To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot --nginx certonly

It produced this output:
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization ::

My web server is (include version):

The operating system my web server runs on is (include version):
Description: Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): AWS/EC2/Route53

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi @it.specialist, and welcome to the LE community forum :slight_smile:

There is a problem with the handling of the challenge requests.
It seems that all requests are replied with "It works" (as shown below).
Please show the output of:
nginx -T

It works
1 Like

For now, I just had an index.php file in the domains root folder. Its content just echo "it works";
THat is very simple and should not be giving issues don't you think?

Output of nginx -T

worker_processes 1;                                                                                                 
pid /run/;                                                                                                 
include /etc/nginx/modules-enabled/*.conf;                                                                          
events {                                                                                                            
        worker_connections 768;                                                                                     
        multi_accept on;                                                                                            
http {                                                                                                              
        # Basic Settings                                                                                            
        sendfile on;                                                                                                
        tcp_nopush on;                                                                                              
        tcp_nodelay on;                                                                                             
        keepalive_timeout 15;                                                                                       
        types_hash_max_size 2048;                                                                                   
        server_tokens off;                                                                                          
        client_max_body_size 64m;                                                                                   
        # server_names_hash_bucket_size 64;                                                                         
        # server_name_in_redirect off;                                                                              
        include /etc/nginx/mime.types;                                                                              
        default_type application/octet-stream;                                                                      
        # SSL Settings                                                                                              
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE                                          
        ssl_prefer_server_ciphers on;                                                                               
        # Logging Settings                                                                                          
        access_log /var/log/nginx/access.log;                                                                       
        error_log /var/log/nginx/error.log;                                                                         
        # Gzip Settings                                                                                             
        gzip on;                                                                                                    
        # gzip_vary on;                                                                                             
        gzip_proxied any;                                                                                           
        gzip_comp_level 2;                                                                                          
        # gzip_buffers 16 8k;                                                                                       
        # gzip_http_version 1.1;                                                                                    
        gzip_types text/plain text/css application/json application/javascript t                                    
ext/xml application/xml application/xml+rss text/javascript;                                                        
        # Virtual Host Configs                                                                                      
        include /etc/nginx/conf.d/*.conf;                                                                           
        include /etc/nginx/sites-enabled/*;                                                                         
        server {                                                                                                    
                listen 80 default_server;                                                                           
                listen [::]:80 default_server;
				server_name _;
                return 444;


#mail {
#       # See sample authentication script at:
#       #
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;
	image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/         m3u8;
    application/              xls;
    application/         eot;
    application/         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/  kml;
    application/      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    d
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          x
    application/vnd.openxmlformats-officedocument.presentationml.presentation  p

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
	video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;

# configuration file /etc/nginx/sites-enabled/modamarieclaire.aliases:
server {
     listen 80;
     listen [::]:80;
     server_name modamarieclai modestclassy. marieclaire.s
tore modama www.modamarieclaire.inf
o www.modam modamarieclaire.
site mod www.modamarie _;

     error_log  /var/www/html/;

     root  /var/www/html/;
     index index.html index.php;

     location / {
         try_files $uri $uri/ /index.php?$args;

     location = /favicon.ico {
         log_not_found off;
         access_log off;

     location ~ \.php$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+.php)(/.+)$;
         fastcgi_pass unix:/run/php/php7.4-fpm.sock;
         fastcgi_read_timeout 3600;
         fastcgi_index index.php;
         fastcgi_buffers 16 16k;
         fastcgi_buffer_size 32k;
         include fastcgi_params;
# Necessary for Let's Encrypt Domain Name ownership validation
#location ~ /.well-known {
#  allow all;

# configuration file /etc/nginx/fastcgi_params:
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

# configuration file /etc/nginx/sites-enabled/
server {
        listen 80;
        listen [::]:80; # ipv6only=on;

        listen 443 ssl;
        listen [::]:443 ssl; # ipv6only=on;

        root /var/www/html/;

        index index.html index.htm index.php;

        server_name _;#modamarieclai m www.modestclassy
.au www.modamarieclai www.mod modamariecla www.modamar modamarieclaire.x
yz _;

        ssl on;
        ssl_certificate /etc/ssl/;
        ssl_certificate_key /etc/ssl/

        location / {
                #rewrite ^/(.*)$ //$1 redirect;
                try_files $uri $uri/ @handler;

        location ~ \.php$ {
                try_files     $uri @handler;
                fastcgi_split_path_info  ^(.+\.php)(/.+)$;
                fastcgi_index            index.php;
                fastcgi_pass             unix:/var/run/php/php7.4-fpm.sock;
                include                  fastcgi_params;
                fastcgi_read_timeout 300;
                fastcgi_param   PATH_INFO       $fastcgi_path_info;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name

        location @handler {
                rewrite ^/sitemap.xml(\?.+)?$ /cart.php?target=sitemap;
                rewrite ^/(.*)$ /cart.php?url=$1 last;

1 Like

I have tried to put here the output of nginx -T but it was deleted by the forum system

1 Like

Try adding backticks [key found normally above TAB key] above (and below) the post.
the nginx output goes here

You can also post it on any public site.
like: paste.bin
then post the link to it here.


You can see it here

1 Like

Try making the challenge path and placing a test text file there.

mkdir -p /var/www/html/
echo "test" > /var/www/html/`

Then we can test access to it with:


Also, you must have already changed something!:

<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>

Like this change:

location ~ /.well-known {                                       
  allow all;                                                    

What else have you changed?


Nothing else. Apologies as I was waiting for your response I remember I had commented on the above. I was just placing back the way it was to see if would make a difference.

1 Like

I have done this

1 Like

This works here now.
Please try again.


This is the current nginx -T output:

1 Like

certbot certificates


root@ip-172-31-6-215:/# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

No certs found.

1 Like


certbot certonly \
--webroot -w /var/www/html/ \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \
-d \

Feel free to add or remove any names to that list.


You should remove this or replace it with

        server {                                                                                                    
                listen 80 default_server;                                                                           
                listen [::]:80 default_server;
                server_name _;
                return 301 https://$host$request_uri;

For this reason:


Also, don't do this:

Just use port 443. Let the other server block handle port 80 and the redirect.

And this sounds incredibly redundant:


I got this while trying to run that command:

root@ip-172-31-6-215:~# certbot certonly \
> --webroot -w /var/www/html/ \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d \
> -d
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certbot: error: unrecognized arguments: