the 401 error has changed to a 404 error. So the underlying reason for the failure is now different—you’re making progress!

Could you take a look in /etc/letsencrypt/renewal/ and see what webroot directory it’s trying to use? That directory might be wrong.

Hi Schoen,

Thank you. this is the webroot dir in that file:

webroot_path = /var/www/html,
[[webroot_map]] = /var/www/html
can i safely edit that without breaking anything (removing the html part)?

Yes, you might want to edit both of them because I’m not sure which is being used. (I think webroot_map takes priority over webroot_path when both are present.)

Awesome thank you that worked!

Any idea why that was configured wrong? I have never touched those files so assume it was done when the cert was requested by the automatic process?

No, I'm not sure. Normally the webroot directory is chosen and saved based on user input!

Oops it was a PEBCAK? That is very embarrassing :frowning_face:

Thank you for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.