today returned the following error. No configuration has been changed since last renewal which finished fine.
If anyone has any idea, please help.
Processing /etc/letsencrypt/renewal/gitlab.spartagency.com.conf
2019-06-05 14:37:50,126:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/gitlab.spartagency.com.conf produced an unexpected error: Failed authorization procedure. office.spartagency.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.spartagency.com/.well-known/acme-challenge/e9itqHxvw8ZcT2OF2oZWkEnPUaQrEpsrpKusYOkursM [89.216.22.59]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gitlab.spartagency.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: office.spartagency.com
Type: unauthorized
Detail: Invalid response from http://office.spartagency.com/.well-
known/acme-challenge/e9itqHxvw8ZcT2OF2oZWkEnPUaQrEpsrpKusYOkursM
[89.216.22.59]: "\r\n404 Not
Found\r\n<body bgcolor="white">\r\n
404
Not Found
\r\n"
Domain: gitlab.spartagency.com
Type: unauthorized
Detail: Invalid response from http://gitlab.spartagency.com/.well-
known/acme-challenge/n5zsAuX9FNpH66kOVIbofGcHIRRonL2FITgwxs63yEQ
[89.216.22.59]: "\r\n404 Not
Found\r\n<body bgcolor="white">\r\n
404
Not Found
\r\n"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Using --standalone indicates that Certbot will be binding a small webserver to port 80 to respond to HTTP-01 challenges.
The HTML output you're seeing in the urn:acme:error:unauthorized error from Let's Encrypt seems to indicate there's another webserver actually answering the HTTP-01 challenge verification requests, and serving page content instead of a challenge response.
My requests to office.spartagency.com are showing a Server: nginx header in the response. Did you previously have something in your Nginx config that would direct requests to /.well-known/acme-challenge/ to the Certbot standalone server? In general are you sure that nothing has changed in the way that HTTP requests to the failing domains are routed?
Have you considered using the Certbot nginx plugin instead? It would let you renew this certificate without having to take down the Nginx instance by having Certbot write the HTTP-01 challenge response into the Nginx webroot.
It's difficult to diagnose your problem since I assume you've started the Nginx instance again. To be able to help we would likely need to see what is happening when Nginx is stopped and Certbot --standalone is running. Using Certbot's native nginx plugin is likely a better path forward unless there's a reason it can't be used in your environment.
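A quick pre-flight check for the routing question raised above, written as an added example (it is not Certbot's code and not from this thread): it drops a throwaway token under the webroot's /.well-known/acme-challenge/ directory, fetches it over plain HTTP for each domain, and reports whether the reply came from this host or from something else answering port 80. It assumes nginx serves the directory given in WEBROOT for these names and that curl is installed.

```shell
#!/bin/sh
# Pre-flight check for HTTP-01 routing (added example, not Certbot's own code).
# Assumption: nginx serves $WEBROOT for the domains being checked on port 80.

WEBROOT="${WEBROOT:-/var/www/html}"   # assumed vhost root; override as needed

# Does the fetched body equal the token we placed? Exit 0 when it does.
acme_path_reaches_us() {
  expected="$1"; body="$2"
  [ "$body" = "$expected" ]
}

# Describe what answered instead of us, so the report points at the cause.
describe_answer() {
  body="$1"
  case "$body" in
    *"404 Not Found"*) echo "another web server answered with 404 (port 80 is routed elsewhere or the path is not served)";;
    "")                echo "empty response (nothing reachable on port 80 for this name)";;
    *)                 echo "unexpected content";;
  esac
}

# Place a token, fetch it via the public name, remove it, report the result.
probe_domain() {
  domain="$1"
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  body=$(curl -s --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
  rm -f "$dir/$token"
  if acme_path_reaches_us "$token" "$body"; then
    echo "$domain: OK, challenge path is served by this host"
    return 0
  fi
  echo "$domain: FAIL, $(describe_answer "$body")"
  return 1
}

# Usage: sh acme-preflight.sh gitlab.example.com office.example.com
main() {
  rc=0
  for d in "$@"; do probe_domain "$d" || rc=1; done
  return $rc
}
if [ "$#" -gt 0 ]; then main "$@"; exit $?; fi
```

Run it before `certbot renew`; a FAIL line with the 404 description means port 80 for that name is reaching a different server than the one holding the webroot, which is exactly the situation the error output above shows.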
In the end it was the router configuration, which forwarded port 80 to a different virtual machine. What differed from other times is that this time the cert had actually expired, so it didn't use tls-sni for renewal but http, and the challenge ended up on a different server.