By: mrparker

Let's Encrypt Auto Renew Fails

February 24, 2016
Let's Encrypt Nginx Ubuntu

I followed this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

I got to the part where the command is ./letsencrypt-auto and it returns this:

    Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/QPUDzybZszvcrjQ1a7ShzMHBbiq8pYCmbN1y8p_K5Dw [server_ip]: 404, www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/VtyUCMvp2hX_80e-x84T-X8Be94xPiPiPsBxbj_pP04 [server_ip]: 404

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: example.com
       Type:   unauthorized
       Detail: Invalid response from http://example.com/.well-known
       /acme-challenge/QPUDzybZszvcrjQ1a7ShzMHBbiq8pYCmbN1y8p_K5Dw
       [server_ip]: 404

       Domain: www.example.com
       Type:   unauthorized
       Detail: Invalid response from http://www.example.com/.well-
       known/acme-challenge/VtyUCMvp2hX_80e-x84T-X8Be94xPiPiPsBxbj_pP04
       [server_ip]: 404

The site redirects to https automatically using nginx config, and this error is returned whenever I run the renewal command.

The directory .well-known exists on the server, but even in the browser it returns 404, and I don't know why.

2 comments
  • Looks like you did not change the configuration, as it has example.com?
    I think you may have missed the "Create a Let's Encrypt Configuration File" steps with the config file. It has example.com but you have to change it for your domain values (and subdomains also have to reside in there, if you wish https for them too).

    PS. it's not supposed to be able to run via your browser, so do not change it so you can :)

  • It's hard to help without more information. Could you share your configuration and the actual command you are calling? A 404 suggests that your acme-challenge is unreachable. Make sure that you updated the path to your webroot when running the renewal command.

    • ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

    Replace /usr/share/nginx/html with where your files are located, e.g. /var/www/html

6 Answers

I had exactly the same problem and all my attempts to renew failed.
I ran this and it renewed my certificate:

    /root/certbot-auto renew --force-renew

The interesting part is that my certificate was expired 100%, but when I ran plain renew I had the following message:

    /root/certbot-auto renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/i_wont-tell-you-my-domain.com.conf
    -------------------------------------------------------------------------------
    Cert not yet due for renewal

    The following certs are not due for renewal yet:
      /etc/letsencrypt/live/i_wont-tell-you-my-domain.com/fullchain.pem (skipped)
    No renewals were attempted.

I suspect there is still a bug with letsencrypt.

Did you change "example.com" to your own domain?

I have the same problem here.
mrparker, have you found the solution? Would you mind sharing/updating it here?
Thanks.

same here!!
Failed authorization procedure. www.whatever.xyz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.whatever.xyz/.well-known/acme-challenge/KHgDiTKrSrPK4a9F6t_kqZB6S-jjjyAcIZQ66SFl14I:

I faced the problem too and fixed it with 3 actions:

  1. Set the Debian PATH variable, because I also got an error "ldconfig not found in path":
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  2. Manually created the dir /var/www/mysite/.well-known/acme-challenge

  3. Added a root line to the location block:

    location ~ /.well-known {
        allow all;
        root /var/www/mysite;
    }

After that I was able to run the renew command successfully:

    /opt/letsencrypt/letsencrypt-auto renew

[Source](https://community.letsencrypt.org/t/404-on-well-known-acme-challenge/15565/11)

Solved the issue with the exact same error message and 404 that @mrparker had. What I did was:

  1. realized I was missing a .well-known folder for some reason, so I added an empty one with mkdir .well-known
  2. ran sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com and it renewed it properly and gave me the "congrats!" message
  3. then I sudo service nginx reload and then sudo letsencrypt renew --force-renew and I no longer got the 404 error for the renew, then did sudo service nginx reload again

Hope this helps someone.
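
An added example, not part of any answer above: a preflight check for the webroot mismatch that several replies point to. It writes a random probe file under the directory you pass as --webroot-path and fetches it over HTTP from the same URL prefix the http-01 challenge uses. The function name probe_webroot and the script name in the usage comment are assumptions made for this example.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def probe_webroot(webroot, base_url, timeout=10):
    """Return (ok, detail): is <webroot> what base_url serves for challenges?"""
    token = "probe-" + secrets.token_urlsafe(16)   # random file name
    body = secrets.token_urlsafe(32)               # random file content
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)         # same dir the webroot plugin uses
    path = os.path.join(target_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)                          # web server user must be able to read it
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    try:
        # urlopen follows redirects, so an HTTP -> HTTPS redirect is followed;
        # a certificate error on the redirect target is reported as unreachable.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # 404 here means nginx maps this URL to a different directory
        return False, "HTTP %d for %s" % (exc.code, url)
    except OSError as exc:                         # DNS, refused connection, TLS, timeout
        return False, "cannot reach %s: %s" % (url, exc)
    finally:
        os.remove(path)                            # never leave the probe behind
    if served.strip() != body:
        return False, "unexpected content: server is not serving this webroot"
    return True, "webroot is served at " + url


if __name__ == "__main__":
    # Usage (constructed values): python3 probe_webroot.py /usr/share/nginx/html http://example.com
    import sys
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it once per -d name with the same path you give to --webroot-path; a FAIL with HTTP 404 means the root that nginx uses for /.well-known differs from that path.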
