Hello everyone,
I have an existing production Ubuntu server hosting multiple websites that have successfully renewed Let's Encrypt certificates for well over a year. As of July 1, all certificate renewals suddenly began failing, causing every website on the server to go offline. The sites have now been down for approximately 72 hours.
I have never relied on automatic renewals. I have always manually executed Certbot renewals every 30–45 days, and they have always completed successfully until now.
Environment
- Ubuntu 24.04.4 LTS
- Nginx 1.28.3
- Certbot 4.0.0
- Multiple production websites hosted on the same VPS
- IPv4 and IPv6 configured
- DNS A and AAAA records verified
Existing Configuration
The Nginx virtual host configurations have remained essentially unchanged since they were created.
- Three sites have had the same configuration since November 2024.
- One additional site was added in December 2025 and has also renewed successfully since its deployment.
- No recent changes have been made to the Nginx virtual hosts.
nginx -treturns:
syntax is ok
test is successful
The active Nginx configuration (nginx -T) confirms that each virtual host explicitly contains both the apex domain and the www hostname in the server_name directive.
Current Problem
Running:
certbot renew --dry-run -v
fails for every website.
The Certbot logs repeatedly contain:
Generated server block:
[]
followed by:
AuthorizationError: Some challenges have failed
Additional Testing
I tested using the webroot authenticator instead of the Nginx plugin.
Testing only the apex domain succeeds:
certbot certonly --webroot -w <webroot> -d example.com --dry-run
However, requesting both the apex domain and the www hostname fails:
certbot certonly --webroot -w <webroot> -d example.com -d www.example.com
The failure is:
Challenge failed for domain www.example.com
Type: unauthorized
Detail:
Invalid response from
http://www.example.com/.well-known/acme-challenge/<token>
404
The challenge directory exists and Certbot creates the challenge file correctly.
Testing with curl confirms the same behavior:
curl -4 http://www.example.com/.well-known/acme-challenge/test
returns:
404
and
curl -6 http://www.example.com/.well-known/acme-challenge/test
also returns:
404
What Has Been Verified
- DNS A records are correct.
- DNS AAAA records are correct.
- IPv6 is configured and active.
- Nginx configuration is valid.
- The renewal configuration has not changed and continues to use:
authenticator = nginx
installer = nginx
Request for Assistance
At this point, I am looking for the fastest path to restoring service.
Specifically:
- What would cause the Certbot Nginx plugin to report:
Generated server block: []
on an existing production configuration that has successfully renewed certificates for over a year?
- Why would the HTTP-01 challenge consistently return a 404 for the
wwwhostname even though both hostnames are explicitly defined in the active Nginx server block? - Is there a recommended method to restore certificate issuance immediately without rebuilding or significantly modifying a production Nginx configuration that has been stable for over a year?
- Has anyone experienced this behavior with Certbot 4.0.0 on Ubuntu 24.04, and if so, what was the resolution?
I can provide complete Certbot logs, the relevant Nginx virtual host configuration, renewal configuration, and any additional diagnostics that would help identify the issue.
Any guidance is greatly appreciated. My immediate priority is restoring HTTPS service across all hosted websites.