I followed this tutorial:

I got to the part where the command is ./letsencrypt-auto and it returns this:

Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/QPUDzybZszvcrjQ1a7ShzMHBbiq8pYCmbN1y8p_K5Dw [server_ip]: 404, www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/VtyUCMvp2hX_80e-x84T-X8Be94xPiPiPsBxbj_pP04 [server_ip]: 404

 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from http://example.com/.well-known
   [server_ip]: 404

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from http://www.example.com/.well-
   [server_ip]: 404

The site redirects to https automatically using nginx config, and this error is returned whenever I run the renewal command.

The directory .well-known exists on the server, but even in the browser it returns 404, and I don’t know why.

  • Looks like you did not change the configuration, as it has example.com?
    I think you may have missed the “Create a Let’s Encrypt Configuration File” steps with the config file. It has example.com but you have to change it for your domain values (and subdomains also have to reside in there, if you wish https for them too).

    PS. it’s not supposed to be able to run via your browser, so do not change it so you can :)

  • It’s hard to help without more information. Could you share your configuration and the actual command you are calling? A 404 suggests that your acme-challenge is unreachable. Make sure that you updated the path to your webroot when running the renewal command.

    • ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

    Replace /usr/share/nginx/html with where your files are located, e.g. /var/www/html


I had exactly the same problem and all my attempts to renew failed.
I ran this and it renewed my certificate:

/root/certbot-auto renew --force-renew

The interesting part is that my certificate was 100% expired, but when I ran a plain renew I got the following message:

/root/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/i_wont-tell-you-my-domain.com.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/i_wont-tell-you-my-domain.com/fullchain.pem (skipped)
No renewals were attempted.

I suspect there is still a bug in letsencrypt.

Solved the issue with the exact same error message and 404 that @mrparker had. What I did was:

  1. realized I was missing a .well-known folder for some reason, so I added an empty one with mkdir .well-known
  2. ran sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com and it renewed it properly and gave me the “congrats!” message
  3. then I sudo service nginx reload and then sudo letsencrypt renew --force-renew and I no longer got the 404 error for the renew, then did sudo service nginx reload again

Hope this helps someone.

Did you change “example.com” with your own domain?

I have the same problem here.
mrparker, have you found the solution? Would you mind sharing/updating it here?

Same here!!
Failed authorization procedure. www.whatever.xyz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.whatever.xyz/.well-known/acme-challenge/KHgDiTKrSrPK4a9F6t_kqZB6S-jjjyAcIZQ66SFl14I:

I faced the problem too and fixed it with 3 actions:

  1. Set the PATH variable on Debian, because I also got the error “ldconfig not found in path”:
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  2. Manually created the directory /var/www/mysite/.well-known/acme-challenge

  3. Added a root line to the location block:

    location ~ /.well-known {
        allow all;
        root /var/www/mysite;
    }

After that I was able to run the renew command successfully:
/opt/letsencrypt/letsencrypt-auto renew
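
A pre-flight check for the 404 discussed in the answers above, added here as an example and not part of any poster's answer: it writes a probe file under the webroot and fetches it over HTTP, so a mismatch between --webroot-path and the nginx root shows up before the renewal is run. The function names and the probe file naming are assumptions made for this example, and it needs curl.

```shell
#!/bin/sh
# Added example: pre-flight check for the webroot http-01 challenge.
# Usage after sourcing this file (paths and domain as used in the thread):
#   preflight /var/www/html http://example.com

# Create <webroot>/.well-known/acme-challenge and drop a probe file in it.
# Prints the probe's file name; the file's content is the same string.
make_probe() {
    mp_dir="$1/.well-known/acme-challenge"
    mkdir -p "$mp_dir" || return 1
    mp_name="probe-$$-$(date +%s)"
    printf '%s' "$mp_name" > "$mp_dir/$mp_name" || return 1
    chmod 644 "$mp_dir/$mp_name"
    printf '%s\n' "$mp_name"
}

# Fetch the probe the way the CA's validator would: plain HTTP first,
# following redirects. -k is used for this probe only, because the validator
# does not verify the certificate after an HTTP->HTTPS redirect and the
# existing certificate may already be expired.
check_probe() {
    cp_body=$(curl -fsSLk --max-time 10 \
        "$1/.well-known/acme-challenge/$2") || return 1
    [ "$cp_body" = "$2" ]
}

# Returns 0 if the probe is served, 1 if it is not (the 404 case), and 2 if
# the webroot is not writable. The probe is removed once it has been fetched.
preflight() {
    pf_name=$(make_probe "$1") || {
        echo "cannot write under $1/.well-known/acme-challenge" >&2
        return 2
    }
    if check_probe "$2" "$pf_name"; then
        pf_rc=0
        echo "OK: $2 serves files from $1"
    else
        pf_rc=1
        echo "FAIL: $2 does not serve $1/.well-known/acme-challenge/" >&2
        echo "      compare --webroot-path with the nginx root" >&2
    fi
    rm -f "$1/.well-known/acme-challenge/$pf_name"
    return "$pf_rc"
}
```

A return code of 1 with the directory present on disk points at the nginx side (root or location block) rather than at certbot.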


More a suggestion than an answer: it sucks if the renewal breaks and you don’t realise.

I wrote https://IsItWorking.info to let you monitor your SSL certificates. It warns you if they get close to expiry. That way if something goes wrong in future, you’ll be notified.

And yes, it uses Let’s Encrypt and is hosted on DO :)
