It produced this output:
Processing /etc/letsencrypt/renewal/audio.phoncert.com.conf
2017-07-12 17:03:41,541:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/audio.phoncert.com.conf produced an unexpected error: Failed authorization procedure. audio.phoncert.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://audio.phoncert.com/.well-known/acme-challenge/-6ExySvl3Kig406lyXxsh1JrEtxhDtaiR7pQxvS3tV0: "
404 Not Found
404 Not Found
". Skipping.
My web server is (include version): nginx
The operating system my web server runs on is (include version): ubuntu 16.04
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes AWS ec2
Yes. I read most of the previous similar reports on 404 problems, and checked that the webroot line in .conf looked right - it points to the folder that actually hosts the app:
Great! So the first test would be: if you create a text file /home/ubuntu/apps/soundctl/test.txt, can you see it at http://audio.phoncert.com/test.txt? (note: not https)
OK, I realize my node server will not let anything thru that is not expected, therefore both my test.txt and I suppose whatever letsencrypt .well-known wants to do has been rerouted - it defaults to the main page
Do I need to make a specific route for the .well-known folder?
Well, that should explain the 404 error; glad you were able to figure that out.
If you can pass through /.well-known/acme-challenge from HTTP requests into /home/ubuntu/apps/soundctl/.well-known/acme-challenge on the filesystem, the renewal should go through successfully. (This refers to a directory path, not just a single file.)
I have tested that my path is displaying the 2 text files you suggested as a test.
The permissions seem correct on folders .well-known and acme-challenge (755)
Once the challenge begins, what is happening? My server expects to respond to a request for an existing file in the folder, and the response to be the content-type text/html - but the renew process sends something like this - kt7uA7LoM7aOqMfvhh-bKRl9AqGt1uhcTnhRv9qANpc:
The certificate authority is telling the client (Certbot, previously called letsencrypt) “if you really control the domain name audio.phoncert.com, you can prove it by making a file at http://audio.phoncert.com/.well-known/acme-challenge/kt7uA7LoM7aOqMfvhh-bKRl9AqGt1uhcTnhRv9qANpc containing the content [whatever]”. Then Certbot tries to create such a file within the webroot directory that was previously specified to it. It tells the CA that it’s done so, and the CA makes an inbound web connection to check whether that content is really in place as requested.
The webroot directory needs to be the directory that contains .well-known/acme-challenge, not the acme-challenge subdirectory itself.
Can you give me an example of a test file that you made in .well-known/acme-challenge that’s accessible over the web?
Alternatively, you can run with --debug-challenges, which will pause Certbot after setting up the challenge but before telling the certificate authority to validate it, so that you can take a look for yourself at what it’s tried to do.
Hi, @schoen and @ktys1. I have the same problem and I made a little test: I renamed my .htaccess and ran the renew command, and it works well… so my question is: what kind of rule must I have in my .htaccess for the renew command to work well?
I have tried many different rules.
I don’t have enough familiarity with mod_rewrite to answer your question offhand. You might have better luck starting a new thread and mentioning in the topic that it relates to mod_rewrite; maybe that will attract someone else to jump in and help figure out your problem!