Renewal: Invalid response from '.well-known/acme-challenge' 404 but letsdebug is ok

Please find the standard form response below, but in addition please note that I’ve tested each of these domains individually on letsdebug.net using HTTP-01 and they’ve all come back with no problems. I’ve also tested mirror.itruns.co.uk with DNS-01 and TLS-ALPN-01 as well and those came back fine.

Swift help would be much appreciated as my certificate expires in 2 days!

My domain is: itruns.co.uk (single certificate with domains and subdomains: itruns.co.uk diff.itruns.co.uk eats.itruns.co.uk jw.itruns.co.uk mirror.itruns.co.uk)

I ran this command:
Tried various:

  • sudo certbot renew (with and without --debug-challenges, didn’t wait for prompt, it just ran through)
  • sudo certbot certonly --webroot --cert-name itruns.co.uk -w /var/www/itruns -d itruns.co.uk -w /var/www/ep -d mirror.itruns.co.uk -w /var/www/jw -d jw.itruns.co.uk -w /var/www/eats -d eats.itruns.co.uk. Think I initially installed using webroot command as certbot --nginx wasn’t working, pretty sure I renewed successfully last time with just using renew, and console output when running renew by itself states Authenticator nginx, Installer nginx so I’m not sure. Incidentally I know diff.itruns.co.uk isn’t in that list, I’m not using it so was going to remove it at the same time.

It produced this output:
Running sudo certbot renew --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/itruns.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for diff.itruns.co.uk
http-01 challenge for eats.itruns.co.uk
http-01 challenge for itruns.co.uk
http-01 challenge for jw.itruns.co.uk
http-01 challenge for mirror.itruns.co.uk
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


-v
Cleaning up challenges
Attempting to renew cert (itruns.co.uk) from /etc/letsencrypt/renewal/itruns.co.uk.conf produced an unexpected error: Failed authorization procedure. itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://itruns.co.uk/.well-known/acme-challenge/Uuyk0NVhhVFUDaowH1_mU4gG2_Pmt-rYoFocRNtZMww [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, jw.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jw.itruns.co.uk/.well-known/acme-challenge/NnPaiL1ouP1-gA9psNH4nI_zVD5QKbTIq3a9QlCa2zM [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, eats.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://eats.itruns.co.uk/.well-known/acme-challenge/rGpZTIy1BVHnthPp2pWbfbO3m2QJT5MhkVq4gXoFLfk [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, diff.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://diff.itruns.co.uk/.well-known/acme-challenge/CkgmFl4JbiURZNNwphxSxGQpwcbMvDlIgNwA3Z9LKRw [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, mirror.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mirror.itruns.co.uk/.well-known/acme-challenge/JV2uFBKCRpNrv9zjxDFHR4xY7Y6EnHQui5O2X1_WkbM [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itruns.co.uk/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itruns.co.uk/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Running sudo certbot certonly --webroot --cert-name itruns.co.uk -w /var/www/itruns -d itruns.co.uk -w /var/www/ep -d mirror.itruns.co.uk -w /var/www/jw -d jw.itruns.co.uk -w /var/www/eats -d eats.itruns.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

Please choose an account


1: ip-172-26-5-50.eu-west-2.compute.internal@2018-05-30T10:13:34Z (89c9)
2: ip-172-26-5-50.eu-west-2.compute.internal@2017-09-25T12:30:45Z (6f8b)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


You are updating certificate itruns.co.uk to include new domain(s):
(None)

You are also removing previously included domain(s):

Did you intend to make this change?


(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for eats.itruns.co.uk
http-01 challenge for itruns.co.uk
http-01 challenge for jw.itruns.co.uk
http-01 challenge for mirror.itruns.co.uk
Using the webroot path /var/www/eats for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://itruns.co.uk/.well-known/acme-challenge/Hi3SKGPrxXji8VgnEZ-ClFd4FC3hBfeUEKHADwf4vPM [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, eats.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://eats.itruns.co.uk/.well-known/acme-challenge/dLMTXlOw_EGMCC7Lsrjy9aC_JxvJaY7rjc05rw2C95s [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, jw.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jw.itruns.co.uk/.well-known/acme-challenge/2b_rtP55BgeH-pTHaMWa4yOn-ph66qicWhRCdVMKQpo [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”, mirror.itruns.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mirror.itruns.co.uk/.well-known/acme-challenge/wr0RAFNWRm11As4Fhq-SxGCkmGtP7RP2Px7RKE3F-F0 [35.176.194.112]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.14.0 (EasyEngine) - I installed easy engine a while ago, didn’t like how much it overwrote things, turned out after the fact that the guy who wrote it didn’t come up with an uninstall script for it because (and I quote) “Since I never need to uninstall easyengine, I find this case harder to imagine.” I’ve tried updating nginx directly but it comes up with other errors relating to easy engine. This may possibly be the issue, in which case I may have to do a full server install again to get rid of easy engine but naturally I’m reluctant to do this right now if this isn’t the current issue.

The operating system my web server runs on is (include version):
Ubuntu 16.04 Xenial

My hosting provider, if applicable, is:
AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0


Hi @sheardd

checking your domain - https://check-your-website.server-daten.de/?q=itruns.co.uk - that result is expected.

Your http / port 80

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://itruns.co.uk/ 35.176.194.112 (GZip used - 3186 / 11321 - 71,86 %) | 200 (Html is minified: 214,49 %) | | 0.080 | H |
| https://itruns.co.uk/ 35.176.194.112 (Inline-JavaScript (∑/total): 0/0, Inline-CSS (∑/total): 0/0) | 401 Unauthorized (Html is minified: 108,05 %) | | 2.686 | M |
| http://itruns.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.176.194.112 (Inline-JavaScript (∑/total): 0/0, Inline-CSS (∑/total): 0/0) | 404 Not Found (Html is minified: 100,00 %) | | 0.064 | A |

Visible Content: Not Found The requested URL was not found on this server. Apache/2.4.18 (Ubuntu) Server at itruns.co.uk Port 80

is an Apache, not a nginx. So --nginx can’t work. --webroot may work, if you use the correct Apache-webroot.

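The mismatch diagnosed in the reply above, as an added example that is not part of the original thread: a POSIX shell check that compares the authenticator recorded in a certbot renewal config with the server software that actually answers the challenge URL. The sample config and HTTP response are constructed from the values quoted in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): does the server answering the HTTP-01
# probe belong to the web server that certbot's authenticator plugin edits?

# stdin: certbot renewal config text -> prints the authenticator plugin name.
authenticator_from_conf() {
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# stdin: raw HTTP response (headers + body) -> prints apache, nginx or unknown,
# judged from the Server header or the default error-page footer.
server_family() {
    line=$(tr -d '\r' | awk '!f &&
        tolower($0) ~ /^server:|server at .* port [0-9]+|<center>nginx/ {
            print tolower($0); f = 1 }')
    case "$line" in
        *apache*) echo apache ;;
        *nginx*)  echo nginx ;;
        *)        echo unknown ;;
    esac
}

# $1 = renewal config text, $2 = raw HTTP response text -> one-line verdict.
diagnose() {
    plugin=$(printf '%s\n' "$1" | authenticator_from_conf)
    family=$(printf '%s\n' "$2" | server_family)
    if [ "$plugin" != nginx ] && [ "$plugin" != apache ]; then
        echo "SKIP: authenticator '$plugin' does not configure a web server"
    elif [ "$plugin" = "$family" ]; then
        echo "OK: $family answers the challenge URL"
    else
        echo "MISMATCH: certbot uses the $plugin plugin but $family answered"
    fi
}

# Constructed sample input, modelled on the values quoted in this thread.
SAMPLE_CONF='[renewalparams]
authenticator = nginx
installer = nginx'
SAMPLE_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html

<address>Apache/2.4.18 (Ubuntu) Server at itruns.co.uk Port 80</address>'

diagnose "$SAMPLE_CONF" "$SAMPLE_RESPONSE"
# Live use (assumed path; the probe name is arbitrary):
#   diagnose "$(sudo cat /etc/letsencrypt/renewal/itruns.co.uk.conf)" \
#            "$(curl -si http://itruns.co.uk/.well-known/acme-challenge/probe)"
```

A MISMATCH verdict means the plugin is editing a server that does not own port 80, so its temporary challenge configuration is never reached.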

…huh. Interesting. I’ve been using nginx on this server for about 3 years at this point. I suspect that easy engine may have installed it as Apache was installed by default, and since Apache wasn’t doing any harm I just left it there. I didn’t realise it was actually running though. I’ll try uninstalling Apache and running again.

There’re a couple of other variables that might be worth mentioning. Firstly, all my http redirects to https. I have a single default server block that listens on port 80, then returns a 301 to the relevant https url (return 301 https://$server_name$request_uri;). I then have all my various subdomains listening on 443. This is for my development server, so each subdomain serves a different root directory for a different client’s site. I did wonder if the redirect might be causing the issue, but according to this thread from last year the challenge should follow the redirect and then work as expected. The certificate is also still valid (for today at least), so a redirect to 443 would presumably still be fine.

The other thing that might bear mentioning is that, being a development server, all of my sites are secured with basic http auth. I’ve tried turning this off temporarily while renewing certificates to see if that made a difference, and it didn’t. I’ll try uninstalling apache and see what I find.

Success!

sudo certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/itruns.co.uk.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator nginx, Installer nginx

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for diff.itruns.co.uk

http-01 challenge for eats.itruns.co.uk

http-01 challenge for itruns.co.uk

http-01 challenge for jw.itruns.co.uk

http-01 challenge for mirror.itruns.co.uk

Using default addresses 80 and [::]:80 ipv6only=on for authentication.

Using default addresses 80 and [::]:80 ipv6only=on for authentication.

Using default addresses 80 and [::]:80 ipv6only=on for authentication.

Using default addresses 80 and [::]:80 ipv6only=on for authentication.

Using default addresses 80 and [::]:80 ipv6only=on for authentication.

Waiting for verification…

Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is

/etc/letsencrypt/live/itruns.co.uk/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:

/etc/letsencrypt/live/itruns.co.uk/fullchain.pem (success)

I’ve been meaning to tear down my server instance and rebuild it without all the detritus left behind by Easy Engine for a while, and this is yet another reminder that I need to get onto that. Thanks for your help!
