Certbot didn't renew the cert (fixed)


  • Used Zammad version: 6.0.0-1689022706.43799676.buster
  • Used Zammad installation type: package
  • Operating system: Debian 10

Expected behavior:

  • Certbot should renew the certificate

Actual behavior:

  • Certbot doesn’t renew the certificate
  • Last renewal worked automatically and without issues on May 2nd
  • It seems, Certbot is trying to use https instead of http for some reason. I checked another server (Mattermost), there it uses http.
Attempting to renew cert (<domain>) from /etc/letsencrypt/renewal/<domain>.conf produced an unexpected error:
Failed authorization procedure. <domain> (http-01): urn:ietf:params:acme:error:unauthorized ::
The client lacks sufficient authorization :: <ip>: Invalid response from https://<domain>/.well-known/acme-challenge/<id>: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/<domain>/fullchain.pem (failure)

I have added the following to the second directive (for port 443) in /etc/nginx/sites-enabled/zammad.conf and got it working again:

  location /.well-known/ {
    root /var/www/html;

Just leaving this here for other folks, and of course I’d like to know the root cause. It seems, neither the NGINX configuration file nor the Certbot configuration file had been changed, so I’m not sure what caused this.

1 Like