Renewal not possible


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from “\r\n403 Forbidden\r\n<body bgcolor=“white”>\r\n

403 Forbidden

”. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)


My web server is (include version):
nginx version: nginx/1.10.3

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 9 \n \l

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Please also provide the contents of /var/log/letsencrypt/letsencrypt.log.


Hi @DocMo

checking your domain ( ):

Domainname  Http-Status  redirect  Sec.  G
301  0.110  A
302  7.500  N
Certificate error: RemoteCertificateChainErrors
200  3.364  N
Certificate error: RemoteCertificateChainErrors
301  0.043  A
403  1.907  N
Certificate error: RemoteCertificateChainErrors

You have a redirect http -> https; this isn’t a problem. Same with the expired certificate: Let’s Encrypt ignores this error.

But you have a real http status code 403 - Forbidden. 404 - not found - was expected.

So your configuration must allow loading a file via /.well-known/acme-challenge.

Create a file (file name 1234) in this subdirectory and test whether you can load this file with your browser.
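The test described in the reply above can be scripted. This is an added example, not code from either poster or from certbot. It goes one step further than the reply by checking file-system permissions along the path, one common reason nginx answers 403 for a file that exists. The worker account `www-data`, the webroot `/var/www/html` and the domain `example.com` are assumptions; substitute your own.

```sh
#!/bin/sh
# Added example; WEB_USER, WEBROOT and DOMAIN are assumptions, not from the thread.
WEB_USER=${WEB_USER:-www-data}     # assumed nginx worker account
WEBROOT=${WEBROOT:-/var/www/html}  # assumed webroot used for http-01
DOMAIN=${DOMAIN:-example.com}      # placeholder; the thread's domain is not shown

# True if permission bit $3 (4=read, 1=traverse) is set for user $1 on path $2,
# using the owner, group or other digit that applies to that user.
# Needs GNU stat; ACLs and root's bypass are not modelled.
user_has_bit() {
    local info mode rest owner group digit
    info=$(stat -c '%a %U %G' "$2") || return 2
    mode=${info%% *}; rest=${info#* }; owner=${rest%% *}; group=${rest#* }
    mode=$(( $mode % 1000 ))       # drop the setuid/setgid/sticky digit
    if [ "$owner" = "$1" ]; then digit=$(( $mode / 100 ))
    elif id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        digit=$(( $mode / 10 % 10 ))
    else digit=$(( $mode % 10 )); fi
    [ $(( $digit & $3 )) -ne 0 ]
}

# Walk absolute path $2 from / down; print the first component that user $1
# cannot traverse (directory) or read (file). Prints nothing if all pass.
first_blocked_component() {
    local user="$1" rest="${2#/}" cur="" part
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then echo "$cur: missing"; return 1; fi
        if [ -d "$cur" ]; then
            user_has_bit "$user" "$cur" 1 || { echo "$cur: not traversable by $user"; return 1; }
        else
            user_has_bit "$user" "$cur" 4 || { echo "$cur: not readable by $user"; return 1; }
        fi
    done
    return 0
}

# The test from the reply: create a file named 1234 and request it over HTTP.
# -L -k: follow the http -> https redirect and ignore the expired certificate.
probe_challenge_path() {
    local dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && echo probe > "$dir/1234" || return 2
    first_blocked_component "$WEB_USER" "$dir/1234" || return 1
    curl -sS -L -k -o /dev/null -w '%{http_code}\n' "http://$DOMAIN/.well-known/acme-challenge/1234"
}
if [ "${1:-}" = "--run" ]; then probe_challenge_path; fi
```

Run it with `--run` as a user allowed to write to the webroot. A printed path means the permissions on that component need fixing; a printed 403 with no path points at the nginx configuration instead.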

