Let's Encrypt Auto Renew Fails

February 24, 2016 20k views
Let's Encrypt Nginx Ubuntu
mrparker
By:
mrparker

I followed this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

I got to the part where the command is ./letsencrypt-auto and it returns this:

Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/QPUDzybZszvcrjQ1a7ShzMHBbiq8pYCmbN1y8p_K5Dw [server_ip]: 404, www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/VtyUCMvp2hX_80e-x84T-X8Be94xPiPiPsBxbj_pP04 [server_ip]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from http://example.com/.well-known
   /acme-challenge/QPUDzybZszvcrjQ1a7ShzMHBbiq8pYCmbN1y8p_K5Dw
   [server_ip]: 404

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from http://www.example.com/.well-
   known/acme-challenge/VtyUCMvp2hX_80e-x84T-X8Be94xPiPiPsBxbj_pP04
   [server_ip]: 404

The site redirects to https automatically using nginx config, and this error is returned whenever i run the renewal command.

The directory .well-known exists on the server, even in the browser it returns 404, which I don't know why.

2 comments
  • olavamjelde February 24, 2016

    Looks like you did not change the configuration as it has example.com ?
    I think you may have missed the "Create a Let's Encrypt Configuration File" steps with the config file. It has example.com but you have to change it for your domain values (and subdomains also have to reside in there, if you wish https for them too).

    PS. it's not supposed to be able to run via your browser, so do not change it so you can :)

  • asb MOD February 26, 2016

    It's hard to help without more information. Could you share your configuration and the actual command you are calling? A 404 suggests that your acme-challenge is unreachable. Make sure that you updated the path to your webroot when running the renewal command.

    • ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

    Replace /usr/share/nginx/html with where your files are located, e.g. /var/www/html

Log In to Comment
7 Answers
mylonasg88 November 2, 2016

I had exactly same problem and all my attempts to renew failed.
I run this and it renewed my certificate:

/root/certbot-auto renew --force-renew

The interesting part is that my certificate was expired 100% but when I run plain renew I had the following message:

/root/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/i_wont-tell-you-my-domain.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/i_wont-tell-you-my-domain.com/fullchain.pem (skipped)
No renewals were attempted.

I suspect there is a bug with letsencrypt yet.

Reply
AtAFork December 23, 2016

Solve issue of the same exact error message and 404 as @mrparker had. What I did was:

  1. realized I was missing a .well-known folder for some reason, so I added an empty one with mkdir .well-known
  2. ran sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com and it renewed it properly and gave me the "congrats!" message
  3. then I sudo service nginx reload and then sudo letsencrypt renew --force-renew and I no longer got the 404 error for the renew, then did sudo service nginx reload again

Hope this helps someone.

Reply
ddulic February 24, 2016

Did you change "example.com" with your own domain?

Reply
pdm August 17, 2016

I have the same problem here.
mrparker, have you find the solution? Would you mind to share/update it here?
Thanks.

Reply
alberosado7b5b4 September 28, 2016

same here!!
Failed authorization procedure. www.whatever.xyz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.whatever.xyz/.well-known/acme-challenge/KHgDiTKrSrPK4a9F6t_kqZB6S-jjjyAcIZQ66SFl14I:

Reply
akligom December 14, 2016

I faced the problem too and fixed it by 3 actions:

  1. Set Debian variable path, because I also got an error "ldconfig not found in path":
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  2. Made manually dir /var/www/mysite/.well-known/acme-challenge

  3. Added root line to location block:

    location ~ /.well-known {
    allow all;
root /var/www/mysite;
}


After that I became able to run renew command successfully:
/opt/letsencrypt/letsencrypt-auto renew

[Source](https://community.letsencrypt.org/t/404-on-well-known-acme-challenge/15565/11)
Reply
rob107421 March 30, 2017

more a suggestion than an answer: It sucks if the renewal breaks and you don't realise.

I wrote https://IsItWorking.info to let you monitor your SSL certificates. It warns you if they get close to expiry. That way if something goes wrong in future, you'll be notified.

and yes, it uses Let's Encrypt and is hosted on DO :)

Reply
Have another answer? Share your knowledge.

Related Questions