.well-known/acme-challenge won't be created

My domain is: upgrade.sv-zoefelt.de

I ran this command:

certbot -d upgrade.sv-zoefelt.de --staging

It produced this output:

Challenge failed for domain upgrade.sv-zoefelt.de
http-01 challenge for upgrade.sv-zoefelt.de
Cleaning up challenges
Some challenges have failed.


My web server is (include version):


The operating system my web server runs on is (include version):

Linux hcloud 5.4.0-37-generic #41-Ubuntu SMP Wed Jun 3 18:57:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

Hetzner Cloud

I can login to a root shell on my machine :


I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes and No, i use CLI (sometimes Webmin)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.40.0

I can access the Webpage via http, and I can access the .well-known/acme-challenge/, I’ve created manually.

But if I run the above command. the acme-challange-file wouldn’t be created at least.

This is my vhost-file I’ve created for the domain:

<VirtualHost *>
ServerAdmin webmaster@sv-zoefeflt.de
ServerName upgrade.sv-zoefelt.de
DocumentRoot /var/www/sv-zoefelt.de/httpdocs/app/webroot
<Directory /var/www/sv-zoefelt.de/httpdocs/app/webroot>
Allowoverride all
CharsetDefault ISO-8859-1

ErrorLog {APACHE_LOG_DIR}/error.log CustomLog {APACHE_LOG_DIR}/access.log combined

How can I check, why the challange-file won’t be created by the certbot?

1 Like

I figured out following:

If I enter this in cli:

certbot certonly -d upgrade.sv-zoefelt.de --webroot

It works, but during creating this Certificate, it ask me to enter the webroot by typing it into the cli.

Why does the webroot not recognized by certbot by the domain-name?

1 Like

If you use --authenticator apache instead of --webroot, then Certbot will try to interpret your Apache configuration and do everything automatically.

When using --webroot, Certbot does not try to infer the webroot on its own. It’s a “dumb” mode which is totally unaware of your domains and webserver. You always need to specify the webroot manually in that case. FYI you can avoid being prompted by directly providing the webroot as part of the command:

--webroot -w /var/www/whatever

Sure. You could add a deploy hook as a flag:

--deploy-hook "service apache2 reload" # (or whatever command you use)

or by creating an executable shell script which does the same inside the /etc/letsencrypt/renewal-hooks/deploy/ directory.

The hooks are described in-depth here: https://certbot.eff.org/docs/using.html#renewing-certificates


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.