The client lacks sufficient authorization - renew not working


My certbot worked fine for several months and suddenly it stopped renewing the certificate.
No idea what's wrong..
Please advise


My domain is:

I ran this command: certbot renew --dry-run
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)


My web server is (include version): ubuntu 18.04.5 LTS (Bionic Beaver)

The operating system my web server runs on is (include version): PHP

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

My current certificate is valid until 19 - DEC

Please help


I forgot to mention that I did not use any sudo user......I used root
Do not know if it is important

That's your operating system.

PHP is a scripting language, not an operating system (nor a webserver).

Most users use Apache or nginx as their webserver. Which webserver are you using?

webserver is APACHE

OK, great, thanks.

Furthermore, this came across my eye:

You're using the manual authenticator. Did certbot ask you to put certain files at certain places? I'm not seeing that from your output.. Perhaps you're using a manual-auth-hook?

If you're not entering the details of the challenges manually, could you please share the contents of /etc/letsencrypt/renewal/ It doesn't contain sensitive info. Please put the output between two separate lines with three backticks (```).

Really not sure what I did...I ran a script and all worked fine for several months till now.

here is the output

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

account = 7d99b1a35422a64bc29c24a7d2380af4
must_staple = True
pref_challs = http-01,
authenticator = manual
manual_auth_hook = /opt/webinoly/lib/ex-ssl-authentication
manual_cleanup_hook = /opt/webinoly/lib/ex-ssl-cleanup
manual_public_ip_logging_ok = True
server =

OK, just as I thought, you're using a manual auth hook. What's that "webinoly"? I've never heard of it. Any idea where those scripts come from? How did you get the certificate in the first place? No offence, but it doesn't sound like you manually configured certbot, otherwise you probably would know how to debug this issue a little bit better.

Ok, interesting:

Linux Ubuntu + Nginx + MariaDB (MySQL) + PHP is one of the most reliable and powerful configurations to host your websites. With Webinoly you can set up your web server in just one step.

It says Webinoly uses Nginx.. A simple curl command indeed shows your webserver identifying itself as "nginx".. That's not Apache as you said earlier? I'm confused right now......

Sorry....As you realized..I am not a tech guy......
So it is nginx

Could you also please try to answer the questions from earlier?:

I think it's quite important to know how your setup came to be..

I followed these steps: (from command line)

add-apt-repository ppa:certbot/certbot
apt install python-certbot-nginx

Use webinoly script with this command:
wget -qO weby && sudo bash weby 3
site -proxy=[localhost:8082]

Install SSL with
site -ssl=on -root-path=/opt/traccar/web

verifying nginx installation with
sudo nginx -t

No errors so next step reload nginx with
systemctl reload nginx

that's all


still correct?

It looks like the Webinoly scripts use that stored path to write the challenge token to. If that root path has changed, you probably would like to update it. The script doesn't seem to have an update option, but perhaps you can turn SSL off and on again with the site command and -ssl=off and then repeat your previous command used to enable it, but now with the updated root.
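
The failure mode discussed above, as an added example that is not part of the original thread or of Webinoly: the http-01 validator requests `/.well-known/acme-challenge/<token>` over HTTP, so a hook that writes the token outside the directory the web server actually serves produces the 404 seen in the output. The local server, temporary directories and probe names are constructed stand-ins.

```python
import functools, http.server, os, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path prefix the http-01 validator requests
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

def write_probe(root, name, body="probe-ok"):
    """Write a test file where an auth hook would place the token under `root`."""
    target = os.path.join(root, CHALLENGE_DIR)
    os.makedirs(target, exist_ok=True)
    with open(os.path.join(target, name), "w") as fh:
        fh.write(body)
    return body

def fetch_probe(base_url, name, expected):
    """Return (HTTP status, body matches) as an external validator would see it."""
    url = f"{base_url}/{CHALLENGE_DIR}/{name}"
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode() == expected
    except urllib.error.HTTPError as err:
        return err.code, False

def serve(directory):
    """Serve `directory` on an ephemeral localhost port (stand-in for the web server)."""
    handler = functools.partial(QuietHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    """Compare a hook writing into the served root with one writing elsewhere."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        srv, base = serve(served)
        try:
            ok = fetch_probe(base, "probe-a", write_probe(served, "probe-a"))
            bad = fetch_probe(base, "probe-b", write_probe(other, "probe-b"))
        finally:
            srv.shutdown()
            srv.server_close()
    return {"root_matches": ok, "root_differs": bad}

if __name__ == "__main__":
    print(demo())
```

The same probe idea applies on a real host: place a test file under the configured root path's challenge directory and request it over plain HTTP from outside before running the renewal.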

No, root path has not changed.

So what would be the next step?

I'm not sure, but as you've used the site command to enable SSL on your site (which uses certbot internally), perhaps using that script for renewal works better. The script should recognise the renew command if I read the code correctly:

site -ssl=renew -root-path=/opt/traccar/web just activated ssl but does not renew the certificate

root@track1:~# site -ssl=renew -root-path=/opt/traccar/web
[ERROR] Invalid value for SSL command!
root@track1:~# site -ssl=on -root-path=/opt/traccar/web
SSL is already enabled for your site -

Please show the version of certbot in use:
certbot --version

[to be 100% sure]

Perhaps you can turn it off and on again with:

site -ssl=off
site -ssl=on -root-path=/opt/traccar/web

However, I would only use that as a last resort, i.e., when you don't get it working before the 19th.

Here is the version

certbot 0.31.0

Thanks, gave me the clue
I specified the path and searched and found this command.... -ssl=force-renewal

complete command :
site -ssl=force-renewal -root-path=/opt/traccar/web

and now my cert is renewed

Thanks a lot for your help
