I have a nginx docker that I use as reverse proxy. I been trying to auto renew my certs lately and followed this blog to do so. I had my certs working before but now they are not working.

My domain is:

I ran this command:
certbot certonly –webroot -w /var/www/certbot -d 1040nra.com

It produced this output:

*Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification…
Challenge failed for domain 1040nra.com
Challenge failed for domain www.1040nra.com
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Cleaning up challenges
Some challenges have failed.


The following errors were reported by the server:

Domain: 1040nra.com
Type: unauthorized
Detail: Invalid response from
[]: “\r\n404 Not

404 Not
Domain: www.1040nra.com
Type: unauthorized
Detail: Invalid response from
[]: "\r\n404 Not
404 Not

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.*

My web server is (include version): spring boot [tomcat]

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot –version or certbot-auto –version if you’re using Certbot):


server {
listen 80;
server_name 1040nra.com;
server_tokens off;

       location /.well-known/acme-challenge/ {
            allow all;
           root /var/www/certbot;

    return 301 https://www.1040nra.com$request_uri;

server {
    listen 443 ssl;
    server_name 1040nra.com;
    ssl_certificate /etc/letsencrypt/live/1040nra.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/1040nra.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
         proxy_pass http://1040nra.com;
         proxy_http_version 1.1;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;

Docker compose

image: nginx:1.15-alpine
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
- 80:80
- 443:443
- keycloak
- dt-app
- keycloak
- dt-app
command: “/bin/sh -c ‘while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g “daemon off;”’”
image: certbot/certbot
restart: unless-stopped
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
entrypoint: “/bin/sh -c ‘trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;’”

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

1 answer


I think that you are experiencing the problem because you don’t have your www version added in your server_name list. I would recommend trying to add it and then test again. It should look something like this for both your http and https server blocks:

server_name 1040nra.com www.1040nra.com;

Then run a config test with nginx -t and if you get Syntax OK run a quick restart and then try again.

Hope that this helps!

Submit an Answer