Renewing certificate inside ISP router network

Last time I was able to renew it just fine.
Setup is:
ISP Router WAN IP:
ISP Router LAN IP:
Port Forwarding: HTTPS 443 -> 443 of Linksys Router IP

Linksys Internal Router IP:
Linksys Port Forwarding: HTTPS 443 -> RPi

RPi runs nginx with this site config:
server {
        listen 80;
        listen [::]:80;
        root /www/;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate          /etc/letsencrypt/live/;
        ssl_certificate_key      /etc/letsencrypt/live/;

        root /www/;
        index index.php index.html index.htm;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        # Error & Access logs
        error_log /www/ error;
        access_log /www/;

        location / {
                index index.html index.php;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}

Now I'm getting this at the renew prompt:

pi@raspberrypi:/etc/nginx/sites-available $ sudo /etc/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)


Why is it Skipping?

In some places you have , in others you have . I assume you replaced the base domain in some places, and don't actually own . Otherwise, that would be a place to look for mismatches.

The validation server is getting a 404 when asking your Nginx server for the /.well-known file. Possibly it’s not hitting the server you think it is, or possibly the webroot directory in your config is wrong. I’d recommend that you double-check your Nginx logs to see if the request actually hit your server. If it is hitting your server, check the configured webroot directory in /etc/letsencrypt/renewal/ and make sure it’s still right.

Also, for the webroot method you’ll need something listening on port 80 and forwarding that to your nginx server as well (not just forwarding port 443).
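The two checks suggested above (did the request reach this nginx, and is the webroot path right) can be done by hand with the same trick certbot's webroot authenticator uses: drop a token file under `<webroot>/.well-known/acme-challenge/` and fetch it back over plain HTTP on port 80. The script below is an added example for this thread, not code from the posts or from certbot; the webroot path and base URL are arguments you supply (`/www/` and `http://127.0.0.1` on the Pi itself, or your domain from outside the LAN). The built-in offline demo serves a temporary directory on localhost so the logic can be exercised without any router involved.

```python
"""Webroot (http-01) reachability self-check.

Added example, not code from the original thread or from certbot. It mimics
what the webroot authenticator does: write a random token under
<webroot>/.well-known/acme-challenge/ and fetch it back over plain HTTP.
Run it against http://127.0.0.1 on the Pi to confirm the webroot path, and
against http://<your-domain> from outside the LAN to confirm that port 80 is
forwarded all the way to this nginx. A local pass plus an external 404 means
some other device is answering on port 80.
"""
import functools
import http.server
import os
import secrets
import shutil
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot):
    """Create a random token file where certbot would; return (token, path)."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def fetch_token(base_url, token, timeout=5):
    """GET <base_url>/.well-known/acme-challenge/<token>; return (status, body).

    status is None when nothing answered at all (refused, timeout, no route)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


def verify_webroot(webroot, base_url):
    """Place a token, fetch it, clean up; return (ok, diagnosis)."""
    token, path = place_token(webroot)
    try:
        status, body = fetch_token(base_url, token)
    finally:
        os.remove(path)
    if status == 200 and body.strip() == token:
        return True, "ok: challenge file served from this webroot"
    if status is None:
        return False, f"nothing answered on port 80: {body}"
    if status == 404:
        return False, ("404: a web server answered, but not from this webroot "
                       "(wrong webroot_map path, or port 80 forwarded to another host)")
    return False, f"unexpected HTTP {status}"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server for the offline demo; silences per-request logging."""
    def log_message(self, *args):
        pass


def demo_local():
    """Offline demo: serve a temporary webroot on 127.0.0.1 and run the check
    once against that webroot and once against an unrelated directory.
    Returns (ok_right, ok_wrong); expected (True, False)."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    other = tempfile.mkdtemp(prefix="acme-other-")
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        ok_right, _ = verify_webroot(webroot, base_url)
        ok_wrong, _ = verify_webroot(other, base_url)
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(webroot, ignore_errors=True)
        shutil.rmtree(other, ignore_errors=True)
    return ok_right, ok_wrong


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python3 webroot_check.py /www/ http://127.0.0.1
        ok, msg = verify_webroot(sys.argv[1], sys.argv[2])
        print(msg)
        sys.exit(0 if ok else 1)
    print("offline demo (right webroot, wrong webroot):", demo_local())
```

Running it on the Pi against `http://127.0.0.1` only proves the webroot path; the external run from a host outside the LAN is the one that reproduces what the Let's Encrypt validation server sees, and a 404 there while nginx's access log stays empty points at the port 80 forwarding rather than the nginx config.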

Neither port 80 nor 443 is now accessible from the Internet.

Ok, yeah, I tried to replace the actual domain, but I guess I missed some :disappointed:

I don't think it's hitting my server, because checking the RPi logs for nginx I get no activity for today.
I checked the file but don't see anything off:

# renew_before_expiry = 30 days
version = 0.16.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = webroot
installer = None
account = be4f74hfkd929g4e5ce
[[webroot_map]] = /www/

What do you mean by needing something for port 80 on the webroot method?

Never mind, I got it. I had my Linksys router port forwarding HTTP 80 to one place and HTTPS 443 to another. At the same time that I was trying to renew the SSL cert on 443 by forwarding the IP to the RPi nginx, I was also trying out an Arduino WiFi shield remote access, which required me to forward HTTP 80 to the WiFi shield.

I guess I can't do both at the same time :slight_smile:


