Ubuntu and nginx - Incorrect Web Root Configuration Means Challenges Do Not Pass

Hello,
Yesterday my site's SSL certificate expired. The server tried to auto-renew, but it didn't succeed. This site has run for 2 years with Let's Encrypt with no issues; yesterday it happened :frowning:

I run this command: /opt/letsencrypt/letsencrypt-auto renew

It produced this output: (I replaced my site's real address here with my-site-address.com)

root@localhost:~# /opt/letsencrypt/letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/my-site-address.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-site-address.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/my-site-address.com.conf produced an unexpected error: Failed authorization procedure. my-site-address.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my-site-address.com/.well-known/acme-challenge/RE7_4X-GtV3KIV1AUjlA1oGjMxykWPnyVGr9zZ--czA: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html ". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/my-site-address.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: my-site-address.com
   Type:   unauthorized
   Detail: Invalid response from
   http://my-site-address.com/.well-known/acme-challenge/RE7_4X-GtUJGJHGJGGJ8787867876ae98hhdsaug--czA:
   "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is : Ubuntu 14.04
My web server is : nginx/1.4.6 (Ubuntu)

I can login to a root shell on my machine

Please help me fix it
thank you
John

Hi @Nic_John,

This makes it sound like the webroot directory that’s been used before is no longer valid. That is, creating files within that particular directory no longer makes them appear in the same place on your site.

You can find out what the webroot directory is from looking at the contents of /etc/letsencrypt/renewal/my-site-address.com.conf. Then you can consider whether that directory is still correct for that purpose or if it could have changed somehow.

If you think it’s still correct, can you try creating a text file within it and then seeing whether that same file is directly visible on your web site under the corresponding name? For example, if your webroot were /var/www/html, would creating /var/www/html/test.txt make its contents visible on the web at http://my-site-address.com/test.txt?

Thanks for reply

Here is my site config file /etc/letsencrypt/renewal/my-site-address.com.conf

# renew_before_expiry = 30 days
version = 0.11.1
cert = /etc/letsencrypt/live/my-site-address.com/cert.pem
privkey = /etc/letsencrypt/live/my-site-address.com/privkey.pem
chain = /etc/letsencrypt/live/my-site-address.comt/chain.pem
fullchain = /etc/letsencrypt/live/my-site-address.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/my-site-address.com

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 17aef5d6859590594358762kljkfc3
[[webroot_map]]
my-site-address.com = /var/www/letsencrypt

But my web root is /var/www.
There is a folder /var/www/letsencrypt/, but it's empty; inside it there is a folder .well-known.
I put a test.txt file into /var/www so I can access http://my-site-address.com/test.txt,
but when I put a txt file in /var/www/letsencrypt/ it does not work.
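The check described in the first reply (write a file into the configured webroot and confirm it is served at the matching URL), run against the renewal config format posted above, as an added example that is not part of the original thread and not certbot's own code. It assumes the configobj-style layout with a [[webroot_map]] subsection shown in the post; the probe filename, the fetcher signature and the sample config (account id is a placeholder) are this example's own.

```python
"""Verify that the webroot certbot will use for http-01 actually serves files
at http://<domain>/.well-known/acme-challenge/<token>.

Added example, not part of the original thread or of certbot. It parses the
renewal .conf format shown in the thread and performs the probe-file test
the first reply describes. Assumed: conf layout, probe filename, fetch signature.
"""
import os
import secrets
import sys
import urllib.request
from typing import Callable, Dict, Optional

# Constructed sample of /etc/letsencrypt/renewal/<domain>.conf, mirroring the
# one posted in the thread (the account id is a placeholder, not a real value).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.11.1
cert = /etc/letsencrypt/live/my-site-address.com/cert.pem
archive_dir = /etc/letsencrypt/archive/my-site-address.com

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = ACCOUNT_ID_PLACEHOLDER
[[webroot_map]]
my-site-address.com = /var/www/letsencrypt
"""


def parse_webroot_map(conf_text: str) -> Dict[str, str]:
    """Return {domain: webroot} from the [[webroot_map]] subsection only."""
    webroots: Dict[str, str] = {}
    in_map = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Any section header switches context; only [[webroot_map]] is ours.
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            key, _, value = line.partition("=")
            webroots[key.strip()] = value.strip()
    return webroots


def http_fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Fetch a URL over plain HTTP, which is what the ACME validator does."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


def probe_webroot(domain: str, webroot: str,
                  fetch: Callable[[str], Optional[bytes]] = http_fetch) -> bool:
    """Write a random token file under <webroot>/.well-known/acme-challenge and
    confirm the exact same bytes come back from the public URL. `fetch` is
    injectable so the logic can be exercised without a network."""
    token = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_bytes(16).hex().encode()
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as f:
        f.write(body)
    try:
        got = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
        # A mis-mapped webroot returns the site's HTML page (as in the error
        # above) or nothing at all, never the token bytes just written.
        return got is not None and got.strip() == body
    finally:
        os.remove(path)


def main() -> None:
    if len(sys.argv) != 2:
        print("usage: check_webroot.py /etc/letsencrypt/renewal/<domain>.conf")
        return
    with open(sys.argv[1]) as f:
        text = f.read()
    for domain, webroot in parse_webroot_map(text).items():
        ok = probe_webroot(domain, webroot)
        state = "serves" if ok else "does NOT serve"
        print(f"{domain}: webroot {webroot} {state} challenge files")


if __name__ == "__main__":
    main()
```

Run it as root with the renewal conf path; a "does NOT serve" result for a domain means the mapped directory (here /var/www/letsencrypt) is not what nginx exposes at the site root, which is exactly the mismatch in this thread.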

Hi @Nic_John,

It is a little peculiar that the indicated webroot directory is /var/www/letsencrypt. I’m not really sure how this came to happen but it’s probably the reason for your problem.

One minimally invasive option might be to delete /var/www/letsencrypt and replace it with a symbolic link to the correct webroot location, for example by running as root:

rm /var/www/letsencrypt/.well-known/acme-challenge/*
rmdir /var/www/letsencrypt/.well-known/acme-challenge /var/www/letsencrypt/.well-known /var/www/letsencrypt
# target first, link name second: /var/www/letsencrypt becomes a link to /var/www
ln -s /var/www /var/www/letsencrypt

After doing this your renewal will probably succeed with your existing configuration.

As an alternative strategy, you can update the renewal configuration to refer to the correct location, as follows:

You can probably renew once manually with a command line something like

certbot certonly --cert-name my-site-address.com --webroot -w /var/www -d my-site-address.com

Once this has succeeded (with the “Congratulations” message), the settings should be saved and future attempts to use certbot renew should work properly.

I had done this before your last message came.

I edited /etc/letsencrypt/renewal/my-site-address.com.conf
and changed my-site-address.com = /var/www/letsencrypt
to
my-site-address.com = /var/www and saved it.

Then I ran this command: /opt/letsencrypt/letsencrypt-auto renew
and got the “Congratulations” message. After I restarted nginx,
it now works fine and the SSL certificate is updated.
Is this the proper way?
Or
do I need to follow the procedure from your last reply?
Thanks

What you did works too. :smile:

You may want to tidy up and delete /var/www/letsencrypt if you no longer need it, but you don’t have to do anything else.

Agreed, your solution is perfectly fine! I’m glad it’s working for you now.

Thank you so much for your kind help and support :heart:
