So LetsEncrypt is obviously pretty cool for free and mostly automatic installation of TLS certificates, but on a site that is still under development (and not touched for over a month) the 90 day expiry is (imho) a bit of a problem, and I hadn't installed a cron job to auto-renew the cert. I'm also nervous about such a widespread automation feature that, if compromised, would immediately affect hundreds of thousands of servers around the world.

Since the cert had expired, FF wouldn't let me onto the site, so I logged into the server, made sure everything was up to date (Ubuntu/RaspPi) and tried to run certbot renew, and then saw the error "unauthorized", "Invalid response from URL"!

It's always a bit annoying when something that is supposed to just work just doesn't, so onto Google for some help.

The "challenges" were not present on the server, but apparently certbot deletes them after the validation passes or fails, so that was no help. Interestingly, though, the acme-challenge folder was not present either. I re-created it to make sure I hadn't accidentally deleted it, but still no dice.

Certbot should be able to follow redirects (my site is set up as HTTPS only), so I added a test file into /acme-challenge and curled it - it worked fine after the 301, but still no joy!

I then modified the config for the site so that HTTP requests for .well-known would not be redirected (although Lets Encrypt is supposed to ignore cert errors like expired certs). I tested that it worked with curl, but certbot was still failing, always showing the same error.

I then tried with the verbose flag set (-vvvv) and all I could see was this:

Creating root challenges validation dir at /home/pi/www/frontend/web/.well-known/acme-challenge
Creating root challenges validation dir at /home/pi/www/frontend/web/.well-known/acme-challenge
Attempting to save validation to /home/pi/www/frontend/web/.well-known/acme-challenge/E6qaqKvXDbzhpEzuzJfZWfHDjQS69gUVoCURymPU2cY
Attempting to save validation to /home/pi/www/frontend/web/.well-known/acme-challenge/BUxHgfEjQOCve47PhkkjATwyzSxYocl7giIK_XcU-zQ

Where the word "attempting" was not exactly helpful!

That's when I spotted that the site had been moved! certbot was not looking in the correct location, which is possibly because it was the only site on the box to begin with but was then moved into a subfolder. Nginx had been updated so the site worked, but certbot had lost its way.

What I did to get round it was simply to run sudo certbot certonly --standalone, enter the site name again and get it to generate me the new certs (which I now specified with www in the domain name) so they were stored in a separate folder. Then all I had to do was update the nginx config to point to the new certs and... hey presto... all back up and running!
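The root cause above was a stale webroot: certbot kept writing challenge files to the path it had recorded at first issuance, while nginx was serving the site from somewhere else. The script below is an added example (not from the original post) of a pre-flight check to run before certbot renew: it reads the webroot_path certbot records in its renewal config (certbot stores this under [renewalparams] in /etc/letsencrypt/renewal/<domain>.conf), confirms the acme-challenge directory exists there, and compares it with the nginx root directive. The file names, paths and the sample configs it builds are all constructed here so it runs offline.

```shell
#!/bin/sh
# Pre-flight check for a certbot webroot renewal (added example, not certbot's code).
set -eu

# Extract webroot_path from a certbot renewal config; certbot writes it with a
# trailing comma (e.g. "webroot_path = /var/www/html,"), which is stripped here.
renewal_webroot() {
    sed -n 's/^webroot_path *= *\([^,]*\).*/\1/p' "$1" | head -n 1
}

# Extract the first root directive from an nginx server block file.
nginx_root() {
    sed -n 's/^[[:space:]]*root[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Return 0 when certbot's recorded webroot exists, has the challenge dir and
# matches what nginx actually serves; return 1 (with a reason) otherwise.
check_webroot() {
    want=$(renewal_webroot "$1")
    got=$(nginx_root "$2")
    if [ -z "$want" ]; then echo "no webroot_path in $1 (not a webroot renewal?)"; return 1; fi
    if [ ! -d "$want/.well-known/acme-challenge" ]; then echo "challenge dir missing under $want"; return 1; fi
    if [ "$want" != "$got" ]; then echo "certbot webroot $want does not match nginx root $got"; return 1; fi
    echo "ok: certbot and nginx agree on $want"
}

# Constructed fixture: a stale renewal config (site has since moved), a corrected
# one, and an nginx server block pointing at the new location. Prints the temp dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/old/.well-known/acme-challenge" "$d/new/.well-known/acme-challenge"
    printf '[renewalparams]\nauthenticator = webroot\nwebroot_path = %s/old,\n' "$d" > "$d/stale.conf"
    printf '[renewalparams]\nauthenticator = webroot\nwebroot_path = %s/new,\n' "$d" > "$d/fixed.conf"
    printf 'server {\n    listen 80;\n    root %s/new;\n}\n' "$d" > "$d/site.conf"
    printf '%s' "$d"
}

# Usage: check_webroot.sh /etc/letsencrypt/renewal/example.com.conf /etc/nginx/sites-enabled/example.com
if [ "$#" -eq 2 ]; then
    check_webroot "$1" "$2"
fi
```

A non-zero exit here means the verbose "Attempting to save validation to ..." line will point at a directory nginx no longer serves, so fix the webroot (or re-run certbot certonly) before renewing.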