/.well-known/acme-challenge directory is empty

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
./certbot-auto certonly --webroot -w /var/www/ghost -d halistechnology.com -d www.halistechnology.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for halistechnology.com
http-01 challenge for www.halistechnology.com
Using the webroot path /var/www/ghost for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/ghost/.well-known/acme-challenge
Failed authorization procedure. halistechnology.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://halistechnology.com/.well-known/acme-challenge/zEutXEGLVM5kWMOBAQavnDSJzWOeMglSA1PbWHrMazs: "

404 Not Found

404 Not Found


", www.halistechnology.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.halistechnology.com/.well-known/acme-challenge/S4pdo-lnd_zDb6N6IsW4TDk1x87KHaU0IR5E2ouCv2w: " 404 Not Found

404 Not Found


"

IMPORTANT NOTES:

My web server is (include version):
nginx/1.4.6

The operating system my web server runs on is (include version):
Ubuntu (trusty)

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Hi @halis,

If you make a file /var/www/ghost/test.txt, do you see its contents at http://www.halistechnology.com/test.txt?

And if you make a file /var/www/ghost/.well-known/acme-challenge/test2.txt, do you see its contents at http://www.halistechnology.com/.well-known/acme-challenge/test2.txt?
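The check suggested in the reply above can be scripted; the following is an added example, not part of the original thread and not Certbot code. It writes a random probe file under the webroot you intend to pass to -w, fetches it over HTTP, and reports whether the web server really serves that directory. The names probe_webroot and CHALLENGE_DIR are hypothetical, and the script assumes Python 3.8+ and write access to the webroot.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path used by http-01


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a random probe file under webroot and fetch it over HTTP.

    Returns (ok, detail). ok is True only when the server returns exactly
    the bytes that were written, i.e. the webroot given to -w is the
    directory the web server serves for this host.
    """
    name = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32).encode()
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    # Side effect: creates the challenge directory if it does not exist.
    challenge_dir.mkdir(parents=True, exist_ok=True)
    probe = challenge_dir / name
    probe.write_bytes(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read()
    except urllib.error.HTTPError as exc:
        # A 404 here is the failure from the thread: wrong document root.
        return False, f"HTTP {exc.code} for {url}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"request failed for {url}: {exc}"
    finally:
        probe.unlink(missing_ok=True)  # always remove the probe file
    if served != body:
        # A 200 with other content usually means a rewrite or app catch-all.
        return False, f"{url} returned different content"
    return True, f"{url} is served from {challenge_dir}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: probe_webroot.py WEBROOT BASE_URL")
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

urlopen follows redirects but, unlike the CA's http-01 validation, verifies TLS certificates, so a redirect to HTTPS with an expired certificate is reported as a failure here.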

Ah that was the issue, I created the same directory under /var/www instead and changed my command to use /var/www and then it worked.

Once a cert is renewed, does it take a while to show up in the browser as secure? It still says insecure…

No, it's instantaneous. But if you use certbot certonly instead of certbot renew (the recommended form for renewals, which checks what certificates are less than 30 days from expiry and then renews those), or if you didn't use an installer plugin when you originally obtained a certificate (like if you used certbot certonly the first time that you got the certificate, which is almost certainly the case with --webroot), then Certbot doesn't restart your web server for you. If you restart or reload the web server, it should notice the new certificate.

A recommended way to do this automatically with certificates that were obtained via --webroot is

certbot renew --renew-hook "service apache graceful"

or a similar command for your web server/environment.

I had also run the renew command and that didn’t work either BUT you are correct again, restarting nginx picked up the new cert!

Thank you for your help, I don’t know that much about SSL and certs and how it all works.

If you don’t have the --renew-hook set at or before the time that the renewal happens, then Certbot doesn’t tell the web server to restart so you have to tell it separately. Glad it worked!
